Journal: Computers & Security

Mining TCP/IP packets to detect stepping-stone intrusion


Abstract

An effective approach to detecting stepping-stone intrusion is to estimate the number of hosts compromised by estimating the length of a connection chain. This can be done by studying the changes in TCP packet round-trip time. In this paper, we propose a new algorithm that uses a data mining method to find the round-trip time from the timestamps of TCP send and echo packets. Previous algorithms produce either good packet matches on very few packets, or poor matches on many packets. This method gives us better round-trip times and more matched packets than other algorithms proposed in the past. It can estimate the length of a connection more accurately than other methods and has largely decreased false positive and false negative errors in detecting stepping-stone intrusion compared with existing methods.
