![\begin{definition}[Connection Chain]
When a user on a computer $H_0$ logs into...
...s $C=\langle C_1, C_2, \ldots, C_n\rangle$ a connection chain.
\end{definition}](img13.gif)
is the source of an intruder and 
is the target.
and 
are step-through hosts the intruder logs in through sequentially.
is a TCP connection established between 
and 
.
![\begin{definition}[Upstream and Downstream Connection]
We say that $C_i$ is an ...
...ain $C=\langle\ldots,C_i,\ldots,C_j,\ldots\rangle$ and $i<j$.
\end{definition}](img22.gif)
At any particular point of time, a TCP connection is uniquely determined by a 4-tuple: source IP address, destination IP address, source port number, and destination port number, thus we can tell which connection a given packet belongs to by looking at the IP and TCP header of the packet.
An individual packet will either travel upstream or downstream.
If we denote a connection as a 4-tuple
, one direction is expressed as
and the other is expressed as
.
![\begin{definition}[Packet Stream]
A packet stream on a connection is a series of...
...moving in the same direction and listed in chronological order.
\end{definition}](img26.gif)
There are two packet streams in one connection for each of the directions, but we currently treat each of them independently.
Directions are defined with regards to an intruder's actual origin, so we say the direction of a packet stream is upstream if the packets are moving toward the intruder, and downstream if the packets are moving toward the target host.
![\includegraphics[scale=.5]{chain}](img21.gif)
th packet 
of 
is taken from 
.