Article
Peer-Review Record

Explore Utilizing Network Traffic Distribution to Detect Stepping-Stone Intrusion

Electronics 2024, 13(16), 3258; https://doi.org/10.3390/electronics13163258
by Jianhua Yang * and Lixin Wang
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Submission received: 28 June 2024 / Revised: 1 August 2024 / Accepted: 14 August 2024 / Published: 16 August 2024
(This article belongs to the Special Issue Recent Advances in Information Security and Data Privacy)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

In this paper, the authors explore a novel approach to detecting stepping-stone intrusions through the distribution of computer network traffic. While the approach is interesting, it is important to clarify the contribution of the novel algorithm by contrasting the obtained results with those of other works. Although there is a preliminary section, further comparisons are not included in the results and discussion. Additionally, the algorithm needs to be explained more thoroughly, including a justification for its use.

Author Response

In this paper, the authors explore a novel approach to detecting stepping-stone intrusions through the distribution of computer network traffic. While the approach is interesting, it is important to clarify the contribution of the novel algorithm by contrasting the obtained results with those of other works. Although there is a preliminary section, further comparisons are not included in the results and discussion. Additionally, the algorithm needs to be explained more thoroughly, including a justification for its use.

Response:

  1. One paragraph has been added to make comparison (refer to Section 5.5).
  2. More details about the detection algorithm have been added.  

Reviewer 2 Report

Comments and Suggestions for Authors

The authors in this work propose a method to detect stepping-stone intrusion using the distribution of round-trip time of network traffic. My comments are as follows:

1. Please consider moving some of the raw data in Tables 3-11 to an Appendix section to improve the readability of the manuscript.

2. In these experiments, the authors should consider using a confidence interval test to determine the sample size to ascertain the number of tests per attacker. This is to ensure that the standard deviation metrics are correctly implemented and the statistical insights have reasonable accuracy.

3. In the attackers' scripts, please include more comments in the code and explanations - this is to ensure that the scripts could be easily understood and reproduced by other researchers.

4. Please include the weakness/trade-offs or potential setbacks of the proposed detection method. Additionally, please include the authors viewpoint on improving/overcoming these setbacks. This would fuel future research works in this field.

Author Response

The authors in this work propose a method to detect stepping-stone intrusion using the distribution of round-trip time of network traffic. My comments are as follows:

  1. Please consider moving some of the raw data in Tables 3-11 to an Appendix section to improve the readability of the manuscript.

Response:

Yes, Tables 3-11 have all been moved to Appendix B.

  2. In these experiments, the authors should consider using a confidence interval test to determine the sample size to ascertain the number of tests per attacker. This is to ensure that the standard deviation metrics are correctly implemented and the statistical insights have reasonable accuracy.

Response:

A confidence interval test, statistically, can determine an appropriate sample size. However, in this research, the sample size is determined by the attacker's attacking operation. The algorithm tries its best to capture all the attacking packets, match them, and calculate the standard deviation of the RTTs. Basically, the more attacking packets are captured, the higher the possibility of detecting the intrusion and the less efficient the detection.


  3. In the attackers' scripts, please include more comments in the code and explanations - this is to ensure that the scripts could be easily understood and reproduced by other researchers.

Response:

Yes, more comments and explanations have been added to the attackers’ scripts.

  4. Please include the weakness/trade-offs or potential setbacks of the proposed detection method. Additionally, please include the authors' viewpoint on improving/overcoming these setbacks. This would fuel future research works in this field.

Response:

The weaknesses/potential setbacks have been described in the conclusion section. These can lead to future research work (refer to Section 6).

Reviewer 3 Report

Comments and Suggestions for Authors

The paper's central question is: How can the distribution of network traffic's round-trip time (RTT) effectively detect stepping-stone intrusion, particularly in a way that resists intruders' session manipulation techniques?

This paper proposes a novel approach to detecting stepping-stone intrusion using the RTT distribution. It uses the ratio between standard deviations between Send and Echo and Send and Ack packets to predict intrusion presence.

The article has potential. Using the RTT distribution to detect stepping-stone intrusions is a novel approach. It differs from traditional methods, which may be more susceptible to session manipulation by intruders. So, this is the article's strong point.

However, I have one doubt and question. Detection methods must be scalable to deal with large amounts of network traffic in real-time. It should be investigated whether the proposed method can be efficiently applied to large networks. How about the efficiency of your method?

Other remarks:

  • no related works section that will show research in the context of other works
  • conclusion section is poor
  • please reconsider formatting parts like: 1643041500.815242 IP 168.27.2.106.40946 > 168.27.2.103.22: Flags [P.], seq 441 2409120754:2409120790, ack 3129783136, win 501, options [nop,nop,TS val 1613436092 ecr 442 2848772024], length 36, they should be highlighted somehow


Author Response

The paper's central question is: How can the distribution of network traffic's round-trip time (RTT) effectively detect stepping-stone intrusion, particularly in a way that resists intruders' session manipulation techniques?

Response:

The reason that the distribution of network traffic's RTT can be used to detect stepping-stone intrusion is based on the following observation: the longer a connection chain, the more inconsistent the network traffic RTTs.

The reason that this method can resist intruders' session manipulation, such as chaff perturbation, is that the approach of matching Send and Echo packets can filter out the chaffed packets.

This paper proposes a novel approach to detecting stepping-stone intrusion using the RTT distribution. It uses the ratio between standard deviations between Send and Echo and Send and Ack packets to predict intrusion presence.

The article has potential. Using the RTT distribution to detect stepping-stone intrusions is a novel approach. It differs from traditional methods, which may be more susceptible to session manipulation by intruders. So, this is the article's strong point.

However, I have one doubt and question. Detection methods must be scalable to deal with large amounts of network traffic in real-time. It should be investigated whether the proposed method can be efficiently applied to large networks. How about the efficiency of your method?

Response:

Yes, it can be applied to a large amount of network traffic, but the more packets are captured, the less efficient the detection.

One paragraph has been added to analyze the efficiency of the method using Big O notation (refer to Section 4.3).

Other remarks:

  • no related works section that will show research in the context of other works
  • conclusion section is poor

Response:

The conclusion section has been rewritten.

  • please reconsider formatting parts like: 1643041500.815242 IP 168.27.2.106.40946 > 168.27.2.103.22: Flags [P.], seq 441 2409120754:2409120790, ack 3129783136, win 501, options [nop,nop,TS val 1613436092 ecr 442 2848772024], length 36, they should be highlighted somehow

Response:

Important fields have been highlighted to improve its readability. 
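The Send/Echo and Send/Ack matching that Reviewer 3 summarizes above, and the chaff-filtering argument in the authors' response, as an added example that is not part of the review record or of the authors' own scripts: it parses constructed tcpdump -S -tt lines for one SSH connection, pairs each client Send with the first server packet whose ack number covers it (the Ack) and with the server data packet whose cumulative ack points at it (the Echo), drops Sends that never receive an Echo (the assumed chaff rule), and reports the standard deviations of the two RTT series and their ratio. The matching rules, the sample capture, the host addresses and the helper names are assumptions made for illustration; the paper's exact algorithm and its decision threshold are not reproduced here.

```python
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout of one "tcpdump -S -tt" line (absolute sequence numbers, epoch timestamps).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_lo>\d+):(?P<seq_hi>\d+))?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$"
)


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq_hi: Optional[int]  # sequence number just past this packet's payload (None if no payload)
    ack: Optional[int]
    length: int


@dataclass
class Match:
    send: Pkt
    ack: Pkt
    echo: Pkt


def parse_tcpdump(lines: List[str]) -> List[Pkt]:
    """Parse tcpdump text lines into packets, skipping lines we do not understand."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append(Pkt(
            ts=float(m["ts"]), src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            seq_hi=int(m["seq_hi"]) if m["seq_hi"] else None,
            ack=int(m["ack"]) if m["ack"] else None,
            length=int(m["length"]),
        ))
    pkts.sort(key=lambda p: p.ts)
    return pkts


def match_send_ack_echo(pkts: List[Pkt], client_ip: str, server_port: int = 22) -> List[Match]:
    """Assumed matching rule: a Send is a client data packet; its Echo is the server data
    packet whose cumulative ack names it as the latest acknowledged Send; its Ack is the
    first server packet after it whose ack number covers it. Sends with no Echo are
    treated as chaff and dropped."""
    sends = [p for p in pkts if p.src == client_ip and p.dport == server_port and p.length > 0]
    replies = [p for p in pkts if p.dst == client_ip and p.sport == server_port]
    echo_for: Dict[int, Pkt] = {}
    for r in replies:
        if r.length == 0 or r.ack is None:
            continue
        cands = [i for i, s in enumerate(sends)
                 if i not in echo_for and s.ts < r.ts and s.seq_hi <= r.ack]
        if cands:
            echo_for[max(cands, key=lambda i: sends[i].seq_hi)] = r
    matches = []
    for i, s in enumerate(sends):
        if i not in echo_for:
            continue  # chaff: never echoed by the server
        ack = next((r for r in replies if r.ts > s.ts and r.ack is not None and r.ack >= s.seq_hi), None)
        if ack is not None:
            matches.append(Match(send=s, ack=ack, echo=echo_for[i]))
    return matches


def rtt_stats(matches: List[Match]) -> Dict[str, float]:
    """Standard deviation of Send->Ack and Send->Echo RTTs, and their ratio."""
    if len(matches) < 2:
        raise ValueError("need at least two matched Sends to estimate a spread")
    ack_rtt = [m.ack.ts - m.send.ts for m in matches]
    echo_rtt = [m.echo.ts - m.send.ts for m in matches]
    std_ack = statistics.pstdev(ack_rtt)
    std_echo = statistics.pstdev(echo_rtt)
    return {"n": len(matches), "std_ack": std_ack, "std_echo": std_echo,
            "ratio": std_echo / std_ack if std_ack > 0 else float("inf")}


# Constructed capture (not real data): client 10.0.0.1:40946 -> server 10.0.0.2:22.
# The Send at seq 1020:1030 is acked but never echoed, standing in for a chaff packet.
SAMPLE_LINES = [
    "1700000000.000000 IP 10.0.0.1.40946 > 10.0.0.2.22: Flags [P.], seq 1000:1010, ack 5000, win 501, options [nop,nop,TS val 1 ecr 1], length 10",
    "1700000000.010000 IP 10.0.0.2.22 > 10.0.0.1.40946: Flags [.], ack 1010, win 501, options [nop,nop,TS val 2 ecr 1], length 0",
    "1700000000.050000 IP 10.0.0.2.22 > 10.0.0.1.40946: Flags [P.], seq 5000:5010, ack 1010, win 501, options [nop,nop,TS val 3 ecr 1], length 10",
    "1700000000.200000 IP 10.0.0.1.40946 > 10.0.0.2.22: Flags [P.], seq 1010:1020, ack 5010, win 501, options [nop,nop,TS val 4 ecr 3], length 10",
    "1700000000.212000 IP 10.0.0.2.22 > 10.0.0.1.40946: Flags [.], ack 1020, win 501, options [nop,nop,TS val 5 ecr 4], length 0",
    "1700000000.280000 IP 10.0.0.2.22 > 10.0.0.1.40946: Flags [P.], seq 5010:5020, ack 1020, win 501, options [nop,nop,TS val 6 ecr 4], length 10",
    "1700000000.400000 IP 10.0.0.1.40946 > 10.0.0.2.22: Flags [P.], seq 1020:1030, ack 5020, win 501, options [nop,nop,TS val 7 ecr 6], length 10",
    "1700000000.410000 IP 10.0.0.2.22 > 10.0.0.1.40946: Flags [.], ack 1030, win 501, options [nop,nop,TS val 8 ecr 7], length 0",
    "1700000000.600000 IP 10.0.0.1.40946 > 10.0.0.2.22: Flags [P.], seq 1030:1040, ack 5020, win 501, options [nop,nop,TS val 9 ecr 6], length 10",
    "1700000000.609000 IP 10.0.0.2.22 > 10.0.0.1.40946: Flags [.], ack 1040, win 501, options [nop,nop,TS val 10 ecr 9], length 0",
    "1700000000.700000 IP 10.0.0.2.22 > 10.0.0.1.40946: Flags [P.], seq 5020:5030, ack 1040, win 501, options [nop,nop,TS val 11 ecr 9], length 10",
]

if __name__ == "__main__":
    matched = match_send_ack_echo(parse_tcpdump(SAMPLE_LINES), "10.0.0.1")
    print(rtt_stats(matched))
```

On the constructed capture three of the four Sends survive matching; the unechoed Send is discarded before either RTT series is formed, so chaff contributes to neither standard deviation. The Ack RTTs stay tight while the Echo RTTs spread, and the ratio of the two spreads is what a detector of this kind would compare against a threshold learned from benign sessions.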

Round 2

Reviewer 3 Report

Comments and Suggestions for Authors

Everything is ok
