Detecting Stepping Stones in Internet Environments

by

Ping Li B.Eng. (University of Electronic Science and Technology of China) M.Eng. (University of Electronic Science and Technology of China)

Submitted in Fulfillment of the requirements for the degree of Doctor of Philosophy

Deakin University February, 2011

DEAKIN UNIVERSITY ACCESS TO THESIS - A

I am the author of the thesis entitled "Detecting Stepping Stones in Internet Environments", submitted for the degree of Doctor of Philosophy. This thesis may be made available for consultation, loan and limited copying in accordance with the Copyright Act 1968.

'I certify that I am the student named below and that the information provided in the form is correct'

Full Name: Ping Li
Signed:
Date: 22/08/2011

DEAKIN UNIVERSITY CANDIDATE DECLARATION

I certify that the thesis entitled "Detecting Stepping Stones in Internet Environments", submitted for the degree of Doctor of Philosophy, is the result of my own work and that where reference is made to the work of others, due acknowledgment is given. I also certify that any material in this thesis which has been accepted for a degree or diploma by any university or institution is identified in the text.

'I certify that I am the student named below and that the information provided in the form is correct'

Full Name: Ping Li
Signed:
Date: 22/08/2011

Acknowledgements

I would like to express my sincere gratitude and profound thanks to my supervisor Professor Wanlei Zhou for his supportive supervision, helpful criticism, valuable suggestions and endless patience. Without his inspiring enthusiasm and encouragement, this work could not have been completed. He generously provided me with his time, effort and insightful advice at all times, and guided me through the door leading to becoming a successful researcher. I would like to thank many staff members in the School of Information Technology, Deakin University: Professor Lynn Batten, Professor Andrez Goscinski, Dr. Robin Doss, Dr. Yang Xiang, Dr. Shang Gao, Dr. Gang Li, Dr. Ming Li, Dr. Shui Yu, Mr. Jun Zhang, Dr. Shuyuan Jin and others. I am also grateful to Ms. Georgina Cahill, Mr. Nghia Dang and other staff in the school for their valuable help. I would also like to thank my friends and colleagues for their wonderful help with my research and life: Dr. Ke Li, Dr. Ashley Chonka, Dr. Leanne Ngo, Dr. Yiqing Tu, Dr. Faye Ferial Khaddage, Miss Yini Wang, Mr. Theerasak Thapngam, Mr. Alessio Bonti, Mr. Longxiang Gao, Mr. Yongli Ren, Ms. Wei Zhou, Mr. Sheng Wen, Ms. Yanli Yu, Mr. Min Gan, Miss Jia Rong and many more. I cannot end without thanking my family, including my lovely parents, my dad Zhongxin Li and my mum Xianglian Wang, for their continued support. A special thanks also to the love of my life, Yu Deng, for his encouragement, care and love, and to my angels, Keyue and Kezhuo, for their patience and understanding.

Publications

During my PhD candidature, the following research papers were published or accepted in fully refereed international conference proceedings and journals.

- Yu, Y., Li, K., Zhou, W. and Li, P., Trust Mechanisms in Wireless Sensor Networks: Attack Analysis and Countermeasures, Journal of Networking and Computer Applications. Accepted: 12/12/2010 (ERA Rank A, Impact Factor = 1.111).
- Li, P., Zhou, W. and Wang, Y. (2010) Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection, NSS 2010: Proceedings of the 3rd IEEE International Conference on Network & System Security, IEEE Computer Society Press, United States, pp. 377-382.
- Li, P., Zhou, W. and Yu, Y. (2010) A Quick-Response Real-Time Stepping Stone Detection Scheme, HPCC 2010: Proceedings of the 12th IEEE International Conference on High Performance Computing and Communications, IEEE Computer Society Press, United States, pp. 677-682.
- Li, K., Zhou, W., Li, P., Hai, J. and Liu, J. (2009) Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics, NSS 2009: Proceedings of the 3rd IEEE International Conference on Network & System Security, IEEE Computer Society Press, United States, pp. 9-17.
- Li, K., Zhou, W. and Li, P. (2009) Reliable Downloading Algorithms for BitTorrent-like Systems, NPC 2009: Proceedings of the 6th IFIP International Conference on Network and Parallel Computing, IEEE Computer Society Press, United States, pp. 167-173.
- Li, P., Zhou, W. and Li, K. (2008) An Operational Approach to Validate the Path of BGP, Lecture Notes in Computer Science, Volume 5022/2008, pp. 133-143, Springer Berlin / Heidelberg.
- Li, K., Zhou, W., Yu, S. and Li, P. (2007) Novel Data Management Algorithms in Peer-to-Peer Content Distribution Networks, Lecture Notes in Computer Science, Volume 4798/2007, pp. 538-543, Springer, Germany.

ABSTRACT

Although many countermeasures and laws have been developed against Internet attacks, the number of attacks is still on the rise, with devastating consequences such as the disruption of critical infrastructure, significant financial loss, and danger to public life. One critical question that researchers and law enforcement agencies still cannot answer easily is: where do Internet attacks really come from? Attackers can easily hide their identities and evade punishment by relaying their attacks through a series of compromised systems or devices called stepping stones. Attackers also make detection more difficult by using evasive techniques, such as introducing dummy packets into the stream and introducing delay into the timing of the packet stream. The goal of this thesis is to develop an effective and efficient scheme, along with a number of related algorithms, to detect stepping stones in real Internet environments, even when evasion techniques are used by attackers.

This thesis is organized as follows. Chapter 1 presents an introduction to stepping stone attacks and the important issues related to stepping stone detection. Chapter 2 provides a brief but in-depth introduction to the major characteristics of stepping stone attacks and a detailed survey of the related work on detecting stepping stones. Chapters 3 to 6 present our major contributions to detecting stepping stones. In Chapter 3, we propose a real-time Round Trip Time (RTT) getting algorithm for stepping stones, which can be employed by RTT-based stepping stone detection approaches to detect stepping stones directly, or by other stepping stone detection approaches to select the values of important parameters. A simple but effective stepping stone detection scheme which can be employed on the Internet is proposed in Chapter 4. Two stepping stone detection algorithms that are highly resistant to evasion techniques are proposed in Chapter 5. In Chapter 6, we present a quantitative and comparative study of network-based passive stepping stone detection proposals, based on a series of experiments. Finally, Chapter 7 summarizes the contributions of this thesis and discusses future work.

Table of Contents

Acknowledgements  IV
Publications  V
ABSTRACT  VII
Table of Contents  VIII
List of Figures  XII
List of Tables  XV
Chapter 1 Introduction  1
1.1 Motivation and Rationale  1
1.2 Contributions of This Thesis  4
1.3 Approaches of This Thesis  6
1.4 Organization of This Thesis  8
Chapter 2 Background  10
2.1 Attacks Using Stepping Stone  10
2.2 Stepping Stone Detection  13
2.2.1 Introduction to Stepping Stone Detection Systems  13
2.2.2 Evading Detection  15
2.3 Network-Based Passive Stepping Stone Detection Systems  16
2.3.1 Content Correlation  16
2.3.2 Count Correlation  17
2.3.3 Timing Correlation  20
2.3.4 RTT Correlation  27
2.3.5 Others  28
2.4 Summary  29
Chapter 3 Getting the Real-Time Round-Trip Time for Stepping Stone Detection  30
3.1 Introduction  31
3.2 Motivation  33
3.3 Estimation-Based Algorithm (EBA)  37
3.3.1 The Estimating Module  38
3.3.2 The Matching Module  41
3.4 Evaluation  44
3.4.1 Matching Rate  44
3.4.2 Accurate Rate  46
3.5 Application  49
3.6 Summary  54
Chapter 4 Detecting Stepping Stones in Real Internet Environments  56
4.1 Introduction  56
4.2 Definitions and Property for Packet Delay  58
4.2.1 Related Definitions  58
4.2.2 Property of Packet Delay  60
4.3 Algorithm and Analysis  64
4.3.1 PDBC Algorithm  64
4.3.2 Analysis  65
4.4 Experiments  69
4.4.1 Data Source and Testing Method  69
4.4.2 Experimental Results  72
4.5 Summary  79
Chapter 5 Detecting Chaffed and Jittered Stepping Stone Connections  81
5.1 Introduction  82
5.2 Related Works  83
5.3 Probability Analysis  84
5.3.1 Related Definitions  85
5.3.2 Modelling Connection Streams  87
5.3.3 Probability Bound under Poisson Model with Varying Rate  88
5.3.4 Probability Bound under Poisson Model with a Fixed Rate  91
5.4 Algorithm and Analysis  93
5.4.1 Abnormal Probability Detection Algorithm  94
5.4.2 Speedy Abnormal Probability Detection Algorithm  98
5.4.3 Analysis and Improvement  98
5.5 Experiment and Results  101
5.5.1 Experiment Design  101
5.5.2 Experiment Results  103
5.6 Summary  116
Chapter 6 Experimental Analysis for Stepping Stone Detection Approaches  117
6.1 Introduction  118
6.2 Design of Experiments  119
6.2.1 The Implementation of Stepping Stone Detection Approaches  119
6.2.2 Private Dataset  124
6.2.3 Public Dataset  126
6.3 Evaluation Results  130
6.3.1 The Approaches having Maximum Delay Assumption  130
6.3.2 Other Approaches  135
6.3.3 Experimental Results Summary  140
6.4 Summary  141
Chapter 7 Conclusions and Future Work  142
7.1 Conclusions  142
7.1.1 Major Contributions  142
7.1.2 Significance of this Thesis  145
7.2 Future Work  146
Bibliography  149

List of Figures

Figure 1.1. DDoS attack using stepping stones  2
Figure 2.1. Attacks using stepping stones  11
Figure 2.2. Steal secure data using stepping stones. Source [33]  12
Figure 3.1. Stepping stone chain between Attacker and Target  35
Figure 3.2. RTT distribution  39
Figure 3.3. RTT distribution  40
Figure 3.4. Matching module processing  43
Figure 3.5. One connection with simple inputting commands by slow typing speed  50
Figure 3.6. One connection with complex inputting commands by quick typing speed  51
Figure 3.7. One chain with simple inputting commands by slow typing speed  52
Figure 3.8. One chain with complex inputting commands by quick typing speed  53
Figure 4.1. Stepping stone packet delay  62
Figure 4.2. Experimental topology for data source  69
Figure 4.3. False negative with different  71
Figure 4.4. False positive with different  71
Figure 4.5. False negative with different  73
Figure 4.6. False positive with different  73
Figure 4.7. False negative for PDBC, sketching and IPD  74
Figure 4.8. False positive for PDBC, sketching and IPD  74
Figure 4.9. Accuracy for PDBC, sketching and IPD  75
Figure 4.10. Accuracy for PDBC with different chaff rate  77
Figure 4.11. Accuracy for sketching with different chaff rate  78
Figure 4.12. Accuracy for IPD with different chaff rate  78
Figure 5.1. The timing causality on a stepping stone chain  85
Figure 5.2. Accuracy for APD with monitoring time rising  103
Figure 5.3. The impact of correlated connection by fixed delay for APD  104
Figure 5.4. The impact to a normal connection by fixed delay for APD  105
Figure 5.5. The impact to correlated connections by jitters for APD  106
Figure 5.6. The impact to normal connection by jitters for APD  107
Figure 5.7. Accuracy for SAPD with monitoring time increasing  108
Figure 5.8. The impact to correlated connections by fixed jitter for SAPD  109
Figure 5.9. The impact to normal connections by fixed delay for SAPD  109
Figure 5.10. Comparing for APD and SAPD by fixed delay  110
Figure 5.11. Comparing for APD and SAPD by jitter  110
Figure 5.12. Impact to correlated connections by jitter with SAPD  111
Figure 5.13. Impact to normal connections by jitter with SAPD  111
Figure 5.14. Accuracy with no jitter and chaff  113
Figure 5.15. Accuracy with chaff only  114
Figure 5.16. Accuracy with jitter only  115
Figure 5.17. Accuracy with chaff and jitter  115
Figure 6.1. True positive for DA and DMV by public dataset  128
Figure 6.2. Accuracy for DA and DMV by private dataset  129
Figure 6.3. True positive and true negative for S-I and S-III by public dataset  130
Figure 6.4. Accuracy for S-I and S-III by private dataset  131
Figure 6.5. Accuracy for Deviation, S-II and S-III by private dataset  132
Figure 6.6. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different chaff rate  133
Figure 6.7. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different jitter  134
Figure 6.8. Accuracy by public dataset with 600s duration  135
Figure 6.9. True positive and true negative by public dataset with 100s duration  136
Figure 6.10. Accuracy by private dataset with different durations  137
Figure 6.11. Accuracy by private dataset with different chaff rate  138
Figure 6.12. Accuracy by private dataset with different jitters  138

List of Tables

Table 2.1. Network based passive stepping stone detection systems  17
Table 3.1. Standard deviation comparisons for RTT and RTT distribution  41
Table 3.2. Matching rate examples for EBA  45
Table 4.1. Practical features comparison among the encrypted traffic stepping stone detection approaches  59
Table 4.2. Real-time comparing processing in the PDBC algorithm  63
Table 4.3. Monitoring time expired processing in PDBC algorithm  65
Table 4.4. Parameters for PDBC, sketching and IPD  76
Table 4.5. Execute time for PDBC, IPD and sketching  79
Table 5.1. Real-time comparing processing in APD algorithm  95
Table 5.2. Monitoring time expired processing in APD algorithm  96
Table 5.3. Real-time comparing processing in SAPD algorithm  97
Table 5.4. Monitoring time expired processing in SAPD algorithm  99
Table 5.5. Parameters values for sketching and S-III  112
Table 6.1. Parameters of stepping stone detection approaches  121
Table 6.2. Parameters values for stepping stone detection approaches  139


Chapter 1 Introduction

In this chapter we begin by introducing the motivation and rationale of this thesis. We then describe the major contributions of our research and the main approaches used in our study. Finally, we describe the organization of this thesis.

1.1 Motivation and Rationale

Networks have dramatically altered aspects of our daily activities, particularly how we communicate, learn and conduct business. Unfortunately, while enjoying the convenience of the Internet, we also have to face network security problems. Attackers from anywhere may attack a site at any time, causing nearly irreparable damage. Various defense systems have been proposed to detect these attacks. However, attackers can still evade punishment, and new attacks can be launched again. One of the most important reasons why attackers can so easily hide their identities and evade punishment is that they relay their attacks through a series of compromised systems or devices, called stepping stones [1].

For example, the DDoS (distributed denial of service) [89] attack is notorious for causing tremendous destruction; popular websites such as Yahoo, Amazon, CNN and eBay have been targeted by DDoS attacks. As shown in Figure 1.1, a DDoS attack begins with an attacker, who may pass information through various stepping stone hosts to reach a controller node, which in turn may control a number of zombie hosts. The stepping stones, controllers and zombies are all compromised systems or devices. Upon a signal, these zombies attack one or more target machines to perform the DDoS attack. It is possible for DDoS defense systems to detect such an attack, find the zombies and even find the controllers. However, where is the real attacker? Without finding the real attackers hiding behind the various stepping stones, it is impossible to reduce such DDoS attacks.

Figure 1.1. DDoS attack using stepping stones (diagram: Attacker, a chain of Stepping stones, Controllers, Zombies)

Only by finding stepping stones is it possible to trace the real attackers hiding behind them. The detection of stepping stones is therefore one of the foundations for reducing security problems on the Internet. To date, a number of stepping stone detection systems have been proposed. However, few of them can be employed in real applications. First, in order to trace back and identify the source of an attack, real-time and quick response is necessary, because attackers have many excuses and techniques (such as a fake IP address) for denying their attacking activity when there is no on-the-spot evidence. In addition, attackers normally launch their attacks in a very short time period to evade detection, yet most stepping stone detection systems do not take responsiveness into consideration. Second, some stepping stone detection systems assume there is no packet loss while packets are relayed by stepping stones, which is not true for Internet traffic. Finally, to obtain accurate detection results, some stepping stone detection systems use complex computations and consume too much storage, which is not acceptable for real-time applications. Therefore, quick responsiveness, few assumptions, small computation and low memory cost remain challenges in developing a practical stepping stone detection system.

In addition, current stepping stone detection systems are generally based on the similarity of the attack streams relayed by stepping stones. For example, the packet inter-arrival intervals are nearly consistent between the attack streams relayed by successive stepping stones. However, attackers may evade stepping stone detection systems by introducing random jitter delays before packets are relayed from stepping stones, or by inserting chaff (superfluous packets, which contain no valuable information and are not relayed by the stepping stones) into the attack flow at the stepping stones. These evasion techniques can completely break most of the similarity features of attack streams, which may leave most stepping stone detection systems useless. Therefore, resistance to evasion techniques is another challenge in developing a stepping stone detection system. In this thesis, our aim is to develop stepping stone detection systems which provide effective and efficient stepping stone detection in real Internet environments, even when evasive techniques are used by attackers.

1.2 Contributions of This Thesis

In this thesis, we develop a real-time Round-Trip Time (RTT) getting algorithm which provides accurate RTTs for stepping stone detection systems, and a simple but effective stepping stone detection system which can be used in real Internet environments. We also present two abnormal-probability-based stepping stone detection systems that can effectively resist evasion techniques. We further present a highly quantitative comparative experimental study of stepping stone detection systems. The main contributions of our research are listed as follows.

- We first study the RTTs of stepping stones, which are critical for detecting them. RTT-based stepping stone detection systems need precise RTTs to detect stepping stones directly, while other stepping stone detection systems need RTTs indirectly to calculate important parameters. However, the RTT of a stepping stone connection differs from the RTT of TCP, and it is not easy to obtain it with a high degree of precision. We propose the Estimation Based Algorithm (EBA), which obtains the real-time RTT accurately. The experiments show that our algorithm is far more precise than other real-time RTT getting algorithms. We also present a theoretical analysis from the probabilistic point of view, which shows that our algorithm has a high matching rate and an accuracy rate as high as that of a complicated non-real-time approach.
- We study the practical features of previous stepping stone detection systems. Due to their demands on storage, computation and excessive monitoring time, previous stepping stone detection systems are hardly applicable in real Internet environments. We propose a simple but effective stepping stone detection scheme which reduces some of these demands. Our experiments show that the proposed approach achieves more than 90% accuracy with 2 seconds of monitoring and more than 95% accuracy with 10 seconds of monitoring, in addition to low computation cost.
- We study the packet timing and frequency features of stepping stone attack streams, which are the foundations commonly employed to detect stepping stones. These features may be altered by attackers introducing jitter and chaff into stepping stone connections. However, one timing feature cannot be changed: a packet has to arrive at a node before it can leave that node. Based on two Poisson process models, we formulate and derive two separate upper bounds on the probability that normal (uncorrelated) streams exhibit this timing feature of stepping stone attack streams. Based on the two upper bounds, we further propose two novel stepping stone detection systems which have no parameters, yet can detect stepping stones accurately even under large jitter and a high chaff rate. We compare the two proposed stepping stone detection systems with some of the previous ones. The experiments show that the two proposed systems are more resistant to chaff and jitter than previous ones, and also maintain a high rate of accuracy for detecting stepping stone attack streams which have no chaff or jitter perturbation.
- Finally, we study the experimental designs of stepping stone detection systems. There are two big issues with previous experimental designs. One is the insufficient use of real Internet environments. The other is the absence of a highly quantitative comparative experimental study. Based on the implementation of 13 stepping stone detection systems, the extraction of SSH [66] data from public traces containing millions of packets, and the capture of genuine stepping stone connection chain data from the Internet, we test these stepping stone detection systems in several scenarios using uniform criteria. From the experimental results and analysis, we draw conclusions on the real-time application of stepping stone detection systems, and highlight their accuracy, the impact of their assumptions, and the impact of chaff and jitter. In addition, we give suggestions for improving some previous stepping stone detection systems.
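The RTT getting problem in the first contribution above, as an added illustration that is not the thesis's EBA code: a monitor watching one interactive connection sees downstream keystroke packets ("sends") and upstream "echoes", and has to decide which pending send each echo answers. The block compares a plain FIFO pairing with a pairing driven by a first-order linear recursive filter (the same kind of filter the approaches below use for RTT estimation; the gain of 1/8 is an assumption, chosen because TCP's smoothed RTT uses it). The trace is constructed, in milliseconds, and contains one coalesced echo, the case where the server answers two quick keystrokes with a single packet: the FIFO pairing is permanently skewed after it, while the estimate-driven pairing discards the stale send and recovers.

```python
"""Real-time RTT estimation for an interactive stepping-stone connection.

Added example, not the thesis's EBA implementation. Events are (time_ms, kind)
with kind "send" (downstream keystroke packet) or "echo" (upstream reply).
The RTT sample for an echo is its time minus the time of the send it answers;
the problem is choosing that send when several are outstanding.
"""
from collections import deque

ALPHA = 0.125  # filter gain; assumed value, same as TCP's SRTT weighting


def fifo_rtts(events):
    """Baseline: pair every echo with the oldest pending send, no estimation."""
    pending, samples = deque(), []
    for t, kind in sorted(events):
        if kind == "send":
            pending.append(t)
        elif pending:
            samples.append(t - pending.popleft())
    return samples


def estimated_rtts(events, alpha=ALPHA):
    """Estimation-based matching.

    Keep a smoothed RTT (first-order recursive filter). For each echo, pick the
    pending send whose implied RTT is closest to the estimate; any older pending
    send is treated as having been answered by a coalesced or lost echo and is
    dropped. Returns (list of RTT samples, final smoothed RTT).
    """
    pending, samples, srtt = deque(), [], None
    for t, kind in sorted(events):
        if kind == "send":
            pending.append(t)
            continue
        if not pending:
            continue  # echo with nothing outstanding: nothing to measure
        if srtt is None:
            s = pending.popleft()  # no estimate yet: fall back to FIFO once
        else:
            s = min(pending, key=lambda x: abs((t - x) - srtt))
            while pending[0] != s:  # stale sends older than the match
                pending.popleft()
            pending.popleft()
        sample = t - s
        srtt = sample if srtt is None else (1 - alpha) * srtt + alpha * sample
        samples.append(sample)
    return samples, srtt


# Constructed trace: two keystrokes 10 ms apart whose echoes the server
# coalesces into one packet at 210 ms, then two isolated keystrokes.
# True RTT is about 200 ms throughout.
EVENTS = [(0, "send"), (10, "send"), (210, "echo"),
          (500, "send"), (700, "echo"),
          (900, "send"), (1100, "echo")]

if __name__ == "__main__":
    print("FIFO pairing      :", fifo_rtts(EVENTS))
    print("estimate pairing  :", estimated_rtts(EVENTS))
```

The FIFO matcher reports 690 ms and 600 ms for the last two echoes because the orphaned second send is never cleared; the estimate-driven matcher reports 200 ms for both. In a chain monitor this matters because the RTT is what separates a locally echoed connection from one whose echo has to traverse further hops.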

1.3 Approaches of This Thesis

In this thesis, we use multiple approaches in our research, which are listed below.

• Probability theory. We use probability theory and the Chebyshev inequality [88] to analyze the accuracy rate and matching rate of the proposed RTT getting algorithm. We also use probability theory to analyze network traffic models


and formulate the upper bounds on the probability that normal streams present a timing feature of stepping stone attack streams.

• Queuing theory. We use this powerful network analysis tool to analyze the packet delay on stepping stone attack streams and derive the proposed Packet Delay Bidirectional Comparison scheme for stepping stone detection.

• Signal processing. We use a first-order linear recursive filter to estimate the RTTs of stepping stones in the proposed RTT getting algorithm.

• Private datasets. We use the KpyM [79], OpenSSH [75] and PuTTY [78] SSH tools to install the SSH [66] client and server services on some hosts, build stepping stone topologies on the Internet, and obtain the private dataset using the Wireshark [77] traffic capturing tool. This private dataset provides an ideal source for testing and evaluating stepping stone detection systems.

• Public datasets. We extract SSH data from the Auckland-VIX trace datasets provided by WITS [52] as a complementary source for testing and evaluating stepping stone detection approaches.

• Programming language and platform. We program and implement 3 of our proposed stepping stone detection systems and the other 10 stepping stone detection systems in the C language. Furthermore, several scenarios are implemented for every stepping stone detection system. The extraction and processing of the datasets and the result statistics are implemented by programming as well. There are more than 30,000 lines of code in total under our control. We use cygwin [76] as the platform for running the programs.



1.4 Organization of This Thesis

The remainder of this thesis is organized as follows.

• Chapter 2 introduces the background and related work of our research in this thesis. At first, it provides an introduction to the basic characteristics of attacks using stepping stones. Then, it introduces stepping stone detection systems, the techniques to evade stepping stone detection and the classification of stepping stone detection systems. Lastly, the chapter focuses on previous research related to network-based passive stepping stone detection systems.

• Chapter 3 deals with a real-time RTT getting algorithm for stepping stone detection called the Estimation Based Algorithm (EBA). This chapter begins by presenting the motivation for this research. Then it presents the details of the two modules that compose the EBA, the estimating module and the matching module. An analysis of the accuracy rate and the matching rate of the EBA from probability theory follows, and finally, this chapter demonstrates the application of several real-time RTT getting algorithms, including the EBA, to one of the stepping stone detection systems.

• Chapter 4 introduces a practical stepping stone detection system which is efficient and quick to respond for the purposes of stepping stone detection. This

chapter begins by covering some previous research on practical features including response time, computation complexity and storage demand. After this brief discussion of previous research, details of the Packet Delay Bidirectional Comparison (PDBC) algorithm are introduced. This is followed


by a number of experiments and evaluations, highlighting the comparison with previous stepping stone detection systems.

• Chapter 5 deals with stepping stone detection systems which can be highly resistant to evasion techniques such as chaff and jitter. This chapter first presents some previous stepping stone detection systems related to evasion techniques. Then it introduces two mathematical models for normal streams, and derives the upper bounds on probability based on the two mathematical models. With the derived upper bounds, the Abnormal Probability Detection algorithm (APD) and the Speedy Abnormal Probability Detection algorithm (SAPD) are introduced. Lastly, a number of experiments and evaluations demonstrate the accuracy of the upper bounds. A comparison with certain stepping stone detection systems is also undertaken.

• Chapter 6 presents a comparative experimental analysis of stepping stone detection systems. Initially it deals with the implementation of stepping stone detection systems, the obtaining of datasets and a set of experimental criteria and scenarios. After the introduction of the experimental designs, a number of experiments and evaluations are conducted to show the accuracy of stepping stone detection approaches, the impact of their assumptions, and the impact of chaff and jitter. Finally, some important questions on the comparison of stepping stone detection systems are answered.

• Chapter 7 summarizes the main contributions and innovations of this thesis, and points out some possible avenues for future work.



Chapter 2 Background

This chapter introduces background and other work related to our research in this thesis. Firstly, it provides an introduction to the basic characteristics of attacks using stepping stones. Then, it introduces the stepping stone detection system and the techniques employed to evade stepping stone detection. Finally, focus turns to previous research related to network-based passive stepping stone detection systems.

2.1 Attacks Using Stepping Stones

The Internet has become increasingly critical nowadays, but at the same time Internet attacks have increased significantly. One of the most important reasons for this is that attackers can very easily avoid punishment by maintaining anonymity [1]. Stepping stones are one of the effective strategies adopted by network perpetrators to maintain their anonymity during an attack. Instead of communicating directly, an attacker uses a series of intermediate nodes that have been previously compromised to relay his commands to a victim.


These intermediate nodes are called stepping stones [1]. By employing this technique, attackers construct a connection chain of stepping stones, which is a sequence of logins where a person logs into one computer by an interactive protocol like SSH or Telnet, and then logs into another computer, and so on [1]. Attack commands or programs are sent from the attacker's machine, relayed by the stepping stones, and finally delivered to the targeted machine via the connection chain constructed by the attacker. Consequently, as shown in Figure 2.1, if the victim detects he is under attack, he will only know that the attack packets are coming from the closest intermediate node, and the real attacker will be free from punishment.

[Figure 2.1. Attacks using stepping stones. The figure shows the attacker reaching the victim through a chain of stepping stones separated by IP networks, and asks: who is the real attacker?]

Stepping stones are often used by network perpetrators for launching Denial of Service (DoS) [89] attacks or for hacking into systems to steal secure data. We already described a scenario of a DoS attack in Chapter 1. Now, let us consider a scenario where an attacker seeks to penetrate a tightly secured server and retrieve top secret data from a carefully monitored government network. The hacker first selects nodes with weak security across geographically diverse locations as candidates to be stepping stones, the controller, the receiver and the zombies, and then proceeds to compromise them.


Following this, the commands to steal data are sent by the hacker and pass through various stepping stone hosts to reach the controller node, which in turn controls a series of zombies. When a signal from the controller is received, these zombies may modify or exfiltrate information from the victim. Exfiltrated information may then go to the receiver, which in turn is separated from the hacker by a series of stepping stones. This attack scenario, described in the Mitre workshop report [57], is illustrated in Figure 2.2. Even if forensic investigators manage to trace the attack path to the controller, they may not get access to the system logs of the stepping stones. Thus, an attack using stepping stones is the most favored attack mechanism that guarantees anonymity to the attacker.

[Figure 2.2. Stealing secure data using stepping stones. Source [33]. The figure shows the attacker reaching a controller through a chain of stepping stones; the controller drives several zombies that act on the victim, and the exfiltrated data flows to a receiver that is again separated from the attacker by stepping stones.]



2.2 Stepping Stone Detection

2.2.1 Introduction to Stepping Stone Detection Systems

Since a stepping stone just forwards attack traffic along the stepping stone connection chain, the traffic of connections in the same connection chain must have similar characteristics. Therefore, the problem of detecting stepping stones comes down to finding correlated connections with the same characteristics. An intuitive approach to solve this problem would be to compare the contents of the incoming and outgoing packets within a network to find packets with the same content. However, the use of encrypted communication protocols like SSH has made this approach ineffective. Therefore, we need to use other features of the traffic, like timing characteristics, to detect stepping stones. Besides the similarity, stepping stone connections may also show anomalies in some characteristics. For example, the response time from a server for a stepping stone connection may be longer than for normal connections because the victim (the server for the stepping stone connection) is located many hops away. However, anomaly based methods only find the abnormal connections and thereby identify the stepping stones; they do not identify correlated connections, which means they cannot be used for tracing attackers. A stepping stone detection system is a system that analyses the connection traffic and identifies which connections are stepping stone connections or which connection pairs are correlated connections. Correlated connections are a pair of


connections which are in the same connection chain. The connection which is closest to the attacker in the connection chain is called the upstream connection. The connection which is closest to the victim in the connection chain is called the downstream connection. Depending on the location where the analysis takes place, stepping stone detection systems can be classified as host-based and network-based. The host-based approach [97] [98] requires some kind of monitoring software to be installed on each participating host. This kind of approach is limited, as the attacker can manipulate the results of the monitoring software if he has control over the host machine. The network-based approach requires tracing software to be installed in network routers and switches. This ensures that the whole network comes under the purview of the scan and the hosts do not need to participate individually. Stepping stone detection systems can also be classified into passive methods and active methods. Passive methods simply examine the data stream, while active methods attempt to modify the transmission stream. One active method explored in certain papers is the process of watermarking [6] [11] [17] [18] [34]. Watermarking is a method where the packet or packet flow is modified to insert a signature, which needs to be encoded (inserted) at one point and decoded (recovered) at another point. An active monitor may be more powerful in detecting stepping stones, but it needs to modify the operation of the network at many points. This means the passive methods are relatively simple and more easily employed in practice.



2.2.2 Evading Detection

Attackers may attempt to evade detection by actively modifying connections so they appear uncorrelated. Encrypting stepping stone connections makes the content-based approaches [1] unusable, given the widespread use of SSH. In addition, attackers may also introduce random jitter delays before packets depart stepping stones, or they may insert chaff into the original attack flow on the stepping stones. This can completely break the timing and count characteristics employed by many stepping stone detection systems. Introducing jitter and inserting chaff on stepping stones is not a difficult task for attackers. As a simple example, an attacker can add a number of characters followed by the same number of DEL (delete) characters. In addition, M. Venkateshaiah et al. [45] [47] propose a buffering technique to avoid detection by using jitter and chaff, along with selective dropping of packets on stepping stones. The SNEAK attack tool [46] proposed by J. D. Padhye et al. can even create constant rate streams by using a buffer delay and chaff. Therefore, stepping stone detection systems should take the evasion techniques used by attackers into consideration as well.



2.3 Network-Based Passive Stepping Stone Detection Systems

Since host-based methods are easily controlled by attackers, and active methods are hardly employed in practice, we focus our research on network-based passive stepping stone detection systems. Depending on the characteristic that a system analyses, the systems can be classified as using the content characteristic, timing characteristic, count characteristic, RTT characteristic or other characteristics. We then introduce previous works on network-based passive stepping stone detection systems according to these characteristics. All the work we surveyed is listed in Table 2.1.

2.3.1 Content Correlation

• Thumbprint. Staniford-Chen and Heberlein [1] initially explored stepping stone detection by considering a chain of Telnet [65] connections, in which the content is transmitted in the clear and therefore can be statistically analysed. Their approach was to create thumbprints by tabulating character frequencies during set time intervals over all Telnet connections into and out of a domain, and to compare them by looking for suspiciously good matches. As a technical feature, they used statistical analysis tools (principal components) to reduce the dimensionality of the feature vector, enabling rapid comparisons of the features of different connections. However, it cannot be used to detect encrypted connections.



Table 2.1. Network based passive stepping stone detection systems

System                    | Characteristic  | Function                        | Author                                | Year
Thumbprints               | Content         | Identify correlated connections | S. Staniford-Chen and L. T. Heberlein | 1995 [1]
Multiscale                | Character count | Identify correlated connections | D. L. Donoho et al.                   | 2002 [5]
DA                        | Packet count    | Identify correlated connections | A. Blum et al.                        | 2004 [8]
DMV                       | Packet count    | Identify correlated connections | T. He and L. Tong                     | 2006 [21]
Request-Response          | Packet count    | Identify correlated connections | Huang et al.                          | 2007 [33]
ON/OFF                    | Timing          | Identify correlated connections | Y. Zhang and V. Paxson                | 2000 [2]
Deviation                 | Timing          | Identify correlated connections | K. Yoda and H. Etoh                   | 2000 [3]
IPD                       | Timing          | Identify correlated connections | X. Wang et al.                        | 2002 [4]
DM                        | Timing          | Identify correlated connections | T. He and L. Tong                     | 2006 [10]
S-I, S-II, S-III and S-IV | Timing          | Identify correlated connections | L. Zhang et al.                       | 2006 [9]
Sketching                 | Timing          | Identify correlated connections | B. Coskun and N. Memon                | 2009 [35]
Send-Ack/Send-Echo        | RTT             | Identify abnormal connections   | K. H. Yung                            | 2002 [12]
RTT-Thumbprints           | RTT             | Identify correlated connections | Yang and Huang                        | 2005 [48]
Step-Function             | RTT             | Identify abnormal connections   | Yang and Huang                        | 2006 [16]
Anomaly                   | Other           | Identify abnormal connections   | Kampasi et al.                        | 2007 [49]

2.3.2 Count Correlation

• Multiscale.

“Multiscale”, proposed by Donoho et al. [5], uses character counts to detect stepping stones. This method uses wavelets and similar multiscale methods to separate the short-term behavior of the streams (the jitter or chaff) from the long-term behavior of the streams (the remaining correlation). This method requires the connections to remain for long periods; however, the authors never implemented it in a scalable system. Despite this, it is the first method to address robustness to added delay jitter and the introduction of chaff. It was also the first method to introduce two constraints, which many later methods followed. One constraint, the causality constraint, requires a packet to arrive at a node before it can leave it. The other is the maximum tolerable delay constraint, which limits the length of time a packet can be delayed at a stepping stone. Assume $C_2$ is the downstream connection of $C_1$, let $N_1(t)$ be the number of symbols in $C_1$ on $[0, t)$ and similarly for $N_2(t)$, and let $\Delta$ be the maximum tolerable delay. The two constraints are then:

1) Causality constraint: $N_2(t) \le N_1(t)$

2) Maximum tolerable delay constraint: $N_2(t + \Delta) \ge N_1(t)$

• DA. Following the two constraints of the “Multiscale” method, Blum et al. [8] proposed the DA (Detect-Attacks) method, which is based on packet counts. Using ideas from computational learning theory and the analysis of random walks, Blum et al. achieve provable (polynomial) upper bounds on the number of packets needed to confidently detect and identify stepping stone streams, with proven guarantees on the false positives. In addition, Blum et al. also proposed the DAC (Detect-Attacks-Chaff)


method, which is able to detect connections with chaff. DA and DAC are nearly the same, except that the computation of the upper bounds is different. The upper bounds for DAC are much bigger than those for DA. In DA and DAC, when a packet arrives on a connection, the difference in packet numbers between the two compared connections is obtained. If the difference is bigger than the specified number $p_\Delta$, then the connections are returned as normal; if the total number of packets observed on the two compared connections is bigger than the upper bound, which can be calculated from $p_\Delta$, then the connections are returned as correlated. These methods are simple. However, their upper bounds on the number of packets required are large, and Blum et al. do not discuss how to detect stepping stones when the number of packets is inadequate or when there is a large amount of chaff.

• DMV. Based on the work of Blum et al. [8], He et al. [20, 21] proposed the DMV (Detect-Maximum-Variation) method, which is also based on packet counts. Compared with DA, DMV records the maximum and minimum difference in packet numbers between the two compared connections. If the difference between the maximum value and the minimum value is larger than the specified number, then the connections are returned as normal. He et al. prove that DMV always outperforms DA. They also claim that the DMV algorithm has a time complexity of $O(n)$ and uses only constant memory ($O(\log p_\Delta)$, to be precise), where $n$ is the number of monitored packets and $p_\Delta$ is the largest number of packets the attacker can send within the maximum tolerable delay. But similar to DA, DMV needs a large number of packets to detect stepping stones.
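As an added illustration of the count-based rules just described (the Multiscale causality and maximum tolerable delay constraints, and the DA and DMV decision rules built on them), the following Python code runs both checks over constructed packet timestamps. It is not code from Blum et al., He et al. or this thesis; the packet bound is a hypothetical parameter rather than the bound derived in those papers, and DMV's spread threshold is assumed here to be the same $p_\Delta$.

```python
"""Count-based correlation checks in the style of DA (Blum et al.) and
DMV (He and Tong), as summarised above.  Added example, not code from
those papers or from the thesis.  All timestamps below are constructed."""


def merged_arrivals(upstream, downstream):
    """Return (timestamp, tag) pairs for both connections in time order.
    tag 0 = packet seen on the upstream connection, 1 = on the downstream one."""
    events = [(t, 0) for t in upstream] + [(t, 1) for t in downstream]
    events.sort()
    return events


def detect_attacks(upstream, downstream, p_delta, packet_bound):
    """DA-style rule.

    p_delta:      largest number of packets the attacker can send within the
                  maximum tolerable delay (the p_Delta of Blum et al.).
    packet_bound: number of observed packets after which the pair is declared
                  correlated if the running difference never exceeded p_delta.
                  Hypothetical parameter; the papers derive it from p_delta.
    Returns "normal", "correlated" or "undecided" (too few packets seen)."""
    diff = 0          # N1 - N2: upstream packets minus downstream packets
    seen = 0
    for _, tag in merged_arrivals(upstream, downstream):
        diff += 1 if tag == 0 else -1
        seen += 1
        if abs(diff) > p_delta:      # violates the two count constraints
            return "normal"
        if seen >= packet_bound:
            return "correlated"
    return "undecided"


def detect_maximum_variation(upstream, downstream, p_delta, packet_bound):
    """DMV-style rule: instead of the absolute difference, track the maximum
    and minimum of the running difference and reject when their spread
    exceeds p_delta.  A constant starting offset of the difference (e.g.
    packets captured on one side before monitoring began on the other)
    therefore no longer matters."""
    diff = 0
    lo = hi = None
    seen = 0
    for _, tag in merged_arrivals(upstream, downstream):
        diff += 1 if tag == 0 else -1
        lo = diff if lo is None else min(lo, diff)
        hi = diff if hi is None else max(hi, diff)
        seen += 1
        if hi - lo > p_delta:
            return "normal"
        if seen >= packet_bound:
            return "correlated"
    return "undecided"


# Constructed sample data (seconds).
# A relayed stream: every upstream packet leaves the stepping stone 0.1 s later.
SS_UP = [float(i) for i in range(8)]
SS_DOWN = [t + 0.1 for t in SS_UP]
# Two unrelated streams with very different packet rates.
NORMAL_UP = [float(i) for i in range(10)]
NORMAL_DOWN = [0.5, 5.5, 9.5]
# The same relayed stream, but three downstream packets were captured before
# monitoring of the upstream side started (a constant count offset).
OFFSET_UP = [float(i) for i in range(1, 9)]
OFFSET_DOWN = [0.1, 0.2, 0.3] + [t + 0.1 for t in OFFSET_UP]

if __name__ == "__main__":
    for name, up, down in [("relayed", SS_UP, SS_DOWN),
                           ("unrelated", NORMAL_UP, NORMAL_DOWN),
                           ("relayed, offset start", OFFSET_UP, OFFSET_DOWN)]:
        print(f"{name:22s} DA={detect_attacks(up, down, 2, 12):10s} "
              f"DMV={detect_maximum_variation(up, down, 2, 12)}")
```

The third case shows the point the text makes about DMV outperforming DA: a constant count offset makes DA reject the relayed pair, while DMV still accepts it.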



• Request-Response. Huang et al. [33] developed a method to detect stepping stones by comparing the bidirectional packet counts. Their method is based on their observation that if the frequency of the send stream is linearly related to the frequency of the echo stream, then the stepping stone is identified. This method works well in the simulation of Huang et al. when multiple connection streams pass through the same stepping stone node and the operations performed by users are similar. However, the packet count needed by this method is large, and in their simulation the packet count is on the scale of a thousand. In addition, as stated in the conclusion of their paper, their work is incomplete. For example, they did not prove via experimentation that streams with chaff could be detected, and for other traffic, additional constraints may be required.

2.3.3 Timing Correlation

• ON/OFF. The ON/OFF based approach proposed by Zhang et al. [2] is the first timing-based method which can trace stepping stones even if the traffic is encrypted. In their approach, they calculate the correlation of different connections by using each connection's OFF periods. A connection is considered to be in an OFF period when there is no data traffic on the connection for more than $T_{idle}$. When a packet with a non-empty payload appears, the connection ends its OFF period and begins an ON period. Two OFF periods are considered correlated if their ending times differ by $\le \delta$. For two connections $C_1$ and $C_2$, let $OFF_1$ and $OFF_2$ be the number of OFF periods in each, and $OFF_{1,2}$ be the number of these which are correlated. They consider $C_1$ and $C_2$ to be correlated connections if

$$\frac{OFF_{1,2}}{\min(OFF_1, OFF_2)} \ge \gamma .$$

This method is simple, but is easily affected by chaff and jitter.

• Deviation. Deviation is another timing-based measure, proposed by Yoda et al. [3]. The measure relies on the idea that as packets flow through a connection, the total size of transferred bytes tends to increase monotonically in time. Therefore, if two connections belong to the same connection chain, the total size of transferred bytes should grow at a similar rate. Assume connection $C_1$ is an upstream connection of $C_2$. The deviation between connections $C_1$ and $C_2$ is calculated as follows. For each connection, the algorithm constructs a graph with the timestamp value on the x axis and the TCP connection sequence number on the y axis, while ignoring retransmitted packets. The graphs are conceptually superposed and the graph of $C_2$ is repositioned along both the x and y axes until the average horizontal distance between the two graphs is minimized. Based on the graphs, the authors present a method to calculate the deviation between two connections. Then, the connections with small deviations are thought to be correlated connections.
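The ON/OFF rule described above (before the Deviation measure), as an added Python example that is not code from Zhang and Paxson or from this thesis; the payload packet timestamps and the three parameters are constructed.

```python
"""ON/OFF correlation in the style of Zhang and Paxson, as summarised above.
Added example, not code from their paper or from this thesis.  The timestamps
are constructed and are those of packets carrying a non-empty payload."""


def off_period_ends(payload_times, t_idle):
    """End times of the OFF periods of one connection.

    An OFF period starts once the connection has carried no payload for more
    than t_idle and ends at the next payload packet; that packet's timestamp
    is recorded as the OFF period's ending time."""
    ends = []
    for prev, cur in zip(payload_times, payload_times[1:]):
        if cur - prev > t_idle:
            ends.append(cur)
    return ends


def correlated_off_periods(ends1, ends2, delta):
    """OFF_{1,2}: number of OFF periods whose ending times differ by at most
    delta.  Each OFF period of connection 2 is matched at most once."""
    used = set()
    matched = 0
    for a in ends1:
        for idx, b in enumerate(ends2):
            if idx not in used and abs(a - b) <= delta:
                used.add(idx)
                matched += 1
                break
    return matched


def onoff_correlated(times1, times2, t_idle, delta, gamma):
    """Decide whether two connections are correlated under the ON/OFF rule
    OFF_{1,2} / min(OFF_1, OFF_2) >= gamma.  Returns (decision, ratio)."""
    ends1 = off_period_ends(times1, t_idle)
    ends2 = off_period_ends(times2, t_idle)
    if not ends1 or not ends2:
        return False, 0.0          # no OFF periods to compare
    ratio = correlated_off_periods(ends1, ends2, delta) / min(len(ends1), len(ends2))
    return ratio >= gamma, ratio


# Constructed sample data: payload packet timestamps (seconds) of an
# interactive session with pauses between keystroke bursts, the same session
# one hop downstream (each packet relayed 30 ms later), and an unrelated session.
UPSTREAM = [0.0, 0.2, 0.4, 2.5, 2.7, 5.0, 5.1, 8.0]
DOWNSTREAM = [t + 0.03 for t in UPSTREAM]
UNRELATED = [0.0, 1.0, 1.1, 3.0, 6.2, 6.3, 9.0]

T_IDLE = 0.5    # seconds of silence that start an OFF period
DELTA = 0.1     # tolerance on OFF period ending times
GAMMA = 0.8     # fraction of OFF periods that must coincide

if __name__ == "__main__":
    print("upstream vs downstream:", onoff_correlated(UPSTREAM, DOWNSTREAM, T_IDLE, DELTA, GAMMA))
    print("upstream vs unrelated: ", onoff_correlated(UPSTREAM, UNRELATED, T_IDLE, DELTA, GAMMA))
```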


Obviously, this measure only works if the packet sizes are not altered at the stepping stones, and thus it is unable to correlate connections where padding is added to the payload, e.g. when certain types of encryption are used.

• IPD. Wang et al. [4] propose a two-phase stepping stone detection system using Inter-Packet Delay (IPD) timing characteristics. The first phase finds “correlation points” between two packet streams. The second phase obtains the correlation value of the two connections from the set of correlation points. Since a correlation metric for true real-time correlation cannot be defined over the entire duration of a connection, they introduce a window size, which is the number of packets used to compute a correlation point. In other words, IPD is designed for a quick response. Correlation points are found by the following algorithm. Let $t_i$ represent the timestamp of the $i$-th packet on a connection. The IPD is defined as $d_i = t_{i+1} - t_i$. The IPD vector, then, is $(d_1, \ldots, d_n)$. A window of this vector is defined as

$$W_{j,s}(d_1, \ldots, d_n) = (d_j, \ldots, d_{j+s-1})$$

Given two connections $X$ and $Y$ whose IPD vectors are $(x_1, \ldots, x_m)$ and $(y_1, \ldots, y_n)$ respectively, for a given window size $s$, the tuple $(j, j+k)$, i.e., the values of the start of the windows, is defined as a correlation point if the maximum taken over the offset value $k$ of the similarity measure $\Phi(\cdot)$ is greater than a given correlation point threshold $\delta_{CP}$. That is,

$$\max_k \Phi(W_{j,s}(X), W_{j+k,s}(Y)) \ge \delta_{CP}$$

Four similarity measures $\Phi(\cdot)$ are defined, and a particularly successful one is the Min/Max Sum ratio. That is,

$$\Phi(W_{j,s}(X), W_{j+k,s}(Y)) = \frac{\sum_{i=j}^{j+s-1} \min(x_i, y_{i+k})}{\sum_{i=j}^{j+s-1} \max(x_i, y_{i+k})}$$

The second phase of the process uses the Correlation Value Function (CVF) to decide if two streams are correlated. After obtaining a set of correlation points, i.e., $(j_1, j_1+k_1), \ldots, (j_n, j_n+k_n)$, they are represented as two $n$-dimensional vectors $C_x = (j_1, \ldots, j_n)$ and $C_y = (j_1+k_1, \ldots, j_n+k_n)$; then if the value of the CVF is bigger than a given correlation value threshold $\delta$, the compared connections are considered correlated connections. The CVF is defined below.

$$CVF(C_x, C_y) = \frac{\sum_{i=1}^{n} (j_i - E(C_x)) \times (j_i + k_i - E(C_y))}{\sqrt{\left[\sum_{i=1}^{n} (j_i - E(C_x))^2\right] \times \left[\sum_{i=1}^{n} (j_i + k_i - E(C_y))^2\right]}}$$

Although IPD is designed for a quick response, as described, it is very complex. All IPD information must be stored during the monitored time, and the computation time is normally large because, for every packet, it compares windows of packets of the window size.
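The two IPD phases described above, as an added Python example that is not code from Wang et al. or from this thesis: correlation points from the Min/Max Sum ratio over IPD windows, then the CVF over the set of correlation points. Window indices are 0-based here, the offset $k$ is searched over $0 \ldots$ max_offset, and all timestamps are constructed.

```python
"""Two-phase IPD correlation in the style of Wang et al., as summarised
above: correlation points from the Min/Max Sum ratio over IPD windows, then
the CVF over the set of correlation points.  Added example, not code from
their paper or from this thesis.  Window indices here are 0-based."""
import math


def ipd_vector(timestamps):
    """d_i = t_{i+1} - t_i for consecutive packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def min_max_sum_ratio(wx, wy):
    """Phi(W_x, W_y) = sum(min(x_i, y_i)) / sum(max(x_i, y_i)); 1.0 means identical windows."""
    num = sum(min(a, b) for a, b in zip(wx, wy))
    den = sum(max(a, b) for a, b in zip(wx, wy))
    return num / den if den > 0 else 0.0


def correlation_points(x, y, s, delta_cp, max_offset):
    """Phase one.  For every window start j of X, find the offset k
    (0 <= k <= max_offset) maximising Phi(W_{j,s}(X), W_{j+k,s}(Y)); (j, j+k)
    is a correlation point if that maximum reaches delta_cp."""
    points = []
    for j in range(len(x) - s + 1):
        best_k, best_phi = None, -1.0
        for k in range(max_offset + 1):
            if j + k + s > len(y):
                break
            phi = min_max_sum_ratio(x[j:j + s], y[j + k:j + k + s])
            if phi > best_phi:
                best_k, best_phi = k, phi
        if best_k is not None and best_phi >= delta_cp:
            points.append((j, j + best_k))
    return points


def cvf(points):
    """Phase two.  CVF(C_x, C_y): the correlation coefficient between the
    vectors of X window starts and Y window starts of the correlation points."""
    if len(points) < 2:
        return 0.0
    cx = [p[0] for p in points]
    cy = [p[1] for p in points]
    ex, ey = sum(cx) / len(cx), sum(cy) / len(cy)
    num = sum((a - ex) * (b - ey) for a, b in zip(cx, cy))
    den = math.sqrt(sum((a - ex) ** 2 for a in cx) * sum((b - ey) ** 2 for b in cy))
    return num / den if den > 0 else 0.0


def ipd_correlated(tx, ty, s, delta_cp, delta, max_offset=3):
    """Full decision: (correlated?, CVF value, correlation points)."""
    pts = correlation_points(ipd_vector(tx), ipd_vector(ty), s, delta_cp, max_offset)
    value = cvf(pts)
    return value >= delta, value, pts


# Constructed sample data (seconds).  TY is TX relayed through a stepping stone
# with a 120 ms forwarding delay, up to 10 ms of jitter, and two extra packets
# (chaff) at the start; TZ is an unrelated connection.
TX = [0.00, 0.10, 0.35, 0.47, 1.27, 1.42, 1.72, 1.94, 2.89, 3.07, 3.19]
TY = [0.00, 0.05, 0.12, 0.23, 0.47, 0.60, 1.39, 1.55, 1.84, 2.07, 3.02, 3.19, 3.32]
TZ = [0.00, 0.50, 0.55, 0.95, 1.01, 1.46, 1.53, 2.08, 2.12, 2.62, 2.68, 3.16, 3.21]

if __name__ == "__main__":
    print("TX vs TY:", ipd_correlated(TX, TY, s=4, delta_cp=0.8, delta=0.9))
    print("TX vs TZ:", ipd_correlated(TX, TZ, s=4, delta_cp=0.8, delta=0.9))
```

For the relayed pair every window of TX matches the TY window two positions later (the two chaff packets), so the correlation points lie on a straight line and the CVF is 1.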


• DM. He et al. [10] proposed a timing-based detection algorithm, “DETECT-MATCH” (DM), to detect stepping stones. They applied the causality constraint and the maximum tolerable delay constraint proposed by Donoho et al. [5] to the timing characteristic, which means a packet delay on correlated connections must be in the range $[0, \Delta)$, where $\Delta$ is the maximum tolerable delay. They map the packet arrivals on the compared connections using the causality constraint and the maximum tolerable delay constraint. For two connections, A and B, if the delay between a packet arrival on A and a packet arrival on B is in the range $[0, \Delta)$, and the same holds for all the following packet arrivals on A and all the following packet arrivals on B, then the two compared connections are considered correlated connections. However, there are packet drops [44] during the packet relay of stepping stones in real applications, which can break the maximum tolerable delay constraint. So whether it can be applied in practice is doubtful.

• S-I, S-II, S-III and S-IV. Zhang et al. [9] provide four timing methods with the intention of detecting stepping stones effectively even under jitter and chaff perturbations. Similar to DM [10], they are also based on the causality constraint and the bounded delay constraint. S-I is the same as DM. In S-III, if every packet arrival in one connection has a non-repeated mapping in the other connection's packet arrivals with a delay in the range $[0, \Delta)$, then the two compared connections are considered correlated connections.


Differing from S-I and S-III, S-II and S-IV first perform a packet filtering function, and then apply any other stepping stone detection method. For every packet arrival $u_i$ on connection A, S-II selects the first packet arrival on the other connection B after $u_i$ as the mapping packet arrival. If the mapping packet arrival cannot be found, then A and B are normal connections; otherwise other stepping stone detection methods are used for detection between the original packet arrivals on A and the mapping packet arrivals on B. S-IV differs from S-II in that it selects the packet arrival on connection B which has a delay in the range $[0, \Delta)$ as the mapping packet arrival. However, the schemes of Zhang et al. can detect stepping stone traffic only if chaff is inserted in the departing stream alone. If chaff is inserted in the incoming stream, one chaff packet is enough to evade their schemes. This is similar to DM, which also has the assumption of “no packet drop”.

• Sketching. The sketching method proposed by Coskun et al. [35] identifies correlated connections by similar packet-timing sketches. A packet-timing sketch is a short, constant-length integer array which summarizes the connection's packet-timing information. It is calculated in the three steps below. First, it computes the packet-count vector $V_F$ of connection $F$. Let $L_{TS}$ denote the length of the time slots forming the time axis. Then time slot $t$ is defined as the $t$-th time interval after an epoch ($T_{epoch}$), that is $[T_{epoch} + (t-1) L_{TS},\ T_{epoch} + t L_{TS}]$. Based on these time slots, it is able to obtain $V_F(t)$, which is the number of packets that flow $F$ transmits during time slot $t$. Secondly, it applies a random linear transformation to obtain the integer-array sketch by projecting the packet-count vector $V_F$ onto the $k$ random basis vectors $B_i$, $i = 1, 2, \ldots, k$, as follows:

$$C_F(i) = \sum_{t=-\infty}^{\infty} B_i(t)\, V_F(t) \quad \text{and} \quad \Pr(B_i(t) = 1) = \Pr(B_i(t) = -1) = \frac{1}{2}$$

Thirdly, it binarizes the integer-array sketch by

$$S_F(i) = \begin{cases} 1 & C_F(i) > 0 \\ 0 & C_F(i) \le 0 \end{cases}$$

After finding the binary sketches of the compared connections, it calculates the Hamming distance between the binary sketches. If the Hamming distance is smaller than a specified threshold, the compared connections are considered correlated connections. Coskun et al. also presented a method to efficiently search for correlated connections. They claimed that the computation time is $O(n + \sqrt{nm})$, where $m$ is the number of ingress connections and $n$ the number of egress connections. However, they failed to mention the computing cost of obtaining the binary sketches. In addition, when the array of binary sketches is larger than the number of slots, it will not be more efficient than direct comparison.
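The three sketching steps described above, as an added Python example that is not code from Coskun and Memon or from this thesis. The flow timestamps are constructed; a small fixed ±1 basis is included so the sketches can be checked by hand, alongside a seeded random basis of the kind the method actually uses.

```python
"""Packet-timing sketches in the style of Coskun and Memon, as summarised
above: packet-count vector per time slot, projection onto random +/-1 basis
vectors, binarisation, Hamming distance.  Added example, not code from their
paper or from this thesis.  Timestamps and the sample basis are constructed."""
import random


def packet_count_vector(timestamps, t_epoch, l_ts, n_slots):
    """V_F(t) for t = 1..n_slots (stored 0-based): packets of the flow in
    time slot t, taken as the half-open interval
    [T_epoch + (t-1)*L_TS, T_epoch + t*L_TS)."""
    counts = [0] * n_slots
    for ts in timestamps:
        slot = int((ts - t_epoch) // l_ts)
        if 0 <= slot < n_slots:
            counts[slot] += 1
    return counts


def random_basis(k, n_slots, seed):
    """k basis vectors B_i with Pr(B_i(t) = 1) = Pr(B_i(t) = -1) = 1/2.
    The seed makes the basis reproducible; every monitor comparing sketches
    must of course use the same basis."""
    rng = random.Random(seed)
    return [[rng.choice((1, -1)) for _ in range(n_slots)] for _ in range(k)]


def sketch(counts, basis):
    """C_F(i) = sum_t B_i(t) V_F(t), then S_F(i) = 1 if C_F(i) > 0 else 0."""
    projections = [sum(b * v for b, v in zip(row, counts)) for row in basis]
    return [1 if c > 0 else 0 for c in projections]


def hamming(sa, sb):
    """Hamming distance between two binary sketches of equal length."""
    return sum(1 for a, b in zip(sa, sb) if a != b)


def sketches_correlated(sa, sb, threshold):
    """Correlated if the Hamming distance is smaller than the threshold."""
    return hamming(sa, sb) < threshold


# Constructed sample data: packet timestamps (seconds) of three flows observed
# in a 6 s window starting at epoch 0 with 1 s time slots.
FLOW_A = [0.1, 0.2, 1.5, 1.6, 1.7, 3.2, 5.9]
FLOW_B = [t + 0.05 for t in FLOW_A]            # FLOW_A relayed 50 ms later
FLOW_C = [0.5, 2.1, 2.2, 2.3, 2.4, 4.4, 4.5]   # unrelated flow

# A small constructed basis (k = 4 vectors over 6 slots) so the sketches can
# be checked by hand; random_basis() produces the random equivalent.
SAMPLE_BASIS = [
    [1, 1, 1, 1, 1, 1],
    [1, -1, 1, -1, 1, -1],
    [-1, -1, 1, 1, -1, 1],
    [1, -1, -1, 1, 1, -1],
]

if __name__ == "__main__":
    vecs = {n: packet_count_vector(f, 0.0, 1.0, 6)
            for n, f in (("A", FLOW_A), ("B", FLOW_B), ("C", FLOW_C))}
    sk = {n: sketch(v, SAMPLE_BASIS) for n, v in vecs.items()}
    print("count vectors:", vecs)
    print("sketches:", sk)
    print("d(A,B) =", hamming(sk["A"], sk["B"]), " d(A,C) =", hamming(sk["A"], sk["C"]))
    # With a random basis of 64 vectors the relayed pair still has distance 0,
    # because a delay smaller than the slot length leaves V_F unchanged.
    big = random_basis(64, 6, seed=7)
    print("random basis d(A,B) =", hamming(sketch(vecs["A"], big), sketch(vecs["B"], big)))
```

Note that the relayed flow only keeps an identical count vector because its forwarding delay is smaller than the slot length; a delay that crosses slot boundaries shifts counts between slots and raises the distance, which is why the choice of $L_{TS}$ matters.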



2.3.4 RTT Correlation

Since the packets sent are always echoed back on interactive connections, the Round-Trip Time (RTT) between a send packet and the corresponding echo packet, which provides information on how many hops downstream the final victim is located, is also used to detect stepping stones.

• Send-Ack/Send-Echo. Yung [12] was the first to propose a method of detecting stepping stones by RTT. The basic idea is to estimate the length of a downstream connection chain by computing the ratio between the Send-Ack delay and the Send-Echo delay. The Send-Ack delay is the time taken by a send packet to travel to the next host (i.e. the stepping stone) and be acknowledged. The Send-Echo delay is the time taken by a send packet to reach the server side (in a stepping stone chain, the server is the victim) and be echoed back. In a direct connection, the Send-Ack and Send-Echo delays are expected to be similar. In an indirect connection (connection chain), however, the Send-Echo time is expected to be larger than the Send-Ack time. This method can detect connections which have more than two hops downstream; however, it cannot identify correlated connections.

• RTT-Thumbprint. Yang et al. [48] proposed a method to detect stepping stones by RTT-thumbprint, which is a sequence of timestamp pairs between each send packet and its corresponding echo packet. Two different algorithms are presented, one exhaustive


and the other heuristic, with the heuristic algorithm actually performing as well as the exhaustive algorithm, but more efficiently. However, this method is based on the assumption that the inter-packet delays are larger than the RTT, so that there is a one-to-one mapping between send packets and echo packets. In practice, many events can throw this process off, including dropped and retransmitted packets.

• Step-Function. Yang et al. [16] proposed a method of detecting stepping stones using the feature that the RTT changes little for normal connections but increases proportionally with the number of stepping stones in the chain. The steps in the RTT changes reflect the number of hosts in the connection chain, and if the number of steps for a connection is more than a specified number, the connection may be considered a stepping stone connection. Similar to the “Send-Ack/Send-Echo” method, it can identify stepping stone connections; however, it cannot identify correlated connections. In addition, it has to keep monitoring the traffic on the connections.

2.3.5 Others

• Anomaly. Kampasi et al. [49] provide three algorithms to detect stepping stone connections with either jitter, chaff or both. The algorithms can be used together with other timing-based stepping stone detection methods to improve stepping stone detection when

28

Chapter 2 Background either jitter, chaff or both are introduced into a packet stream. The main premise of the design is that if an attacker adds jitter or chaff, then the traffic will appear anomalous, and that will be when the three specialized algorithms take effect. However, the three algorithms are unable to identify correlated connections.

2.4 Summary

Stepping stones are one of the effective strategies adopted by network perpetrators to maintain the anonymity of an attack. Attackers may further attempt to evade detection by actively modifying connections so that they appear uncorrelated. Because passive, network-based detection is easy to deploy and hard for an attacker to control, many such stepping stone detection systems have been proposed, either to identify correlated connections or just to identify stepping stones.

Chapter 3 Getting the Real-Time Round-Trip Time for Stepping Stone Detection

3.1 Introduction

Depending on the characteristics of the system analysed, stepping stone detection systems can be classified mainly as timing correlation [2, 3, 4, 9, 10, 35], count correlation [8, 21] and RTT correlation [12, 16]. Whichever stepping stone detection approach is used, RTTs are involved either directly or indirectly. In the ON/OFF approach [2], Zhang and Paxson suggested that the selection of the control parameter $\delta$ should be based on the RTT of a connection. Donoho et al. [5] argued that there should be a maximum tolerable delay by which a packet can be delayed at a stepping stone. Based on this argument, some packet-count based approaches [8, 21] and timing based approaches [9, 10] have been proposed. The maximum tolerable delay in all of these approaches is an assumed input parameter, but none of them indicates what its value should be. In fact, the RTT is just the representation of the maximum tolerable delay. Unlike the other types of approaches, RTT based approaches use the RTT directly. Since the RTT is computed from both send and echo packets, one of the benefits of RTT based approaches is that they can filter asymmetric Internet packets and chaff packets, and can be more resistant to network imperfections and intruder evasion than any other type of approach. "Send-Ack/Send-Echo" [12] was the first approach proposed to detect stepping stones by RTT. The basic idea is to estimate the length of a downstream connection chain by computing the ratio between the packet Send-Ack delay and the Send-Echo delay (i.e. the RTT). In this approach, if the length of a downstream connection chain is more than a specified number, the connection may be considered a stepping stone connection. However, Yung's method only gives good results when network traffic is relatively uniform. The "Step-Function" approach [16] was then proposed, using the feature that the RTT changes little for normal connections but increases proportionally with the number of stepping stones in the chain. The steps of the RTT changes reflect the number of hosts in the connection chain. If the number of RTT steps for an interactive connection is more than a specified number, the connection may be considered a stepping stone connection. This approach can detect stepping stones correctly if the RTTs can be obtained precisely. However, it is not easy to obtain the RTT with high precision, as echo packets have no obvious characteristic that identifies their correlated send packets. The "Send-Ack/Send-Echo" approach [12] used a statistical method to match TCP send and echo packets. This can result in a correct match only when the echo packet is received before the next send packet is sent. In addition, it cannot be used in real-time. In the "Step-Function" approach, Yang and Huang [16] proposed the Conservative and Greedy algorithms to obtain the RTT. But these two algorithms are based on the assumption that every send packet exactly matches one echo packet. Yang [51] proposed a standard deviation-based clustering approach (SDBA) which calculates the time delay between all send packets and echo packets, and finds the cluster with the smallest standard deviation. Although it can achieve high accuracy, it is inefficient and cannot be used in real-time. To block or trace attacks, a stepping stone detection approach should be able to identify stepping stone connections as soon as possible. Therefore, obtaining accurate RTTs in real-time remains a challenge.

In this chapter, we propose an Estimation-Based Algorithm (EBA) to discover the RTT in real-time. As an RTT getting approach, the EBA algorithm can be used at all times by RTT based stepping stone detection approaches, such as "Step-Function" [16]. It can also be used sparingly to find the values of parameters for other, non-RTT based stepping stone detection approaches. Our experiments show that our algorithm is far more accurate than other real-time RTT getting algorithms. We also present a theoretical analysis from a probability point of view, which shows that our algorithm has a high matching rate and also a high accuracy rate, similar to the complicated non-real-time SDBA [51] approach. The rest of the chapter is organized as follows. In Section 3.2 we introduce the motivation of our algorithm. The details of our Estimation-Based RTT algorithm are presented in Section 3.3. Section 3.4 gives the probability analysis. Some experimental application results are given in Section 3.5. Finally, we summarize this chapter in Section 3.6.

3.2 Motivation RTT estimation is one of the key characteristics of the current TCP mechanism. In order to find a suitable value for the retransmission time-out, all TCP implementations attempt to estimate the current RTT of every active connection by observing the pattern of delay for recent segments. Our estimation-based RTT algorithm is motivated by this observation.

However, the RTT for stepping stone detection is different from the RTT for TCP. We here formally give definitions of RTT and related terms.

Send packet: A packet sent on an interactive connection from the attacker (client) to the target (server), having both the 'Push (P)' and 'Acknowledgement (A)' flags or only the 'P' flag [61].

Echo packet: A packet sent on an interactive connection from the target (server) to the attacker (client), having both the 'Push (P)' and 'Acknowledgement (A)' flags or only the 'P' flag.

Ack packet: A packet having the 'A' flag only.

RTT for TCP: The time delay between a send packet and the corresponding ack packet or echo packet on an interactive connection is called the Round-Trip Time (RTT) for TCP on this interactive connection. Here, the corresponding ack packet or echo packet can be identified by the sequence number.

RTT for stepping stone: The time delay between a send packet and the corresponding echo packet on an interactive connection is called the Round-Trip Time (RTT) for a stepping stone on this interactive connection. Because the data sent is normally echoed back on interactive connections, we call the echo packet triggered by a send packet the corresponding echo packet for that send packet. Unless otherwise specified, every RTT in this thesis is the RTT for the stepping stone.

Connection number: We call the number of relay hosts from the specified connection to the target machine the connection number of its downstream connection.

Figure 3.1. Stepping stone chain between Attacker and Target. [Figure: Attacker -> Stepping stone 1 -> ... -> Stepping stone i-1 -> Stepping stone i -> Target; on connection i the Send packet, its Ack (RTT for TCP) and its Echo (RTT for stepping stone) are marked.]

See Figure 3.1 for an illustration of the above definitions. From this illustration, we see that an attacker establishes a connection chain to the targeted machine through a series of stepping stones. Commands typed by the attacker are relayed to the target by the series of stepping stones, executed on the target and then echoed back to the attacker through the same series of stepping stones. The RTT for stepping stone on connection i is the time delay between the send command (packet) and the corresponding echoed-back command (packet) on connection i.

Normally, to obtain the RTT for a stepping stone, we must first find the corresponding echo packets for the send packets. However, it is not as easy to find the corresponding echo packet as it is to find the ack packet, which can be identified by its sequence number in the TCP header. The reasons for this are explained below.

The information we get from the packet content is just TCP header information such as packet length, sequence number, etc. Since intruders normally select encrypted connections, such as SSH instead of plain telnet connections, we are unable to see the data content of the packet. Nor can we benefit from the header information. For encrypted connections, even the packet length fails to represent the real TCP data length. TCP's sequence number and acknowledgement number are used by the Conservative algorithm [16] to match packets. But the sequence number and acknowledgement number are only meaningful for one neighbouring TCP connection and are not that helpful for matching packets across a TCP connection chain, which leads to only a few send packets being matched by the Conservative algorithm.

The packet mapping information has no order, since packets transmitted on the Internet are complex and one send packet may correspond to several echo packets. For example, when a command is executed at the target host, the result may be sent back in several packets. Also, one send packet may have no corresponding echo packet. For example, the password is not echoed back by the target host. In addition, due to packet retransmission and cumulative acknowledgement, several send packets may correspond to one echo packet. Therefore, we cannot assume that each send packet is answered by exactly one echo packet (i.e. a one-to-one mapping), which is the strategy used by the Greedy algorithm [16]. The Greedy algorithm has a low accuracy rate because most probably the packets do not follow a one-to-one mapping.

The time interval between two consecutive send packets is not always large enough. We can assume that some time intervals are bigger than the RTT. However, we cannot assume that on every occasion an interval is larger than the RTT, because users (including intruders), when connected to a host, may need to pause in order to read, think, or respond to the previous operation. However, they do not need to pause for every operation. So normally there are overlaps of RTT, i.e. the next send packet may be sent before the corresponding echo packet of the previous one has been received. One deficiency of Yung's proposal [12] is that it cannot deal with this case of RTT overlap.

Our Estimation-Based Algorithm differs from the above methods in that it calculates an RTT estimation (ERTT) value first, instead of finding the corresponding echo packet directly. If the ERTT is accurate enough, and the send packet has a corresponding echo packet, the corresponding echo packet should arrive about ERTT later than the send packet. This makes it easy for our algorithm to find the corresponding echo packet, and we do not even need to consider whether the mapping is one-to-one or whether there is RTT overlap.

3.3 Estimation-Based Algorithm (EBA)

Before presenting the algorithm, we first give some definitions related to it.

RTT sequence: An RTT sequence $\{\mathrm{RTT}_1, \mathrm{RTT}_2, \ldots, \mathrm{RTT}_i\}$ is a series of real RTTs in chronological order, each calculated as the time delay between the arrival epoch of a send packet and the arrival of its corresponding echo packet on an interactive connection.

ERTT: The estimated value of the RTT.

ERTT sequence: An ERTT sequence $\{\mathrm{ERTT}_1, \mathrm{ERTT}_2, \ldots, \mathrm{ERTT}_i\}$ is a series of ERTTs in chronological order calculated by the EBA algorithm.

ΔRTT: The deviation of the RTT from the ERTT.

ΔRTT sequence: A ΔRTT sequence $\{\Delta\mathrm{RTT}_1, \Delta\mathrm{RTT}_2, \ldots, \Delta\mathrm{RTT}_i\}$ is a series of ΔRTTs in chronological order, where

$\Delta\mathrm{RTT}_i = \mathrm{RTT}_i - \mathrm{ERTT}_i$

FR (fluctuate range): The maximum value by which $\mathrm{RTT}_i$ may deviate from $\mathrm{ERTT}_i$.

Our algorithm is composed of two modules: the estimating module and the matching module. Next we present the detailed description of each module and include some improvements.

3.3.1 The Estimating Module

The Estimating Module is responsible for calculating the ERTT. We use the first-order linear recursive filter to estimate the RTT, which is also used in current TCP RTT estimation mechanisms. For the RTT sequence $\{\mathrm{RTT}_1, \mathrm{RTT}_2, \ldots, \mathrm{RTT}_i\}$ and the ERTT sequence $\{\mathrm{ERTT}_1, \mathrm{ERTT}_2, \ldots, \mathrm{ERTT}_i\}$ on an interactive connection, the ERTT can be calculated from the last ERTT and RTT, as shown in equations (1) and (2):

$\mathrm{ERTT}_i = a \cdot \mathrm{ERTT}_{i-1} + (1 - a) \cdot \mathrm{RTT}_{i-1}$  (1)

$\mathrm{ERTT}_1 = \mathrm{RTT}_1$  (2)

In (1), a is the weighting factor, used to adjust how quickly the estimated value responds to the real value. The weighting factor in the TCP RTT estimation mechanism of current TCP/IP implementations is normally set to 0.875, which has been used for many years and is still seen as reasonable over the Internet [56]. We also tested parameter a with different values in our algorithm, and we found that we can obtain the smallest standard deviation for ΔRTT when a equals 0.875. The smaller the ΔRTT, the more precise the estimation. Therefore, we set parameter a to 0.875 in our applications.

Figure 3.2. RTT distribution. [Figure: y-axis Probability, 0 to 0.25; x-axis RTT(microsecond), 130 to 200.]

To calculate the ERTT, the key is how to obtain the first real RTT (i.e. $\mathrm{RTT}_1$). From the previous analysis in this section, we know it is inevitable that there are some time intervals between two consecutive send packets which are considerably larger than the RTT of the network during an interactive terminal session. This means it is reasonable to begin or resume our estimation from these large time intervals. If two consecutive send packets have a timestamp difference of more than TI (a predefined time interval threshold), we assume the existence of a large gap and then obtain $\mathrm{RTT}_1$.

Normally, we can consider that the first echo packet is matched with the first send packet after the large interval. So we calculate $\mathrm{RTT}_1$ as the time delay between the first echo packet and the first send packet.

Figure 3.3. ΔRTT distribution. [Figure: y-axis Probability, 0 to 0.25; x-axis ΔRTT(microsecond), -30 to 40.]

To evaluate the accuracy of our estimating algorithm, we built a connection chain with three connections. We then input simple characters with big intervals so that the send packets and echo packets are in one-to-one mapping and there is no overlap of RTT, and we easily get the real RTTs by one-to-one matching. Figure 3.2 shows the RTT distribution using the real RTTs we obtained, where the Y-axis stands for the probability that each RTT occurred, and the X-axis stands for the RTT value in microseconds. From Figure 3.2, we found that the RTT distribution is more or less a Poisson distribution with a relatively narrow range.

Table 3.1. Standard deviation comparisons for RTT and ΔRTT distribution

Example | Standard deviation for RTT (ms) | Standard deviation for ΔRTT (ms)
1 | 1.735 | 1.771
2 | 2.841 | 2.827
3 | 3.663 | 3.722
4 | 5.312 | 5.538
5 | 6.469 | 6.651
6 | 9.016 | 9.043

At the same time, we calculated the ERTT by equations (1) and (2) with the real RTT data we obtained. We then compared the ERTT with the real RTT and obtained the ΔRTT distribution shown in Figure 3.3, which is near a normal distribution, and discovered that more than 97% of the |ΔRTT| values are smaller than 17 ms. We also found that the standard deviation of the ΔRTT distribution is nearly the same as the standard deviation of the RTT distribution. The standard deviation in Figure 3.2 is 9.31 ms and the standard deviation in Figure 3.3 is 9.38 ms. Table 3.1 shows other standard deviation examples we obtained in our tests.

3.3.2 The Matching Module

Since most $\mathrm{RTT}_i$ fluctuate around $\mathrm{ERTT}_i$ within a relatively narrow range, we consider a time delay to be $\mathrm{RTT}_i$ if the time delay between an echo packet and the send packet is in the range between $\mathrm{ERTT}_i - \mathrm{FR}$ and $\mathrm{ERTT}_i + \mathrm{FR}$. This is the basic idea of the matching process. We found that the ΔRTT distribution is near a normal distribution, so the maximum ΔRTT (i.e. FR) is infinite in theory. But our goal is to obtain the real RTTs which are used to detect stepping stones with the "Step-Function" stepping stone detection approach [16]. The few real RTTs that are too small or too big, and of no benefit to us, are filtered out by selecting an appropriate FR. When the value of FR becomes bigger, more packets will fall in the range between $\mathrm{ERTT}_i - \mathrm{FR}$ and $\mathrm{ERTT}_i + \mathrm{FR}$, and the probability of finding matched packets will be higher, but the probability of an incorrect match will also be higher. So the value of FR is critical for our algorithm. We discuss the value of FR further in Section 3.4.

In our algorithm, we have a queue called SendQ, which stores the send packets in time order. When the time interval between two consecutive send packets is bigger than TI, we reset SendQ. If we find the corresponding echo packet for a send packet, or if we are sure there is no corresponding echo packet for that send packet, we delete that send packet from SendQ. From the estimating module we obtain the ERTT. Now, when we capture an echo packet, we take the first send packet from SendQ and calculate the time delay $T_{delay}$ between the echo packet and the send packet. If $T_{delay}$ is smaller than $\mathrm{ERTT}_i - \mathrm{FR}$, we consider that there is no send packet to match this echo packet; if $T_{delay}$ is in the range between $\mathrm{ERTT}_i - \mathrm{FR}$ and $\mathrm{ERTT}_i + \mathrm{FR}$, we consider that they match each other, and $\mathrm{RTT}_i$ is $T_{delay}$; if $T_{delay}$ is larger than $\mathrm{ERTT}_i + \mathrm{FR}$, we consider that there is no echo packet to match this send packet, and we take the next send packet from SendQ and repeat the above process. Figure 3.4 describes the matching process.

Figure 3.4. Matching module processing. [Flowchart: capture the next packet P. If P is a send packet, compute the time interval since the last send; if it exceeds the threshold TI, reset SendQ; then put P in SendQ. If P is an echo packet, get the first packet Ps from SendQ and compute $T_{delay}$ using the ERTT from the estimating module: if $T_{delay} > \mathrm{ERTT}_i + \mathrm{FR}$, remove Ps and take the next packet from SendQ; if $T_{delay} < \mathrm{ERTT}_i - \mathrm{FR}$, there is no match; otherwise $\mathrm{RTT}_i = T_{delay}$, and $\mathrm{RTT}_i$ is passed back to the estimating module.]

Through this matching process, we obtain the RTTs and store every RTT. At the same time, we feed each RTT into the estimating process and find the new ERTT for continued processing. The stored RTTs can be used by RTT based stepping stone detection approaches to judge whether the monitored host is a stepping stone, or to calculate the parameters of non-RTT based stepping stone detection approaches.
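As an added illustration (not the thesis author's implementation), the following Python sketch runs the estimating module of Section 3.3.1 and the matching module of Section 3.3.2 over a constructed packet trace; a = 0.875 and FR = 30 ms follow the text, while the threshold TI = 1 s and the trace itself are assumptions.

```python
"""Estimation-Based Algorithm (EBA) for stepping-stone RTTs, Sections 3.3.1-3.3.2.

Added illustration, not the thesis author's code.  Timestamps are seconds at
the monitoring point; direction is "send" (client->server) or "echo"
(server->client), already classified by TCP flags as in Section 3.2.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple

A = 0.875    # weighting factor a of equation (1), as chosen in Section 3.3.1
FR = 0.030   # fluctuate range FR = 30 ms, as used in Section 3.4.1
TI = 1.0     # send-interval threshold (seconds); assumed value, not from the thesis


class EBA:
    def __init__(self) -> None:
        self.ertt: Optional[float] = None      # current ERTT_i, None before RTT_1
        self.last_send: Optional[float] = None
        self.send_q: Deque[float] = deque()    # SendQ: pending send timestamps
        self.restart = True                    # next echo is taken as RTT_1
        self.rtts: List[float] = []            # the RTT sequence produced

    def _estimate(self, rtt: float) -> None:
        """Estimating module: equation (2) on (re)start, equation (1) afterwards."""
        if self.restart or self.ertt is None:
            self.ertt = rtt                    # ERTT_1 = RTT_1
            self.restart = False
        else:
            # ERTT_i = a*ERTT_{i-1} + (1-a)*RTT_{i-1}
            self.ertt = A * self.ertt + (1 - A) * rtt

    def on_send(self, ts: float) -> None:
        """Queue a send packet; a gap larger than TI resets SendQ and the estimate."""
        if self.last_send is not None and ts - self.last_send > TI:
            self.send_q.clear()
            self.restart = True
        self.last_send = ts
        self.send_q.append(ts)

    def on_echo(self, ts: float) -> Optional[float]:
        """Matching module (Figure 3.4); returns RTT_i when the echo is matched."""
        if self.restart:
            # First echo after a large gap pairs with the first queued send (RTT_1).
            if not self.send_q:
                return None
            rtt = ts - self.send_q.popleft()
            self._estimate(rtt)
            self.rtts.append(rtt)
            return rtt
        while self.send_q:
            tdelay = ts - self.send_q[0]
            if tdelay > self.ertt + FR:
                self.send_q.popleft()          # this send has no echo; try the next
                continue
            if tdelay < self.ertt - FR:
                return None                    # echo too early: no send matches it
            self.send_q.popleft()              # matched: RTT_i = Tdelay
            self.rtts.append(tdelay)
            self._estimate(tdelay)
            return tdelay
        return None                            # SendQ empty: unsolicited echo


def run_eba(trace: List[Tuple[float, str]]) -> List[float]:
    """Feed a chronological (timestamp, direction) trace and return the RTT sequence."""
    eba = EBA()
    for ts, direction in trace:
        if direction == "send":
            eba.on_send(ts)
        elif direction == "echo":
            eba.on_echo(ts)
    return eba.rtts


# Constructed trace for a chain whose true RTT is about 170 ms, covering the
# cases of Section 3.2: RTT overlap, a send with no echo (e.g. a password), a
# stray early echo, and a large typing gap that restarts the estimate.
SAMPLE_TRACE = [
    (0.000, "send"), (0.170, "echo"),
    (0.500, "send"), (0.675, "echo"),
    (1.000, "send"), (1.050, "send"), (1.172, "echo"), (1.218, "echo"),  # overlap
    (1.600, "send"), (1.700, "send"), (1.871, "echo"),   # send at 1.600 never echoed
    (2.500, "send"), (2.550, "echo"), (2.669, "echo"),   # early stray echo, then real one
    (10.000, "send"), (10.171, "echo"),                  # gap > TI: estimation resumes
]

if __name__ == "__main__":
    for i, rtt in enumerate(run_eba(SAMPLE_TRACE), 1):
        print(f"RTT_{i} = {rtt * 1000:.1f} ms")
```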

3.4 Evaluation

3.4.1 Matching Rate

The matching rate is defined as the ratio between the number of matched packet pairs and the number of send packets having corresponding echo packets. According to our algorithm, only an RTT whose difference from the ERTT is smaller than FR can be matched. So FR is critical to our algorithm. The bigger the FR, the higher the matching rate will be, but the probability of an incorrect match will be higher as well. In addition, our main goal is to obtain the real RTTs which are used to detect stepping stones. The few real RTTs that are too small or too big are of no benefit to us; therefore our algorithm also functions as a filter.

Assume echo packet $P_{ei}$ is the corresponding echo packet to send packet $P_{si}$, and the timestamps of $P_{ei}$ and $P_{si}$ are $t_{ei}$ and $t_{si}$, respectively. If $P_{ei}$ is selected to match $P_{si}$, the time delay between them is $\mathrm{RTT}_i$. We further assume that $\mathrm{ERTT}_i$ is already known. Then we get:

$t_{si} + \mathrm{ERTT}_i - \mathrm{FR} \le t_{ei} \le t_{si} + \mathrm{ERTT}_i + \mathrm{FR}$

$\mathrm{ERTT}_i - \mathrm{FR} \le t_{ei} - t_{si} \le \mathrm{ERTT}_i + \mathrm{FR}$

$\mathrm{ERTT}_i - \mathrm{FR} \le \mathrm{RTT}_i \le \mathrm{ERTT}_i + \mathrm{FR}$

$|\mathrm{RTT}_i - \mathrm{ERTT}_i| \le \mathrm{FR}$

We assume that ΔRTT has standard deviation $\delta$, and let $u = \mathrm{FR} / \delta$. We evaluate the matching rate, which is the probability that $P_{si}$ has a corresponding packet found, i.e. the probability that $P_{ei}$ is selected to match $P_{si}$, by using the Chebyshev inequality [88]:

$\text{Matching rate} = P(P_{si} \text{ has a corresponding packet found}) = P(|\mathrm{RTT}_i - \mathrm{ERTT}_i| \le \mathrm{FR}) > 1 - \dfrac{1}{u^2}$

The matching rate is related to the value of u, which is the ratio between FR and the standard deviation of ΔRTT. In our experiments, FR was set to 30 ms, which worked well. Using the standard deviation examples for ΔRTT obtained previously, we calculated u and the matching rate as shown in Table 3.2. The matching rates for all the standard deviation examples are higher than 90%, which is high enough to detect stepping stones.

Table 3.2. Matching rate examples for EBA

Example | Standard deviation for ΔRTT (ms) | u | Matching Rate (%)
1 | 1.771 | 16.940 | 99.651
2 | 2.827 | 10.612 | 99.112
3 | 3.722 | 8.060 | 98.461
4 | 5.538 | 5.417 | 96.592
5 | 6.651 | 4.510 | 95.086
6 | 9.043 | 3.317 | 90.802

3.4.2 Accurate Rate

We first estimate the probability of making an incorrect choice of echo packet $P_{ei}$ for send packet $P_{si}$. There are two reasons that $P_{ei}$ may be incorrectly selected to match $P_{si}$:

(a) $P_{ei}$ should be the corresponding packet for a previous send packet, but was not selected to match it because the real $\mathrm{RTT}_{i-1}$ is more than ERTT + FR. In this case, most probably $P_{ei}$ is the corresponding packet for the last send packet $P_{s(i-1)}$. We assume the timestamps of $P_{s(i-1)}$, $P_{si}$ and $P_{ei}$ are $t_{s(i-1)}$, $t_{si}$ and $t_{ei}$ respectively, and the time delay between $t_{ei}$ and $t_{s(i-1)}$ is $\mathrm{RTT}_{i-1}$. So we get

$t_{ei} > t_{si} + \mathrm{ERTT}_i - \mathrm{FR} > t_{s(i-1)} + \mathrm{ERTT}_{i-1} + \mathrm{FR}$

$t_{s(i-1)} + \mathrm{RTT}_{i-1} > t_{si} + \mathrm{ERTT}_i - \mathrm{FR} > t_{s(i-1)} + \mathrm{ERTT}_{i-1} + \mathrm{FR}$

$\mathrm{RTT}_{i-1} - \mathrm{ERTT}_i > t_{si} - t_{s(i-1)} - \mathrm{FR} > \mathrm{ERTT}_{i-1} - \mathrm{ERTT}_i + \mathrm{FR}$

Since $P_{ei}$ is not selected to match $P_{s(i-1)}$, the ERTT is not recalculated, so $\mathrm{ERTT}_i$ is equal to $\mathrm{ERTT}_{i-1}$. Then

$\mathrm{RTT}_{i-1} - \mathrm{ERTT}_{i-1} > t_{si} - t_{s(i-1)} - \mathrm{FR} > \mathrm{FR}$

In addition, we let $L_{i-1}$ be the time interval between these two consecutive send packets, i.e. $t_{si} - t_{s(i-1)} = L_{i-1}$, and $L$ be the smallest time interval between two consecutive send packets. Then

$\mathrm{RTT}_{i-1} - \mathrm{ERTT}_{i-1} > L_{i-1} - \mathrm{FR}$ and $L_{i-1} > 2\,\mathrm{FR}$

$\mathrm{RTT}_{i-1} - \mathrm{ERTT}_{i-1} > \dfrac{L_{i-1}}{2}$  (3)

(b) $P_{ei}$ should be the corresponding packet for $P_{s(i+1)}$, the next send packet after $P_{si}$, but it is matched with $P_{si}$ because the difference between the timestamps of $P_{si}$ and $P_{ei}$ is closer to $\mathrm{ERTT}_i$ than the difference between the timestamps of $P_{s(i+1)}$ and $P_{ei}$. We assume the timestamps of $P_{si}$, $P_{s(i+1)}$ and $P_{ei}$ are $t_{si}$, $t_{s(i+1)}$ and $t_{ei}$, and the time delay between $t_{ei}$ and $t_{s(i+1)}$ is $\mathrm{RTT}_i$. Then we get

$t_{ei} - t_{si} - \mathrm{ERTT}_i < \mathrm{ERTT}_{i+1} - (t_{ei} - t_{s(i+1)})$

$t_{ei} - t_{s(i+1)} + t_{s(i+1)} - t_{si} - \mathrm{ERTT}_i < \mathrm{ERTT}_{i+1} - (t_{ei} - t_{s(i+1)})$

$t_{ei} - t_{s(i+1)} - \mathrm{ERTT}_i < -\dfrac{t_{s(i+1)} - t_{si}}{2}$ (taking $\mathrm{ERTT}_{i+1} = \mathrm{ERTT}_i$, as in case (a))

$\mathrm{RTT}_i - \mathrm{ERTT}_i < -\dfrac{L_i}{2}$  (4)

So we have $|\mathrm{RTT}_i - \mathrm{ERTT}_i| > \dfrac{L_i}{2} > \dfrac{L}{2}$ from (3) and (4). We again assume that ΔRTT has standard deviation $\delta$, and let $v = \dfrac{L}{2\delta}$. The probability that $P_{ei}$ is incorrectly selected to match $P_{si}$, by the Chebyshev inequality, is then:

$P(\text{incorrect choice of } P_{ei} \text{ for } P_{si}) = P\left(|\mathrm{RTT}_i - \mathrm{ERTT}_i| > \dfrac{L}{2}\right) \le \dfrac{1}{v^2}$

Then the accuracy rate, i.e. the probability of making a correct selection of a packet for an RTT, can be estimated by the following inequality:

$\text{Accurate rate} = P(\text{correct choice of } P_{ei} \text{ for } P_{si}) > 1 - \dfrac{1}{v^2}$

Yang [51] claims that the accuracy rate of his SDBA algorithm is higher than $1 - \dfrac{1}{q^2}$, where $q = \dfrac{L}{2\sigma}$ and $\sigma$ is the standard deviation of RTT. We know that the standard deviation of ΔRTT is close to the standard deviation of RTT, i.e. $\sigma \approx \delta$, so $v \approx q$. Therefore, our algorithm has nearly the same accuracy rate as SDBA. Yang [51] claimed that the accuracy rate for his SDBA experiment examples was higher than 97%.
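The two Chebyshev bounds of Sections 3.4.1 and 3.4.2, as an added Python check that is not part of the thesis: it recomputes u and the matching-rate bound for the Table 3.2 inputs, and compares both bounds with the empirical rates of a simulated ΔRTT distribution (the normal model for ΔRTT, the value L = 200 ms and the sample size are assumptions).

```python
"""Chebyshev bounds of Section 3.4 versus a simulated ΔRTT distribution.

Added check, not from the thesis.  δ is the standard deviation of ΔRTT (ms),
FR the fluctuate range (ms) and L the smallest interval between two
consecutive send packets (ms); the ΔRTT ~ N(0, δ²) model is an assumption.
"""
import random
from typing import Tuple


def u_ratio(delta_ms: float, fr_ms: float = 30.0) -> float:
    """u = FR / δ (Section 3.4.1)."""
    return fr_ms / delta_ms


def matching_rate_bound(delta_ms: float, fr_ms: float = 30.0) -> float:
    """Lower bound 1 - 1/u^2 on P(|RTT_i - ERTT_i| <= FR), as a fraction."""
    u = u_ratio(delta_ms, fr_ms)
    return 1.0 - 1.0 / (u * u)


def accuracy_rate_bound(delta_ms: float, l_ms: float) -> float:
    """Lower bound 1 - 1/v^2 with v = L / (2δ) (Section 3.4.2), as a fraction."""
    v = l_ms / (2.0 * delta_ms)
    return 1.0 - 1.0 / (v * v)


def simulate_rates(delta_ms: float, fr_ms: float = 30.0, l_ms: float = 200.0,
                   n: int = 100_000, seed: int = 1) -> Tuple[float, float]:
    """Empirical P(|ΔRTT| <= FR) and P(|ΔRTT| <= L/2) for ΔRTT ~ N(0, δ²).

    The first is the event that the true echo lands inside the matching window;
    the second is the complement of the wrong-choice event |RTT_i - ERTT_i| > L/2.
    """
    rng = random.Random(seed)            # fixed seed: constructed, reproducible sample
    matched = correct = 0
    for _ in range(n):
        dev = abs(rng.gauss(0.0, delta_ms))
        matched += dev <= fr_ms
        correct += dev <= l_ms / 2.0
    return matched / n, correct / n


if __name__ == "__main__":
    # δ values of Table 3.2; the simulated rates show how loose Chebyshev is
    # for a near-normal ΔRTT, so the bound is a conservative floor.
    for delta in (1.771, 2.827, 3.722, 5.538, 6.651, 9.043):
        bound = matching_rate_bound(delta)
        emp_match, emp_correct = simulate_rates(delta)
        print(f"δ={delta:5.3f} ms  u={u_ratio(delta):6.3f}  "
              f"bound={100 * bound:6.3f}%  simulated={100 * emp_match:6.3f}%  "
              f"accuracy bound={100 * accuracy_rate_bound(delta, 200.0):6.3f}%  "
              f"simulated={100 * emp_correct:6.3f}%")
```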

3.5 Application

To obtain comparable results, we also implemented the other real-time RTT getting algorithms, the Greedy and Conservative algorithms [16]. In order to test the accuracy of the RTT getting algorithms, we applied the "Step-Function" [16] stepping stone detection approach and ascertained whether the RTT getting algorithms were accurate enough to be used to detect stepping stones. The "Step-Function" approach is responsible for monitoring the steps in the RTT changes on an interactive connection, which reflect the number of connections in its downstream connection chain. When the RTTs change by more steps than a specified number, the connection is considered a stepping stone connection. Further action such as blocking or trace-back may then be taken. Since the RTT getting algorithms are responsible for obtaining stepping stone RTTs in real-time, we concentrated our experiments on the RTT values that each RTT getting algorithm can achieve and the levels at which the RTT changes. We evaluated our experiments from two perspectives: whether the RTT getting algorithms can achieve RTTs on one level for a single connection, and whether they can achieve RTTs with the correct number of levels during the establishment of a connection chain. In addition, as we mentioned before, the typing speed and the input commands can affect the ordering and mapping of the send and echo packets. So we conducted our experiments in two modes as well: slow typing speed with simple input commands, and quick typing speed with complex input commands.

To begin with, we built a connection over the Internet by SSH from host H1 to host H2. We then captured the SSH packets and applied the Greedy, Conservative and EBA algorithms concurrently at host H1 from the time that host H2 was first connected. We input simple commands at slow typing speed and complex commands at quick typing speed respectively at the connection terminal of H1. We obtained the results for simple input commands and slow typing speed as shown in Figure 3.5 and the results for complex input commands and quick typing speed as shown in Figure 3.6, where the X-axis represents the send packet number, and the Y-axis represents the RTT values in units of ms.

Figure 3.5. One connection with simple inputting commands by slow typing speed. [Figure: RTT per send packet for Greedy (314 send packets), Conservative (303) and EBA (296); y-axis RTT(microsecond), 0 to 600.]

From Figure 3.5, we know that all three algorithms are concentrated around one level, if we can ignore the big protuberances. The EBA algorithm is nevertheless apparently better than the Greedy and Conservative algorithms, as all its RTT results lie closely around 47 ms. In Figure 3.6, the RTTs obtained by the Greedy algorithm are concentrated around three levels, and it would be incorrectly considered a connection chain with three connections by the "Step-Function" stepping stone detection approach. For the Conservative algorithm, only 38 RTTs were obtained, which is far fewer than the 217 RTTs for the Greedy algorithm and 207 RTTs for the EBA algorithm. It will be hard for the "Step-Function" approach to judge what kind of connection it is from such a small number of RTTs. For the EBA algorithm, all the RTTs it obtained lie closely around 49 ms, so the "Step-Function" approach can identify it as a single connection.

Figure 3.6. One connection with complex inputting commands by quick typing speed. [Figure: RTT per send packet for Greedy (217 send packets), Conservative (38) and EBA (207); y-axis RTT(microsecond), 0 to 1000.]

We then built a connection chain by SSH that passed from host H1 to host H2, then to host H3, and then to host H4. We captured the SSH packets and applied the Greedy, Conservative and EBA algorithms concurrently at host H1 from the time host H2 was first connected to the time the whole connection chain was built. We input simple commands at slow typing speed and complex commands at quick typing speed respectively at the connection terminal of H1 during the chain building. We obtained the results for simple input commands and slow typing speed as shown in Figure 3.7 and the results for complex input commands and quick typing speed as shown in Figure 3.8, where the X-axis represents the send packet number, and the Y-axis represents the RTT values in units of ms.

Figure 3.7. One chain with simple inputting commands by slow typing speed. [Figure: RTT per send packet for Greedy (422 send packets), Conservative (324) and EBA (389); y-axis RTT(microsecond), 0 to 1000.]

In Figure 3.7, the RTTs obtained by the Greedy and Conservative algorithms are approximately clustered around three levels. But both of them have too many large protuberances that may affect the identification of steps by the "Step-Function" approach. From Figure 3.8, we know that the RTTs obtained by the Greedy algorithm are clustered around many levels, and the "Step-Function" approach will consider it a stepping stone connection when it is just a single connection. For the Conservative algorithm, only 200 RTTs were obtained, which is far fewer than the 970 and 898 RTTs for the Greedy algorithm and the EBA algorithm, respectively.

Figure 3.8. One chain with complex inputting commands by quick typing speed. [Figure: RTT per send packet for Greedy (970 send packets), Conservative (200) and EBA (898); y-axis RTT(microsecond), 0 to 1000.]

In both Figure 3.7 and Figure 3.8, all the RTTs that the EBA algorithm obtained lie closely around three levels: 47 ms, 102 ms and 170 ms. Therefore, the RTTs achieved by the EBA algorithm can correctly reflect how many connections there are in the downstream connection chain for any typing speed and input commands. From all of our experimental results, we found that the numbers of send packets matched by the EBA algorithm are all fractionally smaller than those matched by the Greedy algorithm. The ratios of the EBA send packet number to the Greedy send packet number for the above figures were all higher than 90%. As the Greedy algorithm matches all the send packets, whether or not they have corresponding echo packets, the real number of send packets having corresponding echo packets must be smaller than the number of Greedy send packets. We are therefore confident that the real matching rate for the above figures is higher than 90%. We also obtained the standard deviations of the ΔRTTs for the above figures, which lie between 1.771 ms and 9.043 ms. Although we are unable to obtain an exact accuracy rate from the above figures, our algorithm can achieve RTTs precise enough to detect stepping stones for a wide range of ΔRTT standard deviations.

3.6 Summary

RTTs are critical for stepping stone detection approaches, but how to obtain precise RTTs for stepping stones in real time remains a challenge. In this chapter, we propose a novel real-time RTT getting algorithm which can be used at all times by RTT-based stepping stone detection approaches to detect stepping stones, and can be used sparsely by other, non-RTT-based stepping stone detection approaches to obtain the values of their parameters. We present a theoretical probability analysis which demonstrates that our algorithm has a matching rate of more than 90% and a higher accuracy rate than SDBA, the complicated RTT getting algorithm that does not run in real time. Our experimental results show that our algorithm is much more precise than previous real-time methods in the detection of stepping stones.


Chapter 4 Detecting Stepping Stones in Real Internet Environments

Stepping stones are often used by network intruders to launch attacks. However, current stepping stone detection approaches are hardly applicable in real Internet environments because of their demands on storage, computation and monitoring time. In this chapter, we propose a simple but effective stepping stone detection scheme that reduces these demands. Our experiments show that the proposed approach achieves more than 90% accuracy by monitoring for 2 seconds and more than 95% accuracy by monitoring for 10 seconds, all at low computational cost.

4.1 Introduction

A stepping stone detection system normally detects stepping stones in a network by searching for correlations, such as identical payload or similar packet timing, between interactive connections at the network borders or routers. If a pair of interactive connections is detected as part of a stepping stone chain, they can be blocked immediately to stop the attack, thereby preventing further harm; alternatively, they can be recorded in the hope of tracing the stepping stone path to identify the source of the attack. To prevent such attacks, a stepping stone detection approach should correctly identify correlated connections as quickly as possible, since many attackers launch their attacks in a very short time to evade detection, and the quicker the response, the less harm is done. For tracing back and identifying the source of an attack, real-time and quick response is also important, because attackers have many excuses and techniques (such as a fake IP address) for denying their attacking activity when no on-the-spot evidence is available. However, current approaches seldom take responsiveness into consideration (see Chapter 2 for related work).

Meanwhile, a stepping stone detection approach should not assume that no packets are dropped during transmission on the Internet. Omar et al. [44] claim that packet dropping, which [5][8][9][10][21] assume does not occur, would occur over a wide area of a network. Therefore, the accuracy of approaches that make this assumption should be doubted when they are applied in real Internet environments.

Besides responsiveness and the no-packet-dropping assumption, a practical stepping stone detection approach should have lower demands on storage and computation. It is not hard to find correlations by complex computations, but when applied to real environments, a stepping stone detection programme should not overburden the whole system. As shown in Table 4.1, among all current stepping stone detection approaches, only sketching [35] takes these three factors into consideration, but it has low accuracy.

In this chapter, we propose the Packet Delay Bidirectional Comparison (PDBC) scheme, a simple but practical stepping stone detection algorithm. It makes no no-packet-dropping assumption and is designed for high efficiency. Our experiments and analysis show that our system has high accuracy and quick responsiveness along with low storage and computation costs; at the same time, it is also resistant to chaff. We also present a comparison with previous methods, including the sketching approach.

The rest of the chapter is organized as follows. Section 4.2 gives the definitions and the property of packet delay. We describe the scheme in Section 4.3, and experimental results are given in Section 4.4. Finally, we summarize the chapter in Section 4.5.

4.2 Definitions and Property for Packet Delay

In this section we begin by defining some terms, and then present a property of packet delay.

4.2.1 Related Definitions

Definition 4.1 (RTT) The packets sent in interactive connections from an attacker (client) to a target (server) are called send packets, and the packets sent in the reverse direction are called echo packets. The time delay between a send packet and the corresponding echo packet on a connection is called the Round-Trip Time (RTT) for this interactive connection.

Table 4.1. Practical features comparison among the encrypted traffic stepping stone detection approaches

Approach            | Quick responsiveness         | No-packet-dropping assumption | Computation complexity         | Storage demand
--------------------|------------------------------|-------------------------------|--------------------------------|--------------------
ON/OFF              | No                           | No                            | low                            | high
Deviation           | No                           | No                            | high                           | high
IPD                 | Requires a few dozen packets | No                            | high                           | high
Multiscale          | No                           | Yes                           | low                            | low
DA                  | No                           | Yes                           | low                            | low
DMV                 | No                           | Yes                           | low                            | low
DM                  | No                           | Yes                           | high                           | high
SI, SII, SIII, SIV  | No                           | Yes                           | Depends on algorithm           | high
RTT-Thumbprint      | No                           | Yes                           | high                           | high
Sketching           | Designed to respond quickly  | No                            | Designed to be run efficiently | Depends on sketches

Definition 4.2 (RTT sequence) An RTT sequence $Rtt_a$ is a series of RTTs in chronological order obtained by an RTT getting algorithm on connection $a$. Let

$$Rtt_a = \{Rtt_a^1(t_a^1),\ Rtt_a^2(t_a^2),\ \ldots,\ Rtt_a^i(t_a^i)\} \quad (i \ge 0),$$

where $Rtt_a^i$ $(i > 0)$ is the $i$th RTT obtained by the RTT getting algorithm for interactive connection $a$, and $t_a^i$ is the arrival epoch of the echo packet from which the $i$th RTT on connection $a$ is obtained. To simplify the description of the algorithm, the RTT sequence representation here is slightly different from the definition in Section 3.3.

Definition 4.3 (Upstream and downstream connection) We say that connection $a$ is an upstream connection of connection $b$, and $b$ is a downstream connection of $a$, when $a$ and $b$ are in the same connection chain and $Rtt_a \ge Rtt_b$ at around the same time. Because an upstream connection has more relay nodes below it than its downstream connection, for the same relayed send packet the RTT on the upstream connection is larger than the RTT on its downstream connection.

Definition 4.4 (Correlated connections) We say that connections $a$ and $b$ are correlated connections if $a$ and $b$ are in the same connection chain.

4.2.2 Property of Packet Delay

Theorem 4.1. Let interactive connections $a$ and $b$ be in the same connection chain, with connection $a$ the upstream connection of connection $b$, and let $Rtt_a^n(t_a^n)$ and $Rtt_b^m(t_b^m)$ be the RTTs obtained for connections $a$ and $b$ respectively from the same original send packet. Then

$$E\left(Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)\right) = 0$$

if the routes of the send packets are the same as those of the corresponding echo packets.

Proof. The packet delay consists of four components: processing delay, queuing delay, transmission delay and propagation delay [69]. Given a packet of size $p$ that traverses a path of $h$ hops, each link $i$ having capacity $C_i$ and propagation delay $\delta_i$, the average propagation and transmission delays can be written as:

$$T_{propagation} = \sum_{i=1}^{h} \delta_i, \qquad T_{transmission} = \sum_{i=1}^{h} \frac{p}{C_i}$$

Applying the Kleinrock [99] independence approximation, each link can be modelled as an M/M/1 queue [90]. The average number of packets in the queues can be written as:

$$N = \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$

where $\lambda_i$ and $\mu_i$ are the arrival rate and the service rate of each link separately. Applying Little's Law [81], the average queuing delay per packet can be written as:

$$T_{queuing} = \frac{1}{\gamma} \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$

where $\gamma$ is the total arrival rate. Ignoring the processing delay, the average packet delay can be written as:

$$T = T_{propagation} + T_{transmission} + T_{queuing} = \sum_{i=1}^{h} \delta_i + \sum_{i=1}^{h} \frac{p}{C_i} + \frac{1}{\gamma} \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$

[Figure 4.1. Stepping stone packet delay. Chain Attacker → Stepping stone a → Stepping stone b → Target; $RTT_a$ is measured on connection $a$ and $RTT_b$ on connection $b$; $T_{ab}$ is the send-packet delay from $a$ to $b$ and $T_{ba}$ the echo-packet delay from $b$ to $a$.]

Let the send packet time delay from connection $a$ to $b$ be $T_{ab}$, and the echo packet time delay from connection $b$ to $a$ be $T_{ba}$, as shown in Figure 4.1. If the route of a send packet is the same as that of the corresponding echo packet, the links from connection $a$ to connection $b$ are the same as the links from $b$ to $a$. So every parameter of $T_{ab}$, including $\delta_i$, $C_i$, $\lambda_i$, $\mu_i$ and $\gamma$, is the same as the corresponding parameter of $T_{ba}$. The size of a send packet and that of its corresponding echo packet are also the same. So we obtain:

$$E(T_{ab}) = E(T_{ba})$$

Let the RTT from connection $a$ to connection $b$ be $RTT_{ab} = T_{ab} + T_{ba}$. By the definitions we get:

$$Rtt_a^n - Rtt_b^m = RTT_{ab} = T_{ab} + T_{ba}, \qquad t_a^n - t_b^m = T_{ba}, \qquad RTT_{ab} - T_{ba} = T_{ab}$$

Then we get:

$$E(T_{ab}) - E(T_{ba}) = E\left(Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)\right) = 0$$

Table 4.2. Real-time comparing processing in the PDBC algorithm

PDBC_compare(Rtt_a^n, Rtt_b)
  If (Rtt_a ≥ Rtt_b)
    For (m starting from the last index of the RTT sequence of b down to the first index)
      If (t_a^n − Rtt_a^n ≥ t_b^m − Rtt_b^m)
        UCV_ab++;
        Break;
      Else if (|Rtt_a^n − Rtt_b^m − 2(t_a^n − t_b^m)| < Δ)
        CV_ab++;
        Break;
      Endif
    Endfor
  Endif
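The proof above argues about expectations only. The following Python script is an added illustration, not code from the thesis: it draws per-hop delays on a constructed symmetric four-link path using the same components as the proof (propagation $\delta_i$, transmission $p/C_i$ and an M/M/1 queue with rates $\lambda_i$, $\mu_i$), builds $Rtt_a$, $Rtt_b$, $t_a$ and $t_b$ from the relations of Figure 4.1, and checks that the statistic $Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)$ averages to zero. It also compares the empirical probability that the statistic falls inside $\pm\Delta$ with the Chebyshev bound that Section 4.3.2 later uses to choose $\Delta$. The link parameters are constructed, and drawing the queue sojourn time as $\mathrm{Exp}(\mu_i - \lambda_i)$ is an assumption of the simulation (the standard M/M/1 result whose mean $1/(\mu_i - \lambda_i)$ is the per-link term summed in $T_{queuing}$).

```python
"""Monte Carlo check of Theorem 4.1 on a constructed symmetric path.

Constructed example, not the thesis author's code. Each link i between
stepping stone a and stepping stone b has propagation delay delta_i, capacity
C_i and an M/M/1 queue with arrival rate lam_i and service rate mu_i, the
delay components of the proof (processing delay ignored). One packet of size p
spends delta_i + p/C_i + (queue sojourn time) on hop i. Assumption: the sojourn
time is drawn as Exp(mu_i - lam_i), the standard M/M/1 result whose mean
1/(mu_i - lam_i) is the per-link term summed in T_queuing.
"""
import random
import statistics

# Constructed link parameters. Units: ms for delays, bytes for packet size,
# bytes/ms for capacity, packets/ms for arrival and service rates.
LINKS = [
    # (delta_i, C_i, lam_i, mu_i)
    (2.0, 1250.0, 0.4, 1.0),
    (5.0, 12500.0, 0.5, 1.2),
    (1.0, 1250.0, 0.2, 0.8),
    (8.0, 12500.0, 0.6, 1.5),
]
PACKET_SIZE = 64.0  # bytes; send and echo packets of a keystroke are tiny


def one_way_delay(rng, links, p):
    """One sample of T_ab (or T_ba): propagation + transmission + queuing over every hop."""
    return sum(delta + p / cap + rng.expovariate(mu - lam) for delta, cap, lam, mu in links)


def sample_statistic(rng, links, p, rtt_b):
    """One sample of Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m) for a single send packet.

    Downstream connection b measures rtt_b and sees its echo at t_b. The same
    packet on upstream connection a adds T_ab on the way down and T_ba on the
    way back, and a sees the echo T_ba later than b (Figure 4.1).
    """
    t_ab = one_way_delay(rng, links, p)
    t_ba = one_way_delay(rng, links, p)   # same links and size: E(T_ab) = E(T_ba)
    rtt_a = rtt_b + t_ab + t_ba           # Rtt_a^n - Rtt_b^m = RTT_ab = T_ab + T_ba
    t_b = 1000.0                          # echo arrival epoch on b (arbitrary origin)
    t_a = t_b + t_ba                      # t_a^n - t_b^m = T_ba
    return rtt_a - rtt_b - 2.0 * (t_a - t_b)   # reduces to T_ab - T_ba


def check_theorem(n=20000, seed=1):
    """Mean (expected ~0), standard deviation and raw samples of the statistic."""
    rng = random.Random(seed)
    xs = [sample_statistic(rng, LINKS, PACKET_SIZE, rtt_b=47.0) for _ in range(n)]
    return statistics.fmean(xs), statistics.pstdev(xs), xs


def chebyshev_check(delta, n=20000, seed=1):
    """Empirical P(|statistic| < delta) next to the Chebyshev bound 1 - (sigma/delta)^2."""
    _, sigma, xs = check_theorem(n, seed)
    empirical = sum(1 for x in xs if abs(x) < delta) / len(xs)
    return empirical, 1.0 - (sigma / delta) ** 2


if __name__ == "__main__":
    mean, sigma, _ = check_theorem()
    print(f"mean of statistic = {mean:+.3f} ms, sigma = {sigma:.3f} ms")
    for d in (20.0, 30.0, 40.0):
        emp, bound = chebyshev_check(d)
        print(f"delta = {d:4.0f} ms: P(|stat| < delta) = {emp:.4f}, Chebyshev bound = {bound:.4f}")
```

With these parameters the statistic has a standard deviation of roughly 4 ms, so the Chebyshev bound is loose: at $\Delta = 20$ ms it guarantees about 0.95 while the empirical probability is close to 1. Making the two directions differ (different link lists for $T_{ab}$ and $T_{ba}$) moves the mean away from zero, which is the asymmetric-routing case that equation (2) in Section 4.3.2 addresses.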

4.3 Algorithm and Analysis

4.3.1 PDBC Algorithm

Based on Theorem 4.1, we designed the Packet Delay Bidirectional Comparison (PDBC) algorithm, which examines interactive connections and decides within a specified monitoring time whether a pair of connections is correlated, i.e. whether the two connections are in the same connection chain. It can be run at the network gateway node or as an independent process on the stepping stone host. When packets arrive on an interactive connection, PDBC first calculates the RTT in real time using an RTT getting algorithm. We use the Estimation-Based RTT getting Algorithm (EBA) proposed in Chapter 3 because, as analysed there, it is far more precise than other real-time RTT getting algorithms.

Once a new RTT $Rtt_a^n(t_a^n)$ is obtained, the algorithm compares it against every other connection whose RTT is smaller than the current one. If there exists an RTT $Rtt_b^m(t_b^m)$ on a compared connection such that

$$\left|Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)\right| < \Delta \qquad (1)$$

we increase the correlated value (CV) for this pair of connections; otherwise we increase the uncorrelated value (UCV) for the pair. The detailed processing for comparing a new RTT $Rtt_a^n(t_a^n)$ with the RTT sequence $Rtt_b$ of another connection is shown in Table 4.2. When the monitoring time expires, we calculate the correlated rate (CR) by

$$CR = \frac{CV}{CV + UCV}$$

If the CR for a pair of connections is higher than a specified threshold, we consider it a pair of correlated connections; otherwise, it is considered a normal connection pair. The detailed processing when the monitoring time expires for a compared pair is shown in Table 4.3.

Table 4.3. Monitoring time expired processing in the PDBC algorithm

PDBC_Monitor_Expired(UCV_ab, CV_ab)
  CR = CV_ab / (CV_ab + UCV_ab);
  If (CR > threshold)
    Return CORRELATED;
  Else
    Return NORMAL;

4.3.2 Analysis

Computation time

During the comparison, we do not need to compare the new RTT with every RTT of the other connections. All we need to do is compare it with the RTTs whose send packet arrival epoch is later than the send packet arrival epoch of the new RTT. Then the question arises: how many RTTs on another connection will be compared with the new RTT? Consider two connections $a$ and $b$, and suppose $Rtt_a \ge Rtt_b$, the total number of RTTs on connection $a$ is $n$, and the packet arrival rate on connection $b$ is $\lambda$. When a new RTT is obtained on connection $a$, the RTTs to be compared on connection $b$ have a send packet arrival epoch between the new RTT's send packet arrival epoch and $Rtt_b$ before the new RTT's echo packet arrival epoch. Therefore, the answer is the number of packets sent on connection $b$ during an interval of length $Rtt_a - Rtt_b$. Let $p$ be the average number of RTTs on connection $b$ that will be compared with one RTT on connection $a$. So we get:

$$p = \lfloor (Rtt_a - Rtt_b) \cdot \lambda \rfloor + 1 \quad \text{for a correlated connection pair}$$

$$p = \lfloor (Rtt_a - Rtt_b) \cdot \lambda \rfloor \quad \text{for a normal connection pair}$$

We then get the computation time for comparing a pair of connections as $O(\lfloor (Rtt_a - Rtt_b) \cdot \lambda \rfloor \cdot n + n)$ for a correlated connection pair and $O(\lfloor (Rtt_a - Rtt_b) \cdot \lambda \rfloor \cdot n)$ for a normal connection pair. Generally, the value of $\lfloor (Rtt_a - Rtt_b) \cdot \lambda \rfloor$ is small if no delay is added deliberately. In our experiments, it equalled 0 in most cases, which kept the computation time no bigger than $O(n)$.

Storage demand

On the other hand, because only a limited number of recent RTTs need to be compared, the algorithm does not need to store all RTTs. Suppose the maximum RTT value over all compared interactive connections is MRTT. When a new RTT for an interactive connection is obtained, the stored RTTs on this connection whose epochs are more than MRTT earlier than the current time are deleted from storage. Therefore, PDBC requires little storage.

Parameter selection

According to the Chebyshev inequality (Kao [1996]; Feller [1968]) and Theorem 4.1, we get:

$$P\left(\left|Rtt_a^n(t_a^n) - Rtt_b^m(t_b^m) - 2(t_a^n - t_b^m)\right| < \Delta\right) = P\left(\left|T_{ab} - T_{ba} - E(T_{ab} - T_{ba})\right| < \Delta\right) \ge 1 - \left(\frac{\text{standard deviation of } |T_{ab} - T_{ba}|}{\Delta}\right)^2$$

Therefore, the bigger $\Delta$ is, the higher the probability that equation (1) holds; however, the accuracy decreases as well. For the CR threshold, as the threshold decreases, the probability that correlated connections are determined to be correlated increases, but the probability that normal connections are determined to be correlated increases as well. This means we should balance the two parameters and select values suitable for the application. In our experiments, we present the impact of different parameters. When $\Delta$ is set to 30 ms and the CR threshold is set to 0.2, we achieve the highest accuracy.

Asymmetric routing

Because Internet routing normally follows shortest-path rules, the routes of send packets are normally the same as those of the corresponding echo packets. But there are still situations where the routing is asymmetric. For these situations, we introduce an asymmetry parameter $\lambda$ (distinct from the packet arrival rate $\lambda$ used in the computation-time analysis above) with $E(T_{ab}) = \lambda E(T_{ba})$. We then change equation (1) to equation (2) in this situation:

$$\left|Rtt_a^n - Rtt_b^m - (1 + \lambda)(t_a^n - t_b^m)\right| < \Delta \qquad (2)$$

Chaff resistance

Attackers may also introduce superfluous packets, called chaff, which contain no valuable information and are not relayed to the succeeding flow of the chain, in order to perturb the timing information. In fact, when packets are transmitted on the Internet, packet merges, packet drops and packet retransmissions occur, which can be considered a natural chaff perturbation. Therefore, a stepping stone detection approach should not assume there are no packet drops, and it should be resistant to chaff to some extent. Since PDBC is based on the RTTs obtained by the EBA algorithm, which is able to filter unsymmetrical packets as analysed in Chapter 3, the PDBC scheme is also resistant to chaff.
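As an added, self-contained Python example (not the thesis author's implementation), the following script puts Section 4.3.1 and the analysis above together: the comparison of Table 4.2, the expiry decision of Table 4.3, the MRTT pruning of the storage-demand discussion and the asymmetry factor of equation (2). It is replayed over constructed RTT sequences built from the delay relations of Theorem 4.1 (one symmetric chain, one pair of unrelated connections, and one chain whose send and echo delays differ by a factor of six), so it shows the CR each case produces at $\Delta = 30$ ms and a threshold of 0.2. The keystroke intervals, RTT levels and jitter are assumptions chosen for the illustration, and the connection-level guard $Rtt_a \ge Rtt_b$ of Table 4.2 is evaluated on the most recent RTT stored for $b$, which is an assumption about the pseudocode.

```python
"""PDBC (Tables 4.2 and 4.3) replayed over constructed RTT sequences.

Every connection keeps a chronological sequence of (rtt, echo_epoch) pairs,
all in milliseconds. `delta` is the Delta of equation (1), `threshold` the CR
threshold of Table 4.3, `asym` the lambda of equation (2) (1.0 = symmetric
routing, i.e. equation (1)) and `mrtt` the MRTT storage bound of Section 4.3.2.
All sequences below are constructed from the delay relations of Theorem 4.1;
none of this is captured traffic or the thesis author's code.
"""
import random
from collections import deque

CORRELATED, NORMAL = "CORRELATED", "NORMAL"


class PdbcPair:
    """CV/UCV counters for one ordered connection pair: a upstream of b."""

    def __init__(self, delta=30.0, threshold=0.2, asym=1.0):
        self.delta, self.threshold, self.asym = delta, threshold, asym
        self.cv = self.ucv = 0

    def compare(self, rtt_a, t_a, store_b):
        """Table 4.2 for one new RTT Rtt_a^n(t_a^n) against the stored RTTs of b.

        Assumption: the connection-level guard Rtt_a >= Rtt_b of Table 4.2 is
        evaluated on the most recent RTT stored for b.
        """
        if not store_b or rtt_a < store_b[-1][0]:
            return
        send_a = t_a - rtt_a                       # send-packet arrival epoch on a
        for rtt_b, t_b in reversed(store_b):       # newest RTT on b first
            if send_a >= t_b - rtt_b:
                self.ucv += 1                      # no older RTT on b can share a's send packet
                return
            if abs(rtt_a - rtt_b - (1.0 + self.asym) * (t_a - t_b)) < self.delta:
                self.cv += 1                       # equation (1), or (2) when asym != 1
                return

    def expired(self):
        """Table 4.3: (verdict, CR) once the monitoring time has elapsed."""
        total = self.cv + self.ucv
        cr = self.cv / total if total else 0.0
        return (CORRELATED if cr > self.threshold else NORMAL), cr


def prune(store, now, mrtt):
    """Storage bound of Section 4.3.2: drop RTTs whose echo epoch is older than MRTT."""
    while store and store[0][1] < now - mrtt:
        store.popleft()


def run_pdbc(seq_a, seq_b, delta=30.0, threshold=0.2, asym=1.0, mrtt=1000.0):
    """Feed connection a's RTTs in order, seeing only the RTTs of b observed so far."""
    pair, store_b, pending_b = PdbcPair(delta, threshold, asym), deque(), deque(seq_b)
    for rtt_a, t_a in seq_a:
        while pending_b and pending_b[0][1] <= t_a:
            store_b.append(pending_b.popleft())
        prune(store_b, t_a, mrtt)
        pair.compare(rtt_a, t_a, store_b)
    return pair.expired()


def make_chain(rng, n, rtt_b=47.0, t_ab=25.0, t_ba=25.0, jitter=3.0, gap=300.0):
    """Constructed correlated pair: b is downstream of a and relays the same send packets."""
    seq_a, seq_b, t = [], [], 0.0
    for _ in range(n):
        t += rng.expovariate(1.0 / gap)                  # keystroke interval at the attacker
        d_ab, d_ba = t_ab + rng.gauss(0, jitter), t_ba + rng.gauss(0, jitter)
        rb = rtt_b + rng.gauss(0, jitter)
        echo_b = t + d_ab + rb                           # send reaches b after T_ab; echo back after Rtt_b
        seq_b.append((rb, echo_b))
        seq_a.append((rb + d_ab + d_ba, echo_b + d_ba))  # Rtt_a = Rtt_b + T_ab + T_ba, t_a = t_b + T_ba
    return sorted(seq_a, key=lambda x: x[1]), sorted(seq_b, key=lambda x: x[1])


def make_independent(rng, n, rtt, jitter=3.0, gap=400.0):
    """Constructed normal connection with its own keystrokes, unrelated to any other."""
    seq, t = [], 0.0
    for _ in range(n):
        t += rng.expovariate(1.0 / gap)
        r = rtt + rng.gauss(0, jitter)
        seq.append((r, t + r))
    return seq


def demo(seed=7, n=400):
    """A symmetric chain, an unrelated pair, and an asymmetric chain under (1) and (2)."""
    rng = random.Random(seed)
    corr = run_pdbc(*make_chain(rng, n))
    norm = run_pdbc(make_independent(rng, n, 170.0), make_independent(rng, n, 47.0))
    skew_a, skew_b = make_chain(rng, n, t_ab=60.0, t_ba=10.0)   # E(T_ab) = 6 E(T_ba)
    return {
        "correlated": corr,
        "normal": norm,
        "skew_eq1": run_pdbc(skew_a, skew_b),            # equation (1) misses the skewed chain
        "skew_eq2": run_pdbc(skew_a, skew_b, asym=6.0),  # equation (2) with lambda = 6 finds it
    }


if __name__ == "__main__":
    for name, (verdict, cr) in demo().items():
        print(f"{name:>10}: {verdict:<10} CR={cr:.3f}")
```

The unrelated pair still collects a non-zero CR: whenever a keystroke on $b$ happens to fall inside the window of width $2\Delta$ implied by equation (1), that comparison counts as CV. How often that happens grows with the keystroke rate on $b$, which is the same quantity $\lambda$ that bounds the number of comparisons per new RTT above, and it is why the CR threshold has to be chosen together with $\Delta$ rather than in isolation.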


4.4 Experiments

4.4.1 Data Source and Testing Method

Data from a LAN environment or a simulation generally presents a one-to-one packet mapping, which makes stepping stone detection easier. To test stepping stone detection approaches as they would actually be applied, the data must be real data from the Internet.

Figure 4.2. Experimental topology for data source

In order to achieve this, we designed a topology on the Internet and obtained real stepping stone connection chain data for testing the stepping stone detection approaches. We built two separate connection chains on the Internet by SSH from host H1 and host H2, both passing through host H3, then hosts H4, H5 and H6, and finally connecting to host H7. H4 and H6 are in the same network segment, as shown in Figure 4.2. The other hosts were located in different areas of Melbourne, Australia. We started to capture packets at host H4 once all the connection chains were built. We then quickly entered commands at the terminals of H1 and H2 concurrently for about three minutes, after which we stopped capturing packets.

Since H4 and H6 are in the same network segment, there are eight SSH connections, belonging to two connection chains, in the captured data. This means there are a total of 12 correlated connection pairs and 16 uncorrelated connection pairs. As it is easier to detect stepping stones in light traffic, we entered commands quickly so that we would at least obtain normal traffic. During the experiment we found more than 7% retransmitted packets on some connections, which is higher than the normal 1%-6% Internet retransmission rate [53]. In addition, the packet number differences in some connection chains were more than 17%, which means there were many packet drops and merges during packet transmission on the connection chains. Therefore, the captured data can be considered Internet data with normal or even heavy traffic.

With the captured data, we can run the stepping stone detection approaches from a start epoch in the captured data until a specified monitoring time (such as 10 seconds) has elapsed, and then output the results for every connection pair. More results can be obtained by selecting different start epochs. We used every 500 ms along the data source as a start epoch in our experiments, and ran all the start epochs we selected. Every run yielded 28 results, giving a total of more than 8000 results for 10 seconds of monitored time. With these results we then calculated the accuracy. We use the terms below to measure accuracy.

False negative: the rate at which a correlated connection pair is judged to be a normal connection pair.

False positive: the rate at which a normal connection pair is judged to be a correlated connection pair.

[Figure 4.3. False negative with different Δ. PDBC false negative (0 to 0.2) against time (s), 0 to 80, for Δ = 20, 30, 40 and 50.]

[Figure 4.4. False positive with different Δ. PDBC false positive (0 to 0.2) against time (s), 0 to 80, for Δ = 20, 30, 40 and 50.]

Accuracy: the rate at which a correlated connection pair is judged to be a correlated connection pair and a normal connection pair is judged to be a normal connection pair.

As attackers may add chaff to evade detection, we also created chaff-inserted data by introducing chaff packets into the original captured data at random times with different chaff rates, the chaff rate being the ratio of the number of introduced chaff packets to the number of original send packets.

4.4.2 Experimental Results

4.4.2.1 Impact of the Parameters

In our experiments, there are two parameters: Δ, the maximum deviation of the packet delay difference in the two directions, and the CR threshold. We ran the PDBC scheme on the original captured data and tested the impact of the parameters on the accuracy of the algorithm. Figure 4.3 and Figure 4.4 show the false negative and false positive results respectively for different Δ and different monitoring times. We can see that both the false negative and the false positive decrease as the monitoring time increases. But the false negative decreases and the false positive increases as Δ increases, which is consistent with our previous analysis. To achieve the highest accuracy, we set Δ to 30 ms in later experiments.

Figure 4.5 and Figure 4.6 show the false negative and false positive results respectively for different CR thresholds and different monitoring times. We can see that both the false negative and the false positive decrease as the monitoring time increases. But the false negative increases and the false positive decreases as the threshold increases. To achieve the highest accuracy, we set the threshold to 0.2 in later experiments.

[Figure 4.5. False negative with different CR threshold. PDBC false negative (0 to 0.5) against time (s), 0 to 80, for thresholds 0.1, 0.2, 0.3, 0.4 and 0.5.]

[Figure 4.6. False positive with different CR threshold. PDBC false positive (0 to 0.5) against time (s), 0 to 80, for thresholds 0.1, 0.2, 0.3, 0.4 and 0.5.]

[Figure 4.7. False negative for PDBC, sketching and IPD. False negative (%), 0 to 100, against monitoring time (s), 0 to 80.]

[Figure 4.8. False positive for PDBC, sketching and IPD. False positive (%), 0 to 100, against monitoring time (s), 0 to 80.]


4.4.2.2 Responsiveness and Accuracy

To compare our algorithm with previous approaches, we also implemented the IPD [4] and sketching [35] approaches, which are the only two approaches that take responsiveness into consideration, as shown in Table 4.1. The parameters we used during our experiments, shown in Table 4.4, are those which gave the best results for every approach.

[Figure 4.9. Accuracy for PDBC, sketching and IPD. Accuracy (%), 40 to 100, against monitoring time (s), 0 to 80.]

Figure 4.7, Figure 4.8 and Figure 4.9 show the false negative, false positive and accuracy results of PDBC compared with the IPD and sketching approaches on the original captured data. We found that while both the false negative and the false positive of the PDBC and sketching approaches drop as the monitored time increases, the false negative and the false positive of IPD change in different directions as the monitored time increases. So the accuracy of the PDBC and sketching approaches rises to 100% as the monitored time increases, whereas the accuracy of IPD rises to around 95% at first and then drops as the monitored time increases. The accuracy of the sketching approach is apparently low when the monitoring time is shorter than 60 seconds. For PDBC, even if the monitoring time is only 2 seconds, it still achieves above 90% accuracy, while the other two approaches have only around 50% accuracy. In addition, the accuracy of PDBC is higher than 95% when the monitored time is longer than 10 s, and it reaches 100% when the monitored time is longer than 60 s.

Table 4.4. Parameters for PDBC, sketching and IPD

Approach   | Parameters
-----------|--------------------------------------------------
PDBC       | Δ = 30 ms, threshold = 71
Sketching  | slot = 1500 ms, thresh = 71
IPD        | window_size = 10, point_thresh = 0.8, thresh = 0.7

4.4.2.3 Chaff Perturbation

To test whether the stepping stone detection approaches are resistant to chaff, we ran them on the chaff-inserted data with different chaff rates. Figure 4.10 shows the accuracy comparison for PDBC with chaff rates of 0, 10%, 20% and 40%. We can see that PDBC is hardly affected by chaff. The accuracy comparison for sketching and IPD with different chaff rates is shown in Figure 4.11 and Figure 4.12 respectively, which show that the accuracy of IPD and sketching is affected by chaff, especially that of IPD.

[Figure 4.10. Accuracy for PDBC with different chaff rate. Accuracy (%), 40 to 100, against monitoring time (s), 0 to 80, for chaff rate = 0, 10%, 20% and 40%.]

[Figure 4.11. Accuracy for sketching with different chaff rate. Accuracy (%), 40 to 100, against monitoring time (s), 0 to 80, for chaff rate = 0, 10%, 20% and 40%.]

[Figure 4.12. Accuracy for IPD with different chaff rate. Accuracy (%), 40 to 100, against monitoring time (s), 0 to 80, for chaff rate = 0, 10%, 20% and 40%.]

4.4.2.4 Performance

We recorded the execution time for running the three stepping stone detection approaches within the specified monitoring time, with the start epoch moving from the beginning to the end of the data source. However, we performed the pre-processing, such as calculating RTTs, calculating packet counts in slots and calculating inter-packet delays, only once, so the execution time only reflects the processing for the comparison. We found these execution time values were relatively stable, and the average values are shown in Table 4.5. Since the computation time for PDBC is smaller than O(n) in our experiments, the execution time for PDBC changes only slightly for different monitored times. Because IPD compares packets with window_size packets for every packet, its execution time increases exponentially as the monitoring time increases. For the sketching scheme, one of the main computing costs is calculating sketches, which increases linearly.

Table 4.5. Execution time for PDBC, IPD and sketching

Approach   | Execution time / monitored time (10 s) | Execution time / monitored time (40 s) | Execution time / monitored time (80 s)
-----------|----------------------------------------|----------------------------------------|---------------------------------------
PDBC       | 3.281 s                                | 3.281 s                                | 3.343 s
IPD        | 4.109 s                                | 22.187 s                               | 52.437 s
Sketching  | 4.640 s                                | 7.578 s                                | 8.640 s

4.5 Summary

Quick responsiveness with high accuracy and low computation cost is a critical challenge for applying stepping stone detection approaches in the real Internet environment. In this chapter, we propose a simple but practical stepping stone detection algorithm which has lower storage and computation costs than existing algorithms. The experimental results demonstrate that our method achieves detection results with more than 90% accuracy within 2 seconds and 100% accuracy within 60 seconds, which is much better than the IPD and sketching approaches, the only two previous approaches that take responsiveness into consideration. Our experiments also demonstrate that our approach is resistant to chaff.


Chapter 5 Detecting Chaffed and Jittered Stepping Stone Connections

Packet timing or frequency (count) characteristics are the foundations commonly employed in detecting stepping stones. However, these characteristics may be altered by attackers introducing jitter and chaff into stepping stone connections. But the timing causality that a packet has to arrive at a node before it can leave it cannot be changed. In this chapter, based on two Poisson process models, we formulate and prove two separate upper bounds on the probability that normal connections present the timing causality of correlated connections. Based on these two upper bounds, we propose two novel parameter-free algorithms that detect stepping stones accurately even with large jitter and a high chaff rate. We compare our algorithms with previous ones, and our experiments show that ours are more resistant to chaff and jitter. In addition, our algorithms maintain high accuracy for detecting normal stepping stones with no chaff or jitter perturbation. We also present comparisons between our two algorithms through analysis and experimentation.

5.1 Introduction

Current stepping stone detection approaches [2, 3, 4, 5, 8, 9, 10, 21, 35] are predominantly based on timing or frequency characteristics that may be altered during packet transmission on the Internet. Additionally, attackers may introduce random jitter delays before packets depart from stepping stones, or they may insert chaff (superfluous packets which contain no valuable information and are not relayed by the stepping stones) into the original attack flow on the stepping stones, which can even completely break the timing and frequency features. However, the timing causality that a packet has to arrive at a node before it can leave it does not change. Therefore, the packet arrival epochs on stepping stones keep the order of the stepping stone chain. But this timing causality between correlated stepping stone connections may appear between normal connections as well. In our experiments we paid much attention to normal connections instead of stepping stone connections, and found that there is an upper bound on the probability that normal connections present the timing causality of correlated stepping stone connections. Based on these upper bounds, we designed the Abnormal Probability Detection algorithm (APD) and the Speedy Abnormal Probability Detection algorithm (SAPD), which accurately detect stepping stones even under chaff and jitter perturbation. In this chapter, we also compare our proposals with previous approaches.

The rest of this chapter is organised as follows. In Section 5.2, we present related work on the ability of stepping stone detection to resist evasion. In Section 5.3, we analyse and explain the mathematical models of connection streams, and prove two formulas for the upper bounds of probability based on two Poisson models. Section 5.4 describes the two algorithms based on the two formulas in detail. Section 5.5 explains our experimental results. Finally, we conclude the chapter in Section 5.6.

5.2 Related Work

As many approaches were proposed to detect stepping stones, evasion techniques developed concurrently. At first, encrypting stepping stone connections made the content-based approaches [1] unusable. Then, the introduction of chaff and jitter may perturb the timing or frequency characteristics of stepping stones, which are the foundations of most stepping stone detection approaches [2, 3, 4, 5, 8, 9, 10, 21, 35]. The SNEAK attack tool [46] can even create constant-rate streams by inserting jitter and chaff, which removes the inter-packet information completely. The evasion techniques of introducing chaff and jitter also caught the attention of researchers. Donoho et al. [5] argue that attackers have maximum tolerable delay constraints, and that correlation between stepping stone connections can be detected regardless of chaff packets if the connections last long enough. Similarly, under a maximum tolerable delay constraint, Blum et al. [8] present confidence bounds on stepping stone detection. Their algorithm is based on the difference between the numbers of packets on two connections at a given time; this difference is expected to be low for correlated connections even if there are a few chaff packets. In [9], Zhang et al. propose several algorithms with a special focus on random delays and chaff. They compared most previous stepping stone detection approaches [2, 3, 4, 5, 8], and their experiments demonstrated that their proposals were more effective in resisting chaff and jitter, even though their algorithms are also based on the assumption that there is no packet dropping, and their experimental data is not real connection data. In [54], Wu et al. tried to improve the chaff resistance of [8]; however, they assumed that chaff is introduced on only one of the connections of a correlated connection pair. Coskun et al. [35] proposed a sketching method and claimed it could resist chaff and jitter perturbation; however, their experiments only involve cases of small jitter and low chaff rates. Kampasi et al. [49] provide methods to improve stepping stone detection when jitter, chaff or both are introduced into a packet stream, but these methods are only used as supplements to other stepping stone detection approaches.

5.3 Probability Analysis

In this section, we begin by formally defining some terms. Then we introduce two network stream models. Based on these two models, we formulate and prove two different upper bounds on the probability that the timing causality of stepping stones appears on normal connections.

Figure 5.1. The timing causality on a stepping stone chain (Attacker -> Stepping stone 1 -> ... -> Stepping stone i-1 -> Stepping stone i -> Target; the Send and Echo packets and the RTT measured on each hop)

5.3.1 Related Definitions

Normally attackers launch stepping stone attacks by constructing a chain of interactive connections on a series of compromised hosts (stepping stones) using protocols such as Telnet or SSH, as shown in Figure 5.1.

Definition 5.1 (RTT and timing causality). The packets sent in interactive connections from an attacker (client) to a target (server) are called send packets, and the packets sent in the reverse direction are called echo packets. The time delay between a send packet and the corresponding echo packet on a connection is called the Round-Trip Time (RTT) of this interactive connection. From Figure 5.1, and from the timing causality that a packet has to arrive before it can leave a node, we can see that the same send packet arrives first on stepping stone i-1 and then on stepping stone i. Once the send packet arrives at the target host, the corresponding echo packet is generated and sent back to stepping stone i, and then to stepping stone i-1. If two connections are in the same connection chain, we consider them a correlated connection pair; otherwise they are a normal connection pair.

Definition 5.2 (RTT Sequence and Packet Pair). An RTT sequence $Rtt_a$ is a series of RTTs in chronological order obtained by an RTT getting algorithm on connection $a$. Let

$$Rtt_a = \{Rtt_a^1(t_a^{s1}, t_a^{e1}),\ Rtt_a^2(t_a^{s2}, t_a^{e2}),\ \ldots,\ Rtt_a^i(t_a^{si}, t_a^{ei}),\ \ldots\}\quad (i > 0),$$

where $Rtt_a^i$ is the $i$th RTT obtained by the RTT getting algorithm for interactive connection $a$, and $t_a^{si}$ and $t_a^{ei}$ are the arrival epochs of the send and echo packets from which the $i$th RTT on connection $a$ is obtained. $(t_a^{si}, t_a^{ei})$ is called a Packet Pair, and $t_a^{ei} - t_a^{si} = Rtt_a^i$. For an easier description of the algorithm, the RTT sequence representation here is slightly different from the definition in Sections 3.3 and 4.3.

Definition 5.3 (Correlated Packet Pair and Correlated Probability). For the packet pair $(t_a^{si}, t_a^{ei})$ on connection $a$ and the packet pair $(t_b^{sj}, t_b^{ej})$ on connection $b$, if

$$t_a^{si} < t_b^{sj} < t_b^{ej} < t_a^{ei},$$

that is, the packet pair on $b$ is nested in the packet pair on $a$, we write $(t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})$ and call them a correlated packet pair. By Definition 5.2, for a correlated packet pair we also have:

$$t_a^{si} < t_b^{sj} < t_b^{sj} + Rtt_b^j < t_a^{si} + Rtt_a^i \;\Rightarrow\; t_a^{si} < t_b^{sj} < t_a^{si} + Rtt_a^i - Rtt_b^j \qquad (1)$$

For the packet pair $(t_a^{si}, t_a^{ei})$ on $a$, if there exists any packet pair $(t_b^{sj}, t_b^{ej})$ on $b$ such that $(t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})$, we say $(t_a^{si}, t_a^{ei})$ has a correlated pair. The Correlated Probability $CP_{ab}$ is defined as the ratio of the number of packet pairs of $a$ having correlated pairs on $b$ to the total number of packet pairs of $a$. The Correlated Probability for two normal connections seems random, but it is actually related to the packet frequency and the RTT values, as we prove in the following analysis.

5.3.2 Modelling Connection Streams

Network streams are frequently modelled as a Poisson process [90]. The famous Jackson's theorem [80], a significant development in the theory of networks of queues, simply assumes packet arrivals are Poisson processes. To detect stepping stones, connection streams (the packet arrivals on connections) are generally modelled as Poisson processes as well [5, 8, 9, 10]. Normally, Poisson processes with a fixed rate [5, 8, 9, 10] are used to generate the model. In this situation, the packet interval follows the exponential distribution with density function $\lambda e^{-x\lambda}$, where $\lambda$ is the expected packet arrival rate and can be taken as $\lambda = 1/T$ ($T$ is the expected packet interval, equal to the average packet interval).

Let us assume that every packet arrival on a connection stream has a different rate $\lambda_i$ ($i \le n$) over the time $T_i$ ($i \le n$), which is the packet interval of the $i$th packet, with $\lambda_i T_i = 1$. Then the average arrival rate is the same as in the model with a fixed-rate Poisson distribution:

$$\lambda = \frac{\sum_{i=1}^{n} \lambda_i T_i}{\sum_{i=1}^{n} T_i} = \frac{n}{\sum_{i=1}^{n} T_i}.$$

This means the Poisson process with a fixed rate can be modelled as many Poisson distributions with varying rates over varying time periods [8]. As a result, connection streams can be modelled as Poisson processes with varying rates over varying time periods. In this situation, every inter-arrival time follows the exponential distribution with density function $\lambda_i e^{-x\lambda_i}$, where $\lambda_i = 1/T_i$.

5.3.3 Probability Bound under Poisson Model with Varying Rate

Theorem 5.1. Assume normal connections $a$ and $b$ behave as sequences of Poisson processes. For the two RTT sequences obtained by the RTT getting algorithm on connections $a$ and $b$ during the same time range,

$$Rtt_a = \{Rtt_a^1(t_a^{s1}, t_a^{e1}),\ Rtt_a^2(t_a^{s2}, t_a^{e2}),\ \ldots,\ Rtt_a^n(t_a^{sn}, t_a^{en})\}\quad (n > 0)$$

$$Rtt_b = \{Rtt_b^1(t_b^{s1}, t_b^{e1}),\ Rtt_b^2(t_b^{s2}, t_b^{e2}),\ \ldots,\ Rtt_b^m(t_b^{sm}, t_b^{em})\}\quad (m > 0),$$

if $Rtt_a^i > Rtt_b^j$ ($i \le n$, $j \le m$), $(t_b^{sj}, t_b^{ej})$ ($j \le m$) is the first packet pair on connection $b$ after $t_a^{si}$ ($i \le n$), and

$$ucp(i, j) = \mathrm{MIN}\left(\frac{1 - e^{-(Rtt_a^i - Rtt_b^j)/b_j}}{1 - e^{-a_i/b_j}},\ 1\right)\qquad (a_i = t_a^{s(i+1)} - t_a^{si},\quad b_j = t_b^{sj} - t_b^{s(j-1)}),$$

$$UVCP_{ab} = \frac{1}{n-1}\sum_{i=1}^{n-1} ucp(i, j),$$

then $CP_{ab} \le UVCP_{ab}$.

Proof. Firstly, we derive the probability that one packet pair $(t_a^{si}, t_a^{ei})$, $i \in \{1, \ldots, n\}$, has correlated pairs on connection $b$. According to (1), only the packet pairs on $b$ whose send packet arrival epoch is after $t_a^{si}$ have a chance to be correlated with $(t_a^{si}, t_a^{ei})$. If the first packet pair on connection $b$ after $t_a^{si}$ is not correlated with $(t_a^{si}, t_a^{ei})$, then the later packet pairs are not correlated with it either. So the probability that $(t_a^{si}, t_a^{ei})$ has correlated pairs on connection $b$ equals the probability that the first packet pair on connection $b$ after $t_a^{si}$ is correlated with $(t_a^{si}, t_a^{ei})$, i.e. $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$. Below we write $E$ for the event $(t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})$.

Then we derive $\Pr(E)$ for two cases.

a) When $a_i > Rtt_a^i - Rtt_b^j$:

$$\begin{aligned}
\Pr(E) &= \Pr(E \mid t_b^{sj} < t_a^{s(i+1)})\,\Pr(t_b^{sj} < t_a^{s(i+1)}) + \Pr(E \mid t_b^{sj} \ge t_a^{s(i+1)})\,\Pr(t_b^{sj} \ge t_a^{s(i+1)}) \\
&\le \Pr(E \mid t_b^{sj} < t_a^{s(i+1)}) + \Pr(E \mid t_b^{sj} \ge t_a^{s(i+1)})
\end{aligned}$$

- If $t_b^{sj} < t_a^{s(i+1)}$: we assume connection stream $b$ behaves as a Poisson process with rate $\lambda_j$ during the $j$th packet arrival. Then we can derive:

$$\Pr(E \mid t_b^{sj} < t_a^{s(i+1)}) = \frac{\Pr(t_a^{si} < t_b^{sj} < t_a^{si} + Rtt_a^i - Rtt_b^j)}{\Pr(t_b^{sj} < t_a^{s(i+1)})} = \frac{\Pr(t_a^{si} < t_b^{sj} < t_a^{si} + Rtt_a^i - Rtt_b^j)}{\Pr(t_a^{si} < t_b^{sj} < t_a^{s(i+1)})}$$

$$= \frac{\int_{t_a^{si} - t_b^{s(j-1)}}^{t_a^{si} + Rtt_a^i - Rtt_b^j - t_b^{s(j-1)}} \lambda_j e^{-x\lambda_j}\,dx}{\int_{t_a^{si} - t_b^{s(j-1)}}^{t_a^{s(i+1)} - t_b^{s(j-1)}} \lambda_j e^{-x\lambda_j}\,dx} = \frac{1 - e^{-(Rtt_a^i - Rtt_b^j)\lambda_j}}{1 - e^{-a_i\lambda_j}}$$

- If $t_b^{sj} \ge t_a^{s(i+1)}$: by the precondition $a_i > Rtt_a^i - Rtt_b^j$, we obtain the inequality below, which conflicts with Definition 5.3 (through (1)):

$$t_b^{sj} \ge t_a^{s(i+1)} = t_a^{si} + a_i > t_a^{si} + Rtt_a^i - Rtt_b^j$$

So $\Pr(E \mid t_b^{sj} \ge t_a^{s(i+1)}) = 0$.

As a result, when $a_i > Rtt_a^i - Rtt_b^j$, we get:

$$\Pr(E) \le \frac{1 - e^{-(Rtt_a^i - Rtt_b^j)\lambda_j}}{1 - e^{-a_i\lambda_j}}$$

By the analysis in 5.3.2, we know $\lambda_j = 1/b_j$, so we can further get:

$$\Pr(E) \le \frac{1 - e^{-(Rtt_a^i - Rtt_b^j)/b_j}}{1 - e^{-a_i/b_j}} = ucp(i, j)$$

b) When $a_i \le Rtt_a^i - Rtt_b^j$: we get $\Pr(E) \le 1 = ucp(i, j)$, because the following inequality holds:

$$\frac{1 - e^{-(Rtt_a^i - Rtt_b^j)/b_j}}{1 - e^{-a_i/b_j}} \ge 1 \qquad (a_i \le Rtt_a^i - Rtt_b^j)$$

From cases a) and b), we can derive:

$$\Pr\big((t_a^{si}, t_a^{ei}) \text{ has correlated pairs on connection } b\big) = \Pr(E) \le ucp(i, j)$$

According to the definition of $CP_{ab}$, it can be considered as the expected value of $\Pr(E)$ over the packet pairs of $a$. So we get:

$$CP_{ab} \le \frac{1}{n-1}\sum_{i=1}^{n-1} ucp(i, j)$$

5.3.4 Probability Bound under Poisson Model with a Fixed Rate

Theorem 5.2. For two normal connections $a$ and $b$, assuming they behave as Poisson processes with an equal rate of $\lambda$, then $CP_{ab} \le UFCP_{ab} = (1 - e^{-|Rtt_a - Rtt_b|\lambda})\,(1 - \ln(1 - e^{-|Rtt_a - Rtt_b|\lambda}))$, where $Rtt_a$ and $Rtt_b$ are the average RTT on connections $a$ and $b$ respectively.

Proof. Let us assume $Rtt_a > Rtt_b$. Similar to the proof of Theorem 5.1, we first derive the probability that one packet pair $(t_a^{si}, t_a^{ei})$ of connection $a$ has correlated pairs on connection $b$, which equals $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$, where $(t_b^{sj}, t_b^{ej})$ is the first packet pair on connection $b$ after $t_a^{si}$.

By the proof of Theorem 5.1, we know that:

- When $a_i > Rtt_a^i - Rtt_b^j$ (where $a_i = t_a^{s(i+1)} - t_a^{si}$),

$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le \frac{1 - e^{-(Rtt_a^i - Rtt_b^j)\lambda_j}}{1 - e^{-a_i\lambda_j}},$$

where $\lambda_j$ is the varying packet arrival rate of connection $b$.

- When $a_i \le Rtt_a^i - Rtt_b^j$, $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le 1$.

As RTT always varies in a narrow range [56], we can approximately replace $Rtt_a^i - Rtt_b^j$ with $Rtt_a - Rtt_b$. By the assumption that connection $b$ behaves as a Poisson process with fixed rate $\lambda$, we get:

- When $a_i > Rtt_a - Rtt_b$,

$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le \frac{1 - e^{-(Rtt_a - Rtt_b)\lambda}}{1 - e^{-a_i\lambda}}$$

- When $a_i \le Rtt_a - Rtt_b$,

$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le 1$$

$CP_{ab}$ should be the expected value of $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$, and because connection $a$ behaves as a Poisson process with rate $\lambda$, $a_i$ is exponentially distributed. Then we can derive:

$$\begin{aligned}
CP_{ab} &= \int_0^{\infty} \Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))\,\lambda e^{-x\lambda}\,dx \\
&\le \int_0^{Rtt_a - Rtt_b} 1 \cdot \lambda e^{-x\lambda}\,dx + \int_{Rtt_a - Rtt_b}^{\infty} \frac{1 - e^{-(Rtt_a - Rtt_b)\lambda}}{1 - e^{-x\lambda}}\,\lambda e^{-x\lambda}\,dx \\
&= 1 - e^{-(Rtt_a - Rtt_b)\lambda} - (1 - e^{-(Rtt_a - Rtt_b)\lambda})\ln(1 - e^{-(Rtt_a - Rtt_b)\lambda}) \\
&= (1 - e^{-(Rtt_a - Rtt_b)\lambda})\,(1 - \ln(1 - e^{-(Rtt_a - Rtt_b)\lambda}))
\end{aligned}$$

Now we can relax the assumption $Rtt_a > Rtt_b$ by replacing $Rtt_a - Rtt_b$ with $|Rtt_a - Rtt_b|$, and get:

$$CP_{ab} \le UFCP_{ab} = (1 - e^{-|Rtt_a - Rtt_b|\lambda})\,(1 - \ln(1 - e^{-|Rtt_a - Rtt_b|\lambda}))$$

5.4 Algorithm and Analysis

By the definition of the correlated pair, if all packets on $a$ appear in $b$, $CP_{ab}$ should be 1 for all correlated connection pairs. We then consider the case that not all packets on $a$ appear in $b$. We can divide correlated connection streams into two parts: one part, whose $CP_{ab}$ is 1, includes all the packets appearing on both connections; the second part, whose $CP_{ab}$ has an upper bound, includes the packets appearing only on their own connection. From this point of view, if $CP_{ab}$ is larger than the upper bound, we consider the connection pair a correlated connection pair; otherwise it is a normal pair. Based on the upper bounds from the two Poisson models, two stepping stone detection algorithms are designed.

5.4.1 Abnormal Probability Detection Algorithm

The Abnormal Probability Detection algorithm is based on Theorem 5.1. It examines the interactive connections and determines whether a connection pair is correlated within a specified monitoring time. It can be run in real time at the network gateway node or as an independent process on the stepping stone hosts.

When packets come in on a connection, APD first calculates the RTT in real time by the Estimation-Based RTT getting Algorithm proposed in Chapter 3. Once a new RTT sequence $Rtt_a^i$ is obtained, the algorithm compares it with each connection that needs to be compared. For every comparing pair, let $C_b$ be the connection with the bigger RTT, and $C_s$ the connection with the smaller RTT. A variable LAST_INDEX records the first RTT sequence index of $C_b$ which is later than every RTT sequence on $C_s$. When the new RTT sequence is on $C_b$, and we cannot find an RTT sequence on $C_s$ which is later than the new RTT sequence, we set LAST_INDEX to the index of the new RTT sequence. Otherwise we set LAST_INDEX to 0, increase the total count for the comparing connection pair, calculate ucp(i, j), and check whether they are a Correlated Packet Pair. If they are a Correlated Packet Pair, we increase the correlated count for the comparing connection pair. If the new RTT sequence is on the connection $C_s$ and LAST_INDEX is not zero, we take the RTT sequences on $C_b$ from the index LAST_INDEX to the last index, and check whether $Rtt_a^i$ is later than each such RTT sequence. If so, we increase the total count for the comparing connection pair, calculate ucp(i, j), and check whether they are a Correlated Packet Pair; if they are, we increase the correlated count for the comparing connection pair. The detailed processing for the above comparison is shown in Table 5.1.

Table 5.1. Real-time comparing processing in APD algorithm

APD_compare(Rtt_a^i, Rtt_b)
  If ((Rtt_a < Rtt_b) && (last_uncompared_index_ab != 0))
    For (j from last_uncompared_index_ab to the latest index)
      If (Rtt_a^i is the first RTT sequence after Rtt_b^j)
        Count_ab++;
        UVCP = ucp(i, j) + UVCP;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Endif
    Endfor
    last_uncompared_index_ab = 0;
  Else if (Rtt_a > Rtt_b)
    If (last_uncompared_index_ab == 0)
      If (an RTT sequence Rtt_b^j is found that is the first RTT sequence after Rtt_a^i)
        Count_ab++;
        UVCP = ucp(i, j) + UVCP;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Else
        last_uncompared_index_ab = i;   // no later RTT sequence on the smaller-RTT connection yet
      Endif
    Endif
  Endif

When the monitoring time for a comparing connection pair expires, we calculate CP as the ratio of the correlated count to the total count, and UVCP as the ratio of the accumulated UVCP to the total count. If CP > UVCP, we consider it a Correlated Connection pair; otherwise it is considered a Normal Connection pair. The detailed processing when the monitoring time expires for a comparing pair is shown in Table 5.2.

Table 5.2. Monitoring time expired processing in APD algorithm

APD_Monitor_Expired(UVCP, Count_ab, Count_correlated_ab)
  UVCP = UVCP / Count_ab;
  CP = Count_correlated_ab / Count_ab;
  If (CP > UVCP)
    Return CORRELATED;
  Else
    Return NORMAL;
  Endif


During the processing, the algorithm may store some RTTs, but it does not need to store all RTTs. When the variable LAST_INDEX is set to zero, we can clear all stored RTTs for the comparing connection pair. Therefore, APD requires little storage.

5.4.2 Speedy Abnormal Probability Detection Algorithm

The Speedy Abnormal Probability Detection algorithm is based on Theorem 5.2. It is nearly the same as the APD algorithm, except that it computes the probability bound once instead of n times (where n is the number of RTT sequences on the connection with the bigger RTT). The detailed processing for comparing and for monitoring time expiry is shown in Tables 5.3 and 5.4 respectively. However, the calculation of UFCP has to deal with $\lambda$, the packet arrival rate for the comparing connection pair. According to the analysis in 5.3.2, it can be considered as $1/T$ ($T$ is the expected packet inter-arrival time). However, we also have the assumption that the compared connections have the same packet arrival rate $\lambda$, so how to set $\lambda$ is crucial for the algorithm. In our experiments, we found that when

$$\lambda = \frac{1}{(T_a + T_b)/2},$$

we were able to get a more accurate result.

Table 5.3. Real-time comparing processing in SAPD algorithm

SAPD_compare(Rtt_a^i, Rtt_b)
  If ((Rtt_a < Rtt_b) && (last_uncompared_index_ab != 0))
    For (j from last_uncompared_index_ab to the latest index)
      If (Rtt_a^i is the first RTT sequence after Rtt_b^j)
        Count_ab++;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Endif
    Endfor
    last_uncompared_index_ab = 0;
  Else if (Rtt_a > Rtt_b)
    If (last_uncompared_index_ab == 0)
      If (an RTT sequence Rtt_b^j is found that is the first RTT sequence after Rtt_a^i)
        Count_ab++;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Else
        last_uncompared_index_ab = i;
      Endif
    Endif
  Endif

Table 5.4. Monitoring time expired processing in SAPD algorithm

SAPD_Monitor_Expired(UFCP, Count_ab, Count_correlated_ab)
  Calculate UFCP;
  CP = Count_correlated_ab / Count_ab;
  If (CP > UFCP)
    Return CORRELATED;
  Else
    Return NORMAL;
  Endif

5.4.3 Analysis and Improvement

- Assumptions

Assumptions such as no packet dropping and a maximum delay constraint are generally used by many stepping stone detection approaches [5, 8, 9, 10, 21]. However, these do not hold in real applications. Omar et al. [44] claim that most of the papers presented assumed no packet loss, and that packet loss would occur over a wide area network. The two algorithms we proposed are only based on the assumption of Poisson models, which are often used in the network area. So APD and SAPD are more suited to Internet environments.

- Resisting chaffs

The APD and SAPD algorithms depend on the RTTs obtained by the Estimation-Based (EBA) RTT getting Algorithm proposed in Chapter 3, which can filter unsymmetrical chaff packets. This means our algorithms can be resistant to chaffs.

- No parameters

There is no parameter in either of the two algorithms. This means we do not need to adjust any parameters according to different network situations, as most stepping stone detection approaches do. As a result, our approach is more practical than other detection approaches.

- Resisting jitters

Our algorithms can effectively resist jitters when UVCP or UFCP is far from, or a little smaller than, 1. When UVCP or UFCP is close to 1, for a correlated connection pair the gap between CP and UVCP or UFCP is close to 0. By the preceding proof, we know that UVCP or UFCP will be 1 when the RTT difference is larger than the packet interval. However, in practice it is hard to reduce the packet intervals, because the minimum packet interval time is normally controlled by the OS and the network instead of the attacker. It is relatively easier to increase the RTT difference by adding jitters. However, the delay in stepping stone attacks is usually bounded [5]: in practice, a long delay can cause packets to be dropped. Furthermore, in interactive connections there is usually a certain order in which packets should arrive at the victim, and delaying earlier packets will delay all subsequent packets. So the packet interval will increase as jitter is added. Therefore, it is hard for attackers to bring UVCP and UFCP near to 1 simply by adding jitters. On the other hand, if such a long RTT difference exists in practice, and we observe an abnormally large RTT on a connection, this connection can be assumed to be a jittered connection.

- Performance

The performance of APD is mainly affected by the calculation of ucp(i, j). In SAPD, we only need to calculate UFCP once, which means SAPD should be more efficient than APD.

- Improvement

Considering that CP for a correlated connection pair is normally close to 1, if UVCP or UFCP becomes smaller than a specified value (such as 0.2), we let UVCP or UFCP be that specified value. Thus we can remove the inaccuracy caused by probability calculation when there is a small number of samples. As RTT normally varies in a narrow range [56], we can use one of the RTTs to replace the mean RTT value for the UFCP calculation.
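As an added worked example (not code from the thesis), the following Python implements Definition 5.3, ucp(i, j) and UVCP from Theorem 5.1, the closed-form UFCP from Theorem 5.2 together with a numerical evaluation of the integral in its proof, and the CP > bound decision shared by APD and SAPD, run on constructed packet-pair timings. The sample timings, the helper names and the offline (whole-sequence) form of the Table 5.1 bookkeeping are assumptions of this example.

```python
"""Added example, not code from the thesis. Connection a is the one with the
larger RTT, as Theorem 5.1 assumes. All timings are constructed, in milliseconds."""
import math
from bisect import bisect_right


def correlated(pair_a, pair_b):
    """Definition 5.3: the packet pair on b nests inside the packet pair on a,
    i.e. t_a^s < t_b^s < t_b^e < t_a^e (equivalently relation (1))."""
    return pair_a[0] < pair_b[0] < pair_b[1] < pair_a[1]


def ucp(rtt_a_i, rtt_b_j, a_i, b_j):
    """Per-pair bound of Theorem 5.1; a_i and b_j are the send inter-arrival gaps."""
    d = rtt_a_i - rtt_b_j
    if a_i <= d:  # case b) of the proof: the ratio is >= 1, so MIN gives 1
        return 1.0
    return min((1.0 - math.exp(-d / b_j)) / (1.0 - math.exp(-a_i / b_j)), 1.0)


def ufcp(rtt_diff, lam):
    """Closed-form bound of Theorem 5.2 for rate lam (1/ms) and |Rtt_a - Rtt_b|."""
    u = 1.0 - math.exp(-abs(rtt_diff) * lam)
    return u * (1.0 - math.log(u)) if u > 0.0 else 0.0


def ufcp_numeric(rtt_diff, lam, steps=100000):
    """Midpoint-rule evaluation of the integral in the proof of Theorem 5.2:
    the expectation of the case bound over a_i ~ Exp(lam)."""
    d = abs(rtt_diff)
    h = (40.0 / lam) / steps  # integrate to 40/lam; the tail beyond is ~e^-40
    total = 0.0
    for k in range(steps):
        x = (k + 0.5) * h
        p = 1.0 if x <= d else (1.0 - math.exp(-d * lam)) / (1.0 - math.exp(-x * lam))
        total += p * lam * math.exp(-x * lam) * h
    return total


def correlated_probability(pairs_a, pairs_b):
    """Offline equivalent of the Table 5.1 bookkeeping: for each packet pair on a
    (except the last, which has no a_i) take the first packet pair on b after
    t_a^{si}, count it, test Definition 5.3 and accumulate ucp(i, j).
    Returns (CP, UVCP)."""
    sends_b = [s for s, _ in pairs_b]
    count = corr = ucp_sum = 0.0
    for i in range(len(pairs_a) - 1):
        s_a, e_a = pairs_a[i]
        j = bisect_right(sends_b, s_a)  # first send on b strictly after t_a^{si}
        if j == 0 or j >= len(pairs_b):  # b_j needs t_b^{s(j-1)}, and a pair at j
            continue
        s_b, e_b = pairs_b[j]
        count += 1
        corr += correlated((s_a, e_a), (s_b, e_b))
        ucp_sum += ucp(e_a - s_a, e_b - s_b, pairs_a[i + 1][0] - s_a, s_b - sends_b[j - 1])
    return corr / count, ucp_sum / count


def sapd_rate(pairs_a, pairs_b):
    """lambda = 1 / ((T_a + T_b) / 2), T being the mean send inter-arrival time (5.4.2)."""
    def mean_gap(pairs):
        return (pairs[-1][0] - pairs[0][0]) / (len(pairs) - 1)
    return 1.0 / ((mean_gap(pairs_a) + mean_gap(pairs_b)) / 2.0)


def decide(cp, bound, floor=0.2):
    """Tables 5.2/5.4 plus the 5.4.3 improvement: a bound below `floor` is raised to it."""
    return "CORRELATED" if cp > max(bound, floor) else "NORMAL"


# Constructed sample timings (ms). Connection a: seven send packets, RTT 320 ms.
A = [(s, s + 320) for s in (0, 800, 1500, 2600, 3100, 4000, 4700)]
# b relayed by a stepping stone: each send 70 ms later, RTT 180 ms, so it nests in a.
B_CHAIN = [(s + 70, s + 250) for s, _ in A]
# b an unrelated interactive session with RTT 180 ms and its own send timing.
B_OTHER = [(s, s + 180) for s in (300, 1200, 1900, 2100, 3150, 3500, 4300)]


def analyse(pairs_a, pairs_b):
    """Run both detectors on one connection pair and return the quantities involved."""
    cp, uvcp = correlated_probability(pairs_a, pairs_b)
    rtt_a = sum(e - s for s, e in pairs_a) / len(pairs_a)
    rtt_b = sum(e - s for s, e in pairs_b) / len(pairs_b)
    bound_f = ufcp(rtt_a - rtt_b, sapd_rate(pairs_a, pairs_b))
    return {"CP": cp, "UVCP": uvcp, "UFCP": bound_f,
            "APD": decide(cp, uvcp), "SAPD": decide(cp, bound_f)}


if __name__ == "__main__":
    for name, b in (("chain", B_CHAIN), ("other", B_OTHER)):
        print(name, analyse(A, b))
```

For the chained pair CP is 1 while UVCP and UFCP stay below 0.5, so both detectors return CORRELATED; for the unrelated pair CP (0.2) does not exceed either bound and both return NORMAL.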

5.5 Experiment and Results

5.5.1 Experiment Design

5.5.1.1 Data Source

Packet timing or frequency features may be altered during packet transmission on the Internet by packet merging and packet dropping, especially when traffic is heavy. Data from a LAN environment or a simulation generally presents a one-to-one packet mapping, which makes stepping stone detection easier. We use the genuine stepping stone dataset captured from the self-built connection chains on the Internet in Chapter 4. This dataset includes two connection chains, each composed of 4 connections, which means there are a total of 16 normal connection pairs and 12 correlated connection pairs, with each connection lasting three minutes. Additionally, there is a retransmission packet rate of more than 7% for some connections, and the packet number difference in some connection chains is more than 17%, which means many packets are dropped and merged during packet transmission on the connection chains. Therefore, the captured data can be considered Internet data with normal or even heavy traffic.

5.5.1.2 Testing Method

With the captured data we can run the stepping stone detection approaches from a start epoch of the captured data until a specified time (such as 60 seconds), and output the results for every connection pair. More results can be obtained by selecting a different start epoch. We use the epoch of every 500 ms along the data source as the start epochs in our experiments and ran all the start epochs we selected. Each run yields 28 results, giving a total of more than 4000 results with 60 seconds of monitoring time. With these results we can calculate the accuracy.

To test the impact of chaffs, we created the chaff-inserted data by introducing chaff packets into the original captured data at random times with different Chaff Rates (CR), the ratio of the number of introduced chaff packets to the number of original send packets. Then we ran the stepping stone detection approaches on the chaff-inserted data with different CR to check the effect of chaffs.

To test the impact of jitters, we modified the stepping stone detection algorithms. For the APD and SAPD algorithms, when we obtain the packet pairs by the RTT getting algorithm on the connection with the larger RTT, we subtract a random amount chosen from the interval [0, max Jitter] from the arrival epoch of the send packet in the packet pair. For the other stepping stone detection algorithms, because they only consider data from one direction, we directly added a random delay chosen from the interval [0, max Jitter] to the arrival epoch of each packet on one of the compared connections.

Figure 5.2. Accuracy for APD with monitoring time rising (x axis: Monitoring Time (s), 10 to 120; y axis: Accuracy (%); series: jitter=0 chaff=0, jitter=1000 chaff=0, jitter=1000 chaff=0.4)

5.5.2 Experiment Results

5.5.2.1 APD

To begin with, we ran the APD algorithm on the original data source with different monitoring times, with the accuracy shown in Figure 5.2. We found that the accuracy increases as the monitoring time rises, because the computation of the probability is based on large amounts of data. It even has the potential to reach 100% accuracy when the monitoring time is 50 s. As shown in Figure 5.2, we further tested the accuracy when jitter is added while running the APD algorithm on the original data source or the chaff-inserted data. We found that the accuracy increases with the monitoring time rising as well when chaff and jitter are added. Even with a large jitter of 1000 ms and a high chaff rate of 0.4, 100% accuracy can be achieved when the monitoring time is larger than 110 s. By the definition of UVCP, we know UVCP will be close to 1, which makes it hard to detect stepping stones, when the RTT difference rises or the packet arrival rates rise (i.e. the packet interval time drops) on the compared connection pairs. As our analysis in 5.4.3 demonstrates, attackers find it hard to reduce the packet interval times.

Figure 5.3. The impact of fixed delay on correlated connections for APD (x axis: Fixed delay (ms), 0 to 3000; y axis: Rate (%); series: CP, UVCP, True Positive)

104

Next we show how UVCP and CP are affected by a varying RTT difference. To get a relatively steady RTT difference, we add a fixed delay instead of the random jitter described in 5.5.1.2; adding a fixed delay does not change the packet interval time much, it only changes the RTT difference. We then ran the APD algorithm with different fixed delays added to the original data source. Figure 5.3 shows CP and UVCP varying for correlated connection pairs on one of the monitoring time slots as the fixed delay rises. The monitoring time in Figure 5.3 is 120 seconds. The total true positive rate varying with the fixed delay is also shown in Figure 5.3. We discovered that the CP for correlated connection pairs is always very high (more than 90%), but UVCP increases and approaches CP as the fixed delay (i.e. the RTT difference) rises.

Figure 5.4. The impact of fixed delay on normal connections for APD (x axis: Fixed delay (ms), 0 to 3000; y axis: Rate (%); series: CP, UVCP, True Negative)

105

Figure 5.5. The impact of jitters on correlated connections for APD (x axis: Max Jitter (ms), 0 to 5000; y axis: Rate (%); series: CP, UVCP, True Positive)

Most importantly, we found that the true positive rate dropped significantly when the fixed delay was bigger than 1600 ms, which we call the dropping point. In addition, we found that at the dropping point the RTT difference is around 1700 ms and the packet interval on the connection with the larger RTT is around 1500 ms. Therefore, APD can obtain high accuracy when the RTT difference is not much larger than the packet interval time. This is in accordance with the preceding proof and analysis, from which we know it is hard for attackers to make the RTT difference bigger than the packet interval time simply by adding jitter. Figure 5.4 shows the varying CP, UVCP and true negative rate for normal connection pairs. We found that the variation of CP and UVCP is almost identical, with UVCP always slightly higher than CP, which demonstrates the truth of Theorem 5.1. The true negative rate stays relatively high, which means the accuracy is mainly decided by the true positive rate.

106

Figure 5.6. The impact of jitters on normal connections for APD (x axis: Max Jitter (ms), 0 to 5000; y axis: Rate (%); series: CP, UVCP, True Negative)

Following this, we ran the APD algorithm with jitter added to the original data source in order to find the impact of random delay. Figures 5.5 and 5.6 show the variation of CP, U VCP, true positive and true negative for correlated connection pairs and normal connection pairs respectively. The results are nearly the same as the results for fixed delay, and the true positive rate also dropped significantly when the max jitter was bigger than 1600 ms, although it dropped more slowly than for the fixed delay. This is because the average RTT difference for jitter is only around half of the RTT difference for a fixed delay when the max jitter and the fixed delay are the same. Therefore, the true positive rate dropped relatively slowly for jitter. However, due to the similar max delay, the dropping point for the fixed delay and the random jitter was the same.


5.5.2.2 SAPD

To test SAPD, we first tested the accuracy with different monitoring times.

Figure 5.7. Accuracy for SAPD with monitoring time increasing (x axis: Monitoring Time (s), 10 to 120; y axis: Accuracy (%); series: jitter=0 chaff=0, jitter=1000 chaff=0, jitter=1000 chaff=0.4)

Figure 5.7 shows the accuracy for SAPD. We found that the accuracy increases as the monitoring time rises: it can reach 100% accuracy when the monitoring time is 50 s for the case of no jitter and chaff, and it can also reach 100% accuracy when the monitoring time is 100 s with big jitter (1000 ms) and a high chaff rate (0.4). These results are consistent with APD.

Next we tested how UFCP, CP, true positive and true negative are affected by fixed delay and random delay. Figures 5.8 and 5.9 show the results for fixed delay, and Figure 5.10 shows the result compared with APD. From Figures 5.8 and 5.10, we found that the true positive rate for SAPD begins to drop significantly from a smaller dropping point than APD. The UFCP for SAPD rises slightly quicker than the UVCP for APD, which is the reason why the true positive rate for SAPD starts to drop significantly from a smaller fixed delay than APD. From Figure 5.9, we found the true negative rate is 100%, as UFCP for SAPD rises slightly quicker than UVCP for APD.

Figure 5.8. The impact of fixed delay on correlated connections for SAPD (x axis: Fixed delay (ms), 0 to 2000; y axis: Rate (%); series: UFCP, CP, True Positive)

Figure 5.9. The impact of fixed delay on normal connections for SAPD (x axis: Fixed delay (ms), 0 to 2000; y axis: Rate (%); series: UFCP, CP, True Negative)

Figure 5.10. Comparison of APD and SAPD by fixed delay (x axis: Fixed delay (ms), 0 to 2000; y axis: Rate (%); series: UFCP for SAPD, UVCP for APD, True Positive for SAPD, True Positive for APD)

Figure 5.11. Comparison of APD and SAPD by jitter (x axis: Max Jitter (ms), 0 to 3000; y axis: Rate (%); series: UFCP for SAPD, True Positive for SAPD, UVCP for APD, True Positive for APD)

Figure 5.12. The impact of jitter on correlated connections with SAPD (x axis: Max Jitter (ms), 0 to 3000; y axis: Rate (%); series: UFCP, CP, True Positive)

Figure 5.13. The impact of jitter on normal connections with SAPD (x axis: Max Jitter (ms), 0 to 3000; y axis: Rate (%); series: UFCP, CP, True Negative)

Figures 5.12 and 5.13 show the results for random jitter, and Figure 5.11 shows the results compared with APD. We find that the true positive rate for SAPD drops quicker than for APD. As a result, we conclude that the accuracy for SAPD starts to drop significantly from a smaller dropping point than for APD, and its accuracy drops quicker than APD. Therefore, APD is more suitable than SAPD for detecting connections if there are relatively big jitters.

5.5.2.3 Accuracy Comparison

We compared our methods with previous approaches from four perspectives:
1. The accuracy for identifying normal connections and correlated connections
2. The accuracy for identifying normal connections and correlated connections with inserted chaffs
3. The accuracy for identifying normal connections and correlated connections with added jitters
4. The accuracy for identifying normal connections and correlated connections with both the insertion of chaffs and the addition of jitters

Table 5.5. Parameter values for the sketching and S-III approaches

Approach  | Parameters
Sketching | slot = 1500 ms, thresh = 71
S-III     | max delay = 3000 ms

For the previous approaches, we selected and implemented sketching and S-III. S-III was proposed by Zhang et al. [9], whose experiments demonstrated that it is more effective in detecting stepping stones with jitter and chaff than most other methods. Sketching [35] is the latest approach which, to some extent, is resistant to both chaff and packet jitter. During the experiments, we found that the results of sketching and S-III are largely affected by their parameters; with the parameters shown in Table 5.5, we achieved the best results for them. To address the above four perspectives, we ran the stepping stone detection approaches on the original captured data and on the chaff-inserted data, each with and without the addition of jitter.

Figure 5.14. Accuracy with no jitter and chaff (max jitter = 0 ms, chaff rate = 0; x-axis: monitoring time, 10-120 s; y-axis: accuracy, %; series: SAPD, APD, sketching, S-III)

Figure 5.14 shows the accuracy on the original data for different monitoring times. We find that both APD and SAPD have around 95% accuracy when the monitoring time is 10 seconds, and this increases to 100% accuracy when the monitoring time is bigger than 50 s. The accuracy for sketching is around 70% when the monitoring time is 10 seconds, and this increases to 100% accuracy when the monitoring time is larger than 70 s. The accuracy for S-III is only around 80%.

Figure 5.15. Accuracy with chaff only (monitoring time = 60 s, max jitter = 0 ms; x-axis: chaff rate, 0-0.8; y-axis: accuracy, %; series: APD, SAPD, sketching, S-III)

Figure 5.15 shows the accuracy on the chaff-inserted data for different chaff rates when the monitoring time is 60 seconds. We find that APD and SAPD are hardly affected by chaff, and sketching is only affected to a small degree by chaff packets, while the accuracy of S-III drops significantly as the chaff rate rises.

Figure 5.16. Accuracy with jitter only (monitoring time = 60 s, chaff rate = 0; x-axis: max jitter, 0-1000 ms; y-axis: accuracy, %; series: APD, SAPD, sketching, S-III)

The accuracy on the original data with different jitter added, with a monitoring time of 60 seconds, is shown in Figure 5.16. It shows that APD, SAPD and S-III are rarely affected by jitter, while the accuracy of sketching drops significantly as the jitter rises.

Figure 5.17. Accuracy with chaff and jitter (max jitter = 1000 ms, chaff rate = 0.4; x-axis: monitoring time, 10-120 s; y-axis: accuracy, %; series: APD, SAPD, sketching, S-III)

Figure 5.17 shows the accuracy for the chaff-inserted data (chaff rate 0.4) with 1000 ms max jitter added. From Figure 5.17, we find that the accuracy for SAPD and APD is around or above 90%, while the other methods have an accuracy of around 65% when the chaff rate is 0.4 and the jitter is 1000 ms. In addition, SAPD and APD reach around 100% accuracy if the monitoring time is long enough. Meanwhile, SAPD demonstrates that it is slightly more effective than APD in resisting chaff and jitter.

5.6 Summary

In this chapter, based on two Poisson process models, we formulated and proved two separate upper bounds on the probability that normal connections present the timing causality of correlated connections. Based on these two upper bounds, we proposed the APD and SAPD algorithms, which can detect stepping stones accurately even when there are large jitters and a high chaff rate. Compared to APD, SAPD has a lower computation cost, but its accuracy drops quicker than APD's when jitters are relatively big. Our experiments show that both APD and SAPD are more resistant to chaff and jitter than sketching and S-III, which were shown to have high resistance to chaff and jitter in previous research. At the same time, both APD and SAPD maintain high accuracy for the detection of data with no chaff or jitter.


Chapter 6 Experimental Analysis for Stepping Stone Detection Approaches


Many network-based passive stepping stone detection approaches have been introduced in the previous chapters of this thesis. However, there are still two big issues with the previous experimental designs. One issue is the lack of application in Internet environments. The other is the absence of highly quantitative comparative studies. In this chapter, we implement 13 stepping stone detection algorithms, extract the SSH data from public traces that have millions of packets, and obtain genuine stepping stone connection chain data from the Internet. We establish a set of criteria and run these algorithms through several scenarios with different datasets. Based on the experimental results and analysis, we give our conclusions on the real-time application of stepping stone detection approaches, their accuracy, and the impact of their assumptions, chaff and jitter. In addition, we give suggestions for improving some stepping stone detection approaches.



6.1 Introduction

Since the problem of stepping stones was first identified by Staniford-Chen and Heberlein [1], many network-based passive approaches have been proposed to detect encrypted stepping stones. However, there are still two big issues with the previous experimental designs.

Firstly, experiments should be conducted in Internet environments, a point raised in the two stepping stone survey papers [15] and [100]. Currently, most research has been conducted in a lab environment, such as running simulations on a local area network (LAN), or with simulated data. While these present ideal situations, once Internet queuing delays are introduced, packet drops may occur, as proven in [44]. The question remains: can stepping stone approaches cope with this situation, especially when some of the approaches assume there is no packet drop?

Secondly, highly quantitative comparative studies are needed. Currently most research does not compare against previous methods; in fact some only do the analysis in theory. Even where certain approaches did compare results, they used insufficient criteria and are unconvincing. Zhang et al. in [9] compared their four algorithms with the previous five algorithms, however their experiments were not based on genuine stepping stone data. Although they used public SSH data, it cannot simulate genuine stepping stone data, especially since there is no packet drop in their simulation.

In this chapter, our aim is to present highly quantitative comparative experimental results using various testing methods with multiple datasets, including a genuine


Internet stepping stone dataset. To achieve this, we implement a total of 13 algorithms, extract the SSH data from public traces that have millions of packets, and obtain data from genuine stepping stone connection chains on the Internet. We also establish a set of criteria and run these algorithms with different durations, drop rates, chaff rates, delays and jitters. In addition, based on the experimental results, we provide answers to the following questions:

1. Can the approaches that assume no packet drops be applied in real Internet environments?
2. Which approaches have high accuracy?
3. Which approaches have high accuracy during a short duration?
4. Which approaches can resist chaff or jitter?

The rest of this chapter is organised as follows. In Section 6.2, we introduce the design of our experiments, including the implementation of stepping stone detection approaches, private dataset and public dataset. Section 6.3 provides an analysis of comparative experimental results. Finally, in Section 6.4, we provide a summary of this chapter.

6.2 Design of Experiments

6.2.1 The Implementation of Stepping Stone Detection Approaches

We implemented most of the network-based passive stepping stone detection approaches, including ON/OFF [2], Deviation [3], IPD [4], DA [8], DMV [21], DM [10], S-I [9], S-II [9], S-III [9], S-IV [9], sketching [35], PDBC, APD and SAPD. The essence of DM [10] is the same as S-I [9], therefore we only show the results of S-I later in the analysis and experiments. The details of every algorithm can be found in previous chapters. In this section, we only concentrate on the differences between our implementation and the original algorithms, the real-time application analysis and the definition of parameters.

Most algorithms failed to indicate the length of connection streams or how many packets they needed for the detection of stepping stones. Therefore, we added a duration parameter to every algorithm. The duration parameter is the amount of time the connection streams last for every detection process. In real-time application, the duration means the monitoring time for stepping stone connections. For the same duration, the algorithm with higher accuracy is considered more accurate. A larger duration means more processing and more monitoring time, i.e. slower responsiveness. Therefore, for application in Internet environments, we prefer the algorithm with the highest accuracy for the shortest duration.

Real-time application means less storage with lower one-off computing demands. If an algorithm has nested loops running over all packets from the beginning of the duration, it needs to store all packets during the duration and has to perform the detection process only after all packets are collected. Therefore, this kind of algorithm is not suited for real-time application. Before we introduce all algorithms, we list the parameters of every algorithm in Table 6.1. PDBC, APD and SAPD are the approaches proposed in Chapter 4 and Chapter 5, so we will not go into any further detail.


Table 6.1. Parameters of stepping stone detection approaches

Approach        | Parameter   | Denotation
ON/OFF          | Tidle       | When there is no data traffic on a connection for more than Tidle, the connection is considered to be in an OFF period
ON/OFF          | δ           | Two OFF periods are correlated if their ending times differ by ≤ δ
ON/OFF          | γ           | If the ratio of the number of correlated OFF periods to the smaller number of OFF periods of the two compared connections is ≥ γ, the two compared connections are correlated connections
Deviation       | dev         | If the deviation calculated from connection b to connection a is ≤ dev, a and b are correlated connections
IPD             | Window size | The number of packets used to calculate correlation points
IPD             | δ           | Maximum correlation points value
IPD             | CP          | Correlation value threshold
DA/DMV          | p_Δ         | Maximum number of packets that may be sent in the maximum tolerable delay bound
DA/DMV          | Δ           | Maximum tolerable delay bound
S-I (DM)/S-III  | Δ           | Maximum tolerable delay bound
S-II/S-IV       | Δ           | Maximum tolerable delay bound
S-II/S-IV       | other       | Depends on the approach it is used together with
Sketching       | LTS         | The length of the timeslots forming the time axis
Sketching       | H           | If the sketch difference between two connections is ≤ H, the two connections are considered correlated connections
PDBC            | Δ           | Maximum packet delay difference in both directions
PDBC            | δ           | Maximum correlated rate
APD/SAPD        | none        | No parameters

The ON/OFF approach proposed by Zhang et al. [2] is the first approach designed to detect encrypted stepping stone data. In their approach, they calculate the correlation of different connections by using each connection's OFF periods. The design is simple, and the correlated OFF periods can be calculated in real time.
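As an added illustration of the ON/OFF parameters in Table 6.1, the block below computes the OFF-period end times of two constructed packet-timestamp streams, matches OFF periods whose ends fall within δ of each other, and applies the γ ratio test. This is example code written for this page, not the thesis's implementation or the code of [2]. The timestamps, the 120 ms relay delay and the parameter values are constructed assumptions. Running it with δ = 80 ms shows the false negative that arises when δ is smaller than the relay delay between the two compared connections (the parameter sensitivity discussed next), while δ = 200 ms detects the pair and still rejects an unrelated stream.

```python
# Added example: ON/OFF correlation as parameterised in Table 6.1.
# Timestamps are constructed, not captured; t_idle, delta and gamma
# stand for the table's Tidle, δ and γ.

def off_period_ends(timestamps, t_idle):
    """End epoch of every OFF period: a silent gap longer than t_idle
    ends when the next packet arrives."""
    ends = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur - prev > t_idle:
            ends.append(cur)
    return ends


def on_off_ratio(ts_a, ts_b, t_idle=0.5, delta=0.2):
    """Fraction of OFF periods (relative to the stream with fewer of them)
    whose ends on the two connections differ by at most delta. Each OFF
    period end is matched at most once, via a two-pointer sweep over the
    sorted end lists."""
    ends_a = off_period_ends(ts_a, t_idle)
    ends_b = off_period_ends(ts_b, t_idle)
    if not ends_a or not ends_b:
        return 0.0
    matched, j = 0, 0
    for ea in ends_a:
        while j < len(ends_b) and ends_b[j] < ea - delta:
            j += 1
        if j < len(ends_b) and abs(ends_b[j] - ea) <= delta:
            matched += 1
            j += 1
    return matched / min(len(ends_a), len(ends_b))


def on_off_correlated(ts_a, ts_b, t_idle=0.5, delta=0.2, gamma=0.3):
    """The ON/OFF verdict: correlated when the ratio reaches gamma."""
    return on_off_ratio(ts_a, ts_b, t_idle, delta) >= gamma


# Constructed interactive session: bursts of keystrokes separated by pauses
# longer than t_idle = 0.5 s, so its OFF periods end at 1.50, 3.10, 5.00, 6.80.
UPSTREAM = [0.00, 0.15, 0.30, 0.45,
            1.50, 1.65, 1.80,
            3.10, 3.25, 3.40, 3.55, 3.70,
            5.00, 5.15,
            6.80, 6.95, 7.10]

RELAY_DELAY = 0.12  # assumed 120 ms relay delay through the stepping stone
DOWNSTREAM = [round(t + RELAY_DELAY, 3) for t in UPSTREAM]

# Constructed unrelated session; its OFF periods end at 2.20, 3.60, 4.60, 6.20.
NORMAL = [0.20, 0.35, 0.50,
          2.20, 2.35, 2.50,
          3.60, 3.75,
          4.60, 4.75, 4.90,
          6.20, 6.35]

if __name__ == "__main__":
    # delta smaller than the relay delay: every OFF period end is missed
    print("delta=0.08:", on_off_correlated(UPSTREAM, DOWNSTREAM, delta=0.08))
    # delta larger than the relay delay: all four OFF periods line up
    print("delta=0.20:", on_off_correlated(UPSTREAM, DOWNSTREAM, delta=0.20))
    # unrelated streams stay below gamma
    print("normal    :", on_off_correlated(UPSTREAM, NORMAL, delta=0.20))
```

The ratio is taken against the stream with fewer OFF periods, as the table states, so a chaffed or retransmitting connection with extra OFF periods does not by itself dilute the score; what does break the test is any δ below the actual relay delay, which is why the text below argues for deriving δ from the streams rather than fixing it.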


However, it does have several parameters, and these parameters should be adjusted for different network situations, especially the δ parameter, which determines whether two OFF periods are correlated. In application, δ should be larger than the arrival time difference of the same packet between the two compared connections. For satellite links it may need a large value, but for a LAN link a small one. An inappropriate selection of δ will lead ON/OFF to fail in detecting stepping stones. But it is possible to improve ON/OFF by automatically calculating δ with the EBA algorithm (as proposed in Chapter 3) according to the streams.

The deviation algorithm proposed by Yoda et al. [3] uses the idea that the sequence number vs. time curves of correlated connections should be close to each other. This algorithm is not designed for real-time application, since the computation is very complex and all packet timing and sequence number information needs to be stored during the duration.

IPD, as proposed by Wang et al. [4], uses the inter-packet delays of packets to correlate connections. While it was designed for quick responsiveness, it is not suitable for real-time application, since finding the correlation points consumes too much time and all inter-packet delay information needs to be stored during the duration.

DA [8] and DMV [21] are packet-number-based algorithms. They assume there is no packet drop during the relay of stepping stones, and that all packets sent by the upstream connection arrive at the downstream connection within Δ (the maximum tolerable delay bound). The accuracy of their real application is doubtful due to this unrealistic assumption; however, their design is simple and can be used in real time. The original DMV algorithm has a packet number parameter which indicates the


packet number required. In our implementation, we replaced it with the duration. In the DA algorithm, there is a packet number upper bound computed from the parameter p_Δ, which is the maximum number of packets that may be sent in the maximum tolerable delay bound. If the packet number during the duration is smaller than this upper bound, we output a non-correlated result.

S-I [9], S-II [9], S-III [9] and S-IV [9] are timing-based approaches which have similar assumptions to DA and DMV, and therefore we doubt their accuracy in real application as well. In addition, the maximum tolerable delay parameter Δ in these algorithms loses its meaning in real application, because some packets sent by the upstream connection may never appear on the downstream connection. On the other hand, S-I is not suitable for real-time application because it has nested loops running over all packets from the beginning of the duration. S-II and S-IV perform a packet filtering function first, but they have to be used together with other approaches. So whether S-II and S-IV can be used in real-time application depends on the algorithms used with them. In our implementation, we follow [9] and use the Deviation [3] approach with S-II and S-IV.

The sketching approach proposed by Coskun et al. [35] is based on succinct packet-timing sketches of network streams. Coskun et al. claim that it can be run efficiently in real time. However, they failed to consider the choice of the time-slot length used for calculating the sketches. In our later experiments, we found that the selection of the time-slot length parameter LTS significantly affected the accuracy of sketching. In addition, the correct selection of LTS is related to the inter-packet delay on the connections. Therefore, sketching


approaches can be improved by automatically calculating the LTS parameter according to every actual connection stream. From the above analysis, we conclude that IPD, Deviation and S-I (DM) are not suitable for real-time application.

6.2.2 Private Dataset

Genuine stepping stone data from the Internet is the best source of data for testing the real application of stepping stone detection approaches. However, it is very difficult to get a publicly available stepping stone dataset. Even if you do find one, it is very difficult to prove it really is a stepping stone without the TCP content. Therefore, we used the genuine stepping stone dataset captured from the self-built connection chains on the Internet in Chapter 4. This dataset includes two connection chains, each composed of four connections, with every connection lasting three minutes. This dataset can be considered ideal data for testing stepping stone detection approaches, in that:

1. It is genuine stepping stone data, and we know in advance which connections are correlated connections and which are normal connections. There are a total of 16 normal connection pairs and 12 correlated connection pairs. In addition, there are not only neighbouring correlated connections (connections relayed by one stepping stone), but also remote correlated connections (connections relayed by multiple stepping stones).

2. There are more than 7% retransmitted packets on some connections, which is higher than the normal 1%-6% Internet retransmission rate [53], and the packet number difference in some connection chains is more than 17%. This means there are many packet drops and merges during packet transmission on the connection chains.

Similar to the method introduced in Chapter 4, we ran the stepping stone detection approaches on this dataset from a specified starting epoch for a specified duration, and then output the result for every connection pair. In order to obtain more results, every 500 ms along the stream was selected as a starting epoch. For example, every correlated or normal connection pair yields 240 results for a 60 second duration on the three minute captured dataset. This gave us a total of 240*(12+16) results for a 60 second duration. From these results we obtained the accuracy, which is the ratio of the number of correct results to the total number of results.

Besides the natural packet drops, packet merges and packet retransmissions during packet transmission, chaff and jitter may be added by attackers to evade detection. To test the impact of chaff, we created chaff-inserted data by introducing chaff packets into the original captured data at random times with different chaff rates, where the chaff rate is the ratio of the number of introduced chaff packets to the number of original send packets. We were then able to follow the same method as for the original dataset, running the stepping stone detection approaches on the chaff-inserted data to check the impact of chaff. To test the impact of jitter, we modified the stepping stone detection algorithms. When we obtained the packet pairs by the RTT getting algorithm on the connection


with the bigger RTT for the APD and SAPD algorithms, we subtracted a random number chosen from the interval [0, max jitter] from the arrival epoch of the send packet in the packet pair. For the other stepping stone detection algorithms, because they only consider data from one direction, we directly added a random delay chosen from the interval [0, max jitter] to the arrival epoch of each packet on one of the compared connections. This means that, using the real stepping stone dataset, we can test:

1. How accurate a stepping stone detection approach can be for real Internet applications.
2. The impact of chaff on stepping stone detection approaches.
3. The impact of jitter on stepping stone detection approaches.

6.2.3 Public Dataset

To prove and reinforce the experimental results from the private dataset, we separately extracted one of the longest SSH connections from each of four different Auckland-VIX traces [52] captured in 2008, with every extracted connection lasting for about 30 minutes. Since correlated connections must occur during the same time period, we set the arrival time of the start packet of every extracted connection to zero, and changed the arrival time of every later packet on the connection to its offset from the start packet. We refer to these four extracted connections as the original connections.

Next, we created the correlated connections for the original connections by subtracting a send delay from the send packet arrival epochs and adding an echo delay


to the echo packet arrival epochs. The send delay and the echo delay can be different, and each is the sum of a specified fixed delay and a jitter, which is a random amount chosen from the interval [0, maxDelay]. If the created arrival epoch for a send or echo packet is earlier than the created arrival epoch of the preceding send or echo packet, we set it to the preceding arrival epoch plus 1 microsecond. This gives us four correlated connection pairs. We refer to these four created connections as the upstream connections. Since every original connection is extracted from a different trace, they should be uncorrelated with each other, and the same holds for the upstream connections. Apart from the above four correlated connection pairs, every other connection pair among the four original connections and four upstream connections is a normal connection pair.

For the four original connections and the four upstream connections, we follow the procedure used for the private dataset, obtain the stepping stone detection results and calculate the accuracy. Since the difference between the number of correlated connection pairs and the number of normal connection pairs is large, the accuracy sometimes cannot reflect the actual results. We therefore also use the true positive (the ratio of correlated connections correctly judged as correlated) and the true negative (the ratio of normal connections correctly judged as normal) to illuminate the accuracy.

The existence of packet drops is inevitable during packet relay on stepping stones. To simulate this situation, we selectively deleted packets from the original connections with a specified drop rate, the ratio of the number of deleted packets to the number of original packets. It should be noted that the result is different for the


deletion of packets from the upstream connections and the deletion of packets from the original connections. Deleting packets from the upstream connections is similar to adding chaff. We refer to these four created connections as the drop connections. For the four drop connections and four upstream connections, we follow the previous procedure and obtain the results and accuracy.

During our experiments, we generated four groups of datasets: one group composed of four original connections and four upstream connections with a small delay (100 ms) and small jitter (20 ms); one group composed of four original connections and four upstream connections with a big delay (200 ms) and big jitter (50 ms); one group composed of four original connections and four upstream connections with big jitter (50 ms) and asymmetrical delay (send delay 200 ms, echo delay 50 ms); and finally the last group, composed of four drop connections with a drop rate of 0.2 and four upstream connections with the larger delay (200 ms) and larger jitter (50 ms). By using the public dataset, we can test:

1. The accuracy of a stepping stone detection approach if there is no packet drop.
2. The impact of packet drops on a stepping stone detection approach.
3. The impact of delays on a stepping stone detection approach.

Figure 6.1. True positive for DA and DMV by public dataset (two panels, DA and DMV; x-axis: duration, 100 s and 600 s; y-axis: true positive, %; series: delay=100 ms/jitter=20 ms/drop rate=0, delay=200 ms/jitter=50 ms/drop rate=0, delay=200 ms/jitter=50 ms/drop rate=0.2)
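The dataset transformations of 6.2.2 (a starting epoch every 500 ms, chaff inserted at a given chaff rate, jitter added to one of the compared connections) and 6.2.3 (an upstream copy built by shifting send and echo packets, the 1 microsecond ordering rule, packets dropped at a given drop rate) are worked through below as an added example in Python. This is example code written for this page, not the thesis's implementation; the packet traces, seeds, delays and thresholds are constructed assumptions, and the detector is only a toy stand-in that embodies the maximum-tolerable-delay assumption of the DA/DMV/S-I..S-IV family so that the harness has something to score. With those assumptions, it shows the failure mode the chapter reports for that family: perfect accuracy with no drops, and a true positive that collapses once packets are dropped downstream, chaff is added upstream, or the jitter pushes packets past the delay bound.

```python
import random

# Added example (not the thesis's code): the 6.2.2 / 6.2.3 dataset
# transformations and sliding-epoch scoring over constructed packets.
# A packet is (arrival_epoch_seconds, "send" or "echo").

def make_original(n_sends, seed, min_gap=0.1, mean_gap=0.6, echo_lag=0.04):
    """Constructed interactive connection: sends with random gaps, each echoed
    echo_lag later; the first packet is at epoch 0 as in the thesis's normalisation."""
    rng, t, pkts = random.Random(seed), 0.0, []
    for _ in range(n_sends):
        pkts += [(t, "send"), (t + echo_lag, "echo")]
        t += min_gap + rng.expovariate(1.0 / mean_gap)
    return pkts

def make_upstream(original, send_delay, echo_delay, max_jitter, seed):
    """6.2.3: the upstream copy sees each send (send_delay + jitter) earlier and
    each echo (echo_delay + jitter) later, jitter ~ U[0, max_jitter]. A packet that
    would precede its predecessor of the same direction is moved to 1 us after it."""
    rng, last, out = random.Random(seed), {"send": None, "echo": None}, []
    for t, d in original:
        jitter = rng.uniform(0.0, max_jitter)
        t2 = t - send_delay - jitter if d == "send" else t + echo_delay + jitter
        if last[d] is not None and t2 <= last[d]:
            t2 = last[d] + 1e-6
        last[d] = t2
        out.append((t2, d))
    return sorted(out)

def insert_chaff(conn, chaff_rate, seed):
    """6.2.2 chaff: chaff_rate * (original send packets) extra sends at random epochs."""
    rng = random.Random(seed)
    n = round(chaff_rate * sum(d == "send" for _, d in conn))
    lo, hi = conn[0][0], conn[-1][0]
    return sorted(conn + [(rng.uniform(lo, hi), "send") for _ in range(n)])

def drop_packets(conn, drop_rate, seed):
    """6.2.3 drops: delete drop_rate * (original packets) packets chosen at random."""
    idx = list(range(len(conn)))
    random.Random(seed).shuffle(idx)
    doomed = set(idx[:round(drop_rate * len(conn))])
    return [p for i, p in enumerate(conn) if i not in doomed]

def add_jitter(conn, max_jitter, seed):
    """6.2.2 jitter for one-direction algorithms: U[0, max_jitter] extra delay per packet."""
    rng = random.Random(seed)
    return sorted((t + rng.uniform(0.0, max_jitter), d) for t, d in conn)

def max_delay_detector(up, down, start, duration, max_delay=0.3, thresh=0.9):
    """Toy stand-in for the maximum-tolerable-delay assumption (my simplification):
    correlated if at least thresh of the upstream sends in the window reappear
    downstream within max_delay."""
    end = start + duration
    ups = [t for t, d in up if d == "send" and start <= t < end]
    downs = [t for t, d in down if d == "send" and start <= t < end + max_delay]
    hits, j = 0, 0
    for t in ups:
        while j < len(downs) and downs[j] < t:
            j += 1
        hits += j < len(downs) and downs[j] - t <= max_delay
    return bool(ups) and hits / len(ups) >= thresh

def evaluate(pairs, detector, duration=60.0, step=0.5):
    """6.2.2 scoring: one verdict per (upstream, downstream, is_correlated) pair for
    every start epoch in 0.5 s steps; accuracy, true positive, true negative."""
    right, total = {True: 0, False: 0}, {True: 0, False: 0}
    for up, down, correlated in pairs:
        start, length = 0.0, min(up[-1][0], down[-1][0])
        while start + duration <= length:
            total[correlated] += 1
            right[correlated] += detector(up, down, start, duration) == correlated
            start += step
    return {"accuracy": (right[True] + right[False]) / (total[True] + total[False]),
            "true_positive": right[True] / total[True],
            "true_negative": right[False] / total[False]}

def public_dataset_experiment(drop_rate=0.0, chaff_rate=0.0, max_jitter=0.0):
    """Four unrelated originals and their upstream copies (200 ms send and echo
    delay, up to 50 ms construction jitter): (up_i, orig_i) is correlated, every
    other pair is normal. Drops and extra jitter go on the originals, chaff on
    the upstreams; all seeds and sizes are assumptions."""
    origs = [make_original(200, seed=i) for i in range(4)]
    ups = [make_upstream(o, 0.2, 0.2, 0.05, seed=10 + i) for i, o in enumerate(origs)]
    if drop_rate:
        origs = [drop_packets(o, drop_rate, seed=20 + i) for i, o in enumerate(origs)]
    if chaff_rate:
        ups = [insert_chaff(u, chaff_rate, seed=30 + i) for i, u in enumerate(ups)]
    if max_jitter:
        origs = [add_jitter(o, max_jitter, seed=40 + i) for i, o in enumerate(origs)]
    pairs = [(ups[i], origs[k], i == k) for i in range(4) for k in range(4)]
    return evaluate(pairs, max_delay_detector)

if __name__ == "__main__":
    for label, kw in [("clean", {}), ("drop 0.2", {"drop_rate": 0.2}),
                      ("chaff 0.4", {"chaff_rate": 0.4}), ("jitter 0.2s", {"max_jitter": 0.2})]:
        print(f"{label:12s}", public_dataset_experiment(**kw))
```

The same harness scores any detector with the signature (upstream, downstream, start, duration) -> bool, which is what makes the per-duration comparisons of the following sections possible; the 1 microsecond ordering rule is applied per direction here, which is one reading of the thesis's description.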

Figure 6.2. Accuracy for DA and DMV by private dataset (x-axis: duration, 20-140 s; y-axis: accuracy, %; series: DA, DMV)



6.3 Evaluation Results

6.3.1 The Approaches having Maximum Delay Assumption

6.3.1.1 Packet Number Based Approaches

DA [8] and DMV [21] are stepping stone detection approaches based on packet numbers. Both assume there is no packet drop during the relay of stepping stones, and that all packets sent by the upstream connections arrive at the downstream connections within the maximum tolerable delay. We first tested them using the public dataset, with the p_Δ parameter set to three. As shown in Figure 6.1, if there is no packet drop they can reach close to 100% true positive with a very large duration (600 s), but their true positive is lower than 50% with a small duration (100 s). Also, as shown in Figure 6.1, their true positive is close to zero for a 200 ms delay, 50 ms jitter and a 0.2 drop rate. By changing p_Δ and the duration to larger values, they can still achieve a high true positive when there is no packet drop. However, when there are packet drops, their true positive remains low even if we adjust p_Δ and the duration. Figure 6.2 shows the accuracy on the private dataset. We still set the p_Δ parameter to three, because it gives the highest accuracy. As shown in Figure 6.2, the accuracy of both DA and DMV is not high, because there are packet drops in the private dataset.

Figure 6.3. True positive and true negative for S-I and S-III by public dataset (four panels: true negative and true positive for each of S-I and S-III; x-axis: duration, 100 s and 600 s; series: drop rate=0, drop rate=0.2)

6.3.1.2 Timing Based Approaches

S-I [9], S-II [9], S-III [9] and S-IV [9] have the same assumption as DA and DMV,

but are timing-based stepping stone detection approaches. Figure 6.3 demonstrates the results on the public dataset with a delay of 200 ms and jitter of 50 ms. Both S-I and S-III have the max delay parameter set to 300 ms. Both can reach 100% accuracy if there is no packet drop and the duration is very large (600 s). However, when the duration is small (100 s), the true negative is lower than 50%. In addition, the true positive drops to nearly 0 for a 600 s duration when the drop rate is 0.2.

Figure 6.4. Accuracy for S-I and S-III by private dataset (S-I with max delay = 6 s, S-III with max delay = 3 s; x-axis: duration, 20-120 s; y-axis: accuracy, %)

Figure 6.4 shows the results on the private dataset with a 6 s maximum delay parameter (Δ) for S-I and a 3 s maximum delay parameter (Δ) for S-III. We can see that S-I can reach nearly 100% accuracy when the duration is larger than 110 s. But the abnormally large max delay parameter loses the meaning of its definition. On the other hand, the maximum accuracy for S-III is only 90%, due to the fact that there are packet drops during the relay of stepping stones.

S-II and S-IV must be used together with other approaches, and the deviation approach was selected in our implementation. The function of S-II and S-IV is to filter packets by their maximum delay constraints before the other approach runs. Initially we tested whether their filtering can improve the accuracy of the other approach and whether it can filter out chaff and jitter. On the private dataset, with a 5000 ms maximum delay parameter (Δ) for S-II and S-IV and a dev parameter of 500 for S-II, S-IV and Deviation, we obtained the accuracy shown in Figure 6.5. We found they can improve the accuracy fractionally, but not significantly, since the existence of packet drops destroys the maximum delay constraint.

Figure 6.5. Accuracy for Deviation, S-II and S-IV by private dataset (x-axis: duration, 20-140 s; y-axis: accuracy, %)

Figure 6.6. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different chaff rates (x-axis: chaff rate, 0-0.8; y-axis: accuracy, 50-100%)

Figure 6.7. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different jitter (x-axis: jitter, 0-1000 ms; y-axis: accuracy, 40-100%)

We also obtained the accuracy results with a 60 s duration but with different chaff rates and different jitters on the private dataset, as shown in Figures 6.6 and 6.7. We first discovered that S-II and S-IV were increasingly affected by chaff and jitter, which means they were unable to filter them out. Then we discovered that S-I and S-III were also affected by large amounts of chaff, which is inconsistent with the experimental results in [9]. In [9], chaff was only added to the downstream connections, but in our experiments chaff was added to both the upstream and downstream connections. Adding chaff only to the downstream connections maintains the assumption of no packet drops, so in [9] S-II, S-III and S-IV maintain a high accuracy with chaff. Lastly, S-I and S-III are not as affected by jitter, due to the abnormally large max delay parameter.


Therefore, we conclude that the approaches with a maximum tolerable delay assumption can only reach a high degree of accuracy when the duration is very large and there are no packet drops. This means they are not suitable for application in real environments, due to the existence of packet drops.

[Figure 6.8. Accuracy by public dataset with 600s duration. Setting: senddelay=100ms; echodelay=100ms; jitter=20ms; droprate=0. Approaches on the horizontal axis: PDBC, APD, SAPD, ON/OFF, Sketching, Deviation, IPD; vertical axis: accuracy (0% to 100%).]

6.3.2 Other Approaches

We first ran every approach on the public dataset with a large duration of 600 s and obtained the accuracy shown in Figure 6.8. When there are no packet drops, nearly all approaches reach 100% accuracy except IPD, because some inter-packet delays in the public dataset are of the order of 1 s to 10 s, which can cause IPD to miss some threshold points.


[Figure 6.9. True positive and true negative by public dataset with 100s duration. Four settings: senddelay=100ms, echodelay=100ms, jitter=20ms, droprate=0; senddelay=200ms, echodelay=200ms, jitter=50ms, droprate=0; senddelay=200ms, echodelay=50ms, jitter=50ms, droprate=0; senddelay=200ms, echodelay=200ms, jitter=50ms, droprate=0.2. Upper panel: true positive (%); lower panel: true negative (%); approaches: PDBC, APD, SAPD, ON/OFF, Sketching, Deviation, IPD.]

Figure 6.9 shows the true positive and true negative rates on the public dataset with a small duration of 100 s. IPD and deviation have relatively low accuracy and are also strongly affected by packet drops. For sketching, the true negative rate stays low, since the precise sketches inevitably hide some information about the packet streams when the duration is short. When there are no drops, ON/OFF still reaches 100% accuracy for the small delay and jitter. With the large delay and jitter, however, its true positive rate falls to zero, because in our experiments the value of the parameter G is the same for the small and the large delay. When we tried a larger value of G, ON/OFF again reached 100% accuracy in the absence of packet drops. Therefore, if this parameter can be calculated from the streams, the accuracy of ON/OFF will improve significantly.


[Figure 6.10. Accuracy by private dataset with different durations. Horizontal axis: duration (10 s to 120 s); vertical axis: accuracy (60% to 100%); approaches: PDBC, APD, SAPD, ON/OFF, Sketching, IPD, Deviation.]

PDBC, APD and SAPD maintain high accuracy with or without packet drops and with either a large or a small delay, but the true positive rate of PDBC decreases considerably under asymmetric delay (senddelay different from echodelay). We then ran every approach on the private dataset with different durations and obtained the accuracy shown in Figure 6.10. PDBC, APD and SAPD all maintain more than 95% accuracy when the duration exceeds 10 s, and PDBC is more accurate than APD and SAPD when the duration is small. Sketching and ON/OFF reach 95% accuracy when the duration exceeds 60 s. IPD and deviation generally keep an accuracy below 90% across durations, although IPD reaches 95% when the duration is very small. These results are largely consistent with those on the public dataset, except that the accuracy of sketching on the private dataset is much higher than on the public dataset. This is because the inter-packet delays in the public dataset are much larger than those in the private dataset, so on the public dataset sketching needs a very large duration to achieve high accuracy.

[Figure 6.11. Accuracy by private dataset with different chaff rate. Horizontal axis: chaff rate (0 to 0.8); vertical axis: accuracy (50% to 100%); approaches: PDBC, APD, SAPD, ON/OFF, Sketching, IPD, Deviation.]

[Figure 6.12. Accuracy by private dataset with different jitters. Horizontal axis: jitter (0 to 1000 ms); vertical axis: accuracy (50% to 100%); approaches: PDBC, APD, SAPD, ON/OFF, Sketching, IPD, Deviation.]

Table 6.2. Parameter values for stepping stone detection approaches (approaches: ON/OFF, Deviation, IPD, Sketching, PDBC, APD/SAPD)

Parameter                 Figure 6.8   Figure 6.9   Figure 6.10   Figure 6.11   Figure 6.12
Tidle (ms) (ON/OFF)       700          700          700           700           700
G (ms) (ON/OFF)           120          120          120           120           120
J                         0.5          0.5          0.4           0.4           0.4
dev (Deviation)           1700         1700         500           500           500
Window size               10           10           10            10            10
G CP                      0.8          0.8          0.8           0.8           0.8
G                         0.7          0.7          0.7           0.7           0.7
LTS (ms) (Sketching)      3000         3000         1500          1500          1500
H                         200          200          70            70            70
' (ms)                    100          100          50            50            50
G                         0.3          0.3          0.2           0.2           0.2
APD/SAPD                  No parameter No parameter No parameter  No parameter  No parameter

Finally, we ran every approach on the private dataset with a 60 s duration and varied the chaff rate and the jitter. The resulting accuracy is shown in Figures 6.11 and 6.12. Figure 6.11 shows that PDBC, APD and SAPD are hardly affected by chaff and sketching is only slightly affected, while the others are significantly affected. Figure 6.12 shows that APD and SAPD are the only approaches hardly affected by jitter. The parameter values used for every approach in Figures 6.8 to 6.12 are listed in Table 6.2.
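To make the three perturbations varied in Figures 6.9 to 6.12 concrete, the following Python simulation is an added example written for this edit; it is not code from the thesis or from any of the compared systems. It generates a constructed interactive upstream stream, relays it with a fixed forwarding delay plus optional jitter, drops and chaff, and scores two correlation checks by true positive and true negative rate over a batch of relayed and unrelated stream pairs: an in-order maximum-tolerable-delay check, which stands in for the no-packet-drop assumption discussed in Section 6.3.1, and a per-packet window check that tolerates drops and chaff but not jitter larger than its window. The stream generator, the 0.3 s mean inter-packet gap, the 100 ms forwarding delay, the 150 ms window, the 60% decision threshold and the accuracy definition (mean of the TP and TN rates) are all assumptions of the example; the two checks are generic and are not implementations of PDBC, APD, SAPD or any other approach in Table 6.2.

```python
"""Added example (not the thesis's code): simulates the perturbations varied in
Section 6.3, i.e. packet drops, chaff and jitter on a relayed interactive
stream, and scores two correlation checks by true positive / true negative
rate.  All timing parameters, the stream generator and the accuracy
definition are assumptions made for this illustration."""
import bisect
import random


def gen_interactive(n_pkts, seed, mean_gap=0.3):
    """Constructed upstream stream: n_pkts timestamps with exponential
    inter-packet gaps (mean 0.3 s gives roughly 60 s for 200 packets)."""
    rng = random.Random(seed)
    t, stream = 0.0, []
    for _ in range(n_pkts):
        t += rng.expovariate(1.0 / mean_gap)
        stream.append(t)
    return stream


def relay(upstream, seed, delay=0.1, jitter=0.0, drop_rate=0.0, chaff_rate=0.0):
    """Downstream stream as seen after a stepping stone: every upstream packet
    is forwarded after delay +/- jitter, dropped with probability drop_rate,
    and chaff_rate * len(upstream) chaff packets (no upstream counterpart)
    are scattered over the whole duration."""
    rng = random.Random(seed)
    down = []
    for t in upstream:
        if rng.random() < drop_rate:
            continue
        down.append(t + delay + rng.uniform(-jitter, jitter))
    span = upstream[-1] + delay + jitter
    down.extend(rng.uniform(0.0, span) for _ in range(int(chaff_rate * len(upstream))))
    return sorted(down)


def in_order_match(up, down, max_delay):
    """Maximum-tolerable-delay check that assumes a lossless, order-preserving
    relay: the i-th downstream packet must follow the i-th upstream packet
    within (0, max_delay].  A single drop or chaff packet shifts every later
    index, which is the failure mode discussed in Section 6.3."""
    matched = 0
    for i, t in enumerate(up):
        if i < len(down) and 0.0 < down[i] - t <= max_delay:
            matched += 1
    return matched / len(up)


def window_match(up, down, max_delay):
    """Per-packet check: some downstream packet follows each upstream packet
    within (0, max_delay].  Drops and chaff only cost or add single matches,
    but jitter larger than max_delay defeats it."""
    matched = 0
    for t in up:
        j = bisect.bisect_right(down, t)  # first downstream packet after t
        if j < len(down) and down[j] - t <= max_delay:
            matched += 1
    return matched / len(up)


def evaluate(matcher, n_pairs=20, n_pkts=200, max_delay=0.15, threshold=0.6, **perturb):
    """Run matcher on n_pairs relayed pairs (positives) and n_pairs independent
    pairs (negatives).  A pair is flagged as a stepping stone when the match
    ratio reaches threshold; accuracy is the mean of the TP and TN rates (an
    assumption that holds because the two classes are balanced here)."""
    tp = tn = 0
    for k in range(n_pairs):
        up = gen_interactive(n_pkts, seed=1000 + k)
        relayed = relay(up, seed=2000 + k, **perturb)
        unrelated = gen_interactive(n_pkts, seed=3000 + k)
        tp += int(matcher(up, relayed, max_delay) >= threshold)
        tn += int(matcher(up, unrelated, max_delay) < threshold)
    return {"tp": 100.0 * tp / n_pairs, "tn": 100.0 * tn / n_pairs,
            "accuracy": 50.0 * (tp + tn) / n_pairs}


if __name__ == "__main__":
    settings = (("clean", {}), ("droprate=0.2", {"drop_rate": 0.2}),
                ("chaff=0.5", {"chaff_rate": 0.5}), ("jitter=500ms", {"jitter": 0.5}))
    for name, matcher in (("in-order", in_order_match), ("window", window_match)):
        for label, perturb in settings:
            print(name, label, evaluate(matcher, **perturb))
```

Running the file prints, for each check and each setting, the TP, TN and accuracy percentages. The in-order check reaches 100% on clean relays, but its true positive rate collapses once 20% of the packets are dropped or chaff is inserted, because one missing or extra packet shifts every later index; the window check keeps both rates at 100% under drops and chaff but loses true positives at 500 ms jitter, which is the jitter sensitivity Figure 6.12 shows for most approaches.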


6.3.3 Experimental Results Summary

By examining the experimental results and the previous analysis, we reach the following conclusions.

1. IPD, deviation and S-I (DM) are not suitable for real-time application.
2. Approaches that assume no packet drops are not suitable for real Internet environments.
3. When there are no packet drops, nearly all approaches except IPD achieve 100% accuracy if the duration is large enough.
4. In real Internet environments, PDBC, APD, SAPD, ON/OFF and sketching achieve high accuracy if the duration is large enough.
5. In real Internet environments, PDBC, APD and SAPD achieve high accuracy even when the duration is small, and PDBC is more accurate than APD or SAPD for very small durations.
6. PDBC, APD and SAPD are hardly affected by chaff.
7. APD and SAPD are hardly affected by jitter.

Therefore, if a stepping stone detection approach with quick responsiveness is needed in Internet environments, we would select PDBC; if high accuracy is needed even under chaff and jitter perturbations, we would select APD or SAPD. During the experiments we also tried different parameter values for different datasets for nearly every approach except APD and SAPD. The accuracy is occasionally low because we did not find appropriate values for the parameters, especially the LTS parameter of the sketching approach and the G parameter of ON/OFF. In this respect APD and SAPD have no parameters and can easily be applied to any dataset. As mentioned before, ON/OFF can be improved by calculating the G parameter, and the sketching approach by calculating the LTS parameter, from the streams themselves.

6.4 Summary

The limited application of stepping stone detection approaches in real Internet environments, and the absence of highly quantitative comparative studies of these approaches, remain open issues in stepping stone research. In this chapter, we implemented a total of 13 stepping stone detection algorithms, extracted SSH data from public traces containing millions of packets, and obtained genuine stepping stone connection chain data from the Internet. We established a set of criteria and ran these algorithms in several scenarios with different datasets. Based on the experimental results and analysis, we drew conclusions about the real-time applicability of stepping stone detection approaches, their accuracy, and the impact of their assumptions and of chaff and jitter. In addition, we provided suggestions for improving stepping stone detection approaches.


Chapter 7 Conclusions and Future Work


This chapter summarises the main contributions of this thesis on detecting stepping stones in real Internet environments, presents the significance of this research and, finally, makes suggestions for improving our research in the future.

7.1 Conclusions

7.1.1 Major Contributions

The Internet has become increasingly critical, and at the same time Internet attacks have increased significantly. One of the main reasons is that attackers can easily hide their identities and evade punishment by relaying their attacks through stepping stones. Stepping stone detection systems have been proposed, but challenges remain in applying them in Internet environments and in making them resist evasion. The aim of this thesis has been to develop stepping stone detection systems that provide effective and efficient stepping stone detection in real Internet environments, and to identify evasion techniques used by attackers. We have achieved these aims, and the main contributions of our research can be summarised as follows.

• We proposed a real-time RTT getting algorithm for stepping stone detection. The proposed Estimation Based Algorithm (EBA) provides RTTs for RTT based stepping stone detection systems to identify correlated connections, and it also provides RTTs for non-RTT based systems to calculate important parameters. The experiments show that our algorithm is far more precise than other real-time RTT getting algorithms. We also present a theoretical analysis from the probability point of view, which shows that our algorithm has a high matching rate and an accuracy similar to the complicated non-real-time SDBA [51] approach. With the EBA, the stepping stone detection systems that could not be applied in practice [48], and those for which parameters are hard to select [2], may become practical.

• We proposed the Packet Delay Bidirectional Comparison (PDBC) scheme, a simple but practical stepping stone detection system. It does not assume that no packets are dropped, and it is designed for high efficiency. Our experiments show that the scheme achieves more than 90% accuracy after monitoring for 2 seconds and more than 95% accuracy after monitoring for 10 seconds, at a low computational cost. Compared to most stepping stone detection systems, it has the quickest responsiveness when applied in Internet environments.

• We were the first to propose upper bounds on the probability that normal streams exhibit the timing feature of stepping stone attack streams, and the first to apply them to stepping stone detection. Based on them we designed the Abnormal Probability Detection algorithm (APD) and the Speedy Abnormal Probability Detection algorithm (SAPD), which accurately detect stepping stones even under large jitter and a high chaff rate. We compared the two proposed systems with many previous ones, and the experiments show that they are more resistant to chaff and jitter than previous systems while maintaining high accuracy on attack streams without chaff or jitter perturbations. In addition, no parameters need to be adjusted in APD and SAPD, so they are suitable for application in practice.

• We presented a highly quantitative comparative experimental analysis of network based passive stepping stone detection systems. Based on the implementation of 13 stepping stone detection systems, the extraction of SSH data from public traces with millions of packets, and the capture of genuine stepping stone connection chain data from the Internet, we tested these systems in several scenarios using uniform criteria. From the experimental results and analysis we drew conclusions about the real-time applicability of stepping stone detection systems, their accuracy, and the impact of their assumptions and of chaff and jitter. In addition, we presented some suggestions for improving previous stepping stone detection systems.

7.1.2 Significance of this Thesis

The RTT getting algorithm for stepping stones and the stepping stone detection schemes described in this thesis can bring significant benefits to both academia and industry. The significance of this thesis may be summarised as follows:

• Networks have dramatically changed the daily activities of people, particularly how we communicate, learn and conduct business. Unfortunately, while enjoying the convenience of the Internet, we also have to deal with network security problems. Attackers from anywhere may attack a site at any time, causing near irreparable damage. One of the reasons is that attackers can very easily hide their identities and evade punishment by relaying their attacks through stepping stones. Therefore, this research into stepping stone detection systems in Internet environments is very important and highly practical.

• The RTT getting algorithm is critical for stepping stone detection. Because no real-time, precise RTT getting algorithm was available, some stepping stone detection systems [48] could not be applied in practice and others could not be easily employed [2]. Therefore, the proposed RTT getting algorithm will accelerate the application of stepping stone detection systems in industry and also advance the research of stepping stone detection systems in academia.

• The detailed analysis presented in the comparative experimental study of network based passive stepping stone detection can benefit further research in this area. At the same time, it provides a sound reference for the application of stepping stone detection systems in industry.

• Since our research focuses on real application, the proposed stepping stone detection schemes and RTT getting algorithm described in this thesis can be directly adopted by industry, which has the potential to change the currently stagnant adoption of stepping stone detection systems in industry.

7.2 Future Work

This thesis has developed several stepping stone detection systems and compared most network based passive stepping stone detection systems. However, there is room for further improvement. Below we outline some issues that have arisen from this thesis and future directions for this work. The list is intended to be neither detailed nor comprehensive; it merely suggests some possible ideas for developing the work explored in this thesis further.


• Improve some aspects of the experiments. The experiments on chaff and jitter were based on simulation. In future work we would like to use real-life SSH data with chaff and jitter generated by the SNEAK tool [46], or by directly modifying the SSH client and server software. Secondly, the scale of the data in our experiments was not large enough, so we would like to collect more private or public data to conduct a larger-scale experiment in the future.

• Improve some aspects of the algorithms. When the jitter is very large, the EBA RTT getting algorithm does not work well. In this scenario, we would like to treat an RTT with large fluctuation as an anomaly and notify the stepping stone detection system. Secondly, while we presented some improvements for other approaches, in future work we would like to implement and evaluate them.

• Detect non-interactive connections. In this thesis, our research focuses on interactive connections. Although attackers normally launch attacks via interactive connections, one-way communication is still possible. In future work, we will consider applying the probability bounds to one-way communication.

• Develop a stepping stone detection device. In this thesis, all of our proposed algorithms can run in real time, but in our experiments we ran them off-line. In future work, we will consider developing a real stepping stone detection device that can run on the Internet.

• Identify legitimate stepping stone connections. In this thesis, our aim is to detect connections that belong to the same connection chain. Some of them may not be attack traffic, as normal users may also construct connection chains. However, the traffic pattern of normal users usually differs from that of attackers. In future work, we will consider a system that distinguishes legitimate connection chains from stepping stone attack connections.


Bibliography

[1] S. Staniford-Chen and L. T. Heberlein: "Holding Intruders Accountable on the Internet", Proc. 1995 IEEE Symposium on Security and Privacy, 1995, pp. 39-49.
[2] Y. Zhang and V. Paxson: "Detecting Stepping-Stones", Proc. 9th USENIX Security Symposium, 2000, pp. 67-81.
[3] K. Yoda and H. Etoh: "Finding a Connection Chain for Tracing Intruders", Proc. 6th European Symposium on Research in Computer Security (ESORICS 2000, LNCS 1985), 2000, pp. 31-42.
[4] X. Wang, D. S. Reeves and S. F. Wu: "Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones", Proc. 7th European Symposium on Research in Computer Security (ESORICS 2002), 2002, pp. 244-263.
[5] D. L. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit and S. Staniford: "Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay", Proc. 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), 2002, pp. 49-64.
[6] X. Wang and D. S. Reeves: "Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Manipulation of Interpacket Delays", Proc. 10th ACM Conference on Computer and Communications Security (CCS 2003), 2003, pp. 20-29.
[7] W. T. Strayer, C. E. Jones, I. Castineyra, J. B. Levin and R. R. Hain: "An Integrated Architecture for Attack Attribution", BBN Technologies, Tech. Rep. BBN REPORT-8384, 2003.
[8] A. Blum, D. Song and S. Venkataraman: "Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds", Proc. 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), 2004.
[9] L. Zhang, A. G. Persaud, A. Johnson and Y. Guan: "Stepping-Stone Attack Attribution in Non-Cooperative IP Networks", Proc. 25th IEEE International Performance, Computing, and Communications Conference (IPCCC 2006), 2006.
[10] T. He and L. Tong: "A Signal Processing Perspective to Stepping-Stone Detection", Proc. 2006 Conference on Information Sciences and Systems (CISS), Princeton, NJ, March 2006.
[11] P. Peng, P. Ning and D. S. Reeves: "On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques", Proc. 2006 IEEE Symposium on Security and Privacy (S&P), May 2006, pp. 334-349.
[12] K. H. Yung: "Detecting Long Connection Chains of Interactive Terminal Sessions", RAID 2002, LNCS 2516, 2002, pp. 1-16.
[13] J. Yang and S. Huang: "A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions", Proc. InfoSecu04, Shanghai, China, 2004, pp. 198-203.
[14] J. Yang and S.-H. Huang: "Matching TCP Packets and Its Application to the Detection of Long Connection Chains on the Internet", Proc. 19th International Conference on Advanced Information Networking and Applications (AINA 2005), March 2005, pp. 1005-1010.
[15] A. Almulhem and I. Traore: "A Survey of Connection-Chains Detection Techniques", 2007 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 2007.
[16] J. Yang and S.-H. S. Huang: "Matching TCP/IP Packets to Detect Stepping-Stone Intrusion", International Journal of Computer Science and Network Security (IJCSNS), vol. 6, no. 10, October 2006, pp. 269-276.
[17] P. Peng, P. Ning, D. S. Reeves and X. Wang: "Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets", Proc. 2nd International Workshop on Security in Distributed Computing Systems (SDCS), June 2005, pp. 107-113.
[18] X. Wang, D. S. Reeves, S. F. Wu and J. Yuill: "Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework", Proc. 16th International Conference on Information Security (IFIP/Sec), June 2001, pp. 369-384.
[19] X. Wang, D. S. Reeves, P. Ning and F. Feng: "Robust Network-Based Attack Attribution through Probabilistic Watermarking of Packet Flows", Technical Report TR-2005-10, Department of Computer Science, NC State University, 2005.
[20] T. He and L. Tong: "Detecting Encrypted Stepping-Stone Connections", Tech. Rep. ACSP-TR-01-06-02, Cornell University, January 2006.
[21] T. He and L. Tong: "Detecting Encrypted Interactive Stepping-Stone Connections", Proc. 2006 IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP), Toulouse, France, May 2006.
[22] L. Zhang, A. G. Persaud, A. Johnson and Y. Guan: "Detection of Stepping-Stone Attack under Delay and Chaff Perturbations", 25th IEEE International Performance, Computing, and Communications Conference (IPCCC 2006), Phoenix, AZ, 2006.
[23] T. He, P. Venkitasubramaniam and L. Tong: "Packet Scheduling Against Stepping-Stone Attacks with Chaff", Proc. IEEE MILCOM, October 2006.
[24] T. He and L. Tong: "Detecting Information Flows: Improving Chaff Tolerance by Joint Detection", Proc. CISS 2007, 2007, pp. 51-56.
[25] Y. J. Pyun and D. S. Reeves: "Strategic Deployment of Network Monitors for Attack Attribution", Proc. 4th International Conference on Broadband Communications, Networks, and Systems (IEEE Broadnets 2007), September 2007.
[26] J. Yang, S.-H. S. Huang and M. D. Wan: "A Clustering-Partitioning Algorithm to Find TCP Packet Round-Trip Time for Intrusion Detection", Proc. 20th International Conference on Advanced Information Networking and Applications (AINA 2006), vol. 1, April 2006.
[27] M. N. Omar, M. A. Maarof and A. Zainal: "Solving Time Gap Problems through the Optimization of Detecting Stepping-Stone Algorithm", Proc. 4th International Conference on Computer and Information Technology (CIT 2004), September 2004, pp. 391-396.
[28] J. Yang and S.-H. S. Huang: "Correlating Temporal Thumbprints for Tracing Intruders", Proc. 3rd International Conference on Computing, Communications and Control Technologies (CCCT 2005), Austin, TX, July 2005.
[29] W. T. Strayer, C. Jones, B. Schwartz, S. Edwards, W. Milliken and A. Jackson: "Efficient Multi-Dimensional Flow Correlation", Proc. 32nd IEEE Conference on Local Computer Networks (LCN 2007), October 2007, pp. 531-538.
[30] W. T. Strayer, C. E. Jones, B. I. Schwartz, J. Mikkelson and C. Livadas: "Architecture for Multi-Stage Network Attack Traceback", Proc. IEEE Conference on Local Computer Networks 30th Anniversary (LCN 2005), November 2005, pp. 776-785.
[31] M. N. Omar, M. A. Maarof and A. Zainal: "The Optimization of Stepping-Stone Detection: Packet Capture Steps", Jurnal Teknologi, vol. 44(D), June 2006, pp. 114.
[32] Y. Tang, Y. Liverpool and T. E. Daniels: "Monitor Placement for Stepping-Stone Analysis", 25th IEEE International Performance, Computing, and Communications Conference (IPCCC 2006), April 2006, pp. 509-512.
[33] S.-H. S. Huang, R. Lychev and J. Yang: "Stepping-Stone Detection via Request-Response Traffic Analysis", Proc. ATC 2007, 2007, pp. 276-285.
[34] Y. J. Pyun, Y. H. Park, X. Wang, D. S. Reeves and P. Ning: "Tracing Traffic Through Intermediate Hosts that Repacketize Flows", Proc. 26th Annual IEEE Conference on Computer Communications (INFOCOM 2007), May 2007.
[35] B. Coskun and N. Memon: "Efficient Detection of Delay-Constrained Relay Nodes", Proc. 23rd Annual Computer Security Applications Conference (ACSAC 2007), December 2007, pp. 353-362.
[36] A. Chantler and R. Broadhurst: "Social Engineering and Crime Prevention in Cyberspace", Technical Report, Justice, Queensland University of Technology, 2006.
[37] E. Messmer: "Cyber Espionage: A Growing Threat to Business", PC World, January 21, 2008.
[38] B. Coskun and N. Memon: "Online Sketching of Network Flows for Real-Time Stepping-Stone Detection", Proc. Annual Computer Security Applications Conference (ACSAC 2009), 2009, pp. 473-483.
[39] P. Li, W. Zhou and Y. Wang: "Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection", Proc. 4th International Conference on Network and System Security (NSS 2010), Melbourne, Australia, 2010.
[40] G. Gu, J. Zhang and W. Lee: "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic", Proc. 15th Annual Network and Distributed System Security Symposium (NDSS 2008), 2008.
[41] G. Gu, R. Perdisci, J. Zhang and W. Lee: "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", Proc. USENIX Security Symposium, 2008.
[42] S. Kent and R. Atkinson: "RFC 2401: Security Architecture for the Internet Protocol", IETF, September 1998 (draft-ietf-ipsec-arch-sec).
[43] T. Ylonen: "SSH Protocol Architecture", IETF Internet Draft draft-ietf-secsh-architecture-22, March 2005.
[44] M. N. Omar, L. Siregar and R. Budiarto: "Dropped Packet Problems in Stepping-Stone Detection", IJCSNS International Journal of Computer Science and Network Security, vol. 8, no. 2, February 2008.
[45] M. Venkateshaiah and M. Wright: "Evading Stepping-Stone Detection Under the Cloak of Streaming Media", Tech. Report, Department of Computer Science and Engineering, University of Texas at Arlington, Arlington, TX 76019, 2007.
[46] J. D. Padhye and M. Wright: "Stepping-Stone Network Attack Kit (SNEAK) for Evading Timing-Based Detection Methods Under the Cloak of Constant Rate Multimedia Streams", Computer Science & Engineering, 17 September 2008.
[47] M. Venkateshaiah and M. Wright: "Evading Existing Stepping-Stone Detection Methods Using Buffering", Computer Science & Engineering, 23 August 2007.
[48] J. Yang and S.-H. S. Huang: "Improved Thumbprint and Its Application for Intrusion Detection", Proc. 3rd International Conference on Computer Network and Mobile Computing (ICCNMC 2005), Zhangjiajie, China, August 2005, pp. 433-442.
[49] A. Kampasi, Y. Zhang, G. Di Crescenzo, A. Ghosh and R. Talpade: "Improving Stepping-Stone Detection Algorithms using Anomaly Detection Techniques", Technical Report TR-07-28, Department of Computer Sciences, The University of Texas at Austin, May 2007.
[50] S. C. Lee and C. Shields: "Tracing the Source of Network Attack: A Technical, Legal, and Societal Problem", Proc. 2001 IEEE Workshop on Information Assurance and Security, West Point, NY, June 2001.
[51] J. Yang and S. Huang: "Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection", Computers & Security, vol. 26, 2007, pp. 137-144.
[52] WAND WITS Auckland trace set, http://www.wand.net.nz/wits/auck/9/
[53] C. Chen, M. Mangrulkar, N. Ramos and M. Sarkar: "Trends in TCP/IP Retransmissions and Resets", Technical Report, http://cseweb.ucsd.edu/classes/wi01/cse222/projects/reports/tcp-flags-13.pdf
[54] H.-C. Wu and S.-H. S. Huang: "Detecting Stepping-Stone with Chaff Perturbations", Proc. 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW 2007), 2007, pp. 85-90.
[55] D. Knuth: The Art of Computer Programming, 3rd ed., vol. 1, 1997, p. 98.
[56] D. L. Mills: "Internet Delay Experiments", RFC 889, IETF, 1983, http://www.ietf.org/rfc/rfc889.txt
[57] Department of the Air Force and Air Force Materiel Command: "Network Attack Traceback", April 2005.
[58] H.-C. Wu and S.-H. S. Huang: "Performance of Neural Networks in Stepping-Stone Intrusion Detection", Proc. IEEE International Conference on Networking, Sensing and Control (ICNSC 2008), April 2008, pp. 608-613.
[59] X. Wang: "The Loop Fallacy and Serialization in Tracing Intrusion Connections through Stepping-Stones", Proc. ACM Symposium on Applied Computing (SAC 2004), 2004, pp. 404-411.
[60] X. Wang: "The Loop Fallacy and Deterministic Serialization in Tracing Intrusion Connections Through Stepping-Stones", International Journal of Security and Networks, vol. 1, no. 3/4, 2006.
[61] J. Postel: "RFC 793: Transmission Control Protocol", September 1981, http://www.faqs.org/rfcs/rfc793.html
[62] J. Postel: "RFC 768: User Datagram Protocol", August 1980, http://www.faqs.org/rfcs/rfc768.html
[63] J. Postel: "RFC 792: Internet Control Message Protocol", September 1981, http://www.faqs.org/rfcs/rfc792.html
[64] Z. Trabelsi, W. El-Hajj and S. Hamdy: "Implementation of an ICMP-based Covert Channel for File and Message Transfer", Proc. 15th IEEE International Conference on Electronics, Circuits and Systems (ICECS 2008), August-September 2008, pp. 894-897.
[65] J. Postel and J. Reynolds: "RFC 854: Telnet Protocol Specification", May 1983, http://www.faqs.org/rfcs/rfc854.html
[66] T. Ylonen and C. Lonvick: "RFC 4251: The Secure Shell (SSH) Protocol Architecture", January 2006, http://www.ietf.org/rfc/rfc4251.txt
[67] J. Oikarinen and D. Reed: "RFC 1459: Internet Relay Chat Protocol", May 1993, http://www.ietf.org/rfc/rfc1459.txt
[68] J. Yang and S. Huang: "Mining TCP/IP Packets to Detect Stepping-Stone Intrusion", Computers & Security, vol. 26, 2007, pp. 479-484.
[69] Q. Li and D. L. Mills: "On the Long-Range Dependence of Packet Round-Trip Delays in Internet", Proc. IEEE International Conference on Communications (ICC 1998), Atlanta, USA, vol. 1, 1998, pp. 1185-1192.
[70] T. Elteto and S. Molnar: "On the Distribution of Round-Trip Delays in TCP/IP Networks", Proc. 24th Annual IEEE Conference on Local Computer Networks (LCN 1999), 1999, p. 172.
[71] J. Yang and S. Huang: "Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection", Computers & Security, vol. 26, 2007, pp. 137-144.
[72] Y. Zhang, J. Yang and C. Ye: "Modeling and Detecting Stepping-Stone Intrusion", IJCSNS International Journal of Computer Science and Network Security, vol. 9, no. 7, July 2009.
[73] W. Feller: An Introduction to Probability Theory and Its Applications, vol. 1, John Wiley and Sons, 1968.
[74] V. Paxson and S. Floyd: "Wide-Area Traffic: The Failure of Poisson Modeling", IEEE/ACM Transactions on Networking, vol. 3, 1995, pp. 226-244.
[75] OpenSSH, http://www.openssh.com
[76] Cygwin, http://www.cygwin.com/
[77] Wireshark, http://www.wireshark.org/
[78] PuTTY, http://www.chiark.greenend.org.uk/~sgtatham/putty/
[79] KpyM, http://www.kpym.com/2/kpym/index.htm
[80] Jackson network, http://en.wikipedia.org/wiki/Jackson_network
[81] Little's law, http://en.wikipedia.org/wiki/Little's_law
[82] Poisson distribution, http://en.wikipedia.org/wiki/Poisson_distribution
[83] Expected value, http://en.wikipedia.org/wiki/Expected_value
[84] Probability theory, http://en.wikipedia.org/wiki/Probability_theory
[85] Normal distribution, http://en.wikipedia.org/wiki/Normal_distribution
[86] Exponential distribution, http://en.wikipedia.org/wiki/Exponential_distribution
[87] Jensen's inequality, http://en.wikipedia.org/wiki/Jensen's_inequality
[88] Chebyshev's inequality, http://en.wikipedia.org/wiki/Chebyshev's_inequality
[89] DDoS, http://en.wikipedia.org/wiki/Denial-of-service_attack
[90] Queueing theory, http://en.wikipedia.org/wiki/Queueing_theory
[91] M. N. Omar and R. Budiarto: "Hybriding Intelligent Host-Based and Network-Based Stepping Stone Detections", Machine Learning and Systems Engineering, Lecture Notes in Electrical Engineering, vol. 68, 2010, pp. 83-95.
[92] J. Xin, L. Zhang, B. Aswegan, J. Dickerson, T. Daniels and Y. Guan: "A Testbed for Evaluation and Analysis of Stepping Stone Attack Attribution Techniques", Proc. 2nd International Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities (TRIDENTCOM 2006), 2006.
[93] J. Aikat, J. Kaur, F. D. Smith and K. Jeffay: "Variability in TCP Round-Trip Times", Proc. ACM SIGCOMM Internet Measurement Conference (IMC 2003), 2003, pp. 279-284.
[94] P. Karn and C. Partridge: "Improving Round-Trip Time Estimates in Reliable Transport Protocols", Proc. ACM Workshop on Frontiers in Computer Communications Technology, Stowe, Vermont, August 1987, pp. 2-7.
[95] F. Leu: "Intrusion Detection, Forecast and Traceback Against DDoS Attacks", 2009, http://jitas.im.cpu.edu.tw/2009/2.pdf
[96] W. Zhou: "Keynote III: Detection and Traceback of DDoS Attacks", 8th IEEE International Conference on Computer and Information Technology (CIT 2008), 2008.
[97] H. Jung, H. Kim, Y. Seo, G. Choe, S. Min, C. Kim and K. Koh: "Caller Identification System in the Internet Environment", Proc. 4th USENIX Security Symposium, vol. 246, 1993.
[98] S. Snapp, J. Brentano, G. Dias, T. Goan, L. Heberlein, C. Ho, K. Levitt, B. Mukherjee, S. Smaha, T. Grance et al.: "DIDS (Distributed Intrusion Detection System): Motivation, Architecture, and an Early Prototype", Proc. 14th National Computer Security Conference, 1991, pp. 167-176.
[99] T. Yan and M. Veeraraghavan: "Networks of Queues", 2004, http://www.ece.virginia.edu/mv/edu/715/lectures/QNet.pdf
[100] R. Shullich, J. Chu, P. Ji and W. Chen: "A Survey of Research in Stepping-Stone Detection", Proc. International Conference on Internet Studies (NETs2010), Taiwan, 2010.
