We propose a “Step-Function” method to detect network attackers who use a long connection chain to hide their identities when they launch attacks. The objective of the method is to estimate the length of a connection chain based on the changes in packet round-trip times. The key to computing the round-trip time of a connection chain is to match each Send packet with its corresponding Echo packet. We propose a conservative and a greedy matching algorithm to match TCP/IP packets in real time. The first algorithm matches fewer packets, but the quality of the matching is high. The second matches more packets, with some uncertainty about the correctness. The two algorithms give almost identical results in determining the length of a long connection chain.