ScienceDirect® Home Skip Main Navigation Links
You have guest access to ScienceDirect. Find out more.
 
Home
Browse
My Settings
Alerts
Help
 Quick Search
 Search tips (Opens new window)
    Clear all fields    
advertisementadvertisement
Computers & Security
Volume 26, Issues 7-8, December 2007, Pages 479-484
 
Font Size: Decrease Font Size  Increase Font Size
 Abstract - selected
Article
Purchase PDF (337 K)

  E-mail Article   
  Add to my Quick Links   
Bookmark and share in 2collab (opens in new window)
Request permission to reuse this article
  Cited By in Scopus (0)
 
 
 
Related Articles in ScienceDirect
View More Related Articles
 
View Record in Scopus
 
doi:10.1016/j.cose.2007.07.001    How to Cite or Link Using DOI (Opens New Window)
Copyright © 2007 Elsevier Ltd All rights reserved.

Mining TCP/IP packets to detect stepping-stone intrusionstar, open

Jianhua Yanga, Corresponding Author Contact Information, E-mail The Corresponding Author and Shou-Hsuan Stephen Huangb, E-mail The Corresponding Author

aDepartment of Math and Computer Science, Bennett College, Greensboro, NC 27401, United States bDepartment of Computer Science, University of Houston, United States

Received 3 February 2007; 
accepted 30 July 2007. 
Available online 11 August 2007.

Purchase the full-text article



References and further reading may be available for this article. To view references and further reading you must purchase this article.

Abstract

An effective approach of detecting stepping-stone intrusion is to estimate the number of hosts compromised through estimating the length of a connection chain. This can be done by studying the changes in TCP packet round-trip time. In this paper, we propose a new algorithm by using data mining method to find the round-trip time from the timestamps of TCP send and echo packets. Previous algorithms produce either good packet matches on very few packets, or poor matches on many packets. This method gives us better round-trip time and more matched packets than other algorithms proposed in the past. It can estimate the length of a connection more accurate than other methods and has largely decreased false positive error and false negative error in detecting stepping-stone intrusion comparing with existing methods.

Keywords: Network security; Intrusion detection; Round-trip time; Stepping-stone; Clustering; Partitioning

Article Outline

1. Introduction
2. Packet round-trip time
3. Clustering–partitioning algorithm
4. Testing and performance of the algorithm
4.1. Effectiveness of the clustering–partitioning algorithm
4.2. Comparison with the previous methods
4.3. The effect of the window size
5. Conclusion and future work
References
Vitae





Computers & Security
Volume 26, Issues 7-8, December 2007, Pages 479-484
 
Home
Browse
My Settings
Alerts
Help
Elsevier.com (Opens new window)
About ScienceDirect  |  Contact Us  |  Information for Advertisers  |  Terms & Conditions  |  Privacy Policy
Copyright © 2008 Elsevier B.V. All rights reserved. ScienceDirect® is a registered trademark of Elsevier B.V.