
DETECTING TIME-JITTERING IN A CONNECTION CHAIN

Khoa Le, Stephen Huang, Yingwei Kuo



Introduction

• In a stepping-stone intrusion, the attacker disguises their location by connecting through a series of intermediate machines (stepping-stones) before connecting to the victim.
• Since the attacker has full control over those intermediate hosts, they can erase logs on those machines. Therefore, the victim machine can only know the nearest host from which it received the packets.

[Figure: A stepping-stone chain.]

Hypothesis

We hypothesize that the distributions of the inter-arrival time in the jittered and the original flows are different. In other words, the normal and jittered traffic do not have the same goodness of fit when tested against a certain distribution.

Measuring Jittering

• Based on our experiment and analysis, we have determined that the detection rate depends on the following three factors:
  • the percentage of packets that are being delayed,
  • the mean of the delay probability distribution, and
  • the standard deviation of the distribution.
• Thus we define the three values (r, m, s) as the jittering amount.

For a fixed mean and standard deviation, the accuracy is proportional to the jittered rate using a Poisson distribution for delay.

The Algorithm

[Flowchart. Training Phase: Training data (non-jittered) → Distribution Parameter Estimation (MLE Algorithm) → Parameter of the Model → Distribution GOF Test (KS Test or AD Test) → Test Statistic → Profile Building (Threshold Calculation). Testing Phase: Testing data → Distribution Parameter Estimation (MLE Algorithm) → Parameter of the Model → Distribution GOF Test (KS Test or AD Test) → Test Statistic → Threshold Testing → Result: Jittered / Un-jittered.]

• We designed a learning-based profile algorithm to capture the profile of the normal traffic.
• We need to find the most likely parameter values. The estimation method we used is Maximum Likelihood Estimation, which maximizes the log-likelihood function for both the training and the testing model.
• Using the K-S test, we calculate the D-value for both training and testing data and build a threshold to separate them. Any distribution whose D-value falls into the area of the training data will be tagged as jittered.

Time Jittering

• To detect if a host is being used as a stepping-stone, we normally use a correlation-based algorithm that compares an incoming stream and an outgoing stream for similarities.
• Time jittering imposes an extra delay on the outgoing packets according to some probability distribution. That disrupts the similarity comparison.

Objectives

• Design a way to measure the amount of jittering.
• Develop an algorithm that can, by monitoring network traffic at routers or gateways, determine if a stream of packets has been jittered.
• The accuracy of our algorithm is proportional to the amount of jittering.

Conclusions

• The detection rate is proportional to the jitter rate (number of packets delayed).
• For a high jittered rate, the accuracy is proportional to the standard deviation.
• For a low jittered rate, the accuracy is proportional to the mean.
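The training and testing phases described above, sketched as an added example that is not code from the presentation or its authors. It runs on constructed flows and flags a flow when its K-S D-value exceeds a threshold learned from non-jittered training flows. Assumptions: un-jittered inter-arrival times are modelled as exponential, jitter delays are drawn from a normal distribution with parameters (m, s) applied to a fraction r of packets by an order-preserving relay, the threshold is the training mean plus three standard deviations, and all function names are hypothetical.

```python
import math
import random
import statistics

def clean_flow(rng, n=500, mean_gap=0.5):
    """Constructed un-jittered flow: exponential inter-arrival times (assumption)."""
    return [rng.expovariate(1.0 / mean_gap) for _ in range(n)]

def jitter(gaps, r, m, s, rng):
    """Apply jittering amount (r, m, s): delay a fraction r of packets by max(0, N(m, s))."""
    arrival = last_out = 0.0
    out_gaps = []
    for g in gaps:
        arrival += g
        delay = max(0.0, rng.gauss(m, s)) if rng.random() < r else 0.0
        out = max(arrival + delay, last_out)  # a packet cannot overtake the previous one
        out_gaps.append(out - last_out)
        last_out = out
    return out_gaps

def ks_d(gaps):
    """MLE-fit an exponential (rate = 1 / sample mean), then return the
    K-S statistic D = sup |ECDF(x) - F(x)| against the fitted model."""
    rate = len(gaps) / sum(gaps)
    n, d = len(gaps), 0.0
    for i, x in enumerate(sorted(gaps)):
        f = 1.0 - math.exp(-rate * x)
        d = max(d, (i + 1) / n - f, f - i / n)
    return d

def build_threshold(training_flows, k=3.0):
    """Profile building: mean + k standard deviations of the training D-values."""
    ds = [ks_d(f) for f in training_flows]
    return statistics.mean(ds) + k * statistics.stdev(ds)

def flagged_rate(flows, threshold):
    """Fraction of flows whose D-value exceeds the normal-traffic threshold."""
    return sum(ks_d(f) > threshold for f in flows) / len(flows)

def demo(seed=7):
    rng = random.Random(seed)
    threshold = build_threshold([clean_flow(rng) for _ in range(30)])
    clean = [clean_flow(rng) for _ in range(20)]
    rates = {r: flagged_rate([jitter(f, r, 1.0, 0.3, rng) for f in clean], threshold)
             for r in (0.01, 0.05, 0.5)}
    return threshold, flagged_rate(clean, threshold), rates

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the learned threshold, the false-positive rate on fresh un-jittered flows, and the flagged rate for each jitter rate r with m = 1.0 s and s = 0.3 s.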
