
TSYS School Researchers Explore New Approach to Stepping-Stone Intrusion Detection

As TSYS School computer scientists Jianhua Yang and Lixin Wang, along with their student Maochang Qin, explain in a new study, hackers usually send attack commands through compromised hosts, called stepping-stones, to decrease the chance of being discovered. An effective approach to stepping-stone intrusion detection is to estimate the length of a connection chain. This type of detection method is referred to as network-based stepping-stone intrusion detection.

According to Yang, "All of the existing network-based stepping-stone intrusion detection approaches use the distribution of packet round-trip times to estimate the length of a connection chain. Our study explores a novel approach – Fast Fourier Transformation – to analyze the distribution of packet round-trip times."

To do so, Yang and his colleagues first capture network packets from different stepping-stones in a connection chain, after which they identify and match the Send and Echo packets in each stepping-stone. Packet round-trip times are then obtained from the matched pairs of packets. "We then apply the round-trip time interpolation method to obtain a round-trip time function and finally conduct Fast Fourier Transformation to the round-trip time function in each stepping-stone host. Finally, we conduct a complete Fast Fourier Transformation analysis for the distribution of packet round-trip times and present the Fast Fourier Transformation analysis results in this paper," Yang explained.

Yang et al.'s study appears in the latest issue of the Journal of Mobile Networks, Ubiquitous Computing, and Dependable Applications.
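An added example, not code from the study or its authors, of the pipeline described above: match Send and Echo packets, derive round-trip times, interpolate them into an evenly sampled function, and take its FFT. The FIFO matching rule, linear interpolation, the function names and the sample capture are assumptions made for illustration; the page does not specify the authors' own matching or interpolation methods.

```python
import cmath

def match_rtts(packets):
    """FIFO-match each Send ('S') with the next Echo ('E'); return (send_time, rtt) pairs."""
    pending, rtts = [], []
    for ts, kind in sorted(packets):
        if kind == "S":
            pending.append(ts)
        elif kind == "E" and pending:      # a stray Echo with no pending Send is ignored
            sent = pending.pop(0)
            rtts.append((sent, ts - sent))
    return rtts

def interpolate(rtts, n):
    """Linearly interpolate the RTT samples onto n evenly spaced time points."""
    t0, t1 = rtts[0][0], rtts[-1][0]
    out, j = [], 0
    for i in range(n):
        t = t0 + (t1 - t0) * i / (n - 1)
        while j < len(rtts) - 2 and rtts[j + 1][0] < t:
            j += 1
        (ta, ra), (tb, rb) = rtts[j], rtts[j + 1]
        out.append(ra + (rb - ra) * (t - ta) / (tb - ta))
    return out

def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * cmath.pi * k / n) * odd[k] for k in range(n // 2)]
    return [e + t for e, t in zip(even, tw)] + [e - t for e, t in zip(even, tw)]

def rtt_spectrum(packets, n=16):
    """Per-bin magnitude of the FFT of the mean-removed RTT function."""
    f = interpolate(match_rtts(packets), n)
    mean = sum(f) / n
    return [abs(c) / n for c in fft([v - mean for v in f])]

def sample_packets():
    """Constructed capture: one Send per second, RTT repeating every 4 packets."""
    cycle = [0.12, 0.10, 0.08, 0.10]
    return [p for i in range(16) for p in ((float(i), "S"), (i + cycle[i % 4], "E"))]

if __name__ == "__main__":
    spec = rtt_spectrum(sample_packets())
    print("strongest bin:", max(range(1, 9), key=lambda k: spec[k]))
```

On the constructed capture the RTT repeats every four packets, so the spectral energy lands in bin 4 (and its mirror, bin 12) of the 16-point spectrum.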
 
