Mining and Detecting Connection-Chains in Network Traffic

Ahmad Almulhem and Issa Traore
ISOT Research Lab,
ECE Department,
University of Victoria,
Victoria, CANADA
Summary. A connection chain is the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to carry out their attacks indirectly and stay anonymous. In this paper, we propose a host-based algorithm that detects connection chains by passively monitoring the inbound and outbound packets of a host. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in detail. We then present our evaluation of the approach in terms of real-time and detection performance. Our experiments suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that, by appropriately setting the underlying parameters, we can achieve perfect detection.
Key words: Connection chain, Stepping stone, Tracing, Traceback, Network
forensics, Network security
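The abstract gives only the idea behind the approach (a host watching its own inbound and outbound packets, with association rule mining used to pair the inbound connection that feeds a chain with the outbound connection that continues it). The following is an added illustration of that idea, written for this page; it is not the authors' algorithm, whose details are not on this page. It buckets a packet stream into fixed time bins, treats each bin as a transaction over connection identifiers, and reports inbound/outbound pairs whose support and confidence exceed thresholds. The packet trace, the connection identifiers, the bin width and the thresholds are all constructed assumptions.

```python
"""Pair-level association rule over packet arrival times, as an illustration
of host-based connection-chain detection (added example, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    ts_ms: int      # arrival time in milliseconds
    direction: str  # "in" or "out", relative to the monitored host
    conn: str       # connection identifier (constructed, e.g. "203.0.113.7:40122->22")


@dataclass
class ChainMiner:
    """Streams packets into fixed time bins; each non-empty bin is one
    transaction whose items are the connections active in it."""
    bin_ms: int = 50
    transactions: int = 0
    single: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    pair: Dict[Tuple[str, str], int] = field(default_factory=lambda: defaultdict(int))
    _current_bin: Optional[int] = None
    _inbound: Set[str] = field(default_factory=set)
    _outbound: Set[str] = field(default_factory=set)

    def observe(self, pkt: Packet) -> None:
        """Per-packet work: one set insert, plus a flush when a bin closes."""
        b = pkt.ts_ms // self.bin_ms
        if self._current_bin is not None and b != self._current_bin:
            self._flush()
        self._current_bin = b
        (self._inbound if pkt.direction == "in" else self._outbound).add(pkt.conn)

    def _flush(self) -> None:
        """Close the current bin: count every item and every in->out pair."""
        if not self._inbound and not self._outbound:
            return
        self.transactions += 1
        for c in self._inbound | self._outbound:
            self.single[c] += 1
        for a, b in product(self._inbound, self._outbound):
            self.pair[(a, b)] += 1
        self._inbound.clear()
        self._outbound.clear()

    def rules(self, min_support: float, min_confidence: float) -> List[Tuple[str, str, float, float]]:
        """Call once the stream is exhausted. Returns (inbound, outbound, support,
        confidence) for rules inbound => outbound that pass both thresholds."""
        self._flush()
        found = []
        for (a, b), n in self.pair.items():
            support = n / self.transactions          # fraction of bins with both
            confidence = n / self.single[a]          # P(outbound b | inbound a)
            if support >= min_support and confidence >= min_confidence:
                found.append((a, b, support, confidence))
        return sorted(found, key=lambda r: -r[3])


def detect_chains(packets: List[Packet], bin_ms: int, min_support: float,
                  min_confidence: float) -> List[Tuple[str, str, float, float]]:
    miner = ChainMiner(bin_ms=bin_ms)
    for p in packets:
        miner.observe(p)
    return miner.rules(min_support, min_confidence)


def constructed_trace() -> List[Packet]:
    """Constructed packet trace (not a real capture). An attacker's inbound SSH
    session is relayed to a next hop: each inbound packet is followed 20 ms
    later by an outbound packet on the host's own SSH connection. An inbound
    HTTP client and the host's DNS lookups are unrelated background traffic."""
    pkts: List[Packet] = []
    for i in range(40):
        pkts.append(Packet(i * 500, "in", "203.0.113.7:40122->22"))
        pkts.append(Packet(i * 500 + 20, "out", "10.0.0.9:22"))
    for i in range(15):
        pkts.append(Packet(i * 1300, "in", "198.51.100.4:55010->80"))
    for i in range(20):
        pkts.append(Packet(i * 700 + 100, "out", "10.0.0.53:53"))
    pkts.sort(key=lambda p: p.ts_ms)
    return pkts


if __name__ == "__main__":
    for a, b, sup, conf in detect_chains(constructed_trace(), 50, 0.1, 0.9):
        print(f"chain candidate: {a} => {b}  support={sup:.2f} confidence={conf:.2f}")
```

On the constructed trace, the relayed SSH pair appears together in every bin it occupies (confidence 1.0), while the background pairs reach at most 0.2, so a confidence threshold of 0.9 isolates the chain; the thresholds are the "underlying parameters" the abstract refers to. Two caveats a practitioner would check: fixed bins split a pair whose packets straddle a bin boundary, so a sliding or overlapping window is usually preferable, and the flush cost grows with the number of connections active in a bin, which is what keeps per-packet cost constant only when that number stays small.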


Source: Almulhem, Ahmad - Computer Engineering Department, King Fahd University of Petroleum and Minerals


Collections: Computer Technologies and Information Sciences