A framework for attack patterns' discovery in honeynet data

Olivier Thonnard, Marc Dacier

Research output: Contribution to journalArticle

39 Citations (Scopus)

Abstract

Collecting data related to Internet threats has now become a relatively common task for security researchers and network operators. However, the huge amount of raw data can rapidly overwhelm people in charge of analyzing such data sets. Systematic analysis procedures are thus needed to extract useful information from large traffic data sets in order to assist the analyst's investigations. This work describes an analysis framework specifically developed to gain insights into honeynet data. Our forensics procedure aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. In our exploratory data analysis, we seek to design a flexible clustering tool that can be applied in a systematic way on different feature vectors characterizing the attacks. In this paper, we illustrate the application of our method by analyzing one specific aspect of the honeynet data, i.e. the time series of the attacks. We show that clustering attack patterns with an appropriate similarity measure provides very good candidates for further in-depth investigation, which can help us to discover the plausible root causes of the underlying phenomena. The results of our clustering on time series analysis enable us to identify the activities of several worms and botnets in the collected traffic.

Original languageEnglish
JournalDigital Investigation
Volume5
Issue numberSUPPL.
DOIs
Publication statusPublished - Sep 2008
Externally publishedYes

Fingerprint

Time series analysis
Cluster Analysis
Time series
Internet
Research Personnel
traffic
analysis procedure
time series analysis
Botnet
Datasets
time series
data analysis
candidacy
threat
cause

Keywords

  • Attack patterns
  • Honeypot forensics
  • Knowledge discovery
  • Security data mining
  • Traffic analysis

ASJC Scopus subject areas

  • Computer Science (miscellaneous)
  • Engineering (miscellaneous)
  • Law

Cite this

A framework for attack patterns' discovery in honeynet data. / Thonnard, Olivier; Dacier, Marc.

In: Digital Investigation, Vol. 5, No. SUPPL., 09.2008.

Research output: Contribution to journalArticle

@article{c6df61f3b6e64eeaade897f09ca41821,
title = "A framework for attack patterns' discovery in honeynet data",
abstract = "Collecting data related to Internet threats has now become a relatively common task for security researchers and network operators. However, the huge amount of raw data can rapidly overwhelm people in charge of analyzing such data sets. Systematic analysis procedures are thus needed to extract useful information from large traffic data sets in order to assist the analyst's investigations. This work describes an analysis framework specifically developed to gain insights into honeynet data. Our forensics procedure aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. In our exploratory data analysis, we seek to design a flexible clustering tool that can be applied in a systematic way on different feature vectors characterizing the attacks. In this paper, we illustrate the application of our method by analyzing one specific aspect of the honeynet data, i.e. the time series of the attacks. We show that clustering attack patterns with an appropriate similarity measure provides very good candidates for further in-depth investigation, which can help us to discover the plausible root causes of the underlying phenomena. The results of our clustering on time series analysis enable us to identify the activities of several worms and botnets in the collected traffic.",
keywords = "Attack patterns, Honeypot forensics, Knowledge discovery, Security data mining, Traffic analysis",
author = "Olivier Thonnard and Marc Dacier",
year = "2008",
month = "9",
doi = "10.1016/j.diin.2008.05.012",
language = "English",
volume = "5",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",
number = "SUPPL.",

}

TY - JOUR

T1 - A framework for attack patterns' discovery in honeynet data

AU - Thonnard, Olivier

AU - Dacier, Marc

PY - 2008/9

Y1 - 2008/9

N2 - Collecting data related to Internet threats has now become a relatively common task for security researchers and network operators. However, the huge amount of raw data can rapidly overwhelm people in charge of analyzing such data sets. Systematic analysis procedures are thus needed to extract useful information from large traffic data sets in order to assist the analyst's investigations. This work describes an analysis framework specifically developed to gain insights into honeynet data. Our forensics procedure aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. In our exploratory data analysis, we seek to design a flexible clustering tool that can be applied in a systematic way on different feature vectors characterizing the attacks. In this paper, we illustrate the application of our method by analyzing one specific aspect of the honeynet data, i.e. the time series of the attacks. We show that clustering attack patterns with an appropriate similarity measure provides very good candidates for further in-depth investigation, which can help us to discover the plausible root causes of the underlying phenomena. The results of our clustering on time series analysis enable us to identify the activities of several worms and botnets in the collected traffic.

AB - Collecting data related to Internet threats has now become a relatively common task for security researchers and network operators. However, the huge amount of raw data can rapidly overwhelm people in charge of analyzing such data sets. Systematic analysis procedures are thus needed to extract useful information from large traffic data sets in order to assist the analyst's investigations. This work describes an analysis framework specifically developed to gain insights into honeynet data. Our forensics procedure aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. In our exploratory data analysis, we seek to design a flexible clustering tool that can be applied in a systematic way on different feature vectors characterizing the attacks. In this paper, we illustrate the application of our method by analyzing one specific aspect of the honeynet data, i.e. the time series of the attacks. We show that clustering attack patterns with an appropriate similarity measure provides very good candidates for further in-depth investigation, which can help us to discover the plausible root causes of the underlying phenomena. The results of our clustering on time series analysis enable us to identify the activities of several worms and botnets in the collected traffic.

KW - Attack patterns

KW - Honeypot forensics

KW - Knowledge discovery

KW - Security data mining

KW - Traffic analysis

UR - http://www.scopus.com/inward/record.url?scp=48749129421&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=48749129421&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2008.05.012

DO - 10.1016/j.diin.2008.05.012

M3 - Article

VL - 5

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

IS - SUPPL.

ER -