TY - GEN
T1 - Online sketching of network flows for real-time stepping-stone detection
AU - Coskun, Baris
AU - Memon, Nasir
PY - 2009
Y1 - 2009
N2 - We present an efficient and robust stepping-stone detection scheme based on succinct packet-timing sketches of network flows. The proposed scheme employs an online algorithm to continuously maintain short sketches of flows from a stream of captured packets at the network boundary. These sketches are then used to identify pairs of network flows with similar packet-timing characteristics, which indicates potential stepping-stones. Succinct flow sketches enable the proposed scheme to compare a given pair of flows in constant time. In addition, flow sketches identify pairs of correlated flows from a given list of flows in sub-quadratic time, thereby allowing a more scalable solution as compared to known schemes. Finally, the proposed scheme is resistant to random delays and chaff, which are often employed by attackers to evade detection. To explore its efficacy, we mathematically analyze the robustness properties of the proposed flow sketch. We also experimentally measure the detection performance of the proposed scheme.
KW - Data sketching
KW - Network security
KW - Stepping-stones
KW - Streaming algorithms
UR - http://www.scopus.com/inward/record.url?scp=77950825753&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77950825753&partnerID=8YFLogxK
U2 - 10.1109/ACSAC.2009.51
DO - 10.1109/ACSAC.2009.51
M3 - Conference contribution
AN - SCOPUS:77950825753
SN - 9780769539195
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 473
EP - 483
BT - 25th Annual Computer Conference Security Applications, ACSAC 2009
T2 - 25th Annual Computer Conference Security Applications, ACSAC 2009
Y2 - 7 December 2009 through 11 December 2009
ER -