Skip to Main Content
A common technique hackers use to break into a computer host is to route their traffic through a chain of stepping-stone hosts. There is no valid reason to use a long connection chain for remote login such as SSH connections. One way to protect a host of being attacked is to identify long connection chains connecting into the host. This paper proposes a novel method to identify long connection chains from short chains using a pre-computed short chain profile. Each new connection will be compared to the profile. Any connection that differs significantly from the profile will be considered as a suspicious long connection. Several methods are used to adjust with user's different typing speed. Validation results show that more than 80% long chains can be correctly detected for chains of length 4 or higher.