A Review of Recent Progress in Stepping-stone Intrusion Detection
Lixin Wang* and Jianhua Yang
TSYS School of Computer Science, Columbus State University, Columbus, Georgia, USA
*Corresponding Author: Lixin Wang, TSYS School of Computer Science, Columbus State University, Columbus, Georgia, USA.
December 03, 2021; Published: December 23, 2021
Hackers on the Internet usually send attacking commands through compromised hosts, referred to as stepping-stones, in order to avoid being detected. Stepping-stone intrusion (SSI) is a hacking technique used by intruders to launch cyber-attacks; it allows them to hide behind a long connection chain. In an SSI attack, an intruder employs a chain of stepping-stones as relay hosts and remotely connects to these stepping-stones using software such as SSH. Due to the nature of the TCP protocol, an interactive session of a TCP connection between a client and a server is independent of the other sessions in the connection chain. Therefore, it is extremely hard to detect the origin of the attack if an intruder has gained unauthorized access to a remote target system through multiple relayed TCP sessions. The final target of a TCP connection chain can only capture the traffic from the last session of the chain and can hardly learn anything about the attacker's machine. Quite a few recent significant and innovative approaches for SSI detection (SSID) have not yet been reviewed and compared with similar SSID approaches. This paper surveys most of the significant approaches proposed for SSID so far, including all recent progress in this area. The SSID methods reviewed in this paper are categorized into two types, host-based and network-based approaches, according to the number of hosts that play a key role in the design of the SSID algorithm. The contributions and limitations of every SSID approach included in this paper are clearly described and compared with similar SSID approaches proposed in the literature.
Keywords: Stepping-stone Intrusion; Intrusion Detection; Network Security; Connection Chain; Interactive Session
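As an added illustration of the host-based category described above (detection that needs only one host, the relay itself), the following example is not code from the paper or from any of the surveyed works: it correlates the packet timing of a relay host's inbound interactive session with each of its outbound sessions, since a stepping-stone forwards every keystroke shortly after receiving it. All flow names, timestamps and the `delta`/`threshold` values are constructed assumptions.

```python
"""Host-based stepping-stone detection by timing correlation (added example).
All data below is constructed; the flow names and thresholds are assumptions."""
from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    times: list  # send timestamps (seconds) of the flow's interactive packets


def correlation_ratio(inbound: Flow, outbound: Flow, delta: float = 0.05) -> float:
    """Fraction of outbound packets sent within `delta` seconds after the most
    recent inbound packet. A relayed pair scores close to 1.0, because the relay
    forwards each keystroke almost immediately; unrelated flows score low."""
    if not inbound.times or not outbound.times:
        return 0.0
    ins = sorted(inbound.times)
    hits, j = 0, 0
    for t_out in sorted(outbound.times):
        # advance to the last inbound packet sent at or before this outbound packet
        while j + 1 < len(ins) and ins[j + 1] <= t_out:
            j += 1
        if ins[j] <= t_out <= ins[j] + delta:
            hits += 1
    return hits / len(outbound.times)


def find_relayed_pairs(inbound_flows, outbound_flows, threshold=0.8, delta=0.05):
    """Report (inbound, outbound) pairs whose timing correlation exceeds the threshold,
    i.e. sessions this host is most likely relaying as a stepping-stone."""
    return [(i.name, o.name)
            for i in inbound_flows for o in outbound_flows
            if correlation_ratio(i, o, delta) >= threshold]


# Constructed sample: keystrokes arrive roughly every 0.3 s with small jitter.
KEYSTROKES = [round(0.3 * k + 0.01 * (k % 7), 3) for k in range(40)]
INBOUND = [Flow("in:upstream->relay", KEYSTROKES)]
OUTBOUND = [
    # relayed copy of the inbound session, forwarded about 20 ms later
    Flow("out:relay->target", [round(t + 0.02, 3) for t in KEYSTROKES]),
    # an unrelated outbound session with its own rhythm
    Flow("out:relay->other", [round(0.5 * k, 3) for k in range(30)]),
]

if __name__ == "__main__":
    for pair in find_relayed_pairs(INBOUND, OUTBOUND):
        print("possible stepping-stone relay:", pair)
```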