Detect Stepping-stone Intrusion by Mining Network Traffic using k-Means Clustering

Attackers on the Internet often launch network intrusions through compromised hosts, called stepping-stones, in order to reduce the chance of being detected. In a stepping-stone attack, an attacker uses a chain of hosts on the Internet as relay machines and remotely login these hosts using tools such as SSH. An effective method to detect stepping-stone intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k-Means clustering algorithm. Our proposed detection algorithm does not require a large number of TCP packets to be captured and processed. The length of a connection chain can be accurately determined by using our proposed detection method. Our proposed detection algorithm is more efficient and easier to implement than all of the existing connection-chain based approaches for stepping-stone intrusion detection. The effectiveness and correctness of our proposed detection algorithm are verified through well-designed network experiments.