• detecting stepping-stones;
  • association rules;
  • network attack;
  • information security;
  • data mining


Hackers generally do not use their own computers to launch attacks on the Internet to avoid exposing their actual locations. The trick involves an intruder connecting to a victim indirectly through a sequence of hosts called stepping-stone, which makes network managers difficult to detect the intrusion, often results in serious injuries. In this study, a detection method of stepping-stone based on the association rule mining of network traffic records is proposed. The association rules establish a model for detecting stepping-stones in accordance with collecting the connecting records in the governed network. Test records are gathered from the source and destination addresses of Internet protocol in a fixed time interval, which are then analyzed with the association rules algorithm to filter out the transmission characteristics of stepping-stone attacks. In the experimental results, empirical evaluation under 5 min of test records shows that the accuracy rate, the precision rate, and the recall rate are 83.81%, 84.26%, and 83.16%, respectively. When the test record gathering time is extended to 20 min, with the same detecting method, the three evaluations achieve 99.9%. The proposed detection method may be helpful to network management for detecting suspected stepping-stone attacks. Copyright © 2013 John Wiley & Sons, Ltd.