A framework for attack patterns' discovery in honeynet data

Thonnard, Olivier; Daciér, Marc

doi:10.1016/j.diin.2008.05.012

Cited by 74 publications

(36 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They were able to identify several types of botnets based on those features. Other authors employed Significant Event Discovery (Buda & Bluemke, 2016), Long-Range Dependency (Zhan & Xu, 2013), Support Vector Machines (Song et al, 2011), Principal Components Analysis (Sharma & Mandeep, 2010;Almotairi, 2009), Symbolic Aggregate Approximation (Thonnard & Dacier, 2008) and feature correlation (Pham & Dacier, 2011). All of them indicate that the forensic examination of honeypot data is executable by standard data mining techniques.…”

Section: Background and Related Workmentioning

confidence: 99%

YAAS – On the Attribution of Honeypot Data

Fraunholz¹,

Krohmer²,

Antón³

et al. 2017

IJCSA

View full text Add to dashboard Cite

One of the major issues in digital forensics and attack analysis is the attribution of an attack to a type of malicious adversary. This is especially important to determine the relevance of an incident with respect to the threat it poses to a system. In this work, a holistic scheme to derive characteristics from honeypot data and to map this data to an attacker model is introduced. This scheme takes data that is provided by deception systems of any kind. After that, characteristics are derived that describe different attributes of an attacker. Those are used to categorise threats into one of nine attacker classes. This scheme has been evaluated with real world honeypot data. As expected, most attacks are rather harmless, but a few outliers have been identified.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

YAAS – On the Attribution of Honeypot Data

Fraunholz¹,

Krohmer²,

Antón³

et al. 2017

IJCSA

View full text Add to dashboard Cite

show abstract

“…The correlation analysis is based on a linear regression models. Thonnard and Dacier proposed a framework for attack patterns' discovery from the honeynet collected data [11]. The aim of this approach is to find, within an attack dataset, groups of network traces sharing various kinds of similar patterns.…”

Section: Related Workmentioning

confidence: 99%

Behavior Analysis of Web Service Attacks

Ghourabi

Abbes

Bouhoula

2014

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

Part 9: Malicious Behavior and FraudInternational audienceWith the rapid development of Internet and its services, cyber attacks are increasingly emerging and evolving nowadays. To be aware of new attacks and elaborate the appropriate protection mechanisms, an interesting idea is to attract attackers, then to automatically monitor their activities and analyze their behaviors. In this paper, we are particularly interested in detecting and learning attacks against web services. We propose an approach that describes the attacker’s behavior based on data collected from the deployment of a web service honeypot. The strengths of our approach are that (1) it offers a high interaction environment, able to collect valuable information about malicious activities; (2) our solution preprocesses the set of data attributes in order to keep only significant ones (3) it ensures two levels of clustering in order to produce more concise attack scenarios. In order to achieve these contributions, we employ three analysis techniques: Principal Component Analysis, Spectral Clustering and Sequence Clustering. Our experimental tests allow us discovering some attacks scenarios, such as SQL Injection and Denial of Services (DoS), that are modeled in Markov chains

show abstract

“…The work in [25] focuses on the identification of inter-relationships between these clusters to obtain additional characteristics of the attack tools used, e.g., association of some attack tools with certain geographical locations. Another clustering technique is presented in [26] that analyzes the time series of the network traces and finds groups of traces that are similar in time signatures, thereby identifying various worms and botnets. The authors in [27] proposed a method that integrates clustering structure visualization together with outlier detection, in order to provide a big picture of honeypot data patterns and to detect new botnets as they are deployed.…”

Section: Related Workmentioning

confidence: 99%

Attack Pattern Discovery in Forensic Investigation of Network Attacks

Zhu

2011

IEEE J. Select. Areas Commun.

View full text Add to dashboard Cite

Network attacks on systems perpetrated by remote hackers rarely occur in isolation; when a successful or merely detected attack occurs, it is often desirable to reconstruct the context of this security breach: all the events that lead up to and are related to the breach. We mine the logs of recent network traffic data to find these contexts of attacks -we call them attack patterns. We propose an iterative algorithm for discovering attack patterns; the logs are scanned to identify coherent groups of events (called bubbles) that are likely to constitute attacks, and via a feedback mechanism, the degrees of belief that the bubbles are attack instances are propagated to the next iteration in order to refine the search for bubbles related to the ones already found. Our simulations verify that the algorithm achieves accuracy in discovering attack patterns. Our attack pattern discovery has the additional advantage of being an unsupervised algorithm, e.g., it does not require a priori user-defined thresholds.

show abstract

A framework for attack patterns' discovery in honeynet data

Cited by 74 publications

References 9 publications

YAAS – On the Attribution of Honeypot Data

YAAS – On the Attribution of Honeypot Data

Behavior Analysis of Web Service Attacks

Attack Pattern Discovery in Forensic Investigation of Network Attacks

Contact Info

Product

Resources

About