Detecting stepping-stone intrusion using association rule mining
Version of Record online: 14 MAR 2013
Copyright © 2013 John Wiley & Sons, Ltd.
Security and Communication Networks
Volume 6, Issue 10, pages 1225–1235, October 2013
How to Cite
Hsiao, H.-W., Sun, H.-M. and Fan, W.-C. (2013), Detecting stepping-stone intrusion using association rule mining. Security Comm. Networks, 6: 1225–1235. doi: 10.1002/sec.692
- Issue online: 23 SEP 2013
Keywords
- detecting stepping-stones;
- association rules;
- network attack;
- information security;
- data mining
To avoid exposing their actual locations, hackers generally do not use their own computers to launch attacks on the Internet. Instead, the intruder connects to a victim indirectly through a sequence of hosts called stepping-stones, which makes the intrusion difficult for network managers to detect and often results in serious harm. This study proposes a stepping-stone detection method based on association rule mining of network traffic records. The association rules establish a model for detecting stepping-stones from the connection records collected in the governed network. Test records are gathered from the source and destination Internet Protocol addresses in a fixed time interval and are then analyzed with the association rule algorithm to filter out the transmission characteristics of stepping-stone attacks. In the experimental results, empirical evaluation on 5 min of test records shows an accuracy rate, precision rate, and recall rate of 83.81%, 84.26%, and 83.16%, respectively. When the test record gathering time is extended to 20 min, with the same detection method, the three evaluations achieve 99.9%. The proposed detection method may help network management detect suspected stepping-stone attacks.
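The idea of mining association rules over source/destination address records bucketed into fixed time windows can be sketched as follows. This is an added example, not the paper's algorithm or code: the rule shape (an inbound pair A→B co-occurring with an outbound pair B→C), the thresholds, the function name and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from itertools import permutations

# Constructed sample records: (time-window index, source IP, destination IP).
# Addresses come from documentation ranges; 10.0.0.5 relays in every window.
RECORDS = [
    (0, "198.51.100.7", "10.0.0.5"), (0, "10.0.0.5", "203.0.113.9"),
    (1, "198.51.100.7", "10.0.0.5"), (1, "10.0.0.5", "203.0.113.9"),
    (2, "198.51.100.7", "10.0.0.5"), (2, "10.0.0.5", "203.0.113.9"),
    (3, "198.51.100.7", "10.0.0.5"), (3, "10.0.0.5", "203.0.113.9"),
    # Ordinary host: inbound and outbound traffic rarely share a window.
    (0, "10.0.0.8", "192.0.2.20"), (1, "10.0.0.8", "192.0.2.20"),
    (3, "10.0.0.8", "192.0.2.20"),
    (1, "192.0.2.30", "10.0.0.8"), (2, "192.0.2.30", "10.0.0.8"),
]

def mine_relay_rules(records, min_support=0.5, min_confidence=0.8):
    """Return rules {A->B} => {B->C} as (relay B, A, C, support, confidence).

    Each time window is one transaction whose items are (src, dst) pairs.
    support    = windows containing both pairs / all windows
    confidence = windows containing both pairs / windows containing A->B
    """
    windows = defaultdict(set)
    for win, src, dst in records:
        windows[win].add((src, dst))
    total = len(windows)

    seen = defaultdict(int)   # windows in which a single pair appears
    both = defaultdict(int)   # windows in which inbound and outbound co-occur
    for pairs in windows.values():
        for pair in pairs:
            seen[pair] += 1
        for inbound, outbound in permutations(pairs, 2):
            # Relay shape: inbound ends where outbound starts, and A != C.
            if inbound[1] == outbound[0] and inbound[0] != outbound[1]:
                both[(inbound, outbound)] += 1

    rules = []
    for (inbound, outbound), count in both.items():
        support = count / total
        confidence = count / seen[inbound]
        if support >= min_support and confidence >= min_confidence:
            rules.append((inbound[1], inbound[0], outbound[1],
                          support, confidence))
    return sorted(rules)

if __name__ == "__main__":
    for relay, src, dst, sup, conf in mine_relay_rules(RECORDS):
        print(f"suspected relay {relay}: {src} -> {relay} -> {dst} "
              f"(support={sup:.2f}, confidence={conf:.2f})")
```

Lowering the thresholds also surfaces the ordinary host, which is why the choice of support and confidence values determines the false-positive rate.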