Abstract
A connection-chain refers to the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to carry out their attacks indirectly and stay anonymous. In this paper, we propose a host-based algorithm to detect connection chains by passively monitoring inbound and outbound packets. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in detail. We then present our evaluations of the approach in terms of real-time and detection performance. Our experiments suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that by appropriately setting the underlying parameters we can achieve perfect detection.
Please use the following format when citing this chapter: Almulhem, A. and Traore, I., 2007, in IFIP International Federation for Information Processing, Volume 238, Trust Management, eds. Etalle, S., Marsh, S., (Boston: Springer), pp. 47–57.
© 2007 International Federation for Information Processing
Cite this paper
Almulhem, A., Traore, I. (2007). Mining and Detecting Connection-Chains in Network Traffic. In: Etalle, S., Marsh, S. (eds) Trust Management. IFIPTM 2007. IFIP International Federation for Information Processing, vol 238. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-73655-6_4
DOI: https://doi.org/10.1007/978-0-387-73655-6_4
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-73654-9
Online ISBN: 978-0-387-73655-6