Anomaly Techniques in Stepping Stone Detection (SSD): A Review


  • Ali Yusny Daud School of Computing, College of Arts and Sciences, Universiti Utara Malaysia
  • Osman Ghazali School of Computing, College of Arts and Sciences, Universiti Utara Malaysia
  • Mohd Nizam Omar School of Computing, College of Arts and Sciences, Universiti Utara Malaysia


Anomaly, Attack, Stepping-Stone Detection, Trace Back,


Stepping Stone Detection (SSD) can be used to trace back the real attacker in stepping-stone connection. Anomaly techniques are capable of identifying between normal and abnormal traffic. The collaboration of SSD and anomaly techniques enhanced the capability of detection of steppingstone connection. Several SSD approaches and anomaly techniques have been proposed in the literature. In this paper, we review these approaches and techniques. Furthermore, we suggest a potential future of anomaly techniques in SSD.


Y. Kuo, “Algorithms to detect stepping-stone intrusions in the presence of evasion techniques,” (Doctoral dissertation), Available from ProQuest Dissertations and Theses database (UMI No. 3492359), 2011.

S. Staniford-Chen and L. T. Heberlein, “Holding intruders accountable on the internet,” in Security and Privacy, 1995, 1995, pp. 39–49.

Y. Zhang and V. Paxson, “Detecting stepping stones,” 9th USENIX Secur. Symp., vol. 171, pp. 1–11, 2000.

A. Kampasi, Y. Zhang, G. Di Crescenzo, A. Ghosh, and R. Talpade, “Improving stepping stone detection algorithms using anomaly detection techniques,” Rep. TR-07-28 (regular report), no. The University of Texas at Austin, 2007.

X. Wang, D. Reeves, and S. Wu, “Inter-packet delay based correlation for tracing encrypted connections through stepping stones,” Comput. Secur. 2002, pp. 1–20, 2002.

D. L. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, “Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay,” in International Symposium on Recent Advances in Intrusion Detection, 2002, vol. 2516, pp. 16–18.

A. Blum, D. Song, and S. Venkataraman, “Detection of interactive stepping stones: Algorithms and confidence bounds,” Recent Adv. Intrusion Detect. Springer Berlin Heidelb., pp. 258–277, 2004.

L. Zhang, A. G. Persaud, A. Johnson, and Y. Guan, “Detection of stepping stone attack under delay and chaff perturbations,” in Conference Proceedings of the IEEE International Performance, Computing, and Communications Conference, 2006, vol. 2006, pp. 247–256.

T. He and L. Tong, “A signal processing perspective to stepping-stone detection,” in 2006 IEEE Conference on Information Sciences and Systems, CISS 2006 - Proceedings, 2007, pp. 687–692.

T. He and L. Tong, “Detecting encrypted stepping-stone connections,” IEEE Trans. Signal Process., vol. 55, no. 5 I, pp. 1612–1623, 2007.

J. Yang and S. S. Huang, “Matching TCP packets and its application to the detection of long connection chains on the internet,” in Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA’05), 2005, vol. 1, pp. 1005–1010.

Y. Kuo and S. S. Huang, “Detecting Stepping-Stone Connection Using Association Rule Mining,” 2009 Int. Conf. Availability, Reliab. Secur., pp. 90–97, 2009.

K. Yoda and H. Etoh, “Finding a connection chain for tracing intruders,” in Computer Security-ESORICS 2000, Springer, 2000, pp. 191–205.

J. Yang and E. Bosworth, “An efficient TCP/IP packet matching algorithm to detect stepping-stone intrusion,” 2009 Inf. Secur. Curric. Dev. Conf. - InfoSecCD ’09, p. 1, 2009.

X. Wang, S. Chen, and S. Jajodia, “Tracking anonymous peer-to-peer VoIP calls on the internet,” in Proceedings of the 12th ACM conference on Computer and communications security, 2005, pp. 81–91.

Y. H. Park and D. S. Reeves, “Adaptive Watermarking against Deliberate Random Delay for Attack Attribution through Stepping Stones,” in Proc. Of the Ninth International Conference on Information and Communications Security (ICICS 2007), 2007.

X. Wang, S. Chen, and S. Jajodia, “Network flow watermarking attack on low-latency anonymous communication systems,” in Proceedings - IEEE Symposium on Security and Privacy, 2007, pp. 116–130.

X. Wang and D. S. Reeves, “Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays,” Proc. 10th ACM Conf. Comput. Commun. Secur. - CCS ’03, p. 20, 2003.

A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, and K. Butler, “Detecting Co-Residency with Active Traffic Analysis Techniques Categories and Subject Descriptors,” in Proceedings of the 2012 ACM Workshop on Cloud computing security workshop - CCSW ’12, 2012, pp. 1–12.

P. Peng, P. Ning, and D. S. Reeves, “On the secrecy of timing-based active watermarking trace-back techniques,” in Proceedings - IEEE Symposium on Security and Privacy, 2006, vol. 2006, pp. 334–348.

P. Peng, P. Ning, D. S. Reeves, and X. Wang, “Active timing-based correlation of perturbed traffic flows with chaff packets,” 25th IEEE Int. Conf. Distrib. Comput. Syst. Work., 2005.

Y. J. Pyun, Y. H. Park, X. Wang, D. S. Reeves, and P. Ning, “Tracing traffic through intermediate hosts that repacketize flows,” in Proceedings of 26th IEEE International Conference on Computer Communications, 2007, pp. 634–642.

X. Wang and D. S. Reeves, “Robust correlation of encrypted attack traffic through stepping stones by flow watermarking,” IEEE Trans. Dependable Secur. Comput., vol. 8, no. 3, pp. 434–449, 2011.

X. Wang, J. Luo, and M. Yang, “An efficient sequential watermark detection model for tracing network attack flows,” in Proceedings of the 2012 IEEE 16th International Conference on Computer Supported Cooperative Work in Design, 2012, pp. 236–243.

K. H. Yung, “Detecting long connection chains of interactive terminal sessions,” in Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection, 2002, pp. 1–16.

J. Yang and S. S. Huang, “A real-time algorithm to detect long connection chains of interactive terminal sessions,” in Proceedings of the 3rd international conference on Information security, 2004, pp. 198–203.

J. Yang and S. S. Huang, “Matching TCP / IP Packets to Detect Stepping-Stone,” IJCNCS Int. J. Comput. Sci. Netw. Secur., vol. 6, no. 10, pp. 269–277, 2006.

J. Yang, S. H. S. Huang, and M. D. Wan, “A clustering-partitioning algorithm to find TCP packet round-trip time for intrusion detection,” 20th Int. Conf. Adv. Inf. Netw. Appl. AINA, vol. 1, pp. 231–236, 2006.

Y. Sheng, Y. Zhang, and J. Yang, “Mining Network Traffic Efficiently to Detect Stepping-Stone Intrusion,” in 2012 IEEE 26th International Conference on Advanced Information Networking and Applications, 2012, pp. 862–867.

W. Ding and S. H. S. Huang, “Detecting intruders using a long connection chain to connect to a host,” in Proceedings - International Conference on Advanced Information Networking and Applications, AINA, 2011, pp. 121–128.

D. E. Denning and P. G. Neumann, “Requirements and model for IDES—a real-time intrusion detection expert system,” 1985.

N. Ye, S. M. Emran, Q. Chen, and S. Vilbert, “Multivariate statistical analysis of audit trails for host-based intrusion detection,” IEEE Trans. Comput., vol. 51, no. 7, pp. 810–820, 2002.

S. C. Chin, A. Ray, and V. Rajagopalan, “Symbolic time series analysis for anomaly detection: A comparative evaluation,” Signal Processing, vol. 85, no. 9, pp. 1859–1868, 2005.

C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, “Bayesian event classification for intrusion detection,” in Proceedings of 19th Annual Computer Security Applications Conference, 2003, 2003, pp. 14–23.

M. V Mahoney and P. K. Chan, “Learning nonstationary models of normal network traffic for detecting novel attacks,” in Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining KDD 02, 2002, pp. 376–385.

J. M. Estévez-Tapiador, P. García-Teodoro, and J. E. Díaz-Verdejo, “Detection of web-based attacks through Markovian protocol parsing,” in Proceedings - IEEE Symposium on Computers and Communications, 2005, no. Iscc, pp. 457–462.

V. Chandola, A. Banerjee, and V. Kumar, “Anomaly detection: A survey,” ACM Comput. Surv., vol. 41, no. 3, pp. 1–58, 2009.

H. Debar, M. Becker, and D. Siboni, “A neural network component for an intrusion detection system,” Proc. 1992 IEEE Comput. Soc. Symp. Res. Secur. Priv., 1992.

S. Mukkamala, G. Janoski, and a. Sung, “Intrusion detection using neural networks and support vector machines,” Proc. 2002 Int. Jt. Conf. Neural Networks. IJCNN’02, pp. 1702–1707, 2002.

P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, “Anomaly-based network intrusion detection: Techniques, systems and challenges,” Comput. Secur., vol. 28, no. 1–2, pp. 18–28, 2009.

S. M. Bridges and R. B. Vaughn, “Fuzzy Data Mining and Genetic Algorithms Applied To Intrusion Detection,” in 23rd National Information Systems Security Conference, 2000, pp. 13–31.

J. E. Dickerson and J. a. Dickerson, “Fuzzy network profiling for intrusion detection,” PeachFuzz 2000. 19th Int. Conf. North Am. Fuzzy Inf. Process. Soc. - NAFIPS (Cat. No.00TH8500), pp. 301–306, 2000.

W. Li, “Using genetic algorithm for network intrusion detection,” in Proceedings of the United States Department of Energy Cyber Security Group 2004 Training Conference, Kansas City, Kansas, 2004, pp. 24– 27.

L. Portnoy, E. Eskin, and S. Stolfo, “Intrusion detection with unlabeled data using clustering,” in Proceedings of ACM CSS Workshop on Data Mining Applied to Security Philadelphia PA, 2001, pp. 1–25.

K. Sequeira and M. Zaki, “ADMIT: anomaly-based data mining for intrusions,” in ACM SIGKDD international conference on Knowledge discovery and data mining, 2002, pp. 386–395.

J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, “Stochastic protocol modeling for anomaly based network intrusion detection,” in First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings., 2003, pp. 3–12.

W. Wang and R. Battiti, “Identifying intrusions in computer networks with principal component analysis,” in Proceedings - First International Conference on Availability, Reliability and Security, ARES 2006, 2006, vol. 2006, pp. 270–277.

W. W. Cohen, “Fast Effective Rule Induction,” in Proceedings of the 12th international conference on machine learning, 1995, pp. 115–123.

A. Almulhem and I. Traore, “A survey of connection-chains detection techniques,” in IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 2007. PacRim 2007., 2007, pp. 219–222.

G. Di Crescenzo, A. Ghosh, A. Kampasi, R. Talpade, and Y. Zhang, “Detecting anomalies in active insider stepping stone attacks,” J. Wirel. Mob. Networks, Ubiquitous Comput. Dependable Appl., vol. 2, no. 1, pp. 103–120, 2011.

S. S. Huang and Y. Kuo, “Detecting chaff perturbation on steppingstone connection,” 2011 IEEE 17th Int. Conf. Parallel Distrib. Syst., pp. 660–667, Dec. 2011.

Mohd Nizam Omar, “Approach for solving active pertubation attacks problem in stepping stone detection,” (Unpublished Doctoral thesis). Universiti Sains Malaysia, Malaysia, 2011.

Mohd Nizam Omar, “Intelligent host-based stepping stone detection ( I-HSSD ): Comparison between self-organization map and data mining approach,” Int. J. Intell. Inf. Technol. Appl., vol. 2, no. 6, pp. 256–263, 2009.

Mohd Nizam Omar and Rahmat Budiarto, “Stepping stone detection ( SSD ): Towards to provide future SSD-based research,” MASAUM J. Basic Appl. Sci., vol. 1, no. 2, 2009.

Mohd Nizam Omar, Lelyzar Siregar, and Rahmat Budiarto, “Hybrid stepping stone detection method,” 2008 First Int. Conf. Distrib. Framew. Appl., pp. 134–138, Oct. 2008.

J. I. Gilbert, “Scalable wavelet-based active network stepping stone detection,” (Master’s thesis, Air Force Institute of Technology, Air University, USA, 2012.

J. I. Gilbert, D. J. Robinson, J. W. Butts, and T. H. Lacey, “Scalable wavelet-based active network detection of stepping stones,” in SPIE Defense, Security, and Sensing, 2012, p. 84080I--84080I.




How to Cite

Daud, A. Y., Ghazali, O., & Omar, M. N. (2018). Anomaly Techniques in Stepping Stone Detection (SSD): A Review. Journal of Telecommunication, Electronic and Computer Engineering (JTEC), 10(1-10), 61–66. Retrieved from

Most read articles by the same author(s)