Mining and detecting connection-chains in network traffic

Ahmad Almulhem; Issa Traore

doi:10.1007/978-0-387-73655-6_4

Mining and detecting connection-chains in network traffic

Ahmad Almulhem^*, Issa Traore

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

A connection-chain refers to the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to indirectly carry their attacks and stay anonymous. In this paper, we proposed a host-based algorithm to detect connection chains by passively monitoring inbound and outbound packets. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in details. We then present our evaluations of the approach in terms of real-time and detection performance. Our experimentations suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that by appropriately setting underlying parameters we can achieve perfect detection.

Original language	English
Title of host publication	Trust Management
Subtitle of host publication	Proceedings of IFIPTM 2007: Joint iTrust and PST Conferences on Privacy, Trust Management and Security, July 30- August 2, 2007, New Brunswick, Canada
Editors	Sandro Etalle, Stephen Marsh
Pages	47-57
Number of pages	11
DOIs	https://doi.org/10.1007/978-0-387-73655-6_4
State	Published - 2007
Externally published	Yes

Publication series

Name	IFIP International Federation for Information Processing
Volume	238
ISSN (Print)	1571-5736

Keywords

Connection chain
Network security
Networkforensics
Stepping stone
Traceback
Tracing

ASJC Scopus subject areas

Information Systems and Management

Access to Document

10.1007/978-0-387-73655-6_4

Cite this

Almulhem, A., & Traore, I. (2007). Mining and detecting connection-chains in network traffic. In S. Etalle, & S. Marsh (Eds.), Trust Management: Proceedings of IFIPTM 2007: Joint iTrust and PST Conferences on Privacy, Trust Management and Security, July 30- August 2, 2007, New Brunswick, Canada (pp. 47-57). (IFIP International Federation for Information Processing; Vol. 238). https://doi.org/10.1007/978-0-387-73655-6_4

Almulhem, Ahmad ; Traore, Issa. / Mining and detecting connection-chains in network traffic. Trust Management: Proceedings of IFIPTM 2007: Joint iTrust and PST Conferences on Privacy, Trust Management and Security, July 30- August 2, 2007, New Brunswick, Canada. editor / Sandro Etalle ; Stephen Marsh. 2007. pp. 47-57 (IFIP International Federation for Information Processing).

@inproceedings{469307f7e36b4d07af6864788f28dc82,

title = "Mining and detecting connection-chains in network traffic",

abstract = "A connection-chain refers to the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to indirectly carry their attacks and stay anonymous. In this paper, we proposed a host-based algorithm to detect connection chains by passively monitoring inbound and outbound packets. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in details. We then present our evaluations of the approach in terms of real-time and detection performance. Our experimentations suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that by appropriately setting underlying parameters we can achieve perfect detection.",

keywords = "Connection chain, Network security, Networkforensics, Stepping stone, Traceback, Tracing",

author = "Ahmad Almulhem and Issa Traore",

year = "2007",

doi = "10.1007/978-0-387-73655-6\_4",

language = "English",

isbn = "9780387736549",

series = "IFIP International Federation for Information Processing",

pages = "47--57",

editor = "Sandro Etalle and Stephen Marsh",

booktitle = "Trust Management",

}

Almulhem, A & Traore, I 2007, Mining and detecting connection-chains in network traffic. in S Etalle & S Marsh (eds), Trust Management: Proceedings of IFIPTM 2007: Joint iTrust and PST Conferences on Privacy, Trust Management and Security, July 30- August 2, 2007, New Brunswick, Canada. IFIP International Federation for Information Processing, vol. 238, pp. 47-57. https://doi.org/10.1007/978-0-387-73655-6_4

Mining and detecting connection-chains in network traffic. / Almulhem, Ahmad; Traore, Issa.
Trust Management: Proceedings of IFIPTM 2007: Joint iTrust and PST Conferences on Privacy, Trust Management and Security, July 30- August 2, 2007, New Brunswick, Canada. ed. / Sandro Etalle; Stephen Marsh. 2007. p. 47-57 (IFIP International Federation for Information Processing; Vol. 238).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Mining and detecting connection-chains in network traffic

AU - Almulhem, Ahmad

AU - Traore, Issa

PY - 2007

Y1 - 2007

N2 - A connection-chain refers to the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to indirectly carry their attacks and stay anonymous. In this paper, we proposed a host-based algorithm to detect connection chains by passively monitoring inbound and outbound packets. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in details. We then present our evaluations of the approach in terms of real-time and detection performance. Our experimentations suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that by appropriately setting underlying parameters we can achieve perfect detection.

AB - A connection-chain refers to the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to indirectly carry their attacks and stay anonymous. In this paper, we proposed a host-based algorithm to detect connection chains by passively monitoring inbound and outbound packets. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in details. We then present our evaluations of the approach in terms of real-time and detection performance. Our experimentations suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that by appropriately setting underlying parameters we can achieve perfect detection.

KW - Connection chain

KW - Network security

KW - Networkforensics

KW - Stepping stone

KW - Traceback

KW - Tracing

UR - https://www.scopus.com/pages/publications/36649007036

U2 - 10.1007/978-0-387-73655-6_4

DO - 10.1007/978-0-387-73655-6_4

M3 - Conference contribution

AN - SCOPUS:36649007036

SN - 9780387736549

T3 - IFIP International Federation for Information Processing

SP - 47

EP - 57

BT - Trust Management

A2 - Etalle, Sandro

A2 - Marsh, Stephen

ER -

Almulhem A, Traore I. Mining and detecting connection-chains in network traffic. In Etalle S, Marsh S, editors, Trust Management: Proceedings of IFIPTM 2007: Joint iTrust and PST Conferences on Privacy, Trust Management and Security, July 30- August 2, 2007, New Brunswick, Canada. 2007. p. 47-57. (IFIP International Federation for Information Processing). doi: 10.1007/978-0-387-73655-6_4

Mining and detecting connection-chains in network traffic

Abstract

Publication series

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this