Source: Association for Computing Machinery (ACM) Annual Symposium on Applied Computing (SAC 2004), vol. 1; March 14-17, 2004; Nicosia (CY)

The Loop Fallacy and Serialization in Tracing Intrusion Connections through Stepping Stones


Abstract

Network-based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate "stepping stones" to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to trace through the stepping stones and construct the correct intrusion connection chain. A complete solution to the problem of tracing stepping stones consists of two complementary parts. First, the set of correlated connections that belongs to the same intrusion connection chain has to be identified; second, those correlated connections need to be serialized in order to construct the accurate and complete intrusion connection chain. Existing approaches to the tracing problem of intrusion connections through stepping stones have focused on identifying the set of correlated connections that belong to the same connection chain and have overlooked the serialization of those correlated connections. In this paper, we use a set-theoretic approach to analyze the theoretical limits of the correlation-only approach and demonstrate the gap between the perfect correlation-only approach and the perfect solution to the tracing problem of stepping stones. In particular, we identify the serialization problem and the loop fallacy in tracing connections through stepping stones. We formally demonstrate that even with a perfect correlation solution, which gives us all and only those connections that belong to the same connection chain, it is still not adequate to serialize the correlated connections in order to construct the complete intrusion path deterministically. We further show that correlated connections, even with loops, could be serialized deterministically without a synchronized clock. We present an efficient intrusion path construction method based on adjacent correlated connection pairs.