Mining and detecting connection-chains in network traffic


Abstract

A connection-chain is the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to carry out their attacks indirectly and remain anonymous. In this paper, we propose a host-based algorithm that detects connection chains by passively monitoring inbound and outbound packets. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in detail. We then present our evaluation of the approach in terms of real-time performance and detection performance. Our experiments suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that, by appropriately setting the underlying parameters, we can achieve perfect detection. © 2007 International Federation for Information Processing.

Citation (APA)

Almulhem, A., & Traore, I. (2007). Mining and detecting connection-chains in network traffic. In IFIP International Federation for Information Processing (Vol. 238, pp. 47–57). https://doi.org/10.1007/978-0-387-73655-6_4
