Probabilistic proof of an algorithm to compute TCP packet round-trip time for intrusion detection

Abstract

Most network intruders tend to use stepping-stones to attack or invade other hosts to reduce the risks of being discovered. One typical approach for detecting stepping-stone intrusion is to estimate the number of connections of an interactive session by using the round-trip times (RTTs) of all Send packets. The key of this approach is to match TCP packets, or compute the RTT of each Send packet. Previous methods, which focus on matching each Send packet with its corresponding Echo packet to compute RTTs, have tradeoff between packet matching-rate and matching-accuracy. In this paper, we first propose and prove a clustering algorithm to compute the RTTs of the Send packets of a TCP interactive session, and show that this approach can compute RTFs with both high matching-rate and high matching-accuracy. © Springer-Verlag Berlin Heidelberg 2006.