PACKET SCHEDULING AGAINST STEPPING-STONE ATTACKS WITH CHAFF

Ting He, Parvathinathan Venkitasubramaniam, and Lang Tongt

School of Electrical and Computer EngineeringCornell University

Email: {th255, pv45,

ABSTRACT

We consider scheduling packet transmissions in a network so thatthe efficiency of stepping-stone attacks can be severely restrainedwith the help of stepping-stone monitors. We allow the attackerto encrypt and pad the packets, perturb the timing of packets, andinsert chaff packets, but the timing perturbation is subject to amaximum delay constraint. We show that ifwe randomize packettransmissions, then the attacker has to insert a large amount ofchaff to evade detection completely. In particular, if all trans-missions are scheduled as Poisson processes, then the fraction ofattacking packets in the attacker's traffic decreases exponentiallywith the length of the intrusion path.

Index Terms - Stepping-stone attack, Network defense, Schedul-ing.

1. INTRODUCTION

Stepping-stone attacks are indirect network attacks in whichattacking commands are relayed through compromised hostscalled "stepping stones" [1]. Since each stepping stone hostonly sees its immediate predecessor and the victim only seesthe last host, it is difficult to find the origin of such attacks.The key to defending against stepping-stone attacks is tofind the intrusion path.

Although numerous detection schemes have been devel-oped to detect stepping-stone connections, a sophisticatedattacker can modify his traffic to evade detection. In partic-ular, he can encrypt and pad the packets so that no informa-tion is revealed by the bit patterns or the lengths of packets;he can also perturb the timing of packets by adding ran-dom delay or packet reshuffling. Furthermore, the attackercan repacketize the commands, or mix attacking traffic withother traffic or dummy traffic called "chaff'. The insertionof chaff makes the detection of stepping-stone traffic espe-cially challenging. We refer to the traffic of attacking pack-ets as attacking traffic, and the mixture of attacking traffic

tThis work is supported in part by TRUST (The Team for Research in Ubiq-uitous Secure Technology), which receives support from the National ScienceFoundation (NSF award number CCF-0424422) and the following organizations:Cisco, ESCHER, HP, IBM, Intel, Microsoft, ORNL, Qualcomm, Pirelli, Sun andSymantec, and the U. S. Army Research Laboratory under the Collaborative Tech-nology Alliance Program, Cooperative Agreement DAAD19-01-2-001 1. The U.S. Government is authorized to reproduce and distribute reprints for Governmentpurposes notwithstanding any copyright notation thereon.

1t35}@cornell . edu

and chaff stepping-stone traffic.

1.1. Related Work

Staniford and Heberlein [1] were the first to consider theproblem ofdetecting stepping-stone connections. Early tech-niques are based on the content ofthe traffic; see, e.g., [1,2].These techniques, however, are not applicable to detectingencrypted connections. An alternative is to exploit timingcharacteristics of the traffic; examples include [3-5]. Thedrawback of these schemes is that they are vulnerable toactive timing perturbation by the attacker.

There are a few results on detecting encrypted, timingperturbed stepping-stone connections; see [6-9]. The keyassumption of these methods is that the attacker is able toperform a packet-conserving transformation subject to cer-tain constraints.

Packet conservation is too restrictive without consider-ing the presence of chaff. We are only aware of a few re-sults dealing with the attacker's insertion of chaff packets.Peng et al. in [10] proposed an active detection schemewhich combines watermarking with packet matching to de-tect stepping-stone traffic with chaff. They assumed thatpackets have bounded delays, and chaff only appears inthe outgoing stream. Their scheme injects watermarks inthe incoming stream, and finds a subsequence in the out-going stream, whose watermark is closest to the injectedone. Such a scheme, however, requires the active manipu-lation of traffic. Donoho et al. [6] pointed out that in prin-ciple it is possible to correlate stepping-stone traffic evenif both (bounded) delay and independent chaff are intro-duced during the relay. Blum et al. [8] proposed an algo-rithm called "DETECT-ATTACKS-CHAFF" (DAC) to de-tect stepping-stone traffic with limited chaff when attackingtraffic has bounded delay and bounded peak rate. AlgorithmDAC monitors the difference in the number of packets inthe incoming and the outgoing streams, and makes detec-tion if the difference exceeds a certain threshold. The algo-rithm achieves robustness against a limited number of chaffpackets by choosing a threshold larger than necessary. Thedrawback is that the increase of threshold causes increasedfalse alarm probability, and the attacker can still evade de-

1 of 7

Authorized licensed use limited to: Cornell University. Downloaded on October 7, 2008 at 15:32 from IEEE Xplore. Restrictions apply.

tection by adding a fixed number of chaff packets. In arecent paper [11], Zhang et al. proposed packet matchingschemes to detect stepping-stone traffic with bounded de-lay perturbation and chaff. They proposed to match everyarrival with the first departure subject to causality and thedelay constraint. They proved that this strategy has expo-nentially decaying false alarm probability for independentPoisson streams. Their schemes can detect stepping-stonetraffic if chaff is only inserted in the departing stream. Ifchaff can be inserted in the incoming stream, however, onechaff packet suffices to evade their schemes.

1.2. Summary of Results and Organization

In this paper, we show that there are fundamental limits tostepping-stone attacks even if the attacker can encrypt andpad the packets, perturb the timing, and mix attacking pack-ets with chaff. Based on these limits, we propose a random-ized packet scheduling strategy to defend against stepping-stone attacks more efficiently.

We consider encrypted stepping-stone attacks with boundeddelay perturbation and chaff. We first analyze the funda-mental limits on how fast the attacker can send attackingtraffic without being detected by any stepping-stone detec-tor. We propose optimal strategies to schedule the trans-mission of attacking packets for given realizations of arrivalprocesses while inserting the minimum number of chaffpack-ets. Then the fundamental limits on the rate of the attack-ing traffic are obtained by characterizing the performanceof the proposed chaff-inserting algorithms. We show thatalthough the attacker does not lose much rate in one-hopstepping-stone attacks, the rate of attacking traffic decreasesexponentially as the number of hops increases. This resultsuggests that in detecting stepping-stone traffic, we shouldjointly consider streams at multiple locations rather than do-ing local detection separately.

We then compare the achievable rates of the attackingtraffic under randomized packet scheduling versus deter-ministic scheduling. The comparison suggests that random-ized packet transmissions can make the network much morerobust to stepping-stone attacks.

The rest of the paper is organized as follows. Section 2defines the problem. Section 3 gives a limit on the rate of at-tacking traffic passing through a single stepping-stone host.In Section 4, the result is generalized to the case of multi-ple stepping-stone hosts. Section 5 presents how random-ized packet scheduling can facilitate stepping-stone detec-tion. Finally, Section 6 concludes the paper with commentson its limitation.

2. PROBLEM STATEMENT

Let the packet arrivals on stream i be represented by a pointprocess

Si = (sl M2 s3 ..) i = 1 , 2, ....where s(i) is the kth arrival epoch of stream i. Let I={s(),s(i,. . } be the set ofthe elements in Si. Let SI be anincoming stream ofthe first host, and Si+± (i = 1, . . ., n) bea outgoing stream at the ith host. The outgoing stream at theith host is different from the incoming stream at the i + ithhost due to perturbations from clock skews and propagationdelay. We assume that these perturbations are known.

Normally, Si's are independent. If, however, (S,)n+l isa sequence of stepping-stone streams on the same intrusionpath, then they will satisfy certain relation as defined below.

Definition 1 A sequence ofstreams (SI,..., Sn+±) is nor-mal traffic if they are independent. It is attacking trafficif there exist biections gi: i AT+I (i = 1,..., n)such that gi(s) -s > Ofor all s EE §i. Furthermore, ifthere exists a constant A < oo such that the bijections sat-isfy gi(s) -s < A for all s EE §1 (i = 1,..., n), then(SI, . . ., Sn+ ) is attacking traffic with bounded delay A.

The bijection gi is a mapping between the arrival andthe departure times of packets at the ith host, allowing per-mutation of packets during the relay. The condition that giis a bijection imposes apacket-conservation constraint, i.e.,no packets are generated or dropped at the stepping stones.The condition gi(s) -s > 0 is the causality constraint,which means that a packet cannot leave a host before it ar-rives. The condition gi(s) -s < A means that packetscan stay at a stepping-stone host for at most A, where A isreferred to as the maximum tolerable delay. The boundeddelay constraint is usually imposed by physical constraintson the communication link or the need of the attacker.

If the attacker can insert chaff into his traffic, then theabove constraints only apply to the fraction of the trafficmade of attacking packets, as stated in the following defini-tion.

Definition 2 A sequence ofstreams (SI ... S,+± ) is stepping-stone traffic if it is the superposition ofattacking traffic anda sequence of chaff streams (CI,..., C,+1). Stepping-stone traffic with bounded delay is similarly defined as thesuperposition of chaff and attacking traffic with boundeddelay.

Stream C (i 1,..., n+1) cnsists ofdummy packetscalled chaff which do not need to arrive at the destination.

2 of 7

Authorized licensed use limited to: Cornell University. Downloaded on October 7, 2008 at 15:32 from IEEE Xplore. Restrictions apply.

Chaff packets can be generated or dropped at any steppingstones without affecting the attack. They are artificially in-serted by the attacker to evade detection.

We consider the centralized detection of the followinghypotheses:

'Ho: (S1, ..., Sn+1) is normal traffic,K1t: (SI,..., Sn+I) is stepping-stone traffic,

by observing ((i, 32i), . A(1)= chaff; m = m + 1;

else(S(1) (2)(Sm , sn1) a valid pair;

m + 1; n = n + 1;end

endend

Remark. The theorem implies that the attacker can sendattacking traffic at rate A2A/(1 + AA), while keeping histraffic identical to independent Poisson processes of rate Aby inserting chaffpackets. For large A, the attacker can sendattacking traffic at rather high rate without possibly beingdetected by any activity-based detector.

4. FUNDAMENTAL LIMIT ON MULTI-HOPSTEPPING-STONE ATTACKS

The result in Section 3 is pessimistic in that it seems possi-ble that the detector has no way to detect encrypted one-hopstepping-stone attacks even if the attacker only transmitsa small amount of chaff; it shows the weakness of detect-ing stepping-stone attacks on a local scale. If, however, thestepping-stone attack involves multiple hops, and there is acentral detector which makes decisions based on the incom-ing and outgoing traffic at each hop, then the capability ofthe attacker to evade detection will be severely limited. Weproceed by introducing a few definitions related to multi-hop stepping-stone attacks.

Definition 3 A relay path through a sequence of streams(SI,..., S,+±1) is a sequence of epochs from each of thestreams (ti E Si)n+'. A relay path (tl, . . ., t,2+) is validfordelaybound/A ift ti E [O, \A]for alli = 1,..., n.A set ofrelay paths is feasible ifall the relay paths in it aredisjoint and valid. A feasible set of relay paths is order-preserving ifany two paths in it (ti)n=+ and (tl)n+ I satisfyeither ti < tl for all i or ti > tl for all i.

A valid relay path represents a sequence of timestampsat which an attacking packet is emitted from each of the

3 of 7

Authorized licensed use limited to: Cornell University. Downloaded on October 7, 2008 at 15:32 from IEEE Xplore. Restrictions apply.

stepping-stone hosts. To schedule the transmission of at-tacking packets, the attacker must find a feasible set of re-lay paths, and schedule the transmission of each attackingpacket according to a different relay path. The requirementthat paths in a feasible set are disjoint is because we do notallow the combining of multiple packets into a single relaypacket. If a set of relay paths is order-preserving, then therewill be no intersection between the paths, which greatly re-duces the complexity in searching for a desired set of relaypaths.

Proposition 1 Among all the feasible sets of relay pathswith the largest cardinality, there always exists a set whichis order-preserving.

Remark. By Proposition 1, we only need to search amongorder-preserving sets to find a largest feasible set of relaypaths.

Proof: The proof is by direct observation. As illus-trated inFig. 1, suppose (¼(l): S 2) S(3)) and (s(1), 's(2), (3))are valid relay paths. By switching the intersected part,we obtain two order-preserving paths (8(l)1S(2), S(3)) and('S(1) S(2) S(3)) which are also valid. We can restructure anylargest feasible set of relay paths into an order-preserving

packets. It is easy to see that the set of relay paths found byGRE is feasible. The optimality of GRE is guaranteed bythe following proposition.

Proposition 2 Given a realization ofpointprocesses (Si) +'GREfinds the largestfeasible set ofrelay paths from Si toSn+l -

Proof: See Appendix. U

Since GRE is optimal in the sense that it requires thetransmission of the minimum number of chaff packets, theperformance of GRE gives fundamental limits to the at-tacker's capability of sending attacking packets. By ana-lyzing GRE, we bound the attacker's ability to send attack-ing traffic while keeping his traffic completely undetectableto activity-based detectors by adding chaff, as stated in thefollowing theorem.

Theorem 2 Suppose the attacker wants all the streams onthe intrusion path to mimic independent Poisson processeswith equal rate A. Thenfor an intrusionpath oflength n, therate ofattacking traffic is upper bounded by A (1 e- AA )n.

Proof: See Appendix. U

Remark. Theorem 2 says that if the attacker wants tocompletely hide the intrusion path, the rate of attacking traf-fic decays exponentially with the increase in the length ofthe intrusion path. This result guarantees that the attacker'scapability of launching attacks is severely constrained bythe number of hops he takes in the chain of stepping stones.To send attacking commands at a sufficiently high rate, Theattacker has to either leave some connections on the in-trusion path correlated, or reduce the number of steppingstones on the intrusion paths, both of which makes the at-tacker vulnerable to detection and tracing.

5. RANDOMIZING PACKET SCHEDULING TODEFEND AGAINST STEPPING-STONE ATTACKS

In Section 4, we have established a fundamental limit onthe rate of attacking traffic through multiple stepping stones.The result requires that the attacker wants his traffic to mimicPoisson processes. Although we can not control the at-tacker's decision, as the network designer, we can force theattacker to choose Poisson processes by scheduling othertraffic as Poisson. Suppose normal traffic can be modelledas Poisson processes. Then we can install local detectors atthe hosts to test whether the interarrival distribution is ex-ponential; all traffic with non-exponential interarrival distri-butions will be considered abnormal. Next, a global detec-tor can test the dependency among connections to detect

stepping-stone traffic. The global detection can be doneeither in a centralized fashion at a fusion center, or in adistributed fashion by conferencing among local detectors.Using this framework, we show that, at least in principle,scheduling packet transmissions as Poisson processes al-lows us to restrain the efficiency of stepping-stone attacks.

We note that the key to impeding stepping-stone attacksis to randomize packet transmissions. Randomization giveseach traffic flow distinct timing characteristics which canbe used to trace the flow. On the other hand, determinis-tic scheduling does not provide uniqueness in timing, andis therefore vulnerable to encrypted stepping-stone attacks.For example, consider a deterministic scheduling where pack-ets are transmitted after constant interarrival times D. Ifthetransmissions are synchronized, then there is no way to dis-tinguish the relay stream from any other stream. Even ifthe transmissions in streams belonging to independent flowsdiffer by a random time uniformly distributed in [0, D],it is still impossible to distinguish streams with differencewithin A (assume A < D). This comparison shows thatrandomization in transmission times is needed to facilitatethe defense against stepping-stone attacks.

The feasibility of the scheduling strategy is also a sig-nificant concern. Suppose the ingress traffic of the networkcan be modelled as Poisson processes. Then it is easy tosee that it requires infinite delay and memory to implementa deterministic transmission scheduling, which is infeasiblein practice. We point out that Poisson scheduling is not theoptimal scheduling to defeat stepping-stone attacks. Takethe bounded delay stepping-stone traffic for example; it canbe shown that with infinite peak rate (i.e., infinite packetscan be transmitted in infinitesimal time), we can design ascheduling strategy to make it almost impossible to embedtraffic into independent processes. That is, for any e > 0,there exists A, such that there is a scheduling with peak ratebounded by A, and the maximum traffic rate through twoindependent processes is less than c. Such a bursty schedul-ing, however, is infeasible in practice because it requiresinfinite delay and memory to implement as the determin-istic scheduling does. Therefore, for large scale networkswhere the ingress traffic is approximately Poisson, Poissonscheduling is a convenient and effective method to defendagainst stepping-stone attacks.

6. CONCLUSION

In this paper, we show that randomization in packet trans-missions facilitates the defense against stepping-stone at-tacks. The drawback is that such randomization may beundesirable in certain time-sensitive applications such as

5 of 7

Authorized licensed use limited to: Cornell University. Downloaded on October 7, 2008 at 15:32 from IEEE Xplore. Restrictions apply.

multi-media transmissions. On the other hand, the detectionof relayed traffic in time-sensitive applications is an easierproblem because the attacker cannot afford to perturb thetiming either; see [3].

7. APPENDIX

7.1. Proof of Proposition 2

By Proposition 1, it suffices to show that GRE finds thelargest set of relay paths among all the feasible sets of relaypaths that preserve the order of incoming packets.

Let 7P be the set of relay paths found by GRE, and 7P*a largest feasible set of relay paths that is order-preserving.Suppose sI E S,+ I is the endpoint of a relay path p* E 7P,as illustrated in Fig. 2, but there is no relay path in 7P leadingto sl. Then in 7P there must be relay path(s) having someoverlap with p*, and leading to point(s) in S1+, before s1;otherwise. GRE would have chosen p* or some path no laterthan p* to lead to sl. Let the latest ofthese points be S2, andits path in 7P be p1. Ifs2 does not correspond to any relaypath in P9, we stop tracing; otherwise, let p2 E 7P* leadto 82. We know that there have to be relay path(s) in 7Ppartly overlapping with p2; if not, GRE would have chosena path no later than p2 to lead to 82, but this path would nothave overlap with p*, which is a contradiction. We continuetracing by alternately choosing the latest path pi in 7P whichhas partial overlap with pi, and then finding a path p*1 E7P* with the same endpoint as pi for i = 2, 3,. Thetracing continues until we find a point which has a relaypath in 7P but not P*, or we reach a relay path Pm in 7Pleading to a point sm±+ which is before the endpoint sm ofthe first relay path pm in 7P9.

Pm \ Pi

p

P22-I

SI

Sn+1Sm+1 Sm 83 82 Si

Fig. 2: Every relay path in 7P* corresponds to a path in 7P;solid line: paths in 7P*; dashed line: paths in 7P.

Therefore, we see that every relay path in 7P* corre-sponds to a relay path in 7P. This proves that 7P is also alargest feasible set of relay paths.

U

7.2. Proof of Theorem 2

We bound the rate of attacking traffic by obtaining an up-per bound on the asymptotic fraction of attacking packetsin SI. We first show that this fraction is upper bounded bythe probability that the first incoming packet can be an at-tacking packet, and then bounded this probability.

Be Proposition 2, it suffices to bound the fraction of at-tacking packets scheduled by GRE. For an incoming packet

S(k) (k > 2), given a feasible and order-preserving set ofrelay paths for incoming packets before s(l) found by GRE,the conditional probability for s(l) to have a valid relay pathis equal to

Pr{3(ti E S 1 ti C [max(ti-1, ti), ti-I + A]},

where t1 = s( t' representsthe order-preserving requirement. We can easily bound thisprobability from above by

Pr{3(t, EC S,)n , ti E [ti-1, ti-I + A]},

which is equal to the probability that s(1) has a valid relaypath.

Next we prove by induction that the probability for s(1)to have a valid relay path of length n is equal to (1 -e AA )n.Let t1 = s(). For n= 1,we have

Pr{3t2 E S2, t2 E [tl t1 + A]} 1 e

Assume that the result holds for relay path of length n- 1(n > 2). Then we have

Pr{3(t, ESC)n+2, ti E [ti-1, ti-I + A]}IAAe-

0

-Ax Pr{3(t, E S,)n+2, ti E [ti-1, ti-I + A]

|t2 -tl= x}dx

(1)IA

Ae-Ax(i eAA)n-rldx(1 e -AA)n,

where we use the induction assumption in (1).Combining the facts that SI has rate A, and at most (1-

e- A\),fraction of the packets are attacking packets, weconclude that the rate of attacking traffic is upper boundedby A(le AA)12

U

6 of 7

Authorized licensed use limited to: Cornell University. Downloaded on October 7, 2008 at 15:32 from IEEE Xplore. Restrictions apply.

8. REFERENCES

[1] S. Staniford-Chen and L. Heberlein, "Holding intrud-ers accountable on the internet," in Proc. the 1995IEEE Symposium on Security and Privacy, (Oakland,CA), pp. 39-49, May 1995.

[2] X. Wang, D. Reeves, S. Wu, and J. Yuill, "Sleepy wa-termark tracing: An active network-based intrusion re-sponse framework," in Proc. ofthe 16th InternationalInformation Security Conference, pp. 369-384, 2001.

[3] Y. Zhang and V. Paxson, "Detecting stepping stones,"in Proc. the 9th USENIX Security Symposium,pp. 171-184, August 2000.

[4] K. Yoda and H. Etoh, "Finding a connection chainfor tracing intruders," in 6th European Symposiumon Research in Computer Security, Lecture Notes inComputer Science 1895, (Toulouse, France), October2000.

[10] P. Peng, P. Ning, D. Reeves, and X. Wang, "ActiveTiming-Based Correlation of Perturbed Traffic Flowswith Chaff Packets," in Proc. 25th IEEE InternationalConference on Distributed Computing Systems Work-shops, (Columbus, OH), pp. 107-113, June 2005.

[11] L. Zhang, A. Persaud, A. Johson, and Y. Guan, "De-tection of Stepping Stone Attack under Delay andChaff Perturbations," in Proc. of the 25th IEEE In-ternational Performance Computing and Communica-tions Conference (IPCCC 2006), (Phoenix, AZ), April2006.

[12] T. He and L. Tong, "Detecting Stepping-Stone Traffic in Chaff: Fundamental Limitsand Robust Algorithms," Tech. Rep. ACSP-TR-06-06-01, Cornell University, June 2006.http://acsp.ece. cornell .edu/pubR. html.

[5] X. Wang, D. Reeves, and S. Wu, "Inter-packet delay-based correlation for tracing encrypted connectionsthrough stepping stones," in 7th European Symposiumon Research in Computer Security, Lecture Notes inComputer Science 2502, pp. 244-263, 2002.

[6] D. Donoho, A. Flesia, U. Shankar, V. Paxson, J. Coit,and S. Staniford, "Multiscale stepping-stone detec-tion: Detecting pairs ofjittered interactive streams byexploiting maximum tolerable delay," in 5th Interna-tional Symposium on Recent Advances in IntrusionDetection, Lecture Notes in Computer Science 2516,2002.

[7] X. Wang and D. Reeves, "Robust correlation of en-crypted attack traffic through stepping stones by ma-nipulation of inter-packet delays," in Proc. ofthe 2003ACM Conference on Computer and CommunicationsSecurity, pp. 20-29, 2003.

[8] A. Blum, D. Song, and S. Venkataraman, "Detec-tion of Interactive Stepping Stones: Algorithms andConfidence Bounds," in Conference of Recent Ad-vance in Intrusion Detection (RAID), (Sophia Antipo-lis, French Riviera, France), September 2004.

[9] T. He and L. Tong, "A Signal Processing Perspectiveto Stepping-stone Detection," in Proc. 2006 Confer-ence on Information Sciences and Systems, (Princeton,NJ), March 2006.

The views and conclusions contained in this document are those ofthe authors and should not be interpreted as representing the official poli-cies, either expressed or implied, ofthe Army Research Laboratory or theU. S. Government.

7 of 7

Authorized licensed use limited to: Cornell University. Downloaded on October 7, 2008 at 15:32 from IEEE Xplore. Restrictions apply.