
The Research Of Stepping-stone Detection Method Based On The Characteristics Of Network Traffic

Posted on: 2017-08-04
Degree: Master
Type: Thesis
Country: China
Candidate: S Wang
GTID: 2348330509959553
Subject: Computer Science and Technology

Abstract/Summary:
With the development of information technology and Internet communications, a variety of network attacks have emerged in recent years that threaten the security of computer networks, especially intrusion techniques that exploit stepping stones. Internet attackers commonly relay their traffic through a number of (usually compromised) hosts in order to hide their identity and magnify the effect of the attack. As concern about the stepping-stone intrusion problem grows, detecting such hosts, called stepping stones, is therefore an important problem in computer security. This thesis analyzes current research on stepping-stone detection based on traffic analysis technology. After an in-depth study of stepping-stone detection technology, it proposes several detection methods based on chaos theory, entropy theory and a traffic prediction model. The main contents of the thesis are as follows:

First, an intrusion detection algorithm based on chaos theory for selecting the detection window size. The context-based stepping-stone intrusion detection model (CBID) suffers from a low detection rate because the selection of its detection parameter lacks a scientific basis. To solve this problem, the thesis proposes a novel approach that selects the detection parameter using chaotic phase space reconstruction theory. Reconstructing the time series of network traffic restores the hidden characteristics of the traffic, from which the optimal parameters are obtained, improving the capability to detect network intrusion. The correlation between the current flow and the target flow is also used to judge whether a stepping-stone intrusion is present.

Second, a novel flow watermarking scheme for detecting stepping-stone intrusion based on bit entropy. Entropy is a measure of the disorder or randomness of energy and matter in a system, and it responds rapidly to changes in the amount of information carried by traffic. Drawing on this characteristic of information entropy, and to solve the problem that existing network flow watermarking schemes embed the watermark into the target flow at random, the thesis puts forward a novel watermarking detection scheme. The time series of the target flow is first analyzed qualitatively and quantitatively, the optimal time interval for embedding the watermark is determined from the characteristics of the traffic, and the watermark signal is then embedded precisely. By looking for the same watermark pattern in the current flow, the scheme determines whether the current flow and the target flow are correlated, and thereby detects stepping-stone intrusion.

Third, an improved flow watermark embedding scheme for detecting stepping-stone intrusion based on traffic prediction and bit entropy. Existing watermark embedding schemes for intrusion detection have a lower data rate and lower robustness. To address this, the thesis first obtains the predicted traffic of the target flow from a traffic prediction model and analyzes the characteristics of the predicted flow based on bit entropy to select the optimal time interval for watermark embedding. An adaptive watermark embedding scheme then generates the watermark when the real traffic of the target flow arrives at the corresponding time interval of the predicted flow. Before embedding, the target flow is processed to enhance the robustness of the watermark.

The intrusion detection methods researched and designed in this thesis can effectively detect stepping-stone attacks. Experimental results show that the proposed methods detect attacks quickly and obtain a lower false-positive rate than other similar methods; they provide more accurate detection results at a lower time cost. These results provide a theoretical basis and methods for detecting stepping-stone intrusion, and they are significant for the maintenance of network security.
Keywords/Search Tags: Stepping-stone, Intrusion, Detection, Phase Space Reconstruction, Entropy, Network Flow Watermarking, Traffic Prediction