Detecting Anomalies in Active Insider Stepping Stone Attacks
Network attackers frequently route an attack on a target machine through a chain of compromised intermediate nodes in order to remain anonymous. This chain of nodes between the attacker and the target is called a stepping stone chain. Various classes of algorithms have been proposed to detect stepping stones; timing-correlation-based algorithms are a recent class that is attracting significant research interest. However, the existing timing-based algorithms are susceptible to failure if the attacker actively tries to evade detection by introducing jitter (timing perturbation) or chaff (inserted packets that carry no attack traffic). The authors have developed three anomaly detection algorithms to detect the presence of jitter and chaff in interactive connections, based on response time, edit distance and causality respectively.