Detecting Stepping Stones

1
Detecting Stepping Stones
Yin Zhang Cornell University yzhang_at_CS.Cornell.EDU
Vern Paxson ACIRI/LBNL vern_at_aciri.org
Presented by Yu Gu
20/02/2002
2
Detecting Stepping Stones

• Introduction
• The Algorithm
• Performance Evaluation
• Discussion

3
Stepping Stones

• Compromised, intermediary hosts used during
  attacks to hide attackers identity
• Often heterogeneous, diversely administered hosts

4
Targeted Environment

• Monitor captures both inbound and outbound
  traffic
• Assume only one single ingress/egress point for
  stepping stone detection

5
Stepping Stone Monitor
6
Direct vs. indirect stepping stones
7
General Principles

• Stepping stone pair are much more likely to have
  some correlated traffic characteristics
• Find traffic characteristics that are invariant
  or at least highly correlated

8
Invariant Traffic Characteristics

• Connection contents
• Inter-packet spacing
• ON/OFF patterns of activity
• Traffic volume or rate
• Combinations of the above

9
Previous Work

• SH95 S. Staniford-Chen and L.T. Heberlein,
  Holding Intruders Accountable on the Internet.
  Proc. IEEE Symposium on Security and Privacy,
  Oakland, CA May 1995
• Content-based
• Divide a Connection into several time windows and
  count character frequencies in these windows
• Search similar character frequencies between
  connections
• Contents may change
• Foiled by SSH other encoding/encrypting

10
Detecting Stepping Stones

• Introduction
• The Algorithm
• Performance Evaluation
• Discussion

11
A Timing-Based Algorithm

• ON/OFF periods
• When there is no data traffic on a flow for more
  than T idle seconds, the connection is considered
  to be in an OFF period
• When a packet with non-empty payload then
  appears, the flow ends its OFF period and begins
  an ON period, which lasts until the flow again
  goes data-idle for T idle seconds
• T is often set to 0.5 second

12
Timing Correlation
A?B
C?D
time

• If A?B and C? are in the same stepping tone
  chain, it is very likely that they often leave
  the OFF periods at similar times
• And vice versa

13
Correlated OFF periods
A?B
C?D
lt 80ms?

• Two OFF periods considered correlated, if their
  ending times differ by lt 80ms.

14
Correlated connections

• Let OFF1 and OFF2 be the number of OFF periods in
  each connection, and OFF1,2 be the number of
  these which are correlated
• Detection criteria
• OFF1,2 / min(OFF1, OFF2) ? ?

15
Additional Refinements I

• Time causality
• If once observe that F1 ends its OFF period
  before F2, then it should be true that F1 always
  ends its OFF period before F2
• For those connection pairs that do not satisfy
  this criterion, they are not considered as in the
  same connection chain

16
Additional Refinements II

• Number of Consecutive Correlations
• Consecutive Coincidences are more likely for true
  stepping stones
• True stepping stones pairs should satisfy
  consecutive_coincidencesmincsc

17
Additional Refinements III

• Very long-lived connections could sometimes
  eventually generate consecutive coincidences just
  by chance
• Two connections that transmit data with
  periodicities P1 and P2. If P1 is slightly
  different from P2, then the offset between the
  ON/OFF periods of the two will drift in phase and
  occasionally the two will overlap

18
Criteria for Detecting Stepping Stones in short

19
Detecting Stepping Stones

• Introduction
• The Algorithm
• Performance Evaluation
• Discussion

20
Trace Descriptions

• Lbnl-telnet.trace
• 1 days worth of telnet/rlogin traffic at LBNL
  and more than 90 telnet
• 120 MB, 1.5M pkts, 3,831 conns
• 21 stepping stones
• Ucb-telnet.trace
• 5.5 hours worth of telnet/rlogin traffic at UCB
  during the afternoon busy period
• 390 MB, 5M pkts, 7,319 conns
• 79 stepping stones

21
Calibration Algorithms

• Brute-force content-based algorithm
• Extract the aggregate Telnet/Rlogin output
• Find connections with similar content by looking
  at lines in common using standard Unix utilities
• Identify stepping stones with additional manual
  inspection
• Simple content-based algorithms
• Looking for
• propagated DISPLAY
• propagated status line in the login dialog.
• Last login Fri Jun 18 125658 from
  host.x.y.z.com

22
Parameters

• d80ms
• Difference of two OFF ending times
• ? 30
• Percentage of correlated OFF ending times
• mincsc2 for direct or 4 for indirect
• Number of consecutive correlated OFF ending times
• ?20 for direct or 40 for indirect
• Percentage of consecutive correlated OFF ending
  times

23
Accuracy

• Very low False Positive/Negative
• Lbnl-telnet.trace FP 0, FN 2/21
• Both false negatives are quite short one lasts
  for 15 seconds and the other lasts for 34 seconds
• Ucb-telnet.trace FP 0, FN 5/79
• 3 of the 5 are very short either in terms of
  duration (less than 12 seconds) or in terms of
  the bytes typed (log on then immediately exit)
• Brute-force scheme missed 32

24
Efficiency

• Capable of real-time detection
• 400MHz Pentium II machine running FreeBSD 3.3
• 1.1 real-time minutes for lbnl-telnet.trace
• 1 day, 120MB
• 24 real-time minutes for ucb-telnet.trace
• 5.5 hours, 390MB

25
Impact of control parameters

• The proper choice of the control parameters is
  important for both the accuracy and the
  efficiency of the algorithm
• Current parameter settings are fairly optimal

FP/FN (?30)
FP/FN (?30)
Number of false positives (FP) and false
negatives (FN) for detecting indirect stepping
stones when ?30
Number of false positives (FP) and false
negatives (FN) for detecting direct stepping
stones when ?30
26
Impact of control parameters (cont.)

• The algorithm is fairly insensitive to the choice
  of Tidle
• Human keystroke inter-arrivals are well described
  by a Pareto distribution with fixed parameters
• Although the current choices of ? thresholds are
  very low, they suffice to eliminate those very
  long-lived connections that eventually generate
  consecutive coincidences just by chance, which is
  the only purpose for introducing

27
Impact of control parameters (cont.)

• Considerable room exists for varying the
  parameters in response to certain evasion threats

28
Failures

• Excessively small stepping stones
• Limits attackers to a few keystrokes
• Message broadcast applications lead to
  non-stepping-stone correlation
• Can filter out
• Phase-drift in periodic traffic leads to false
  coincidences
• Can filter out
• Large latency and its variation
• Change parameters

29
Operational Experience

• Nifty algorithm, clearly useful in some
  circumstances
• Large number of legitimate stepping stones
• An unanticipated security bonus
• Exposed password due to clear-text protocol
  upstream and encrypted protocol downstream
• Unfortunately, this happens all too often

30
Detecting Stepping Stones

• Introduction
• The Algorithm
• Performance Evaluation
• Discussion

31
Discussion

• Effectiveness?
• Many applications has this stepping stone
  phenomenon
• Overlay Multicast
• Crowds, Onion Routing, etc.
• Detecting backdoors may be a more direct way
• http//www.icir.org/vern/papers/backdoor/index.htm
  l

32
A More Recent Approach

• DP01 David Donoho Vern Paxson, Multiscale
  Stepping Stone Detection,Workshop on
  Multi-resolution Analysis of Global Internet,
  Sept 14, 2001

33
Thank You