Using Dynamic Programming Techniques to Detect Multi-Hop Stepping-Stone Pairs in a Connection Chain

Stepping-stone attack in network intrusion detection are attackers who use a sequence of intermediate (or so called stepping-stone) hosts to initiate attacks in order to hide their origins. We investigate a number of dynamic programming based pattern recognition approaches and our novel algorithm for detecting correlation and similarity of two connections not only into and out of a single stepping stone host(consecutive streams), but also across multiple stepping-stone hosts. The goal of this paper is to find out which technique can be better adopted for detection applications. To evaluate their accuracy and efficiency, we conduct extensive experiments. We also evaluate how chaff packets and time skew may affect these methods. We compare the results from five methods with their false positive and false negative rates. We demonstrate that our proposed approach named OSSM returns very good performance even under a variety of complex circumstances.