Evading Stepping-Stone Detection with Enough Chaff

Henry Clausen, Michael S. Gibson, David Aspinall

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Stepping-stones are used extensively by attackers to hide their identity and access restricted targets. Many methods have been proposed to detect stepping-stones and resist evasive behaviour, but so far no benchmark dataset exists to provide a fair comparison of detection rates. We propose a comprehensive framework to simulate realistic stepping-stone behaviour that includes effective evasion tools, and release a large dataset, which we use to evaluate detection rates for eight state-of-the-art methods. Our results show that detection results for several methods fall behind the claimed detection rates, even without the presence of evasion tactics. Furthermore, currently no method is capable of reliably detecting stepping-stones when the attacker inserts suitable chaff perturbations, disproving several robustness claims and indicating that further improvements of existing detection models are necessary.
Original language: English
Title of host publication: Network and System Security
Editors: Mirosław Kutyłowski, Jun Zhang, Chao Chen
Place of Publication: Cham
Publisher: Springer International Publishing
Pages: 431-446
Number of pages: 16
ISBN (Electronic): 978-3-030-65744-4
ISBN (Print): 978-3-030-65744-4
Publication status: Published - 19 Dec 2020
Event: 14th International Conference on Network and System Security - Online, Melbourne, Australia
Duration: 25 Nov 2020 to 27 Nov 2020
Event website: http://nsclab.org/nss2020/

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 12570
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 14th International Conference on Network and System Security
Abbreviated title: NSS 2020
Country/Territory: Australia
City: Melbourne
Period: 25/11/20 to 27/11/20