Limitation of Honeypot/Honeynet Databases to Enhance Alert Correlation

“…The previous remarks on the heterogeneity and complementarity of the information carried by alerts coming from different domains of an ICS suggest that our main objective is to enrich the information gathered from one domain with information from the other domain. In traditional alert correlation approaches [7,24,25], alert enrichment objective is to add some missing contextual information. Enrichment approaches often rely on knowledge bases [26] which might include information such as the system's topology [24] and assets [7].…”

“…Enrichment approaches often rely on knowledge bases [26] which might include information such as the system's topology [24] and assets [7]. In the same vein, the approach in [25] uses honeypot databases for contextual information on malware propagation activity or the profile of web servers in order to enrich IDS alerts.…”

“…Such enrichment solutions are possible due to their confinement to a single domain where attributes are mainly homogeneous. For instance, while the approach in [25] aims at enriching local alerts raised by IDS with global threat information available in honeypot databases, all information belongs to the cyber domain and is represented using similar attributes (IP addresses, detection time, classification of attacks). In contrast, information carried by physical domain alerts is represented in terms of widely different attributes (actuator/sensor events and states) in comparison to information within cyber domain alerts.…”

Cross-domain alert correlation methodology for industrial control systems

“…The previous remarks on the heterogeneity and complementarity of the information carried by alerts coming from different domains of an ICS suggest that our main objective is to enrich the information gathered from one domain with information from the other domain. In traditional alert correlation approaches [7,24,25], alert enrichment objective is to add some missing contextual information. Enrichment approaches often rely on knowledge bases [26] which might include information such as the system's topology [24] and assets [7].…”

“…Enrichment approaches often rely on knowledge bases [26] which might include information such as the system's topology [24] and assets [7]. In the same vein, the approach in [25] uses honeypot databases for contextual information on malware propagation activity or the profile of web servers in order to enrich IDS alerts.…”

“…Such enrichment solutions are possible due to their confinement to a single domain where attributes are mainly homogeneous. For instance, while the approach in [25] aims at enriching local alerts raised by IDS with global threat information available in honeypot databases, all information belongs to the cyber domain and is represented using similar attributes (IP addresses, detection time, classification of attacks). In contrast, information carried by physical domain alerts is represented in terms of widely different attributes (actuator/sensor events and states) in comparison to information within cyber domain alerts.…”

Cross-domain alert correlation methodology for industrial control systems

The Performance Analysis of Honeypot Based Intrusion Detection System for Wireless Network

Wireless Rogue Access Point Detection Using Shadow Honeynet