An effective method to detect stepping-stone intrusion (SSI) is to estimate the length of a connection chain. This type of detection method is referred to as a network-based detection approach. Existing network-based SSI detection methods are either ineffective in the context of the Internet because of the presence of outliers in the packet round-trip times (RTTs) or inefficient, as many packets must be captured and processed. Because of the high fluctuation caused by the intermediate routers on the Internet, it is unavoidable that the RTTs of the captured packets contain outlier values. In this paper, we first propose an efficient algorithm to eliminate most of the possible RTT outliers of the packets captured in the Internet environment. We then develop an efficient SSI detection algorithm by mining network traffic using an improved version of k-Means clustering. Our proposed detection algorithm for SSI is accurate, effective, and efficient in the context of the Internet. Well-designed network experiments are conducted in the Internet environment to verify the effectiveness, correctness, and efficiency of our proposed algorithms. Our experiments show that the effective rate of our proposed SSI detection algorithm is higher than 85.7% in the context of the Internet.
Publications
- Article type
- Year
- Co-author
Year
Open Access
Issue
Tsinghua Science and Technology 2022, 27(2): 432-442
Published: 29 September 2021
Downloads:63
Total 1