A research survey in stepping-stone intrusion detection

Attackers on the Internet often launch network intrusions through compromised hosts, called stepping-stones, in order to reduce the chance of being detected. In a stepping-stone attack, an intruder uses a chain of hosts on the Internet as relay machines and remotely log in these hosts using tools such as telnet, rlogin, or SSH. A benefit of using stepping-stones to launch attacks is that intruders can be hidden by a long interactive session. Since each interactive TCP session between a client and a server is independent of other sessions even though the sessions may be relayed, so accessing a server via multiple relayed TCP sessions can make it much harder to tell the intruder's geographical location unless all the compromised servers collaborate with each other and work efficiently. Due to such a nature of TCP protocol, the final victim host can only see the traffic from the last session of the connection chain, and it is extremely difficult for the victim host to learn any information about the origin of the attack. This paper provides a research survey in the area of stepping-stone intrusion detection. Most of the significant approaches developed by far for stepping-stone intrusion detection are included in this paper. These detection methods are put into two categories: host-based and network-based (i.e., connection-chain based), according to whether multiple hosts in the connection chain are involved in the design of detection algorithms. In each category, the detection algorithms are divided into several different subsections based on the key techniques used in the algorithms. At the end of the paper, several important and challenging open problems are proposed in this area.