A framework for attack patterns' discovery in honeynet data

Olivier Thonnard, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

16 Citations (Scopus)

Abstract

Collecting data related to Internet threats has now become a relatively common task for security researchers and network operators. However, the huge amount of raw data can rapidly overwhelm the people in charge of analyzing such data sets. Systematic analysis procedures are thus needed to extract useful information from large traffic data sets in order to assist the analyst's investigations. This work describes an analysis framework specifically developed to gain insights into honeynet data. Our forensics procedure aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. In our exploratory data analysis, we seek to design a flexible clustering tool that can be applied in a systematic way to different feature vectors characterizing the attacks. In this paper, we illustrate the application of our method by analyzing one specific aspect of the honeynet data, namely the time series of the attacks. We show that clustering attack patterns with an appropriate similarity measure provides very good candidates for further in-depth investigation, which can help us discover the plausible root causes of the underlying phenomena. The results of clustering the attack time series enable us to identify the activities of several worms and botnets in the collected traffic.

Original language: English
Title of host publication: DFRWS 2008 Annual Conference
Publication status: Published - 2008
Externally published: Yes
Event: 8th Annual Digital Forensic Research Workshop, DFRWS 2008 - Baltimore, MD
Duration: 11 Aug 2008 - 13 Aug 2008

Other

Other: 8th Annual Digital Forensic Research Workshop, DFRWS 2008
City: Baltimore, MD
Period: 11/8/08 - 13/8/08

Fingerprint

Time series analysis
Time series
Internet
Botnet

Keywords

  • Attack patterns
  • Honeypot forensics
  • Knowledge discovery
  • Security data mining
  • Traffic analysis

ASJC Scopus subject areas

  • Information Systems

Cite this

Thonnard, O., & Dacier, M. (2008). A framework for attack patterns' discovery in honeynet data. In DFRWS 2008 Annual Conference
