Multiscale Stepping Stone Detection

Tuesday, August 7, 2001 - 3:00pm - 3:30pm
Keller 3-180
David Donoho (Stanford University)
Joint work with Vern Paxson and Umesh Shankar (at ACIRI & Lawrence Berkeley Labs) and Stuart Staniford, Jason Coit, and Gary Grim (Silicon Defense).

We discuss the problem of detecting network intruders who use universities and similar facilities as third-party launching pads (stepping stones) for attacks against other facilities (the attack seems to be coming from the university, not the true source). Staniford, Paxson and colleagues have been developing tools that allow one to recognize that an interactive stream coming into the university and another interactive stream coming out of the university are the same (modulo IP delays). The most recent development is an idea to defeat the intruder who tries to 'mask' the interactive session by attempting local jittering of packet arrival times so they won't be identical. By using wavelets we can still detect the similarity of the streams at an appropriately long time scale and so, in theory, defeat this countermeasure.
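The multiscale comparison described above, as an added illustration (not code from the talk or from the authors' tools): it correlates Haar wavelet detail coefficients of packet counts for an inbound stream, a jittered relay of it, and an unrelated stream, at a fine and a coarse time scale. The Haar wavelet, the constructed keystroke traffic model, the 2-second jitter bound, and all function names are assumptions made for this example.

```python
import random
from math import sqrt

def interactive_stream(rng, duration):
    """Constructed keystroke-like arrivals: typing bursts separated by idle gaps."""
    t, out = 0.0, []
    while True:
        t += rng.expovariate(1 / 20.0)        # idle gap, mean 20 s (assumed)
        for _ in range(rng.randint(3, 20)):   # one burst of keystrokes
            t += rng.expovariate(1 / 0.2)     # mean 0.2 s between keys (assumed)
            if t >= duration:
                return out
            out.append(t)

def jitter(rng, times, max_delay):
    """Relay with an independent delay per packet, bounded by max_delay seconds."""
    return sorted(t + rng.uniform(0, max_delay) for t in times)

def haar_details(times, duration, width):
    """Haar detail coefficients: count differences between adjacent bins of `width` s."""
    counts = [0] * int(duration / width)
    for t in times:
        i = int(t / width)
        if i < len(counts):                   # drop packets delayed past the window
            counts[i] += 1
    return [counts[i] - counts[i + 1] for i in range(0, len(counts) - 1, 2)]

def correlation(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / sqrt(va * vb) if va and vb else 0.0

def compare(seed=1, duration=16384.0, max_delay=2.0, scales=(0.25, 2.0, 32.0)):
    """Per scale: (correlation with jittered relay, correlation with unrelated stream)."""
    rng = random.Random(seed)
    inbound = interactive_stream(rng, duration)
    outbound = jitter(rng, inbound, max_delay)      # same session, timing masked
    unrelated = interactive_stream(rng, duration)   # independent session
    out = {}
    for w in scales:
        d_in = haar_details(inbound, duration, w)
        out[w] = (correlation(d_in, haar_details(outbound, duration, w)),
                  correlation(d_in, haar_details(unrelated, duration, w)))
    return out

if __name__ == "__main__":
    for w, (same, other) in compare().items():
        print(f"{w:>6} s  same session: {same:+.2f}  unrelated: {other:+.2f}")
```

At bin widths below the jitter bound the relayed stream looks unrelated to its source; at widths well above it, the bounded delay moves few packets across bin boundaries and the correlation returns.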