{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T02:31:44Z","timestamp":1760236304482,"version":"build-2065373602"},"reference-count":27,"publisher":"MDPI AG","issue":"22","license":[{"start":{"date-parts":[[2021,11,10]],"date-time":"2021-11-10T00:00:00Z","timestamp":1636502400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100009226","name":"National Security Agency","doi-asserted-by":"publisher","award":["H98230-20-1-0293"],"award-info":[{"award-number":["H98230-20-1-0293"]}],"id":[{"id":"10.13039\/100009226","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>A long interactive TCP connection chain has been widely used by attackers to launch their attacks and thus avoid detection. The longer a connection chain, the higher the probability the chain is exploited by attackers. Round-trip Time (RTT) can represent the length of a connection chain. In order to obtain the RTTs from the sniffed Send and Echo packets in a connection chain, matching the Sends and Echoes is required. In this paper, we first model a network traffic as the collection of RTTs and present the rationale of using the RTTs of a connection chain to represent the length of the chain. Second, we propose applying MMD data mining algorithm to match TCP Send and Echo packets collected from a connection. We found that the MMD data mining packet-matching algorithm outperforms all the existing packet-matching algorithms in terms of packet-matching rate including sequence number-based algorithm, Yang\u2019s approach, Step-function, Packet-matching conservative algorithm and packet-matching greedy algorithm. The experimental results from our local area networks showed that the packet-matching accuracy of the MMD algorithm is 100%. The average packet-matching rate of the MMD algorithm obtained from the experiments conducted under the Internet context can reach around 94%. The MMD data mining packet-matching algorithm can fix the issue of low packet-matching rate faced by all the existing packet-matching algorithms including the state-of-the-art algorithm. It is applicable to network-based stepping-stone intrusion detection.<\/jats:p>","DOI":"10.3390\/s21227464","type":"journal-article","created":{"date-parts":[[2021,11,11]],"date-time":"2021-11-11T23:04:46Z","timestamp":1636671886000},"page":"7464","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Applying MMD Data Mining to Match Network Traffic for Stepping-Stone Intrusion Detection"],"prefix":"10.3390","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2745-8524","authenticated-orcid":false,"given":"Jianhua","family":"Yang","sequence":"first","affiliation":[{"name":"TSYS School of Computer Science, Columbus State University, Columbus, GA 31907, USA"}]},{"given":"Lixin","family":"Wang","sequence":"additional","affiliation":[{"name":"TSYS School of Computer Science, Columbus State University, Columbus, GA 31907, USA"}]}],"member":"1968","published-online":{"date-parts":[[2021,11,10]]},"reference":[{"key":"ref_1","unstructured":"Zhang, Y., and Paxson, V. (2000, January 14\u201317). Detecting Stepping-Stones. Proceedings of the 9th USENIX Security Symposium, Denver, CO, USA."},{"key":"ref_2","unstructured":"Staniford-Chen, S., and Heberlein, L.T. (1995, January 8\u201310). Holding intruders accountable on the internet. Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Yang, J., and Huang, S.-H.S. (2004, January 14\u201316). A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions. Proceedings of the 3rd ACM International Conference on Information Security (Infosecu\u201904), Shanghai, China.","DOI":"10.1145\/1046290.1046331"},{"key":"ref_4","unstructured":"Yang, J., and Huang, S.-H.S. (2005, January 25\u201330). Matching TCP Packets and Its Application to the Detection of Long Connection Chains. Proceedings of the 19th IEEE International Conference on Advanced Information Networking and Applications (AINA 2005), Taipei, Taiwan."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"226","DOI":"10.1109\/90.392383","article-title":"Wide area traffic: The failure of Poisson modeling","volume":"3","author":"Paxson","year":"1995","journal-title":"IEEE\/ACM Trans. Netw."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"479","DOI":"10.1016\/j.cose.2007.07.001","article-title":"Mining TCP\/IP packets to detect stepping-stone intrusion","volume":"26","author":"Yang","year":"2007","journal-title":"Comput. Secur."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Yang, J. (2020). Stepping-Stone Intrusion Detection and Its Integration into Cybersecurity Curriculum. Innovations in Cybersecurity Education, Springer International Publishing.","DOI":"10.1007\/978-3-030-50244-7_13"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"1612","DOI":"10.1109\/TSP.2006.890881","article-title":"Detecting Encrypted Stepping-Stone Connections","volume":"55","author":"He","year":"2007","journal-title":"IEEE Trans. Signal Process."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"434","DOI":"10.1109\/TDSC.2010.35","article-title":"Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking","volume":"8","author":"Wang","year":"2010","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Yung, K.H. (2002, January 16\u201318). Detecting Long Connecting Chains of Interactive Terminal Sessions. Proceedings of the International Symposium on Recent Advance in Intrusion Detection (RAID), Zurich, Switzerland.","DOI":"10.1007\/3-540-36084-0_1"},{"key":"ref_11","unstructured":"Yang, J., and Lee, B. (2008, January 23\u201325). Detecting Stepping-Stone Intrusion and Resisting Evasion through TCP\/IP Packets Cross-Matching. Proceedings of the 5th IEEE International Conference on Automatic and Trusted Computing, Oslo, Norway."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Zhang, Y., Yang, J., Bediga, S., and Huang, S.-H.S. (2010, January 20\u201323). Resist Intruders\u2018 Manipulation via Context-based TCP\/IP Packet Matching. Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications (AINA 2010), Perth, Australia.","DOI":"10.1109\/AINA.2010.12"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Kuo, Y.-W., Huang, S.-H.S., Ding, W., Kern, R., and Yang, J. (2010, January 20\u201323). Using Dynamic Programming Techniques to Detect Multi-Hop Stepping-Stone Pairs in a Connection Chain. Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications (AINA 2010), Perth, Australia.","DOI":"10.1109\/AINA.2010.132"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Yang, J., Ray, L., and Zhao, G. (2011, January 22\u201325). Detecting Stepping-stone Insider Attacks by Network Traffic Mining and Dynamic Programming. Proceedings of the 25th IEEE International Conference on Advanced Information Networking and Applications (AINA 2011), Singapore.","DOI":"10.1109\/AINA.2011.33"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Sheng, Y., Zhang, Y., and Yang, J. (2012, January 26\u201329). Mining Network Traffic Efficiently to Detect Stepping-Stone Intrusion. Proceedings of the 26th IEEE International Conference on Advanced Information Networking and Applications, Fukuoka, Japan.","DOI":"10.1109\/AINA.2012.16"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Yang, J. (2016, January 23\u201325). Resistance to Chaff Attack through TCP\/IP Packet Cross-Matching and RTT-based Random Walk. Proceedings of the 30th IEEE International Conference on Advanced Information Networking and Applications, Crans-Montana, Switzerland.","DOI":"10.1109\/AINA.2016.17"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Clausen, H., Michael, S.G., and Aspinall, D. (2020, January 25\u201327). Evading stepping-stone detection with enough chaff. Proceedings of the 14th International Conference on Network and System Security, Melbourne, Australia.","DOI":"10.1007\/978-3-030-65745-1_26"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Yang, J., Zhang, Y., King, R., and Tolbert, T. (2018, January 16\u201318). Sniffing and Chaffing Network Traffic in Stepping-Stone Intrusion Detection. Proceedings of the 32nd IEEE International Conference on Advanced Information Networking and Applications, Krakow, Poland.","DOI":"10.1109\/WAINA.2018.00137"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Wang, L., Yang, J., Mccormick, M., Wan, P.-J., and Xu, X. (2020, January 6\u20138). Detect Stepping-stone Intrusion by Mining Network Traffic using k-Means Clustering. Proceedings of the 39th IEEE International Performance Computing and Communications Conference (IEEE IPCCC 2020), Austin, TX, USA.","DOI":"10.1109\/IPCCC50635.2020.9391521"},{"key":"ref_20","first-page":"1","article-title":"A Framework to Test Resistency of Detection Algorithms for Stepping-Stone Intrusion on Time-Jittering Manipulation","volume":"2021","author":"Wang","year":"2021","journal-title":"Wirel. Commun. Mob. Comput."},{"key":"ref_21","first-page":"432","article-title":"Effective algorithms to detect stepping-stone intrusion by removing outliers of packet RTTs. Tsinghua Science and","volume":"27","author":"Wang","year":"2021","journal-title":"Technology"},{"key":"ref_22","first-page":"273","article-title":"Analysis of Stepping-Stone Attacks in Internet of Things Using Dynamic Vulnerability Graphs","volume":"Volume 1","author":"Kamhoua","year":"2020","journal-title":"Modeling and Design of Secure Internet of Things"},{"key":"ref_23","first-page":"1011","article-title":"Improving the Efficiency of Genetic-Based Incremental Local Outlier Factor Algorithm for Network Intrusion Detection. Advances in Artificial Intelligence and Applied Cognitive Computing","volume":"Volume 1","author":"Arabnia","year":"2021","journal-title":"Transactions on Computational Science and Computational Intelligence"},{"key":"ref_24","unstructured":"(2018, February 12). The History of TCP\/IP. Available online: https:\/\/scos.training\/history-of-tcp-ip."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Friedman, M., and Kandel, A. (1999). Introduction to Pattern Recognition: Statistical, Structural, Neural, and Fuzzy Logic Approaches. River Edge, London: NJ World Scientific Publishing Company, World Scientific Publishing Company.","DOI":"10.1142\/3641"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Mirkin, B. (1996). Mathematical Classification and Clustering, Springer Science & Business Media.","DOI":"10.1007\/978-1-4613-0457-9"},{"key":"ref_27","unstructured":"Jain, A.K., and Dubes, R.C. (1988). Algorithms for Clustering Data, Prentice-Hall, Inc."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/22\/7464\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:28:34Z","timestamp":1760167714000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/22\/7464"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,10]]},"references-count":27,"journal-issue":{"issue":"22","published-online":{"date-parts":[[2021,11]]}},"alternative-id":["s21227464"],"URL":"https:\/\/doi.org\/10.3390\/s21227464","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2021,11,10]]}}}