A Signal Processing Perspective to Stepping-stone Detection

Malicious use of anonymity techniques makes network attackers difficult to track. The problem is even worse in stepping-stone attacks, where multiple anonymous connections are linked to form an intrusion path. The tracking of a stepping-stone attacker requires the detection of all the connection pairs on the intrusion path. In this paper, we consider the problem of identifying a stepping-stone connection pair at an intermediate host. We formulate the problem as one of nonparametric hypotheses testing. Our attacker model allows the attacker to encrypt the traffic and modify the timing. We propose two algorithms which do not depend on the content of the traffic. Our techniques only make generic assumptions such as delay or memory constraints, and therefore they are applicable in most practical systems. We show that our algorithms can detect all the stepping-stone connections while falsely accusing normal traffic with exponentially-decaying probabilities.