An effective method to detect stepping-stone intrusion(SSI)is to estimate the length of a connection chain.This type of detection method is referred to as a network-based detection approach.Existing network-based SSI detection methods are either ineffective in the context of the Internet because of the presence of outliers in the packet round-trip times(RTTs)or inefficient,as many packets must be captured and processed.Because of the high fluctuation caused by the intermediate routers on the Internet,it is unavoidable that the RTTs of the captured packets contain outlier values.In this paper,we first propose an efficient algorithm to eliminate most of the possible RTT outliers of the packets captured in the Internet environment.We then develop an efficient SSI detection algorithm by mining network traffic using an improved version of k-Means clustering.Our proposed detection algorithm for SSI is accurate,effective,and efficient in the context of the Internet.Well-designed network experiments are conducted in the Internet environment to verify the effectiveness,correctness,and efficiency of our proposed algorithms.Our experiments show that the effective rate of our proposed SSI detection algorithm is higher than 85.7％in the context of the Internet.

Lixin Wang;Jianhua Yang;Michael Workman;Pengjun Wan

TSYS School of Computer Science,Columbus State University,Columbus,GA 31907,USA;Department of Computer Science,Illinois Institute of Technology,Chicago,IL 60616,USA

清华大学学报自然科学版（英文版）

[1]Lixin Wang;Jianhua Yang;Michael Workman;Pengjun Wan-.Effective Algorithms to Detect Stepping-Stone Intrusion by Removing Outliers of Packet RTTs)[J].清华大学学报自然科学版（英文版）,2022(02):432-442

Outliers,RTTs

Effective,Algorithms,Detect,Stepping,Stone,Intrusion,by,Removing,Packet,An,stepping,stone,intrusion,SSI,estimate,length,connection,chain,This,type,detection,referred,network,approach,Existing,methods,are,either,ineffective,context,Internet,because,presence,outliers,round,trip,times,inefficient,many,packets,must,captured,processed,Because,fluctuation,caused,intermediate,routers,unavoidable,that,contain,values,this,paper,we,first,eliminate,most,possible,environment,then,develop,mining,traffic,using,improved,version,Means,clustering,Our,proposed,accurate,Well,designed,experiments,conducted,verify,effectiveness,correctness,efficiency,our,algorithms,show,higher,than

0.492264