Probabilistic analysis of an algorithm to compute TCP packet round-trip time for intrusion detection

Estimating the length of a connection chain is challenging and critical in detecting stepping-stone intrusion. In this paper, we propose a novel method, called standard deviation-based clustering approach (SDBA), to estimate the length of an interactive connection chain by computing round-trip time (RTT). SDBA takes advantage of RTTs distribution and inter-arrival distribution of “send” packets. We prove that the probability of making a correct selection of RTT through SDBA is bounded by 1 − (1/q2), where q is a number related to standard deviation of RTTs distribution and send packets inter-arrival distribution. Experimental results showed that SDBA can compete against the best known algorithm in packet-matching rate and accuracy. This paper also presents the restrictions of SDBA.