Identify Encrypted Packets to Detect Stepping-Stone Intrusion

Most attackers exploit stepping-stone to launch their attacks to avoid being captured. An encrypted TCP session established by attackers using ssh makes stepping-stone intrusion detection harder than non-encrypted sessions. Even though the contents of an encrypted packet are not readable, its header fields in different layers are not encrypted. In this paper, we propose a novel algorithm to detect stepping-stone intrusion based on IP address, port number, TCP packet flags, and the length of an encrypted packet. A preliminary experimental result in a local area network shows that the proposed algorithm cannot only detect stepping-stone intrusion, but also resist intruders’ session manipulation.