2009 International Conference on Availability, Reliability and Security

Abstract

A main concern for network intrusion detection systems is the ability of an intruder to evade detection by routing through a chain of intermediate stepping-stone hosts. Intruders have developed evasion techniques such as injecting chaff packets or timing jitter. Such evasion techniques cause most previous timing-based detection algorithms to fail. In this paper, we address these issues and devise a methodology to defeat these countermeasures. Our algorithm uses modified association rule mining to detect stepping-stones. It is based on finding as many matched pairs of packets as possible within fixed-length intervals and then deciding whether a connection is a stepping-stone connection by the matched rate. This algorithm allows checking multiple connections at once and therefore greatly increases efficiency compared to others. We examine the selected parameters and provide different trade-offs among false rates. Our experiments report very good performance, with a very high detection rate and a low false detection rate when using carefully selected parameter values.
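The matched-rate idea described in the abstract can be illustrated with a simplified timing matcher. This is an added example, not code from the paper, and it does not reproduce the paper's modified association rule mining. It assumes the fixed-length interval is a window that opens at each incoming packet's arrival; the function names, window, threshold and timestamps are all constructed for illustration.

```python
def matched_rate(incoming, outgoing, window):
    """Fraction of incoming packets paired with a distinct outgoing packet
    sent no more than `window` seconds later (greedy, earliest match first)."""
    inc, out = sorted(incoming), sorted(outgoing)
    matched = j = 0
    for t in inc:
        # Outgoing packets sent before this arrival cannot be its relay,
        # and cannot relay any later arrival either, so skip them for good.
        while j < len(out) and out[j] < t:
            j += 1
        if j < len(out) and out[j] <= t + window:
            matched += 1
            j += 1  # each outgoing packet is used for at most one pair
    return matched / len(inc) if inc else 0.0


def classify(incoming, candidates, window, threshold):
    """Score several candidate outgoing connections against one incoming
    connection in a single call; returns {name: (rate, flagged)}."""
    result = {}
    for name, timestamps in candidates.items():
        rate = matched_rate(incoming, timestamps, window)
        result[name] = (rate, rate >= threshold)
    return result


# Constructed sample data: packet timestamps in seconds.
INCOMING = [0.0, 0.4, 1.9, 2.1, 3.5, 5.0, 5.2, 7.8, 8.0, 9.6]
JITTER = [0.05, 0.2, 0.3, 0.1]           # per-packet delay added by the relay
CHAFF = [0.2, 1.0, 3.0, 4.4, 6.6, 9.0]   # padding packets with no counterpart
RELAYED = [t + JITTER[i % 4] for i, t in enumerate(INCOMING)] + CHAFF
UNRELATED = [1.0, 1.5, 2.8, 3.7, 6.1, 6.9, 8.7, 9.3, 10.4, 11.0]

if __name__ == "__main__":
    verdicts = classify(INCOMING, {"relayed": RELAYED, "unrelated": UNRELATED},
                        window=0.5, threshold=0.8)
    for name, (rate, flagged) in verdicts.items():
        print(f"{name}: matched rate {rate:.2f}, stepping-stone={flagged}")
```

Chaff only adds unmatched outgoing packets, and jitter smaller than the window keeps every relayed packet inside it, so the relayed flow still scores far above the unrelated one.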