Extracting inter-arrival time based behaviour from honeypot traffic using cliques

Saleh Almotairi, Andrew Clark, Marc Dacier, Corrado Leita, George Mohay, Van Hau Pham, Olivier Thonnard, Jacob Zimmermann

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Citations (Scopus)

Abstract

The Leurre.com project is a worldwide network of honeypot environments that collect traces of malicious Internet traffic every day. Clustering techniques have been used to categorize and classify honeypot activities based on several traffic features. While such clusters of traffic provide useful information about the different activities happening on the Internet, a new correlation approach is needed to automate the discovery of refined types of activities that share common features. This paper proposes the use of packet inter-arrival time (IAT) as the main feature for grouping clusters that exhibit commonalities in their IAT distributions. Our approach uses the cliquing algorithm for the automatic discovery of cliques of clusters. We demonstrate the usefulness of our methodology by providing several examples of IAT cliques and a discussion of the types of activity they represent. We also give some insight into the causes of these activities. In addition, we address a limitation of our approach through the manual extraction of what we term supercliques, and discuss ideas for further improvement.
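The abstract describes grouping traffic clusters whose IAT distributions resemble each other and then finding cliques among them. The following is an added illustration, not code from the paper or the Leurre.com project: it bins each cluster's inter-arrival times on a log10 scale, links two clusters when their histogram intersection exceeds a threshold, and enumerates maximal cliques with Bron–Kerbosch. The timestamps, bin edges, similarity measure and threshold are all constructed assumptions; the paper's actual feature encoding and similarity criterion are not given here.

```python
import math
from itertools import combinations

# Constructed per-cluster packet timestamps in seconds (not real honeypot data).
CLUSTER_TIMESTAMPS = {
    "c1": [0.0, 1.0, 2.0, 3.0, 4.0, 5.0],        # ~1 s periodic probing
    "c2": [0.0, 1.1, 2.2, 3.2, 4.4, 5.5],        # same ~1 s rhythm, jittered
    "c3": [0.0, 1.05, 2.1, 3.3, 4.4, 4.9],       # mostly ~1 s, one shorter gap
    "c4": [0.0, 0.02, 0.05, 0.07, 0.09, 0.12],   # fast burst, tens of ms
    "c5": [0.0, 0.03, 0.05, 0.08, 0.10, 0.13],   # same burst profile
    "c6": [0.0, 60.0, 120.0, 180.0],             # slow, minute-scale scanner
}
BINS = [-3, -2, -1, 0, 1, 2, 3]  # log10(IAT in seconds) bin edges (assumption)

def iat_histogram(ts):
    """Normalised histogram of log10 inter-arrival times over BINS."""
    iats = [b - a for a, b in zip(ts, ts[1:]) if b > a]
    counts = [0] * (len(BINS) - 1)
    for x in iats:
        lx = math.log10(x)
        for i in range(len(counts)):
            if BINS[i] <= lx < BINS[i + 1]:
                counts[i] += 1
                break
    n = len(iats) or 1
    return [c / n for c in counts]

def similarity(h1, h2):
    """Histogram intersection: 1.0 means identical IAT distributions."""
    return sum(min(a, b) for a, b in zip(h1, h2))

def bron_kerbosch(r, p, x, adj, out):
    """Enumerate maximal cliques of the similarity graph into `out`."""
    if not p and not x:
        out.append(frozenset(r))
        return
    for v in list(p):
        bron_kerbosch(r | {v}, p & adj[v], x & adj[v], adj, out)
        p = p - {v}
        x = x | {v}

def iat_cliques(clusters, threshold=0.75, min_size=2):
    """Return sorted cliques of clusters with mutually similar IAT profiles."""
    hists = {k: iat_histogram(v) for k, v in clusters.items()}
    adj = {k: set() for k in clusters}
    for a, b in combinations(clusters, 2):
        if similarity(hists[a], hists[b]) >= threshold:
            adj[a].add(b); adj[b].add(a)
    out = []
    bron_kerbosch(set(), set(clusters), set(), adj, out)
    return sorted((sorted(c) for c in out if len(c) >= min_size), key=str)
```

With the constructed data, the two periodic clusters and the two burst clusters form separate cliques, while the minute-scale scanner stands alone and is dropped by `min_size`.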

Original language: English
Title of host publication: Proceedings of the 5th Australian Digital Forensics Conference
Pages: 79-87
Number of pages: 9
Publication status: Published - 1 Dec 2007
Event: 5th Australian Digital Forensics Conference - Perth, WA, Australia
Duration: 3 Dec 2007 to 3 Dec 2007

Publication series

Name: Proceedings of the 5th Australian Digital Forensics Conference

Conference

Conference: 5th Australian Digital Forensics Conference
Country: Australia
City: Perth, WA
Period: 3/12/07 to 3/12/07

Keywords

  • Clustering
  • Honeypots
  • Inter-arrival times
  • Internet traffic analysis

ASJC Scopus subject areas

  • Information Systems

Cite this

Almotairi, S., Clark, A., Dacier, M., Leita, C., Mohay, G., Pham, V. H., Thonnard, O., & Zimmermann, J. (2007). Extracting inter-arrival time based behaviour from honeypot traffic using cliques. In Proceedings of the 5th Australian Digital Forensics Conference (pp. 79-87). (Proceedings of the 5th Australian Digital Forensics Conference).