Keywords: Stepping-Stone Intrusion, Intrusion Detection, Interpolation, Round-Trip Time, Fast Fourier Transformation.
Abstract
Hackers usually send attack commands through compromised hosts, called stepping-stones, to decrease the chance of being discovered. An effective approach to stepping-stone intrusion detection (SSID) is to estimate the length of a connection chain. This type of detection method is referred to as network-based SSID (NSSID). All existing NSSID approaches use the distribution of packet round-trip times (RTTs) to estimate the length of a connection chain. In this paper, we explore a novel approach, the Fast Fourier Transformation (FFT), to analyze the distribution of packet RTTs. We first capture network packets from different stepping-stones in a connection chain, then identify and match the Send and Echo packets at each stepping-stone. Packet RTTs are obtained from the matched pairs of packets. We then apply the FFT interpolation method to obtain an RTT time function and apply the FFT to the RTT function at each stepping-stone host. Finally, we conduct a complete FFT analysis of the distribution of packet RTTs and present the results in this paper.
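The pipeline outlined in the abstract (match Send and Echo packets, derive RTTs, interpolate them into a time function, transform it) can be sketched as follows. This is an added illustration, not the authors' code: the FIFO matching rule, the use of linear interpolation for resampling, and the constructed capture are assumptions.

```python
import cmath
import math
from collections import deque

def match_rtts(packets):
    """Pair each Echo with the oldest unmatched Send (FIFO rule, an assumption)."""
    pending, rtts = deque(), []
    for ts, kind in packets:          # time-ordered (timestamp, "S" | "E") tuples
        if kind == "S":
            pending.append(ts)
        elif kind == "E" and pending:
            sent = pending.popleft()
            rtts.append((sent, ts - sent))
    return rtts

def resample(rtts, n):
    """Linear interpolation of irregular (send_time, rtt) samples onto n even steps."""
    t0, span = rtts[0][0], rtts[-1][0] - rtts[0][0]
    out, j = [], 0
    for k in range(n):
        t = t0 + span * k / n
        while j < len(rtts) - 2 and rtts[j + 1][0] < t:
            j += 1
        (ta, ra), (tb, rb) = rtts[j], rtts[j + 1]
        out.append(ra + (rb - ra) * (t - ta) / (tb - ta))
    return out

def fft(x):  # recursive radix-2 FFT; len(x) must be a power of two
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return [e + t for e, t in zip(even, tw)] + [e - t for e, t in zip(even, tw)]

def rtt_spectrum(packets, n=64):
    """Magnitude spectrum (bins 0..n/2-1) of the mean-removed RTT time function."""
    samples = resample(match_rtts(packets), n)
    mean = sum(samples) / n
    return [abs(c) / n for c in fft([s - mean for s in samples])[: n // 2]]

def constructed_capture():
    """Constructed data: 81 Send/Echo pairs, uneven spacing, RTT oscillating 4 times in 8 s."""
    packets = []
    for i in range(81):
        sent = 0.1 * i + 0.01 * ((i * 7) % 5)
        rtt = 0.050 + 0.020 * math.cos(2 * math.pi * 4 * sent / 8.0)
        packets += [(sent, "S"), (sent + rtt, "E")]
    return sorted(packets)
```

Calling `rtt_spectrum(constructed_capture())` returns a spectrum whose largest non-DC bin is 4, the oscillation built into the constructed RTTs.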