A Hybrid Stepping-Stone Detection Algorithm to Counter Packet Jittering Evasion

Cited by: 0
Authors
Huang, Shou-Hsuan Stephen [1]
Ding, Wei [1]
Affiliations
[1] Univ Houston, Dept Comp Sci, Houston, TX 77204 USA
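Source
Keywords
network security; intrusion detection; stepping-stone; intrusion evasion; packet jittering
DOI
Not available
Chinese Library Classification (CLC) number
TP [Automation Technology, Computer Technology]
Discipline classification code
0812
Abstract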
Hackers often use a chain of intermediate stepping-stone hosts to hide their identity before launching an attack against a particular target. This type of stepping-stone attack can be detected by applying timing-based correlation algorithms to the connections in and out of a stepping-stone host. However, hackers can add chaff packets or jitter the original packets to decrease the detection rate of these correlation-based algorithms. This paper proposes a novel method to detect intrusions under the influence of packet jittering. We first show how the distribution of the inter-arrival time gaps of a jittered connection differs from that of connections without jittering. An algorithm was designed to detect a jittered stream of packets based on the above model. The impact of the jittering probability model on the detection rate and the impact of distribution parameters on the detection rate are presented. A hybrid method for stepping-stone detection is proposed which combines a correlation algorithm and our jittering detection algorithm to achieve a better result. This hybrid algorithm gives a much more robust solution to the stepping-stone detection problem.
Pages: 83-92
Page count: 10