
Mining Network Traffic with the k-Means Clustering Algorithm for Stepping-Stone Intrusion Detection

Published: 01 January 2021

Abstract

Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. In a stepping-stone intrusion, an attacker uses tools such as SSH to log in to several compromised hosts remotely, creating an interactive connection chain, and then sends attack packets through that chain to a target system. An effective method to detect such an intrusion is to estimate the length of the connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic with k-means clustering. Existing approaches to connection-chain-based stepping-stone intrusion detection are either not effective or require a large number of TCP packets to be captured and processed, and are thus not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets to be captured and processed, so it is more efficient. It is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of the proposed algorithm are verified through well-designed network experiments.
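The chain-length estimate the abstract describes, as an added illustration that is not the paper's own code. It assumes (my assumptions, not stated on this page) that the clustered feature is the round-trip time between an outbound packet and its echo, that echoes from a chain of n hops form n RTT clusters, and that the centroid-gap threshold and the RTT samples are constructed for the example.

```python
import random
from statistics import mean

# Added example (not the paper's code). Assumed: the clustered feature is the
# packet/echo round-trip time (RTT, ms), a chain of n hops yields n RTT
# clusters, and the gap threshold and sample data are constructed here.

def kmeans_1d(values, k, iters=100):
    """Lloyd's k-means on 1-D data; initial centroids sit at evenly spaced
    quantiles so the result is deterministic."""
    xs = sorted(values)
    centroids = [xs[(2 * i + 1) * len(xs) // (2 * k)] for i in range(k)]
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for x in xs:
            nearest = min(range(k), key=lambda j: abs(x - centroids[j]))
            clusters[nearest].append(x)
        updated = [mean(c) if c else centroids[j] for j, c in enumerate(clusters)]
        if updated == centroids:
            break
        centroids = updated
    return centroids, clusters

def estimate_chain_length(rtts, max_k=6, min_gap_ms=10.0):
    """Largest k whose k-means clusters are all non-empty and whose sorted
    centroids are pairwise at least min_gap_ms apart (assumed threshold).
    Splitting a genuine cluster leaves centroids only a few ms apart, so
    that k is rejected and the count settles on the real hop count."""
    for k in range(max_k, 0, -1):
        centroids, clusters = kmeans_1d(rtts, k)
        cs = sorted(centroids)
        gaps = [b - a for a, b in zip(cs, cs[1:])]
        if all(clusters) and all(g >= min_gap_ms for g in gaps):
            return k
    return 1

def constructed_rtts(hop_delays_ms, per_hop=40, jitter_ms=3.0, seed=7):
    """Constructed sample: each hop adds its delay, so echoes from hop i
    return after the cumulative delay to hop i plus Gaussian jitter."""
    rng = random.Random(seed)
    rtts, cumulative = [], 0.0
    for delay in hop_delays_ms:
        cumulative += delay
        rtts += [cumulative + rng.gauss(0.0, jitter_ms) for _ in range(per_hop)]
    return rtts

if __name__ == "__main__":
    sample = constructed_rtts([20, 35, 50])  # a three-hop chain
    print("estimated chain length:", estimate_chain_length(sample))  # 3
```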


Published In

Wireless Communications & Mobile Computing, Volume 2021, Issue 2021 (14355 pages)
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Publisher

John Wiley and Sons Ltd., United Kingdom