Detection of intermediary hosts through TCP latency propagation
MetadataVis full innførsel
Today people from all lifestyles, government officials, researchers and executives use internet. The people start to depend on internet for their daily life. However, the increased dependence comes with a great risk. The popularity and potential of internet attracts users with illegal intentions as well. The attackers generally establish a connection chain by logging in to a number of intermediary hosts before launching an attack at the victim host. These intermediary hosts are called as stepping-stones. On the victim side, it becomes hard to detect that the peer communicating with the victim is whether a real originator of the connection or it is merely acting as an intermediary host in the connection chain. This master dissertation proposed an approach based on Interarrival packet time to distinguish an incoming connection from a connection coming via some intermediary hosts. The proposed approach uses information available at the receiving end and applicable to encrypted traffic too. The approach was successfully tested for SSH, Telnet, FTP, HTTP and SMTP protocols and implemented in to an intrusion detection system for corresponding protocols. The main applications for the proposed approach are Manual intrusion detection, Tor usage detection and Spam messages detection. The approach is also applicable for the digital forensics investigations. Keywords : Network security, Stepping stone detection, Manual intrusion detection, Tor usage detection, Spam detection and Digital forensics investigation.