{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T17:32:30Z","timestamp":1769016750946,"version":"3.49.0"},"reference-count":35,"publisher":"Wiley","issue":"1","license":[{"start":{"date-parts":[[2021,3,3]],"date-time":"2021-03-03T00:00:00Z","timestamp":1614729600000},"content-version":"vor","delay-in-days":61,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100010930","name":"Columbus State University","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100010930","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100009226","name":"National Security Agency","doi-asserted-by":"publisher","award":["H98230-20-1-0293"],"award-info":[{"award-number":["H98230-20-1-0293"]}],"id":[{"id":"10.13039\/100009226","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["onlinelibrary.wiley.com"],"crossmark-restriction":true},"short-container-title":["Wireless Communications and Mobile Computing"],"published-print":{"date-parts":[[2021,1]]},"abstract":"<jats:p>Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping\u2010stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping\u2010stone intrusion by mining network traffic using the <jats:italic>k<\/jats:italic>\u2010means clustering. Existing approaches for connection\u2010chain\u2010based stepping\u2010stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping\u2010stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well\u2010designed network experiments.<\/jats:p>","DOI":"10.1155\/2021\/6632671","type":"journal-article","created":{"date-parts":[[2021,3,4]],"date-time":"2021-03-04T01:50:10Z","timestamp":1614822610000},"update-policy":"https:\/\/doi.org\/10.1002\/crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["Mining Network Traffic with the <i>k<\/i>\u2010Means Clustering Algorithm for Stepping\u2010Stone Intrusion Detection"],"prefix":"10.1155","volume":"2021","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4965-5510","authenticated-orcid":false,"given":"Lixin","family":"Wang","sequence":"first","affiliation":[]},{"given":"Jianhua","family":"Yang","sequence":"additional","affiliation":[]},{"given":"Xiaohua","family":"Xu","sequence":"additional","affiliation":[]},{"given":"Peng-Jun","family":"Wan","sequence":"additional","affiliation":[]}],"member":"311","published-online":{"date-parts":[[2021,3,3]]},"reference":[{"key":"e_1_2_9_1_2","doi-asserted-by":"crossref","unstructured":"WangL. YangJ. MccormickM. WanP.-J. andXuX. Detect stepping-stone intrusion by mining network traffic usingk-means clustering 39th IEEE International Performance Computing and Communications Conference (IEEE IPCCC 2020) November 2020.","DOI":"10.1109\/IPCCC50635.2020.9391521"},{"key":"e_1_2_9_2_2","unstructured":"MathewB. UNIX security: threats and solutions Invited talk given at the 1995 system administration networking and security conference April 1995 Washington DC."},{"key":"e_1_2_9_3_2","doi-asserted-by":"crossref","unstructured":"Staniford-ChenS.andHeberleinL. T. Holding intruders accountable on the Internet Proceedings 1995 IEEE Symposium on Security and Privacy 1995 Oakland CA USA 39\u201349 https:\/\/doi.org\/10.1109\/SECPRI.1995.398921.","DOI":"10.1109\/SECPRI.1995.398921"},{"key":"e_1_2_9_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/90.392383"},{"key":"e_1_2_9_5_2","doi-asserted-by":"publisher","DOI":"10.1186\/s13638-018-1303-2"},{"key":"e_1_2_9_6_2","unstructured":"ZhangY.andPaxsonV. Detecting stepping-stones Proceedings of the 9th USENIX Security Symposium August 2000 Denver CO 67\u201381."},{"key":"e_1_2_9_7_2","doi-asserted-by":"crossref","unstructured":"YangJ. LeeB. andHuangS. S.-H. Monitoring network traffic to detect stepping-stone intrusion 22nd International Conference on Advanced Information Networking and Applications - Workshops (aina workshops 2008) March 2008 Okinawa Japan 56\u201361 https:\/\/doi.org\/10.1109\/WAINA.2008.30 2-s2.0-50249168309.","DOI":"10.1109\/WAINA.2008.30"},{"key":"e_1_2_9_8_2","doi-asserted-by":"crossref","unstructured":"YangJ. ZhangY. KingR. andTolbertT. Sniffing and chaffing network traffic in stepping-stone intrusion detection 2018 32nd International Conference on Advanced Information Networking and Applications Workshops (WAINA) May 2018 Krakow 515\u2013520 https:\/\/doi.org\/10.1109\/WAINA.2018.00137 2-s2.0-85056256853.","DOI":"10.1109\/WAINA.2018.00137"},{"key":"e_1_2_9_9_2","doi-asserted-by":"crossref","unstructured":"HuangS. S. H. LychevR. andYangJ. Stepping-stone detection via request-response traffic analysis 4th IEEE International Conference on Automatic and Trusted Computing July 2007 Hong Kong China 276\u2013285.","DOI":"10.1007\/978-3-540-73547-2_29"},{"key":"e_1_2_9_10_2","doi-asserted-by":"crossref","unstructured":"HuangS. S. H. ZhangH. andPhayM. Detecting stepping-stone intruders by identifying crossover packets in SSH connections 2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA) 2016 Crans-Montana 1043\u20131050 https:\/\/doi.org\/10.1109\/AINA.2016.132 2-s2.0-84988933889.","DOI":"10.1109\/AINA.2016.132"},{"key":"e_1_2_9_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSP.2006.890881"},{"key":"e_1_2_9_12_2","doi-asserted-by":"crossref","unstructured":"YodaK.andEtohH. Finding connection chain for tracing intruders Proceedings of the 6th European Symposium on Research in Computer Security September 2000 Toulouse France 31\u201342.","DOI":"10.1007\/10722599_12"},{"key":"e_1_2_9_13_2","doi-asserted-by":"crossref","unstructured":"BlumA. SongD. andVenkataramanS. Detection of interactive stepping-stones: algorithms and confidence bounds Proceedings of International Symposium on Recent Advance in Intrusion Detection (RAID) September 2004 Sophia Antipolis France 20\u201335 https:\/\/doi.org\/10.1007\/978-3-540-30143-1_14.","DOI":"10.1007\/978-3-540-30143-1_14"},{"key":"e_1_2_9_14_2","unstructured":"BhattacherjeeD. Stepping stone detection for tracing attack sources in software-defined networks 2016 Degree Project in Electrical Engineering Stockholm Sweden."},{"key":"e_1_2_9_15_2","doi-asserted-by":"crossref","unstructured":"DonohoD. FlesiaA. ShankarU. PaxsonV. CoitJ. andStanifordS. Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay 5th International Symposium on Recent Advances in Intrusion Detection Lecture Notes in Computer Science 2002 Berlin Heidelberg https:\/\/doi.org\/10.1007\/3-540-36084-0_2 2-s2.0-84958977733.","DOI":"10.1007\/3-540-36084-0_2"},{"key":"e_1_2_9_16_2","doi-asserted-by":"crossref","unstructured":"DingW. HausknechtM. J. HuangS. H. S. andRiggleZ. Detecting stepping-stone intruders with long connection chains 2009 Fifth International Conference on Information Assurance and Security 2009 Xi\u2032an 665\u2013669 https:\/\/doi.org\/10.1109\/IAS.2009.123 2-s2.0-74049111153.","DOI":"10.1109\/IAS.2009.123"},{"key":"e_1_2_9_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2010.35"},{"key":"e_1_2_9_18_2","unstructured":"ChenY.andWangS. A novel network flow watermark embedding model for efficient detection of stepping-stone intrusion based on entropy Proceedings of the International Conference on e-Learning e-Business Enterprise Information Systems and e-Government (EEE) 2016."},{"key":"e_1_2_9_19_2","doi-asserted-by":"crossref","unstructured":"YungK. H. Detecting long connecting chains of interactive terminal sessions Proceedings of International Symposium on Recent Advance in Intrusion Detection (RAID) October 2002 Zurich Switzerland 1\u201316.","DOI":"10.1007\/3-540-36084-0_1"},{"key":"e_1_2_9_20_2","doi-asserted-by":"crossref","unstructured":"YangJ.andHuangS.-H. S. A real-time algorithm to detect long connection chains of interactive terminal sessions Proceedings of 3rd ACM International Conference on Information Security (Infosecu\u201904) November 2004 Shanghai China 198\u2013203.","DOI":"10.1145\/1046290.1046331"},{"key":"e_1_2_9_21_2","unstructured":"YangJ.andHuangS. H. S. Matching TCP packets and its application to the detection of long connection chains Proceedings of 19th IEEE International Conference on Advanced Information Networking and Applications (AINA 2005) March 2005 Taipei Taiwan China 1005\u20131010."},{"key":"e_1_2_9_22_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2007.07.001"},{"key":"e_1_2_9_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-09259-1_2"},{"key":"e_1_2_9_24_2","unstructured":"Data clustering algorithms:k-means clustering algorithm https:\/\/sites.google.com\/site\/dataclusteringalgorithms\/k-means-clustering-algorithm."},{"key":"e_1_2_9_25_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00453-001-0110-y"},{"key":"e_1_2_9_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2002.1017616"},{"key":"e_1_2_9_27_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2018.08.011"},{"key":"e_1_2_9_28_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2019.112845"},{"key":"e_1_2_9_29_2","doi-asserted-by":"crossref","unstructured":"ClausenH. GibsonM. S. andAspinallD. Evading stepping-stone detection with enough chaff 14th International Conference 2020 Melbourne VIC Australia 431\u2013446 https:\/\/doi.org\/10.1007\/978-3-030-65745-1_26.","DOI":"10.1007\/978-3-030-65745-1_26"},{"key":"e_1_2_9_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3026543"},{"key":"e_1_2_9_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNSE.2018.2830307"},{"key":"e_1_2_9_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2020.2980802"},{"key":"e_1_2_9_33_2","doi-asserted-by":"crossref","unstructured":"CaiZ.andHeZ. Trading private range counting over big IoT data 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS) 2019 Dallas TX USA 144\u2013153 https:\/\/doi.org\/10.1109\/ICDCS.2019.00023.","DOI":"10.1109\/ICDCS.2019.00023"},{"key":"e_1_2_9_34_2","doi-asserted-by":"crossref","unstructured":"LiQ.andMillsD. L. On the long-range dependence of packet round-trip delays in Internet 2 ICC\u203298. 1998 IEEE International Conference on Communications. Conference Record. Affiliated with SUPERCOMM\u203298 (Cat. No. 98CH36220) 1998 1185\u20131191 https:\/\/doi.org\/10.1109\/ICC.1998.685196 2-s2.0-0031632265.","DOI":"10.1109\/ICC.1998.685196"},{"key":"e_1_2_9_35_2","doi-asserted-by":"crossref","unstructured":"YangJ. HuangS.-H. S. andWanM. D. A clustering-partitioning algorithm to find TCP packet round-trip time for intrusion detection 1 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA\u203206) 2006 Vienna https:\/\/doi.org\/10.1109\/AINA.2006.13 2-s2.0-33751112790.","DOI":"10.1109\/AINA.2006.13"}],"container-title":["Wireless Communications and Mobile Computing"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/downloads.hindawi.com\/journals\/wcmc\/2021\/6632671.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/downloads.hindawi.com\/journals\/wcmc\/2021\/6632671.xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/pdf\/10.1155\/2021\/6632671","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,7]],"date-time":"2024-08-07T10:54:32Z","timestamp":1723028072000},"score":1,"resource":{"primary":{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/10.1155\/2021\/6632671"}},"subtitle":[],"editor":[{"given":"Wenzhong","family":"Li","sequence":"additional","affiliation":[]}],"short-title":[],"issued":{"date-parts":[[2021,1]]},"references-count":35,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,1]]}},"alternative-id":["10.1155\/2021\/6632671"],"URL":"https:\/\/doi.org\/10.1155\/2021\/6632671","archive":["Portico"],"relation":{},"ISSN":["1530-8669","1530-8677"],"issn-type":[{"value":"1530-8669","type":"print"},{"value":"1530-8677","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,1]]},"assertion":[{"value":"2020-12-15","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-02-06","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-03-03","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"6632671"}}