Deakin University

File(s) under permanent embargo

Detecting stepping stones by abnormal causality probability

Version 2 2024-06-06, 02:59
Version 1 2015-09-01, 15:08
journal contribution
posted on 2015-07-01, 00:00 authored by Sheng Wen, Di Wu, Ping Li, Yang Xiang, Wanlei Zhou, G Wei
Locating the real source of Internet attacks has long been an important but difficult problem. In the real world, attackers can easily hide their identities and evade punishment by relaying their attacks through a series of compromised systems or devices called stepping stones. Currently, researchers mainly use similar features from the network traffic, such as packet timestamps and frequencies, to detect stepping stones. However, these features can be easily destroyed by attackers using evasive techniques. In addition, it is also difficult to implement an appropriate threshold of similarity that can help justify the stepping stones. To counter these problems, in this paper we introduce the consistent causality probability to detect stepping stones. We formulate the ranges of abnormal causality probabilities according to the different network conditions, and on that basis we further implement self-adaptive methods to capture stepping stones. To evaluate our proposed detection methods, we adopt theoretic analysis and empirical studies, which demonstrate the accuracy of the abnormal causality probability. Moreover, we compare our proposed methods with previous works. The results show that the methods in this paper significantly outperform previous works in the accuracy of detecting malicious stepping stones, even when evasive techniques are adopted by attackers.

History

Journal

Security and communication networks

Volume

8

Issue

10

Pagination

1831 - 1844

Publisher

Wiley

Location

London, Eng.

ISSN

1939-0114

eISSN

1939-0122

Language

eng

Publication classification

C Journal article; C1 Refereed article in a scholarly journal

Copyright notice

2015, Wiley