RTT-Based Random Walk Approach to Detect Stepping-Stone Intrusion


Detecting stepping-stone intrusion, and in particular resisting intruders’ evasion, has been widely and deeply studied and explored since 1995. In this paper, we propose a method that detects stepping-stone intrusion by counting matched TCP/IP packets. Our study shows that this approach not only detects stepping-stone intrusion with improved performance, but also resists intruders’ evasion techniques such as time-jittering and chaff-perturbation.

We model stepping-stone intrusion detection as a one-dimensional random-walk process. Theoretical analysis shows that, to obtain the same false positive rate, this approach needs to monitor fewer packets than Blum’s approach, which is considered the state-of-the-art method. The simulation results show that this approach can resist intruders’ chaff-perturbation up to 50%.