Enhance Student Learning Experience in Cybersecurity Education by Designing Hands-on Labs on Stepping-stone Intrusion Detection

Article history: Received: 07 June, 2021; Accepted: 09 August, 2021; Online: 26 August, 2021

Abstract: Stepping-stone intrusion has been widely used by professional hackers to launch their attacks. Unfortunately, this important and typical offensive skill is not taught in most colleges and universities. In this paper, after surveying the most popular detection techniques for stepping-stone intrusion, we develop ten hands-on labs to enhance the student learning experience in cybersecurity education. The goal is not only to teach students offensive skills and the techniques to detect and prevent stepping-stone intrusion, but also to train them to adapt successfully to the fast-changing cybersecurity world.


Cybersecurity Significance
We live in a world where digital technologies are needed for many daily activities. The Internet has revolutionized data communications and significantly changed our daily lives. However, it also lets attackers launch cyberattacks easily. As cyberattacks continue to grow, it is important to secure our critical infrastructures, organizations, businesses and networks.

The Importance of Stepping-stone Intrusion Detection
Intrusion techniques are widely used by intruders to invade computing systems, and intrusion detection systems (IDS) are installed on many computers and networks. To avoid being detected, intruders tend to relay their attacking commands to a remote target host through several compromised hosts, called stepping-stones. Attacks launched through a chain of stepping-stone hosts are called stepping-stone intrusion. In a stepping-stone attack, intruders remotely log in to the stepping-stones using tools such as SSH, rlogin or telnet, and then send the attacking packets to the remote target host.
In this paper, after surveying many known detection techniques for stepping-stone intrusion, we propose ten hands-on labs developed from cutting-edge techniques in stepping-stone intrusion detection. The goal is to help students learn the techniques of stepping-stone intrusion detection and to educate them to become qualified cybersecurity professionals able to defend digital data and resources. We also expect the labs to enhance students' learning in cybersecurity education.

Key Challenges
Before designing the hands-on labs on stepping-stone intrusion and its detection, we discuss the challenges of integrating the known detection approaches for stepping-stone intrusion into cybersecurity curricula. In order to educate learners to be qualified cybersecurity professionals, it is necessary to teach offensive skills in the college cybersecurity curriculum.
Integrating stepping-stone intrusion and its detection techniques into the cybersecurity curriculum is a big step toward this goal. Although a great number of detection approaches for stepping-stone intrusion have been proposed since the emergence of the Internet, there are still many challenges in integrating them into cybersecurity curricula at the college level. The first challenge is why we need to teach college students ethical hacking skills: would it be possible that we educate our students to become hackers against us rather than for us? The second challenge is that, since too many algorithms for stepping-stone intrusion detection have been proposed in the literature, which of them are suitable as learning materials for our college students? The third challenge is what hands-on labs can be developed and integrated into the cybersecurity curriculum. The difficulty in teaching cybersecurity is not in delivering the theory and techniques; it is in developing hands-on labs for students to practice hacking and defensive skills. Considering the limited budget of a four-year college, cost is an important factor when designing these labs. Nevertheless, we want to motivate our students to learn cybersecurity skills through hands-on learning experience.

The Rationale to Teach Ethical Hacking Skills
Should we teach ethical hacking skills to cybersecurity majors? To the best of our knowledge, even though some four-year institutions have included ethical hacking skills in their cybersecurity curricula, parents and local communities still have concerns that teaching ethical hacking skills would lead their kids to conduct malicious activities and commit crimes. We must convince parents and local communities with the following arguments: 1) the word 'hacker' has long been understood negatively. Hacking actually involves the computing skills to find vulnerabilities of a system, penetrate a system, and remove the evidence of accessing a system [1]. Just as doctors might criminally abuse their medical skills to hurt people, a hacker who knows special offensive skills might also misuse them; however, we should not define hacking by its misuse; 2) cybersecurity is a two-edged sword, offensive and defensive. To be effective at defense, students must fully understand the capabilities of hackers and the ways in which hackers perform cyberattacks; 3) it is widely believed that including both the "defender" and the "attacker" perspectives and the related skills makes a cybersecurity curriculum more meaningful and practical [2]. Teaching hacking skills equips cybersecurity professionals with offensive techniques, so that they are well prepared to defend their computing and network systems; 4) whether or not we teach hacking skills, hackers are out there and will still be out there. If hacking skills are integrated into cybersecurity curricula, it becomes possible to promote conscious ethical practice and minimize the likelihood that students misuse the skills.

Challenges in Integrating the Techniques into a 3-Credit-Hour Course
Which techniques should be selected to train our students, given that a great many approaches to detecting stepping-stone intrusion have been proposed since 1995? In a regular course of 48 academic hours, it is infeasible to cover all the techniques developed so far, but we want our students not only to have an overall picture of the techniques for stepping-stone intrusion detection, but also to understand some specific and typical detection approaches in depth. The challenge is to develop content modules and design hands-on lab exercises. In this paper, we focus only on designing the hands-on labs on stepping-stone intrusion and its detection; refer to our prior work [3] for the course modules we developed to integrate detection techniques for stepping-stone intrusion into cybersecurity curricula.

Challenges in Developing Hands-on Labs on Stepping-stone Intrusion and its Detection
The most difficult part of teaching cybersecurity courses is designing appropriate hands-on labs. Without practicing the techniques covered in class, it is hard for students to digest cybersecurity skills. Conducting cybersecurity hands-on labs needs hardware and software that are often not free. Most colleges are equipped with good hardware, such as computers, routers, switches and various servers, but lack appropriate software. One reason is that software that helps students practice cybersecurity skills is usually not free and may be extremely expensive; a commercial cyber range, for example, can cost more than one million dollars. The challenge is therefore to design hands-on labs that not only help students practice stepping-stone intrusion and its detection techniques, but also keep the cost low enough to make the labs affordable to most colleges.

Survey of the Techniques on Stepping-stone Intrusion and its Detection
Many methods have been proposed to detect stepping-stone intrusion. In [4], the authors proposed a thumbprint method in 1995 that compares the contents of the TCP/IP packets of the incoming and outgoing sessions of a computer chosen as the detection sensor. In [5], the authors proposed a detection approach based on the time gaps between the packets captured on the outgoing and incoming connections of a host. In [6], the authors proposed another method that does not use time-based thumbprints; instead, it uses the deviation between the incoming and outgoing sessions of a computer.
After 2000, many more methods were proposed for stepping-stone intrusion detection. One popular approach is to compare the number of packets on the incoming connection with that on the outgoing connection; see [7][8][9] for the details. A watermark correlation technique was proposed in [10][11][12]: a watermark is inserted into the incoming connection of a detection sensor, and the outgoing connections are then watched to see whether the same watermark appears in any of them. The rationale in [10][11][12] is to analyse and compare the incoming and outgoing connections of a sensor to see whether any of them form a relayed pair. A sensor is a computer host on which all packets are captured and a detection program runs. If an incoming connection of the sensor is relayed to an outgoing connection, the sensor is considered a stepping-stone host. However, a user might sometimes use a host as a stepping-stone legitimately for some special application. If so, the watermark approach of [10][11][12] may produce false positives, since it simply compares an incoming connection with an outgoing one. Research in [5] showed that very few legitimate applications employ three or more stepping-stones to access a remote server, although some use one or two. Therefore, an effective way to reduce false positives is to estimate the length of the connection chain. Estimating the length of the upstream chain (from the attacker's host to the sensor) is extremely challenging, so estimating the length of the whole chain is not practical; most approaches in the literature can only calculate the length of the downstream chain (from the sensor to the victim host). Estimating the length of a downstream connection chain was first investigated in [13].
In [13], the authors studied the ratio between the Ack-RTT and the Echo-RTT. Ack-RTT is defined as the gap between the time a packet is sent and the time its acknowledgement is received; Echo-RTT is defined as the gap between the time a packet is sent and the time its echo is received. In this way, the length of a downstream connection chain can be estimated approximately; however, this approach can incur false negatives.
In [14], the authors proposed a step-function approach, motivated by [13], to calculate the length of a downstream connection chain more accurately. In 2007, the authors of [15] proposed another approach that mines network traffic to estimate the number of stepping-stones in a downstream connection chain. Other methods developed in recent years include RTT-based random walk [16] and RTT cross-matching [17].
Stepping-stone intrusion detection has been investigated for about twenty-five years, since 1995, yet these important methods have not so far been integrated into cybersecurity curricula at the college level in the U.S. It is vital to educate learners about the known detection approaches, as more and more professional attackers launch their cyberattacks through a chain of stepping-stones. Most college and university faculty support teaching the skills and topics of ethical hacking and integrating them into cybersecurity curricula for two reasons: first, as far as we know, very few well-educated college students have become malicious intruders; second, teaching college students the offensive skills of ethical hacking can produce more well-qualified cybersecurity professionals [18]. We propose ten hands-on labs that allow students to practice various stepping-stone intrusion detection topics and help them better understand the topics in the cybersecurity modules. These labs are also expected to enhance students' engagement and improve their hands-on experience in cybersecurity.

Hands-on Lab Development
Five modules for students to study stepping-stone intrusion and its detection techniques have been proposed and integrated into the cybersecurity curriculum [3]. These five modules include the most popular and the most recently developed techniques. To help students digest the detection and prevention techniques in the five modules quickly and thoroughly, we design ten hands-on labs: 1) setting up a stepping-stone intrusion connection chain; 2) capturing network traffic; 3) writing C# code to capture network traffic; 4) content-based thumbprint detection; 5) time-based thumbprint detection; 6) step-function detection; 7) packet matching; 8) RTT-based random-walk detection; 9) estimating the length of a long connection chain; 10) intrusion detection using crossover packets.
We apply two rules, relevance and affordability, to examine each hands-on lab. Relevance means the lab is closely tied to the modules developed. Affordability means the labs do not require expensive hardware or software; ideally, students need only the Internet and freely downloadable software to conduct them. This rule makes it possible for most teaching-focused colleges and universities to offer the labs to cybersecurity majors. Depending on the curriculum design of each institution, it is not necessary to adopt all ten labs; however, Lab 1 and Lab 2 are not optional. All computer hosts used in each lab must be connected in a local area network (LAN), and students must have login credentials for each host. All the labs share the lab setup below.

Hardware:
• Each computer must have at least 4 GB of memory and 500 GB of disk capacity.
• Wired or wireless network connection.

Software:
• Ubuntu Server or any other Linux/Unix installed on each host.
• SSH/OpenSSH client tool installed on each host.
• SSH server installed on each host.
• Wireshark or TcpDump.

Login credentials:
• User name: Student (assumed)
• Password: cpsc4166 (assumed)

All the labs proposed in this paper require students to make a connection chain and to capture TCP/IP packets. A connection chain can be established with OpenSSH under a Linux OS, which can be physically installed or virtual (for example, a VirtualBox or VMware guest); it does not need much memory or secondary storage. We tried computers with different memory sizes and storage capacities and found 4 GB of memory and 500 GB of storage to be the minimum requirements. As for software, TcpDump/Wireshark and the SSH client and server packages are the minimum. Note that packet capture with TcpDump or Wireshark requires root privileges (or the CAP_NET_RAW capability) on the capturing host, and that on recent Linux distributions the "ifconfig" command used in the labs may need the net-tools package installed, or can be replaced by "ip addr".

Lab 4.1 Setting up a Stepping-stone Intrusion Connection Chain

Lab objectives
1. Understand the TCP/IP protocol;
2. Know how to establish a long interactive connection chain spanning multiple hosts;
3. Understand the concept of stepping-stones;
4. Obtain the knowledge of how an intruder launches attacks over stepping-stones.

Network topology
The topology is shown in Figure 1: a connection chain from the Intruder's host through the stepping-stones S1, S2, S3 and S4 to the Victim's host.

Lab instructions
1) Start from any computer in the LAN, and log in to the computer assumed to be the Intruder's host with the above credentials.
2) Open a terminal at the Intruder's host.
3) Browse the current folder, and take a screenshot of the files in the folder.
4) Run SSH to connect to the local host S1: ssh Student@S1 (the IP address of S1 can be used if the host name S1 is not known).
5) When connecting to S1, you are prompted to input the password for the user.
6) If connected to S1 successfully, browse the current folder, and take a screenshot including the folder's name and all the files in it. Run "ifconfig" to show the IP address and other network information of S1, and take a screenshot of the "ifconfig" output.
7) Compare the screenshot taken at the Intruder's host with the one taken at S1 to see whether they are the same.
10) If the packets are sniffed at Victim's host, all of them appear to come from host S4 rather than from the Intruder's host, even though we know that all the packets originate at the Intruder's host. In this way, intruders hide behind the compromised hosts S1, S2, S3 and S4.

Lab 4.2 Capturing Network Traffic

Network topology
Refer to Figure 2: a connection chain from the Intruder's host through the single stepping-stone S1 to the Victim's host.

Lab instructions
1) Select any three computer hosts in your local area network, and log in to each host with the credentials given.
2) Run "ifconfig" on each of the three computers to get its IP address, and take a screenshot at each host.
3) Follow the instructions in Lab 1 to set up the connection chain shown in Figure 2. This chain spans three hosts: Intruder's host, S1, and Victim's host.
4) Type some Linux/Unix commands at Intruder's host to generate network traffic from Intruder's host to Victim's host via S1.

Lab 4.3 Writing Code to Capture Network Traffic

Network topology
The network topology is the same as Figure 2 in Lab 4.2.

Mechanism for writing code to sniff network traffic
To write code that captures network packets as Wireshark does, the libpcap package must be installed on the Ubuntu server; on a Windows host, install WinPcap (now unmaintained; its successor Npcap provides the same API). Sniffing code works by calling the functions of libpcap (packet capture), which provides an application programming interface (API) for capturing network traffic. Note that opening an interface for live capture requires root privileges or the CAP_NET_RAW capability.
We take capturing raw IP packets as the example to examine the steps of sniffing packets with a program under a Linux/Unix system; for the details of the code, refer to [19]. Sniffing packets takes four steps: 1) open a packet capture socket; 2) start the packet capture loop; 3) parse and display packets; 4) terminate the capture program.
Open a packet capture socket: A socket is an endpoint for network communication, identified in a program by a socket descriptor. Opening a packet capture socket involves a series of libpcap calls encapsulated in the open_pcap_socket() function. The first step is to select a network device with pcap_lookupdev() (this function is deprecated in current libpcap releases; pcap_findalldevs() returns the list of capturable interfaces instead). The second step is to open the selected device for live capture with pcap_open_live(). The third step is to call pcap_lookupnet() to get the network address and subnet mask. The fourth step is to compile a packet capture filter with pcap_compile(). The last step is to install the compiled filter program into the capture device with pcap_setfilter(), after which libpcap collects only the packets that match the filter. The sample code in Figure 3-(a) shows these steps.
Start packet capture loop: libpcap provides three functions to capture packets: pcap_next(), pcap_dispatch() and pcap_loop(). Since pcap_next() grabs only one packet per call, a program must call it in a loop to receive multiple packets; pcap_loop() and pcap_dispatch() loop internally and deliver each packet to a callback. The datalink type is determined by calling pcap_datalink(), which tells the parser how many bytes of link-layer header to skip. The sample program in Figure 3-(b) uses pcap_loop(): it first determines the datalink type with pcap_datalink() and then starts the capture loop.

Parse and display packets:
The general technique for parsing packets is to set a character pointer to the beginning of the packet buffer and then advance it to a particular protocol header by the size in bytes of the headers that precede it. The header can then be mapped to an IP, TCP, UDP or ICMP header structure by casting the character pointer to a protocol-specific structure pointer. The parse_packet() function starts by defining pointers to the IP, TCP, UDP and ICMP header structures. The packet pointer is advanced past the datalink header by the number of bytes corresponding to the datalink type determined in capture_loop(). Casting the packet pointer to struct tcphdr and struct udphdr pointers gives access to the TCP and UDP header fields respectively; the struct icmphdr pointer allows the ICMP type and code to be displayed along with the source and destination IP addresses. Note that the IP header length must be read from the IHL field rather than assumed to be 20 bytes, since IP options lengthen it. The sample code in Figure 3-(c) shows the steps to parse and display packets, such as the TCP packets used to detect stepping-stone intrusion.
Terminate capturing: The last step is to terminate the packet capture on the interrupt signals SIGINT, SIGTERM and SIGQUIT by calling the bailout() function, which displays the packet count, closes the packet capture socket and exits the program.
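As an added illustration of the parse-and-display step (this is example code written for this page, not the code of [19] or of Figure 3), the same pointer-advancing technique is shown below in Python over a constructed Ethernet/IPv4/TCP frame, so that it runs without libpcap or capture privileges. The addresses, ports and header values in the sample frame are made up, and the IP and TCP checksums are left at zero.

```python
"""Header parsing for a captured frame, as a stand-alone example added to this page.
It mirrors the libpcap parse_packet() step: advance past the datalink header, map the
IPv4 header, then map the TCP header.  The sample frame is constructed (addresses,
ports and values are made up) so the code runs without libpcap or root privileges."""
import socket
import struct

# pcap datalink types and their header sizes: DLT_EN10MB (1) is Ethernet, DLT_NULL (0) is loopback
DATALINK_HEADER_LEN = {1: 14, 0: 4}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_ipv4_tcp(frame, datalink=1):
    """Return the header fields a stepping-stone detector needs, or None if not IPv4/TCP."""
    off = DATALINK_HEADER_LEN[datalink]                      # skip the datalink header
    if datalink == 1 and struct.unpack_from('!H', frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack_from('!BBHHHBBH4s4s', frame, off)
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4                               # IP header length, options included
    tcp_off = off + ihl                                      # advance past the IP header
    (sport, dport, seq, ack, doff_flags, win, _tcp_csum,
     _urg) = struct.unpack_from('!HHIIHHHH', frame, tcp_off)
    thl = (doff_flags >> 12) * 4                             # TCP header length, options included
    flags = doff_flags & 0x1FF
    # tcpdump-style flag string: S F R P, then '.' for ACK
    flag_str = ''.join(n for bit, n in ((0x02, 'S'), (0x01, 'F'), (0x04, 'R'), (0x08, 'P'))
                       if flags & bit) + ('.' if flags & 0x10 else '')
    return {
        'src': socket.inet_ntoa(src), 'dst': socket.inet_ntoa(dst),
        'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
        'flags': flag_str, 'ttl': ttl, 'win': win,
        'dont_fragment': bool(frag & 0x4000), 'payload_len': total_len - ihl - thl,
    }


def build_sample_frame():
    """Constructed sample: 10.0.0.1:54321 -> 10.0.0.2:22, PSH+ACK, 5-byte payload (checksums zero)."""
    payload = b'hello'
    eth = b'\x02' * 6 + b'\x04' * 6 + struct.pack('!H', ETHERTYPE_IPV4)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + 20 + len(payload), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton('10.0.0.1'), socket.inet_aton('10.0.0.2'))
    tcp = struct.pack('!HHIIHHHH', 54321, 22, 1000, 2000, (5 << 12) | 0x18, 501, 0, 0)
    return eth + ip + tcp + payload


if __name__ == '__main__':
    print(parse_ipv4_tcp(build_sample_frame()))
```

With a live capture, the same function would be applied to each buffer handed to the pcap_loop() callback, and the datalink argument is the value returned by pcap_datalink(); the payload length it computes is what the later labs use to tell a keystroke or echo (PSH, non-empty) from a pure acknowledgement.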

Lab instructions
1) Start your code and select the interface to sniff.
2) Click the "Start" button to start packet sniffing.
3) Display the following information for each packet captured: source/destination IP address, source/destination port number, packet type, sequence number, acknowledgement number, TCP flags, fragmentation information, checksum, receive window, TTL, upper-layer protocol, and timestamp in the format mm/dd/yy.
4) Click one captured TCP/IP packet to show the details of each of its header fields, and take a screenshot of the header details.
5) Store the captured packets in a .txt file that can be opened by WordPad or any other text editor.

1) Ethical Issue Discussion: Would capturing other users' network traffic with self-made code on a host you have a legal login to raise an ethical issue?
2) What is the difference between WinPcap and libpcap?

Lab 4.4 Content-based Thumbprint Detection

Network topology
The network topology used in this lab is the same as Figure 2 in Lab 4.2.

Lab instructions
1) Select any three computers in your local area network and name them Intruder's host, S1, and Victim's host.
2) Start the computers in Linux and log in to each host with the given credentials. Open a terminal on each host.
3) Run "ifconfig" to get the IP address of each host, and take a screenshot at each host.
4) Run SSH from Intruder's host to connect to S1, and then to Victim's host, as shown in Figure 2. An interactive session is set up spanning three hosts, with S1 working as a stepping-stone.
5) Monitor the traffic of the incoming connection from Intruder's host and the traffic of the outgoing connection from S1 to Victim's host. Here we use the number of TCP packets to represent the corresponding network traffic.
6) Run TcpDump at host S1 to capture the TCP packets exchanged between Intruder's host and S1 with source/destination port 22 and store them in IncomingTCP.txt; also capture the TCP packets exchanged between S1 and Victim's host with source/destination port 22 and store them in OutgoingTCP.txt.
7) In either
12) The rules to determine Send and Echo packets at S1 are as follows:
a. A Send packet is a packet on the incoming link that arrives at S1 from Intruder's host with the PSH flag (Flag.P) set, or a packet on the outgoing link that leaves S1 for Victim's host with the PSH flag set;
b. An Echo packet is a packet on the incoming link that leaves S1 for Intruder's host with the PSH flag set, or a packet on the outgoing link that arrives at S1 from Victim's host with the PSH flag set.
13) Let In-S and In-E be the numbers of Send and Echo packets on the incoming link, and Out-S and Out-E the corresponding numbers on the outgoing link. Check whether the following relations hold: a. In-S is close to Out-S; b. In-E is close to Out-E; c. the sum of In-S and In-E is close to the sum of Out-S and Out-E.
14) Draw your conclusion based on the results from Steps 10) and 13).
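The Send/Echo classification and counting of Steps 12) and 13) carried through in code, as an added example for this page (not the lab's own code): it reads lines in the format printed by "tcpdump -tt -n" on S1, classifies each PSH packet as a Send or Echo on the incoming or outgoing link by its direction, and checks the three relations of Step 13). The addresses 10.0.0.1 (Intruder's host), 10.0.0.2 (S1) and 10.0.0.3 (Victim's host), the sample lines and the 20% closeness tolerance are assumptions made for the example.

```python
"""Send/Echo packet counting at the sensor S1 (Lab 4.4, Steps 12 and 13).
Added example for this page, not the lab's own code.  Input lines follow the format of
"tcpdump -tt -n" (epoch timestamps, no name resolution); the sample lines are constructed."""
import re
from collections import Counter

INTRUDER, SENSOR, VICTIM = '10.0.0.1', '10.0.0.2', '10.0.0.3'     # assumed lab addresses

LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)')


def parse_line(line):
    """Pull timestamp, endpoints, TCP flags and payload length out of one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {'ts': float(m['ts']), 'src': m['src'], 'dst': m['dst'],
            'flags': m['flags'], 'len': int(m['len'])}


def classify(pkt, intruder=INTRUDER, sensor=SENSOR, victim=VICTIM):
    """Return (link, kind) with link 'in'/'out' and kind 'S' (Send) or 'E' (Echo), else None.
    Only packets with the PSH flag count; pure ACKs carry no keystroke or echo data."""
    if 'P' not in pkt['flags']:
        return None
    if pkt['src'] == intruder and pkt['dst'] == sensor:
        return ('in', 'S')            # keystroke arriving at S1 from the Intruder's host
    if pkt['src'] == sensor and pkt['dst'] == intruder:
        return ('in', 'E')            # echo leaving S1 for the Intruder's host
    if pkt['src'] == sensor and pkt['dst'] == victim:
        return ('out', 'S')           # keystroke leaving S1 for the Victim's host
    if pkt['src'] == victim and pkt['dst'] == sensor:
        return ('out', 'E')           # echo arriving at S1 from the Victim's host
    return None


def count_send_echo(lines):
    """Counter keyed by (link, kind): the In-S, In-E, Out-S and Out-E of Step 13."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        key = classify(pkt) if pkt else None
        if key:
            counts[key] += 1
    return counts


def is_relayed(counts, tolerance=0.2):
    """Step 13: In-S ~ Out-S, In-E ~ Out-E and In-S+In-E ~ Out-S+Out-E, each within an assumed relative tolerance."""
    def close(a, b):
        return abs(a - b) <= tolerance * max(a, b, 1)
    in_s, in_e = counts[('in', 'S')], counts[('in', 'E')]
    out_s, out_e = counts[('out', 'S')], counts[('out', 'E')]
    return close(in_s, out_s) and close(in_e, out_e) and close(in_s + in_e, out_s + out_e)


def _line(ts, src, sport, dst, dport, flags, length):
    """Constructed tcpdump -tt -n style line (seq/ack/win fields simplified)."""
    return (f'{ts:.6f} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], '
            f'seq 1:{1 + length}, ack 1, win 501, length {length}')


def sample_relayed():
    """Three keystrokes typed at the Intruder's host and relayed by S1 to the Victim's host."""
    lines, t = [], 1623070000.0
    for _ in range(3):
        lines += [_line(t, INTRUDER, 54321, SENSOR, 22, 'P.', 36),
                  _line(t + 0.001, SENSOR, 41000, VICTIM, 22, 'P.', 36),
                  _line(t + 0.020, VICTIM, 22, SENSOR, 41000, 'P.', 36),
                  _line(t + 0.021, SENSOR, 22, INTRUDER, 54321, 'P.', 36),
                  _line(t + 0.040, INTRUDER, 54321, SENSOR, 22, '.', 0)]      # pure ACK
        t += 0.5
    return lines


def sample_unrelated():
    """Three keystrokes from the Intruder's host to S1 only, plus a local user on S1 typing
    eight characters to the Victim's host: the two links are not a relayed pair."""
    lines, t = [], 1623070100.0
    for _ in range(3):
        lines += [_line(t, INTRUDER, 54321, SENSOR, 22, 'P.', 36),
                  _line(t + 0.020, SENSOR, 22, INTRUDER, 54321, 'P.', 36)]
        t += 0.5
    for _ in range(8):
        lines += [_line(t, SENSOR, 41000, VICTIM, 22, 'P.', 36),
                  _line(t + 0.020, VICTIM, 22, SENSOR, 41000, 'P.', 36)]
        t += 0.3
    return lines


if __name__ == '__main__':
    for sample in (sample_relayed, sample_unrelated):
        c = count_send_echo(sample())
        print(sample.__name__, dict(c), 'relayed' if is_relayed(c) else 'not relayed')
```

The two capture files of Step 6) can be produced with an invocation such as "tcpdump -tt -n -i eth0 tcp port 22" on S1 (interface name assumed) and split by direction with the same classification; the tolerance is needed because SSH also sends occasional PSH packets that are not keystrokes (window adjustments, re-keying), so exact equality of the counts should not be expected.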

1) Ethical Issue Discussion: If a user has a legal login to a host, captures network packets and obtains the contents of each packet, would the user's action raise an ethical issue?
2) What is the TcpDump command to sniff the packets on the incoming link?
3) What is the TcpDump command to sniff the packets on the outgoing link?
4) What conclusion can you draw from the information you have in Step 10) of the lab instructions above? Why?
5) What conclusion can you draw from the information you have in Step 13) of the lab instructions above? Why?
6) Write a TcpDump command to sniff, at S1, only the packets that acknowledge the requests from Intruder's host.

Lab 4.5 Time-based Thumbprint Detection

Lab objectives
1. Understand how a time-based thumbprint is used to detect stepping-stone intrusion;
2. Learn how to generate a time-based thumbprint;
3. Know how to compare time-based thumbprints;
4. Understand the efficiency of the thumbprint comparison algorithm.

Network topology
The network topology used in this lab is the same as Figure 2 in Lab 4.2.

Lab instructions
1) Refer to Lab 1 to make an interactive TCP session with at least one host between the attacker and victim machines.
2) On any machine of your choice except the target, filter the network capture and save the incoming and outgoing packets, including the timestamp of each packet, using TcpDump.
3) Examine the packets of the incoming connection, look at their timestamps, and list the timestamps in sequence.
4) Repeat Step 3 for the outgoing connection.
5) For the sequence of timestamps of the incoming connection, compute the difference between neighbouring timestamps and list the differences in sequence; this gives the sequence of time gaps for this connection. The difference is |p_i - p_(i+1)|, where p_i is the timestamp of the i-th packet captured.
6) Repeat Step 5 for the outgoing connection.
7) Compare the two sequences to obtain a similarity. If the similarity is larger than a predefined threshold, the host is used as a stepping-stone; otherwise, it is not.
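Steps 3) to 7) carried through in code, as an added example that is not part of the original lab: the gap sequence |p_i - p_(i+1)| is computed for each link, and the similarity is taken as the fraction of index-aligned gap pairs that agree within a tolerance. The page leaves the similarity measure open; this choice, the 0.05 s tolerance, the 0.8 threshold and the sample timestamps are assumptions made for the example.

```python
"""Time-based thumbprint comparison, added example for Lab 4.5 (not the lab's own code).
Timestamps and parameters below are constructed for illustration."""


def time_gaps(timestamps):
    """Step 5: sequence of |p_i - p_(i+1)| between consecutive packets of one connection."""
    return [abs(timestamps[i] - timestamps[i + 1]) for i in range(len(timestamps) - 1)]


def gap_similarity(gaps_a, gaps_b, tolerance=0.05):
    """Assumed similarity measure: fraction of index-aligned gap pairs within `tolerance` seconds.
    Only the overlapping prefix is compared, so extra packets at the end of one link are ignored."""
    n = min(len(gaps_a), len(gaps_b))
    if n == 0:
        return 0.0
    agree = sum(1 for i in range(n) if abs(gaps_a[i] - gaps_b[i]) < tolerance)
    return agree / n


def is_stepping_stone(incoming_ts, outgoing_ts, threshold=0.8, tolerance=0.05):
    """Step 7: the host relays the two connections if the gap sequences are similar enough."""
    return gap_similarity(time_gaps(incoming_ts), time_gaps(outgoing_ts), tolerance) >= threshold


# Constructed PSH-packet timestamps (seconds) captured at S1.  The outgoing copies lag the
# incoming keystrokes by a few milliseconds of relay delay, so the gaps line up.
INCOMING_TS = [0.000, 0.210, 0.530, 0.610, 1.200, 1.380]
OUTGOING_TS = [0.002, 0.213, 0.531, 0.614, 1.203, 1.381]
# An unrelated outgoing session on the same host: a different keystroke rhythm.
UNRELATED_TS = [0.000, 0.900, 1.000, 1.700, 2.500, 2.600]

if __name__ == '__main__':
    print(time_gaps(INCOMING_TS))
    print(gap_similarity(time_gaps(INCOMING_TS), time_gaps(OUTGOING_TS)))
    print(is_stepping_stone(INCOMING_TS, OUTGOING_TS), is_stepping_stone(INCOMING_TS, UNRELATED_TS))
```

Index alignment assumes that neither link dropped or inserted a packet; a single extra PSH packet on one side shifts every later pair and drives the similarity down, which is the case the Longest Common Subsequence comparison raised in question 4) handles at the cost of an O(n·m) comparison. Because the measure uses only timing, it applies equally to encrypted SSH sessions.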

1) Ethical Issue Discussion: If a user has a legal login to a host and captures network packets but cannot obtain the contents of each packet because of encryption, would the user's action raise an ethical issue?
2) Describe in your own words what a time-based session thumbprint is.
3) Why would one choose this method to detect a stepping-stone over other methods?
4) Why do we compare the two sequences of time gaps with our own algorithm rather than with the Longest Common Subsequence algorithm, which can also measure similarity?
5) Do you have a better method for comparing the similarity of the sequences?
6) Would a time-based session thumbprint be effective on an encrypted connection? If yes, explain why.

Lab 4.6 Step-function Detection

Network topology
The network topology used in this lab is the same as Figure 1 of Lab 4.1.

Lab instructions
1) Start from any computer in the LAN, and log in to the Intruder's host, Victim's host, S1, S2, S3 and S4 with the appropriate credentials to make a connection chain.
2) Open a terminal on Intruder's host and on S1.
5) As long as S1 is reachable, you will be prompted to input the password for the user "Student".

1) Ethical Issue Discussion: If a user has a legal login to a host, captures network packets and obtains the round-trip time between matched Send and Echo packets, but cannot identify the contents of each packet because of encryption, would the user's action raise an ethical issue?
2) What is the purpose of tcp-push != 0 in the above capture?
3) Explain the difference between the grep statements listed above. Why does the first select Send packets while the second selects Echo packets?
4) Did you notice any effect on performance (positive or negative) as more links were introduced into the connection chain? Explain.
5) Would this analysis differ if the data were clear text, sent using Telnet, or encrypted as in SSH? Justify.
6) Can you determine the length of the entire connection chain with this method? If so, explain why. If not, for which portion can you determine the length?

Lab 4.7 Packet Matching

Lab objectives
1. Understand the significance of packet matching;
2. Determine the differences between the packet matching algorithms;
3. Learn how to apply packet matching to detect stepping-stone intrusion;
4. Distinguish the limits of the different packet matching algorithms.

Network topology
The network topology used in this lab is the same as the one shown in Figure 2 of Lab 4.2.

Lab instructions
1) Start from any computer in the LAN, and log in to the computer assumed to be the Intruder's host with the above credentials.
2) On the desired sensor host (S1 for the initial run), start TcpDump to dump the captured packets to a file, along with any further options.
a) ###.###.###.###.X is the sensor IP address and X is the port number

Lab 4.8 RTT-based Random-walk Detection

Network topology
The network topology used in this lab is the same as Figure 2 of Lab 4.2.

Lab instructions
1) Refer to Lab 1 to make an interactive TCP session including at least one stepping-stone host that is used as the sensor.
2) On the sensor, filter the network capture and save the incoming and outgoing packets using TcpDump.
3) Examine the packets of the incoming connection, match the Send and Echo packets using the conservative packet matching algorithm from Lab 4.7, and obtain the number of RTTs from the matched packets of this connection, N_RTT(in).
4) Repeat Step 3) for the packets collected from the outgoing connection, and obtain N_RTT(out).
5) Take the difference between N_RTT(in) and N_RTT(out): N_RTT(in-out) = |N_RTT(in) - N_RTT(out)|.
6) Compare N_RTT(in-out) with a predefined upper bound. If it is less than the upper bound, the incoming and outgoing connections are a relayed pair and the sensor is used as a stepping-stone; otherwise, the machine is not used as a stepping-stone.
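A conservative packet-matching routine (Lab 4.7) together with the RTT-count comparison of Steps 3) to 6) above, as one added example that is not the labs' own code: each link is given as a sequence of timestamped Send and Echo packets, a Send is matched to the next Echo only when it is the single outstanding Send (a burst of unacknowledged Sends is discarded rather than guessed at), and the numbers of matched pairs on the incoming and outgoing links are compared against the upper bound. The packet sequences and the bound of 30 are constructed for the example, and the matching rule is one common conservative variant, not necessarily the exact algorithm of [16] or of the course module.

```python
"""Conservative Send/Echo matching and RTT-count comparison (Labs 4.7 and 4.8).
Added example for this page, not the labs' own code; packet sequences are constructed."""


def conservative_match(packets):
    """packets: list of (timestamp, kind) with kind 'S' (Send) or 'E' (Echo), in capture order,
    for one link.  An Echo is matched only when exactly one Send is outstanding; if several
    Sends are outstanding the pairing is ambiguous and all of them are discarded.
    Returns the list of round-trip times of the matched pairs."""
    rtts, outstanding = [], []
    for ts, kind in packets:
        if kind == 'S':
            outstanding.append(ts)
        elif kind == 'E':
            if len(outstanding) == 1:
                rtts.append(ts - outstanding[0])
            outstanding.clear()        # matched or ambiguous: nothing stays pending
    return rtts


def rtt_count_difference(incoming, outgoing):
    """Steps 3) to 5): N_RTT(in-out) = |N_RTT(in) - N_RTT(out)|."""
    return abs(len(conservative_match(incoming)) - len(conservative_match(outgoing)))


def is_relayed_pair(incoming, outgoing, upper_bound=30):
    """Step 6): the sensor relays the two links if the RTT counts differ by less than the bound."""
    return rtt_count_difference(incoming, outgoing) < upper_bound


def keystroke_session(n, start=0.0, gap=0.25, rtt=0.020):
    """Constructed link: n keystrokes, each a Send followed rtt seconds later by its Echo."""
    pkts = []
    for i in range(n):
        t = start + i * gap
        pkts += [(t, 'S'), (t + rtt, 'E')]
    return pkts


# Incoming link at S1: four keystrokes, a fast two-character burst echoed once (ambiguous,
# so the conservative matcher drops it), then two more keystrokes.
INCOMING = (keystroke_session(4) + [(1.000, 'S'), (1.005, 'S'), (1.030, 'E')]
            + keystroke_session(2, start=1.5))
# Outgoing link: the same traffic relayed a couple of milliseconds later with a shorter RTT.
OUTGOING = (keystroke_session(4, start=0.002, rtt=0.016) + [(1.002, 'S'), (1.007, 'S'), (1.028, 'E')]
            + keystroke_session(2, start=1.502, rtt=0.016))
# An unrelated, busy outgoing session (a local user on S1 typing 50 characters).
BUSY = keystroke_session(50, start=0.1)

if __name__ == '__main__':
    print(len(conservative_match(INCOMING)), len(conservative_match(OUTGOING)), len(conservative_match(BUSY)))
    print(is_relayed_pair(INCOMING, OUTGOING), is_relayed_pair(INCOMING, BUSY))
```

Discarding ambiguous bursts lowers the match count on both links equally when they are a relayed pair, which is why the difference of counts rather than the counts themselves is compared; an intruder who floods one side with extra keystrokes (question 4) pushes the difference over the bound and produces a false negative, which is the evasion the chain-length methods of Lab 4.9 are meant to resist.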

1) Ethical Issue Discussion: If a user has a legal login to a host, captures network packets and obtains the round-trip time between matched Send and Echo packets, but cannot identify the contents of each packet because of encryption, would the user's action raise an ethical issue?
2) Describe in your own words how RTT-based random-walk detection works.
3) Why would one choose this method to detect a stepping-stone over other methods?
4) Could an intruder manipulate this approach to produce a false negative?
5) Would this method be effective on an encrypted connection? If yes, explain why.
6) Perform a network capture following the above instructions with the predefined threshold equal to 30. From the results, is the machine a stepping-stone?

Lab 4.9 Estimating the Length of a Long Connection Chain

Lab objectives
1. Understand that the RTTs of the packets from the same connection chain can be mined into the same cluster;
2. Learn that the number of compromised hosts equals the number of distinct clusters;
3. Demonstrate the approach to estimating the length of a connection chain;
4. Obtain the knowledge of how a clustering-partitioning algorithm can resist intruders' evasion.
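The clustering idea behind objectives 1 to 3, as an added example that is not the lab's own code: RTTs measured at the sensor while the chain is being extended are sorted and split wherever two neighbouring values are farther apart than a gap threshold, and clusters smaller than a minimum size are dropped so that a few chaff or deliberately delayed packets from an evasive intruder do not create a spurious cluster (objective 4). The RTT values (four stages of roughly 20, 45, 70 and 95 ms plus two outliers), the 10 ms split gap and the minimum cluster size are assumptions; the partitioning algorithm taught in the course module may differ.

```python
"""Estimating downstream chain length by clustering RTTs (Lab 4.9).
Added example for this page, not the lab's own code; the RTT samples are constructed."""


def cluster_rtts(rtts, split_gap=0.010, min_size=3):
    """Sort the RTTs and start a new cluster wherever two neighbouring values are more than
    `split_gap` seconds apart.  Clusters with fewer than `min_size` members are dropped, which
    keeps a handful of delayed or chaff packets injected by the intruder from counting as a host."""
    vals = sorted(rtts)
    if not vals:
        return []
    clusters, current = [], [vals[0]]
    for prev, cur in zip(vals, vals[1:]):
        if cur - prev > split_gap:
            clusters.append(current)
            current = []
        current.append(cur)
    clusters.append(current)
    return [c for c in clusters if len(c) >= min_size]


def cluster_centers(clusters):
    """Mean RTT of each cluster; successive centers grow with each host added downstream."""
    return [sum(c) / len(c) for c in clusters]


def estimate_chain_length(rtts, **kwargs):
    """Objective 2: the number of surviving clusters is the number of hosts downstream of the sensor."""
    return len(cluster_rtts(rtts, **kwargs))


# Constructed RTTs (seconds) seen at sensor S1 as the chain grows S1->S2, ->S3, ->S4, ->Victim:
# five jittered samples per stage, interleaved as they might be captured, plus two outliers.
STAGE_MEANS = (0.020, 0.045, 0.070, 0.095)
JITTER = (-0.002, -0.001, 0.0, 0.001, 0.002)
RTT_SAMPLES = [m + j for j in JITTER for m in STAGE_MEANS] + [0.150, 0.300]

if __name__ == '__main__':
    clusters = cluster_rtts(RTT_SAMPLES)
    print(len(clusters), 'downstream hosts; centers:', [round(c, 3) for c in cluster_centers(clusters)])
```

The split gap must be smaller than the per-hop delay and larger than the jitter within one hop; on a LAN where the hops add well under 10 ms, the gap has to be reduced accordingly, or the clusters merge and the chain length is underestimated.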

Network topology
The network topology used in this lab is the same as the one shown in Figure 1 of Lab 4.1.

Lab instructions
1) Start up any computers in the LAN, and login to the computer that is assumed to be called Intruder's host with the above credentials.
2) We will use at least 5 hosts in this connection chain. Decide which 5 hosts you want to use, and designate the 2nd host as the sensor host.
3) On the sensor host, begin packet capture prior to making any of the connections.
4) Please open a terminal at Intruder's host.
5) Run SSH to connect to a remote host S1 (sensor host): ssh Student@S1 (this can also be the IP address of S1 if host name S1 is not known).
6) Once connected to S1, you will be prompted to input the password for the user.
7) Repeat steps 4), 5) to connect to computer hosts S2, S3, S4, and the last one respectively. The last host you connect to remotely is called Victim's host.
8) So far you have remotely connected to Victim's host spanning hosts S1, S2, S3, and S4. Hosts S1, S2, S3, and S4 are used as stepping-stones in this lab.

Lab objectives
2. Know the reason for generating crossover packets;
3. Obtain the relation between the length of a connection chain and the number of crossover packets;
4. Learn how to identify crossover packets.

Network topology
The network topology used in this lab is the same as the one shown in Figure 1 of Lab 4.1.

Lab instructions
We assume Intruder's host is called iHost, and Victim's host is called vHost. After a connection chain is established, please type the following text at iHost to generate some network traffic for each of the following steps: "This is a test from Hands-on lab 10. Please discard all the wrong messages!"
1) Make a connection chain from iHost to vHost via S1 only. Type the above text at iHost and capture Send and Echo packets at S1 from its outgoing connection. Store the packets in PacketFile1.
2) Make another connection chain from iHost to vHost, but via S1 and S2. Type the above text at iHost and capture Send and Echo packets at S1 from its outgoing connection. Store the packets in PacketFile2.
3) Make the third connection chain from iHost to vHost, but via S1, S2, and S3. Type the above text at iHost and capture Send and Echo packets at S1 from its outgoing connection. Store the packets in PacketFile3.
4) Make the fourth connection chain from iHost to vHost, but via S1, S2, S3, and S4. Type the above text at iHost and capture Send and Echo packets at S1 from its outgoing connection. Store the packets in PacketFile4.
5) Count the number of crossover packets in each file and compare them. Please conclude what you find from comparing the results.
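The comparison asked for in step 5, as an added example that is not part of the lab: it counts crossover packets in each of four constructed captures taken at S1's outgoing connection and shows the count growing with the chain length. The definition of a crossover used here, a Send packet observed while the Echo of an earlier Send is still outstanding, is this example's assumption, as are the typing intervals and the per-chain RTT values; packet records are (timestamp in milliseconds, "send" or "echo") tuples rather than raw TcpDump output.

```python
"""Count crossover packets in Send/Echo captures of growing chains (added example)."""
from typing import Dict, List, Tuple

Packet = Tuple[int, str]  # (timestamp_ms, "send" | "echo")


def count_crossovers(packets: List[Packet]) -> int:
    """A crossover is counted each time a Send is observed while at least
    one earlier Send has not yet received its Echo, i.e. the new Send and
    the pending Echo cross each other on the link."""
    outstanding = 0   # Sends whose Echo has not come back yet
    crossovers = 0
    for _, direction in sorted(packets):
        if direction == "send":
            if outstanding > 0:
                crossovers += 1
            outstanding += 1
        elif direction == "echo" and outstanding > 0:
            outstanding -= 1
    return crossovers


def simulate_capture(keystroke_gaps_ms: List[int], rtt_ms: int) -> List[Packet]:
    """Constructed outgoing-connection capture at S1: every keystroke is a
    Send at its typing time and an Echo rtt_ms later.  A longer chain below
    S1 means a larger rtt_ms, while the typing rhythm at iHost is unchanged."""
    packets: List[Packet] = []
    t = 0
    for gap in keystroke_gaps_ms:
        t += gap
        packets.append((t, "send"))
        packets.append((t + rtt_ms, "echo"))
    return packets


# Constructed typing rhythm (ms between keystrokes) for the test sentence.
TYPING_GAPS_MS = [120, 50, 200, 90, 40, 150, 70, 110]

# Constructed RTT seen at S1 for chains of 1, 2, 3 and 4 stepping-stones.
CHAIN_RTT_MS: Dict[str, int] = {
    "PacketFile1": 30,    # iHost -> S1 -> vHost
    "PacketFile2": 80,    # via S1, S2
    "PacketFile3": 140,   # via S1, S2, S3
    "PacketFile4": 185,   # via S1, S2, S3, S4
}


def crossovers_per_file() -> Dict[str, int]:
    """Step 5: crossover count for each of the four packet files."""
    return {name: count_crossovers(simulate_capture(TYPING_GAPS_MS, rtt))
            for name, rtt in CHAIN_RTT_MS.items()}


if __name__ == "__main__":
    for name, n in crossovers_per_file().items():
        print(f"{name}: {n} crossover packets")
```

Crossovers appear once the RTT downstream of the sensor exceeds the gap between consecutive keystrokes, which is why they are rare on a LAN and common on a WAN, and why they make one-to-one Send/Echo matching harder.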

1) Ethical Issue Discussion: If a user has a legal login to a host, captures network packets, obtains the crossover packets, but cannot identify the contents of each packet due to encryption, would the user's action result in an ethical issue?
2) Why is it unlikely that you will observe much, if any, crossover in a LAN environment?
3) Does increasing the connection chain length increase or decrease the likelihood of observing packet crossover? Why or why not?
4) Does packet crossover help or hinder packet matching? Why?
5) Why are you more likely to observe packet crossover in a WAN environment?
6) What information about a connection chain can you gather from detecting many packet crossovers?

Discussion on the Labs Designed
In this section, we discuss the innovation, contribution, and effectiveness of the proposed work.
All the hands-on labs were designed based on research papers. To the best of our knowledge, this is the first time that stepping-stone intrusion detection techniques have been integrated into a cybersecurity curriculum. The contribution is that college students can learn complex stepping-stone intrusion detection techniques and enhance their experience by conducting the hands-on labs. The labs designed are suitable for teaching-focused colleges that may have a limited budget for their cybersecurity curriculum.
Each proposed lab has a critical thinking component, including discussions of ethical issues and questions that train students to be qualified professionals in the cybersecurity workforce. Most of the labs proposed were adopted in the course "Intrusion Detection and Prevention" at Columbus State University, GA from 2018 to 2019. The instructors conducted a class survey asking the students whether they agreed with the labs adopted for the class. The survey results are shown in Table 1. From the survey results, we can see that over four years, more than 90 percent of the students liked the labs. Their comments and feedback are positive. There are also some negative comments and feedback. The following negative feedback was extracted from the surveys: 1) the time given to finish the labs is not enough; 2) most students prefer to use a physically installed Linux system to conduct the labs rather than a virtual Linux system, because it is hard to copy the results out of the virtual machine; 3) too many packets have to be captured, which costs them too much time; 4) some students expect the first lab to refresh Linux commands rather than to make a connection chain.

Summary
In order to help college students learn stepping-stone intrusion detection and prevention techniques and enhance their hands-on learning experience, we developed ten hands-on labs based on the significant results published in the area of stepping-stone intrusion detection since 1995. To make these hands-on labs easy for university professors to adopt in undergraduate cybersecurity courses, we used the following strategies while designing them: 1) save budget for learners; 2) simplify the hardware and software requirements; 3) provide clear step-by-step instructions; 4) make assessment easy for evaluators; 5) make adoption easy for instructors.
Most of the hands-on labs designed in this paper have been adopted in the undergraduate course Intrusion Detection and Prevention at Columbus State University for four years. The average survey result shows that more than 90% of the students liked the labs and enjoyed the hands-on activities involved in them. The rate of disagreement/dislike is less than 10%. All the hands-on labs have been shared within the USA via the Clark system managed by Towson University, MD, USA. Records show that at least six colleges/universities have downloaded the hands-on labs. We strongly believe that our proposed hands-on labs in stepping-stone intrusion detection will help build the nation's cybersecurity workforce.
Cybersecurity is a rapidly changing and expanding field. In order to make our students adaptable to fast-changing cybersecurity techniques quickly after graduation, in the future we will improve the proposed hands-on labs following the NICE cybersecurity workforce framework initiated by NIST. In this framework, there are seven categories and each category contains one or more specialty areas. Each cybersecurity specialty area is composed of multiple work roles. Each work role includes Knowledge, Skills and Abilities (KSAs) and Tasks. The future hands-on labs will help our students achieve three targets. First, they will obtain a body of information that can be directly applied to the performance of a function. Second, they will enhance the skills needed for cybersecurity. Third, they will improve their competence to perform an observable behavior that results in an observable product.