Monitoring Network Traffic to Detect Stepping-Stone Intrusion




Jianhua Yang, Byong Lee, Stephen S. H. Huang
Department of Math and Computer Science, Bennett College. E-mail: {jhyang, blee}@bennett.edu
Department of Computer Science, University of Houston. E-mail: shuang@cs.uh.edu

This work is supported by NSF BPC-Alliance grant, contract number #CNS-0540577.

Abstract

Most network intruders tend to use stepping-stones to attack or to invade other hosts to reduce the risk of being discovered. Many approaches have been proposed to detect stepping-stones since 1995. One of those approaches, proposed by A. Blum, detects stepping-stones by checking whether the difference between the number of Send packets of an incoming connection and that of an outgoing connection is bounded. One weakness of this method is in resisting intruders' evasion, such as chaff perturbation. In this paper, we propose a method based on random walk theory to detect stepping-stone intrusion. Our theoretical analysis shows that the proposed method is more effective than Blum's approach in terms of resisting intruders' chaff perturbation.

1. Introduction

Most intruders tend to invade a computer host by launching their attacks through a chain of compromised computers, which are called stepping-stones [1]. The attackers are called stepping-stone intruders. One obvious reason why intruders use stepping-stones is that it makes them hard to be caught. Detecting a stepping-stone intrusion is difficult because of the nature of the TCP/IP protocol, in which a computer in a TCP/IP session is visible only to its immediate downstream and upstream neighbors, but not to anyone else. That is, if an intruder uses a chain of more than one computer to invade, only the computer having a direct TCP/IP connection to the victim host is visible, and the intruder's identity is hidden.

There are many approaches developed to detect stepping-stone intrusion. They are divided into two categories: passive and active approaches. The passive approaches use the information gathered from hosts and networks to detect a stepping-stone intrusion. One advantage of the passive approach is that it does not interfere with the sessions. Its disadvantage is that it takes more computation than the active approach does, because it finds a stepping-stone pair by checking all the incoming and outgoing connections of a host. Most approaches proposed to detect stepping-stone intrusion, such as the content-based thumbprint [2], the time-based approach [1], the deviation-based approach [3], the round-trip time approach [4, 5], and the packet number difference-based approach [6, 7], are classified in the passive category.

Staniford-Chen and Heberlein proposed the content-based thumbprint method, which identifies intruders by comparing different sessions for suggestive similarities of connection chains [2]. The fatal problem of this method is that it cannot be applied to encrypted sessions, because their real contents are not available and therefore no thumbprint can be made. Zhang and Paxson [1] proposed the time-based approach, which can be used to detect stepping-stones or to trace intrusion even if a session is encrypted. However, there are three major problems in the time-based approach. First, it can be easily manipulated by intruders. Second, the method requires that the packets of connections have precise and synchronized timestamps in order to correlate them properly. This makes it difficult or impractical to correlate measurements that were taken at different points in the network. Third, Zhang and Paxson were also aware of the fact that a large number of legitimate stepping-stone users routinely traverse a network for a variety of reasons. Yoda and Etoh [3] proposed the deviation-based approach, which is a network-based correlation scheme. This method is based on the observation that the deviation for two unrelated connections is large enough to be distinguished from the deviation of connections within the same connection chain. In addition to the problems the time-based approach has, this method has other problems, such as being inefficient and not applicable to compressed sessions or to added payload. Yung [5] proposed the round-trip time (RTT) approach, which detects stepping-stone intrusion by estimating the downstream length using the gap between a request and its response, and the gap between the request and its acknowledgement. The problem of the RTT approach is that it makes inaccurate detections because it cannot compute the two gaps accurately.

Blum [7] proposed the packet number difference-based (PND-based) approach, which detects stepping-stones by checking the difference of Send packet numbers between two connections. This method is based on the idea that if the two connections are relayed, the difference should be bounded; otherwise, it should not. This method can resist intruders' evasions such as time jittering and chaff perturbation. D. Donoho et al. [6] showed for the first time that there are theoretical limits on the ability of attackers to disguise their traffic using evasions during a long interactive session. The major problem with the PND-based approach is due to the fact that the upper bound on the number of packets required to be monitored is large, while the lower bound on the amount of chaff an attacker needs to evade detection is small. This fact makes Blum's method very weak in resisting intruders' chaff evasion.

In this paper, we propose a novel approach that exploits the optimal numbers of TCP requests and responses to detect stepping-stones. A random walk process can model the difference between the number of requests and the number of responses. A theoretical analysis in this paper shows that the performance of our approach is better than Blum's approach in terms of the number of packets to be monitored under the same confidence, with the assumption that the session is manipulated by time jittering or chaff perturbation. The rest of this paper is arranged as follows. In Section 2, we present the problem statement. Section 3 presents the stepping-stone detection algorithm. In Section 4, we analyze the performance of this algorithm, and in Section 5, we present the result of comparisons with the PND-based approach. Finally, in Section 6, we summarize the work and discuss future work.

2. Problem Statement

The basic idea of detecting a host or a network of computers used as a stepping-stone is to compare an incoming connection with one of the outgoing connections. If they are relayed, we call them a stepping-stone pair; otherwise, a normal pair. As Figure 1 shows, host h has one incoming connection C1 and one outgoing connection C2, while each connection has one request stream (S) and one response stream (E).

Figure 1. Illustration of connections and streams of a host (incoming connection C1 and outgoing connection C2, each with a Send stream S and an Echo stream E).

If we make the three assumptions below, then in a period of time, the number of packets monitored in each connection should be close to equal for any two connections that are relayed:
(1) Each packet that appears in one connection must appear in its relayed one;
(2) An intruder could hold any packet at any place, but the holding time has an upper bound;
(3) An intruder could insert meaningless packets into an interactive session at any time, but the inserting rate is bounded.

Assumption 1 means that there are no packet drops, combinations, or decompositions. It guarantees that the number of packets in an incoming connection must be greater than or equal to the number of packets in the relayed outgoing connection. If two connections are relayed, we can at least find a relationship between the number of requests of the outgoing connection and the number of responses of the incoming connection. The problem of detecting stepping-stones thus becomes the problem of finding a correlation between the number of requests and the number of responses. Assumption 2 comes from the fact that each user has a time tolerance when using an interactive session, and assumption 3 indicates that the rate at which a user can insert packets into an interactive session is bounded.

From the above three assumptions, we know that if two connections are relayed, there should be a suggestive relationship between the number of requests and responses. We can use the existence of this relationship to determine whether two connections are in the same chain. We claim that it is possible to detect a stepping-stone by comparing the number of Sends in an outgoing connection with the number of Echoes in an upstream connection. In other words, it is possible to detect stepping-stone intrusion by monitoring network traffic.

3. Stepping-Stone Detection Algorithm

3.1 Basic Idea to Detect Stepping-Stone

We monitor an interactive TCP session that is established using OpenSSH for a period of time, capture all the Send and Echo packets, and put them in two sequences, S with n packets and E with m packets, respectively. In an interactive session, the user inputs a command by typing a sequence of letters, and then executes the command at the server side. The execution result returns to the client side in the form of packets. In general, when a user types one letter (keystroke), it is echoed by a response packet. We call them a single-letter Send and Echo, respectively. If we filter out the non-single-letter packets and keep only the single-letter Sends and Echoes, then the number of Sends in an outgoing connection should be close to the number of Echoes in an incoming connection if the two connections are relayed.

We use the number of requests (Sends) of the outgoing connection, the number of responses (Echoes) of the incoming connection, and the difference between the two numbers (Echoes minus Sends). For relayed connections, the difference should vary, but stay close to zero. Ideally, it should be zero. However, there are two reasons why it may not be exactly zero. First, multiple Sends or Echoes may be combined into one packet during propagation, and, due to the nature of the TCP/IP protocol, we may not be able to identify all single-letter packets. Second, we cannot completely remove the packets of command execution results by checking packet size. However, if the two connections are relayed, then the difference should be close to zero with high probability.

If two relayed connections are manipulated, the difference should be bounded within a range [-Ω_l, Ω_u] based on assumptions 2 and 3. For time jittering evasion, we assume that if a packet is held, the packet holding time cannot be larger than Η and the number of packets that can be held in each connection cannot be larger than Ω_Η. For chaff perturbation, we assume that the number of packets that can be introduced in a unit of time for each connection cannot be larger than r. Assuming that we collect the packets over a fixed number of time units, the difference should be bounded within a range [-Ω, Ω] for two relayed connections, where Ω = (number of time units) * r. Now, the problem of detecting a stepping-stone pair is reduced to the task of judging whether the difference of the number of single-letter packets between two connections is bounded, i.e. for a stepping-stone pair, the following relationship should hold:

    -Ω ≤ (number of Echoes) - (number of Sends) ≤ Ω    (1)

3.2 Stepping-Stone Detection Algorithm

To reduce the false alarms and misdetections in detecting a stepping-stone pair, we check condition (1) every time a packet is received. If we monitor a total of N packets, condition (1) is checked N times. We propose the following algorithm to detect stepping-stones. We call this algorithm Detecting Stepping-stone Evasion.

    DetectSteppingStoneEvasion(S, E, Ω, N)
        n_e = 0; n_s = 0
        for j = 1 to N
            if packet j ∈ S then n_s = n_s + 1
            if packet j ∈ E then n_e = n_e + 1
            d = n_e - n_s
            if d < -Ω or d > Ω then return Normal
        endfor
        return Stepping Stone

In this algorithm, we capture and check up to N packets on two connections to see whether formula (1) is satisfied. If there is one time that formula (1) is not satisfied, we conclude that there is no stepping-stone pair. The conclusion about the existence of a stepping-stone should be made only after all the connections are checked. If (1) is satisfied within N times of checking, we conclude that there is a stepping-stone with a very high probability. It is not necessary to check whether formula (1) holds for all the connections. The larger the number of checks N is, the higher the confidence of the algorithm. For a given confidence, which is also expressed as a false positive probability, what would be the optimal number of packets to be monitored on the two connections?

4. Performance Analysis

We assume that a collected packet is a Send with probability p, and an Echo with probability q. The difference between the number of Sends of one stream and the number of Echoes of another stream can be modeled as a random walk process with independent jumps Z_1, Z_2, ..., Z_i, ..., where i is a positive integer. If a captured packet is a Send, the difference makes a jump Z_i = -1; otherwise, a jump Z_i = 1; there is no other choice. We have the following equations:

    Prob(Z_i = -1) = p,  Prob(Z_i = 1) = q,  p + q = 1    (2)

Table 1. Notations used in the analysis of random walks
    C_N : false negative probability
    C_P : false positive probability
    a given false negative probability
    a given false positive probability

We evaluate the performance of the algorithm by computing the smallest N for a given false positive detection probability or false negative detection probability.
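The following Python is an added illustration, not code from the paper: it implements the bounded-difference check of Section 3.2 over a merged Send/Echo stream, and computes the false positive probability of Section 4 (the chance that an unrelated pair keeps the difference inside [-Ω, Ω] for N packets) exactly by dynamic programming over the absorbed random walk, rather than by the paper's closed form. The packet streams and the function names are constructed for this example.

```python
from typing import Dict, Iterable


def dse_detect(packets: Iterable[str], omega: int) -> str:
    """Bounded-difference check over a merged stream of single-letter packets.

    packets: 'S' for a Send on the outgoing connection, 'E' for an Echo on
             the incoming connection, in capture order (constructed tags).
    omega:   detection boundary; condition (1) is -omega <= echoes - sends <= omega.
    Returns 'Normal' as soon as the bound is violated, otherwise 'Stepping Stone'
    once every packet has been checked.
    """
    n_send = n_echo = 0
    for tag in packets:
        if tag == "S":
            n_send += 1
        elif tag == "E":
            n_echo += 1
        else:
            raise ValueError(f"unexpected packet tag {tag!r}")
        delta = n_echo - n_send
        if delta < -omega or delta > omega:
            return "Normal"
    return "Stepping Stone"


def _walk_step(dist: Dict[int, float], omega: int, p_send: float) -> Dict[int, float]:
    """Advance the absorbed random walk by one packet.

    A Send moves the difference by -1 with probability p_send, an Echo by +1
    with probability 1 - p_send. Probability mass that leaves [-omega, omega]
    is dropped: that is exactly the case where dse_detect returned 'Normal'.
    """
    nxt: Dict[int, float] = {}
    for pos, mass in dist.items():
        for step, prob in ((-1, p_send), (1, 1.0 - p_send)):
            new_pos = pos + step
            if -omega <= new_pos <= omega:
                nxt[new_pos] = nxt.get(new_pos, 0.0) + mass * prob
    return nxt


def false_positive_probability(omega: int, n: int, p_send: float = 0.5) -> float:
    """P(the difference stays within [-omega, omega] for all n packets).

    For two unrelated connections this is the probability that dse_detect
    still reports 'Stepping Stone' after n packets, i.e. C_P for that n.
    Exact forward dynamic programming over the 2*omega + 1 surviving positions.
    """
    dist = {0: 1.0}
    for _ in range(n):
        dist = _walk_step(dist, omega, p_send)
    return sum(dist.values())


def min_packets_for_false_positive(omega: int, alpha: float,
                                   p_send: float = 0.5, limit: int = 1_000_000) -> int:
    """Smallest n whose false positive probability is at most alpha."""
    dist = {0: 1.0}
    for n in range(1, limit + 1):
        dist = _walk_step(dist, omega, p_send)
        if sum(dist.values()) <= alpha:
            return n
    raise RuntimeError("bound not reached within limit")


if __name__ == "__main__":
    # Constructed streams (not captures): a relayed pair echoes each keystroke
    # promptly; an unrelated pair carries Sends with no matching Echoes.
    relayed = list("SESESEESSESE")
    unrelated = list("SSSSSSEESSSS")
    print(dse_detect(relayed, 2), dse_detect(unrelated, 2))
    for omega in (2, 8, 20):
        print(omega, min_packets_for_false_positive(omega, alpha=0.1))
```

With p_send = 0.5 the required N grows with Ω because the walk leaves a wider band more slowly; a chaffed stream (p_send away from 0.5) drifts out faster, which is the effect Section 5.2 analyzes.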

Also, for a given N, we compute the false positive probability and the false negative probability to evaluate the algorithm. A false negative probability indicates the possibility that condition (1) does not hold even if the two connections are in the same chain. A false positive probability indicates the possibility that condition (1) holds when the two connections are not in the same chain. For convenience, we use the notations in Table 1 in the rest of this paper.

4.1 False Negative Probability

The false negative probability C_N of the algorithm is actually the sum of the probabilities that the random walk process hits the lower bound -Ω or the upper bound Ω. Based on the results on random walk processes from [8], we have:

    Ω ( ( Ω C f 0Ω + f0 ( ( Ω + s s s (( Ω + ( Ω    (3)
    where s + ( cos ( cos Ω Ω .

One special case, when p = q, gives:

    ( ( C f0Ω + f Ω cos 0 s Ω    (4)
    where s. ( cos cos Ω Ω

From condition (4), we get the least packet number N needed for a given false negative probability when p = q:

    log + / log(cos Ω    (5)

4.2 False Positive Probability

The false positive probability C_P of the algorithm is the probability that the difference walks within the range [-Ω, Ω] in all N checks even though the two connections are not relayed. From the results in [8], we get the following:

    C ( f k + ( k 0Ω + f ( k 0Ω k + (( s k Ω Ω (( + ( Ω Ω Ω + ( k + Ω ( s k (( + ( s s    (6)
    where s. + ( cos ( cos Ω Ω

When p = q, we have the following simplified result:

    cos Ω C cos Ω    (7)

Similarly, from (7) we get the least N for a given false positive probability when p = q as follows:

    log[ ( cos ] Ω / log(cos Ω    (8)

5. Comparison

The best way to evaluate an algorithm for its effectiveness is to compare its performance with the best existing algorithm. So far, Blum's approach has been considered the best way to detect stepping-stones, and Blum's Detect-Attacks-Chaff stepping-stone detection algorithm is known to be able to resist time perturbation and chaff evasion. In this study, we compare our algorithm with Blum's for its performance. Their performances are compared in terms of the number of packets required to be monitored for a given false positive rate, i.e. the algorithm that requires fewer packets is considered to perform better. We must mention that Blum did not give a false negative analysis in his paper [7]. Thus, we compare the performance of the two algorithms in terms of false positive probability only. We discuss two cases: the case with consideration of chaff and the case without consideration of chaff.

5.1 Comparison between Our Algorithm and the Best Existing Algorithm without Chaff Perturbation

In order to compare with Blum's algorithm, we assume that the condition on Ω is satisfied. Let N_B and N be the minimum number of packets required to be monitored in order to get a given false positive probability by Blum's algorithm and by ours, respectively. Our purpose is to compare N_B and N. The smaller number represents the better performance. The numbers N_B and N can be computed by the following formulas:

    B ( + log    (9)
    log[ ( cos ] / log cos    (10)

Figure 2. Comparison of number of packets monitored with Blum's method under a false positive probability of 0.1 (Y axis: number of packets, logarithmic scale from 1 to 100000; X axis: Ω from 2 to 98).

We cannot compare the two numbers directly by using Equations (9) and (10), because there is no guarantee that one of them is always larger than the other. Figure 2 and Figure 3 show the results of comparisons between N_B and N with varying Ω, where the Y axis uses the logarithmic scale, under fixed false positive probabilities of 0.1 and 0.0001 respectively. Figure 2 shows that Blum's algorithm has better performance than ours only when Ω is under eight. When Ω is larger than eight, ours outperforms Blum's. Figure 2 and Figure 3 show that when the false positive probability becomes smaller, our algorithm performs better than Blum's does. Based on the comparisons shown in Figure 2 and Figure 3, we conclude that under a high confidence (low false positive probability) without chaff perturbation, our algorithm outperforms Blum's, because it needs fewer packets to be monitored than Blum's does.

5.2 Comparison between Our Algorithm and the Best Existing Algorithm with Chaff Perturbation

When a session is manipulated with a chaff perturbation, Blum claimed that his method can still detect a stepping-stone, but under the condition that no more than x packets are inserted for every 8(x+1) packets. Otherwise, his method would not work. We evaluate the performance of our algorithm by comparing it with Blum's again. We assume that we insert x packets into a send stream for every 2x Sends and approximately 2x Echo packets. This means / x/(x + x / and the inserting rate is approximately 50%, which is much bigger than Blum's allows. From equation (6), we obtain the least number of packets N monitored by our algorithm with a given false positive probability:

    log[ ( 0.998 cos ( o(0.5, + o(, ] / log(0.998 cos (    (11)

Figure 3. Comparison of number of packets monitored with Blum's method under a false positive probability of 0.0001 (Y axis: number of packets, logarithmic scale from 1 to 1000000; X axis: Ω from 2 to 98).

According to [7], the least number of packets N_B monitored by Blum's algorithm with a given false positive probability can be obtained by equation (12):

    B 8( + log    (12)

Figure 4 and Figure 5 show the results of comparisons between our algorithm and Blum's with chaff perturbation. Figure 4 shows that ours outperforms Blum's when the detection boundary Ω is less than 50, with the given false positive probability 0.1. Figure 5 shows the results of comparisons when the false positive probability is decreased to 0.0001. Figure 4 and Figure 5 show that the lower the false positive probability, the better the performance of our algorithm. With chaff perturbation, our algorithm still outperforms Blum's.

Figure 4. Comparison of number of packets monitored with Blum's method under chaff and a false positive probability of 0.1 (Y axis: number of packets, logarithmic scale; X axis: Ω from 2 to 98).

Figure 5. Comparison of number of packets monitored with Blum's method under chaff and a false positive probability of 0.0001 (Y axis: number of packets, logarithmic scale; X axis: Ω from 2 to 98).

6. Conclusions and Future Work

In this paper we propose an algorithm that detects stepping-stone intrusion. With this algorithm, we need to monitor the TCP/IP request and response packets, count the packet numbers, and compute the difference between them. The results of the theoretical analysis show that this method outperforms Blum's, which is known to be the best method of detecting stepping-stones, in resisting intruders' chaff perturbation. For the same false positive probability, our approach needs fewer packets to be monitored than Blum's does. What we have presented in this paper is based on purely theoretical analysis under the assumption that the intruder's inserting rate is bounded. Our future work is to develop a program to do chaff perturbation over a real interactive session and to determine the upper bound of a user's chaff rate, as well as Ω.

References

[1] Yin Zhang, Vern Paxson: Detecting Stepping-Stones. Proceedings of the 9th USENIX Security Symposium, Denver, CO, August 2000, 67-8.
[2] S. Staniford-Chen, L. Todd Heberlein: Holding Intruders Accountable on the Internet. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, August 1995, 39-49.
[3] K. Yoda, H. Etoh: Finding Connection Chain for Tracing Intruders. Proc. 6th European Symposium on Research in Computer Security (LNCS 1985), Toulouse, France, September 2000, 3-4.
[4] Jianhua Yang, Shou-Hsuan Stephen Huang: Matching TCP Packets and Its Application to the Detection of Long Connection Chains. Proceedings (IEEE) of the 19th International Conference on Advanced Information Networking and Applications (AINA'05), Taipei, Taiwan, China, March 2005, 1005-1010.
[5] Kong H. Yung: Detecting Long Connecting Chains of Interactive Terminal Sessions. RAID 2002, Springer Press, Zurich, Switzerland, October 2002, 1-16.
[6] D. L. Donoho (ed.): Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Zurich, Switzerland, September 2002, 45-59.
[7] A. Blum, D. Song, and S. Venkataraman: Detection of Interactive Stepping-Stones: Algorithms and Confidence Bounds. Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France, September 2004, 0-35.
[8] D. Cox, H. Miller: The Theory of Stochastic Processes. New York, NY: John Wiley & Sons Inc., 1965.