The WOMBAT attack attribution method

Some results

Marc Dacier, Van H. Pham, Olivier Thonnard

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

17 Citations (Scopus)

Abstract

In this paper, we present a new attack attribution method that has been developed within the WOMBAT project. We illustrate the method with some real-world results obtained when applying it to almost two years of attack traces collected by low-interaction honeypots. This analytical method aims at identifying large-scale attack phenomena composed of IP sources that are linked to the same root cause. All malicious sources involved in the same phenomenon constitute what we call a Misbehaving Cloud (MC). The paper offers an overview of the various steps the method goes through to identify these clouds, providing pointers to external references for more detailed information. Four instances of misbehaving clouds are then described in some more depth to demonstrate the meaningfulness of the concept.

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pages: 19-37
Number of pages: 19
Volume: 5905 LNCS
DOIs: https://doi.org/10.1007/978-3-642-10772-6_3
Publication status: Published - 2009
Externally published: Yes
Event: 5th International Conference on Information Systems Security, ICISS 2009 - Kolkata
Duration: 14 Dec 2009 to 18 Dec 2009

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5905 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 5th International Conference on Information Systems Security, ICISS 2009
City: Kolkata
Period: 14/12/09 to 18/12/09

ASJC Scopus subject areas

  • Computer Science (all)
  • Theoretical Computer Science

Cite this

Dacier, M., Pham, V. H., & Thonnard, O. (2009). The WOMBAT attack attribution method: Some results. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5905 LNCS, pp. 19-37). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5905 LNCS). https://doi.org/10.1007/978-3-642-10772-6_3

TY - GEN
T1 - The WOMBAT attack attribution method
T2 - Some results
AU - Dacier, Marc
AU - Pham, Van H.
AU - Thonnard, Olivier
PY - 2009
Y1 - 2009
UR - http://www.scopus.com/inward/record.url?scp=71549158205&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=71549158205&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-10772-6_3
DO - 10.1007/978-3-642-10772-6_3
M3 - Conference contribution
SN - 3642107710
SN - 9783642107719
VL - 5905 LNCS
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 19
EP - 37
BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ER -