Tracing the Chain: Deep Learning for Stepping-Stone Intrusion Detection

📅 2026-04-09
📈 Citations: 0
Influential: 0

🤖 AI Summary
This work addresses the challenge of detecting stealthy intrusions where adversaries conceal their true origin by chaining compromised relay hosts. To this end, the authors propose ESPRESSO, a novel model that accurately correlates inbound and outbound traffic of relay hosts under extremely low false positive rates. ESPRESSO uniquely integrates Transformer-based feature extraction, time-aligned multi-channel inter-packet interval features, and online triplet metric learning, augmented with a link-length prediction module to distinguish malicious from benign relays. The study also introduces a synthetic traffic generation framework supporting five tunneling protocols—SSH, SOCAT, ICMP, DNS, and HTTP—for robust training and evaluation. Experimental results demonstrate that ESPRESSO significantly outperforms the DeepCoFFEA baseline in both host- and network-based settings, achieving a true positive rate exceeding 0.99 for bursty protocols in network mode while maintaining a false positive rate as low as 10⁻³.

📝 Abstract
Stepping-stone intrusions (SSIs) are a prevalent network evasion technique in which attackers route sessions through chains of compromised intermediate hosts to obscure their origin. Effective SSI detection requires correlating the incoming and outgoing flows at each relay host at extremely low false positive rates -- a stringent requirement that renders classical statistical methods inadequate in operational settings. We apply ESPRESSO, a deep learning flow correlation model combining a transformer-based feature extraction network, time-aligned multi-channel interval features, and online triplet metric learning, to the problem of stepping-stone intrusion detection. To support training and evaluation, we develop a synthetic data collection tool that generates realistic stepping-stone traffic across five tunneling protocols: SSH, SOCAT, ICMP, DNS, and mixed multi-protocol chains. Across all five protocols and in both host-mode and network-mode detection scenarios, ESPRESSO substantially outperforms the state-of-the-art DeepCoFFEA baseline, achieving a true positive rate exceeding 0.99 at a false positive rate of $10^{-3}$ for standard bursty protocols in network-mode. We further demonstrate chain length prediction as a tool for distinguishing malicious from benign pivoting, and conduct a systematic robustness analysis revealing that timing-based perturbations are the primary vulnerability of correlation-based stepping-stone detectors.
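The relay-side correlation problem the abstract describes, reduced to a small runnable illustration. This is an added example written for this page, not code from the ESPRESSO paper: the 100 ms bin width, the two feature channels (per-bin packet count and per-bin mean inter-packet interval), the cosine score and the deterministic jitter function are my own simplifications, and all packet timestamps are constructed.

```python
"""Toy flow correlation at a stepping-stone relay (added illustration)."""
import math
from typing import List

BIN_MS = 100   # width of each time-aligned bin (assumed)
N_BINS = 20    # observation window: 2 s

def ipi_features(ts_ms: List[int]) -> List[List[float]]:
    """Two channels per bin: [packet count, mean intra-bin IPI in ms]."""
    per_bin: List[List[int]] = [[] for _ in range(N_BINS)]
    for t in sorted(ts_ms):
        b = t // BIN_MS
        if 0 <= b < N_BINS:
            per_bin[b].append(t)
    counts = [float(len(p)) for p in per_bin]
    ipis = [sum(p[i + 1] - p[i] for i in range(len(p) - 1)) / (len(p) - 1)
            if len(p) > 1 else 0.0 for p in per_bin]
    return [counts, ipis]

def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0   # all-zero channel -> 0

def correlation_score(inbound: List[int], outbound: List[int]) -> float:
    """Mean per-channel cosine similarity between the two flows' features."""
    fa, fb = ipi_features(inbound), ipi_features(outbound)
    return sum(cosine(x, y) for x, y in zip(fa, fb)) / len(fa)

def perturb_timing(ts_ms: List[int]) -> List[int]:
    """Deterministic stand-in for the timing perturbations the paper studies."""
    return [t + (i * 37) % 250 for i, t in enumerate(ts_ms)]

# Constructed sample: two bursts of interactive traffic entering the relay ...
INBOUND = [20, 50, 70, 120, 150, 310, 1020, 1040, 1090, 1210, 1250, 1380]
# ... forwarded to the next hop with a constant 30 ms relay latency
OUTBOUND = [t + 30 for t in INBOUND]
# An unrelated outbound flow from the same host: one packet every 100 ms
BENIGN = [100 * k + 50 for k in range(N_BINS)]

if __name__ == "__main__":
    for name, flow in [("relayed", OUTBOUND), ("benign", BENIGN),
                       ("relayed+jitter", perturb_timing(OUTBOUND))]:
        print(f"{name:15s} score={correlation_score(INBOUND, flow):.3f}")
```

The relayed flow scores far above the benign one, while the same flow with perturbed timing drops below a threshold of 0.8, which is the robustness weakness the abstract reports for timing-based correlation.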
Problem

Research questions and friction points this paper is trying to address.

stepping-stone intrusion
network evasion
flow correlation
intrusion detection
false positive rate

Innovation

Methods, ideas, or system contributions that make the work stand out.

deep learning
stepping-stone intrusion detection
transformer-based feature extraction
online triplet metric learning
synthetic traffic generation