Evading Existing Stepping Stone Detection Methods Using Buffering

To gain anonymity and complicate their apprehension, attackers launch attacks not from their own systems but from previously compromised systems called stepping stones. An effective way to detect stepping stones is by comparing of incoming and outgoing connections in a network to find correlations. For the sake of simplicity, earlier approaches ignore that an attacker can add chaff to a traffic stream. But in reality, the attacker may be able to modify applications to use cover traffic. We loosen some assumptions made by earlier researchers and propose a simple buffering technique that could be used by an attacker to evade detection. In our technique, packets are buffered, and chaff packets added to generate constant rate traffic. To test the effectiveness of our technique, we choose a watermark based correlation scheme designed to correlate constant rate traffic streams and perform simulations to show that our buffering technique can successfully evade detection.