Network attackers usually conceal their real attack paths by establishing interactive connections through a series of intermediate
hosts (stepping stones) before attacking the final target. We propose two methods for detecting stepping stones by actively
perturbing the inter-packet delay of connections. Within the attacker's perturbation range, the average inter-packet delay of the
packets in the detecting window is set to increase periodically. The methods correlate the connections of an attacking connection
chain by analyzing the change in the average inter-packet delay between the two connection chains. The methods can
reduce the complexity of correlation computations and improve the efficiency of detecting stepping stones.
Keywords: Traceback, Connection Chain, Active Delay
Supported by NSFC (90204014).
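
The sketch below is an added illustration of the idea in the abstract, not the paper's algorithm. It holds packets so that the mean inter-packet delay (IPD) of every second detecting window rises, then looks for that periodic rise downstream of a jittering relay. The window size, hold ramp, threshold and traffic model are assumptions, and the sample flows are constructed.

```python
import random
from statistics import mean

WINDOW = 10      # packets per detecting window (assumed value)
MAX_HOLD = 0.5   # detector's largest per-packet hold in seconds (assumed value)

def apply_holds(ipds, holds):
    """Hold each packet for holds[i] seconds, keeping FIFO order; return new IPDs."""
    out, arrival, prev_sent = [], 0.0, 0.0
    for ipd, hold in zip(ipds, holds):
        arrival += ipd
        sent = max(prev_sent, arrival + hold)
        out.append(sent - prev_sent)
        prev_sent = sent
    return out

def watermark_holds(n, window=WINDOW, max_hold=MAX_HOLD):
    """Ramp the hold up across odd windows and back down across even ones,
    so the mean IPD of every second window rises while holds stay bounded."""
    holds = []
    for i in range(n):
        pos = (i % window + 1) / window
        holds.append(max_hold * (pos if (i // window) % 2 else 1 - pos))
    return holds

def score(ipds, window=WINDOW):
    """Mean IPD of odd windows minus mean IPD of even windows."""
    means = [mean(ipds[i:i + window]) for i in range(0, len(ipds) - window + 1, window)]
    return mean(means[1::2]) - mean(means[0::2])

def is_marked(ipds, window=WINDOW, max_hold=MAX_HOLD):
    # An unmarked flow scores near 0, a marked one near 2 * max_hold / window.
    return score(ipds, window) > max_hold / window

def demo(seed=1, packets=20000):
    rng = random.Random(seed)
    # Constructed traffic: exponential IPDs with a 0.3 s mean.
    upstream = [rng.expovariate(1 / 0.3) for _ in range(packets)]
    unrelated = [rng.expovariate(1 / 0.3) for _ in range(packets)]
    marked = apply_holds(upstream, watermark_holds(packets))
    # Stepping stone modelled as a random hold of up to 0.5 s per packet.
    downstream = apply_holds(marked, [rng.uniform(0, 0.5) for _ in range(packets)])
    return score(downstream), score(unrelated)

if __name__ == "__main__":
    print(demo())
```

Because the detector only has to compare window averages against a known period, the check is a single pass over each candidate flow rather than a pairwise correlation of full timing sequences.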