Detecting stepping‐stone intrusion using association rule mining
Author(s) - Hsiao HanWei, Sun HueyMin, Fan WeiCheng
Publication year - 2013
Publication title - Security and Communication Networks
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.446
H-Index - 43
eISSN - 1939-0122
pISSN - 1939-0114
DOI - 10.1002/sec.692
Subject(s) - computer science , recall rate , association rule learning , intrusion detection system , hacker , data mining , the internet , filter (signal processing) , stepping stone , intrusion , test (biology) , interval (graph theory) , association (psychology) , protocol (science) , computer security , artificial intelligence , world wide web , computer vision , geology , philosophy , alternative medicine , mathematics , pathology , paleontology , epistemology , medicine , geochemistry , combinatorics , economic growth , unemployment , economics
Hackers generally do not use their own computers to launch attacks on the Internet, to avoid exposing their actual locations. The trick involves an intruder connecting to a victim indirectly through a sequence of hosts called stepping‐stones, which makes it difficult for network managers to detect the intrusion and often results in serious injuries. In this study, a method for detecting stepping‐stones based on association rule mining of network traffic records is proposed. The association rules establish a model for detecting stepping‐stones based on connection records collected in the governed network. Test records are gathered from the source and destination Internet Protocol addresses in a fixed time interval and are then analyzed with the association rules algorithm to filter out the transmission characteristics of stepping‐stone attacks. In the experimental results, empirical evaluation under 5 min of test records shows that the accuracy rate, the precision rate, and the recall rate are 83.81%, 84.26%, and 83.16%, respectively. When the test record gathering time is extended to 20 min, with the same detection method, the three evaluations achieve 99.9%. The proposed detection method may be helpful to network management for detecting suspected stepping‐stone attacks. Copyright © 2013 John Wiley & Sons, Ltd.