Stepping-stone detection via request-response traffic analysis

Abstract

In this paper, we develop an algorithm that may be used as a stepping-stone detection tool. Our approach is based on analyzing correlations between the cumulative number of packets sent in outgoing connections and that of the incoming connections. We present a study of our method's effectiveness with actual connections as well as simulations of time-jittering (introduction of inter-packet delay) and chaff (introduction of superfluous packets). Experimental results suggest that our algorithm works well in the following scenarios: (1) distinguishing connection chains that go through the same stepping stone host and carry traffic of users who perform similar operations at the same time; and (2) distinguishing a single connection chain from unrelated incoming and outgoing connections even in the presence of chaff. The result suggests that timejittering will not diminish our method's usefulness. © Springer-Verlag Berlin Heidelberg 2007.