Extracting inter-arrival time based behaviour from honeypot traffic using cliques

Saleh Almotairi, Andrew Clark, Marc Dacier, Corrado Leita, George Mohay, Van Hau Pham, Olivier Thonnard, Jacob Zimmermann

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

8 Citations (Scopus)

Abstract

The Leurre.com project is a worldwide network of honeypot environments that collect traces of malicious Internet traffic every day. Clustering techniques have been utilized to categorize and classify honeypot activities based on several traffic features. While such clusters of traffic provide useful information about different activities that are happening in the Internet, a new correlation approach is needed to automate the discovery of refined types of activities that share common features. This paper proposes the use of packet inter-arrival time (IAT) as a main feature in grouping clusters that exhibit commonalities in their IAT distributions. Our approach utilizes the cliquing algorithm for the automatic discovery of cliques of clusters. We demonstrate the usefulness of our methodology by providing several examples of IAT cliques and a discussion of the types of activity they represent. We also give some insight into the causes of these activities. In addition, we address the limitation of our approach, through the manual extraction of what we term supercliques, and discuss ideas for further improvement.

Original language: English
Title of host publication: Proceedings of the 5th Australian Digital Forensics Conference
Pages: 79-87
Number of pages: 9
Publication status: Published - 2007
Externally published: Yes
Event: 5th Australian Digital Forensics Conference - Perth, WA
Duration: 3 Dec 2007 - 3 Dec 2007

Other

Other: 5th Australian Digital Forensics Conference
City: Perth, WA
Period: 3/12/07 - 3/12/07

Keywords

  • Clustering
  • Honeypots
  • Inter-arrival times
  • Internet traffic analysis

ASJC Scopus subject areas

  • Information Systems

Cite this

Almotairi, S., Clark, A., Dacier, M., Leita, C., Mohay, G., Pham, V. H., ... Zimmermann, J. (2007). Extracting inter-arrival time based behaviour from honeypot traffic using cliques. In Proceedings of the 5th Australian Digital Forensics Conference (pp. 79-87)

@inproceedings{eaf6ea228b1e4c8ea4e0dc7d68864ca5,
title = "Extracting inter-arrival time based behaviour from honeypot traffic using cliques",
abstract = "The Leurre.com project is a worldwide network of honeypot environments that collect traces of malicious Internet traffic every day. Clustering techniques have been utilized to categorize and classify honeypot activities based on several traffic features. While such clusters of traffic provide useful information about different activities that are happening in the Internet, a new correlation approach is needed to automate the discovery of refined types of activities that share common features. This paper proposes the use of packet inter-arrival time (IAT) as a main feature in grouping clusters that exhibit commonalities in their IAT distributions. Our approach utilizes the cliquing algorithm for the automatic discovery of cliques of clusters. We demonstrate the usefulness of our methodology by providing several examples of IAT cliques and a discussion of the types of activity they represent. We also give some insight into the causes of these activities. In addition, we address the limitation of our approach, through the manual extraction of what we term supercliques, and discuss ideas for further improvement.",
keywords = "Clustering, Honeypots, Inter-arrival times, Internet traffic analysis",
author = "Saleh Almotairi and Andrew Clark and Marc Dacier and Corrado Leita and George Mohay and Pham, {Van Hau} and Olivier Thonnard and Jacob Zimmermann",
year = "2007",
language = "English",
isbn = "0729806464",
pages = "79--87",
booktitle = "Proceedings of the 5th Australian Digital Forensics Conference",
}
