TY - JOUR
T1 - A framework for attack patterns' discovery in honeynet data
AU - Thonnard, Olivier
AU - Dacier, Marc
N1 - Generated from Scopus record by KAUST IRTS on 2022-09-12
PY - 2008/1/1
Y1 - 2008/1/1
N2 - Collecting data related to Internet threats has now become a relatively common task for security researchers and network operators. However, the huge amount of raw data can rapidly overwhelm people in charge of analyzing such data sets. Systematic analysis procedures are thus needed to extract useful information from large traffic data sets in order to assist the analyst's investigations. This work describes an analysis framework specifically developed to gain insights into honeynet data. Our forensics procedure aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. In our exploratory data analysis, we seek to design a flexible clustering tool that can be applied in a systematic way on different feature vectors characterizing the attacks. In this paper, we illustrate the application of our method by analyzing one specific aspect of the honeynet data, i.e. the time series of the attacks. We show that clustering attack patterns with an appropriate similarity measure provides very good candidates for further in-depth investigation, which can help us to discover the plausible root causes of the underlying phenomena. The results of our clustering on time series analysis enable us to identify the activities of several worms and botnets in the collected traffic. © 2008 Digital Forensic Research Workshop.
AB - Collecting data related to Internet threats has now become a relatively common task for security researchers and network operators. However, the huge amount of raw data can rapidly overwhelm people in charge of analyzing such data sets. Systematic analysis procedures are thus needed to extract useful information from large traffic data sets in order to assist the analyst's investigations. This work describes an analysis framework specifically developed to gain insights into honeynet data. Our forensics procedure aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. In our exploratory data analysis, we seek to design a flexible clustering tool that can be applied in a systematic way on different feature vectors characterizing the attacks. In this paper, we illustrate the application of our method by analyzing one specific aspect of the honeynet data, i.e. the time series of the attacks. We show that clustering attack patterns with an appropriate similarity measure provides very good candidates for further in-depth investigation, which can help us to discover the plausible root causes of the underlying phenomena. The results of our clustering on time series analysis enable us to identify the activities of several worms and botnets in the collected traffic. © 2008 Digital Forensic Research Workshop.
UR - https://linkinghub.elsevier.com/retrieve/pii/S1742287608000431
UR - http://www.scopus.com/inward/record.url?scp=48749129421&partnerID=8YFLogxK
U2 - 10.1016/j.diin.2008.05.012
DO - 10.1016/j.diin.2008.05.012
M3 - Article
SN - 1742-2876
VL - 5
JO - Digital Investigation
JF - Digital Investigation
IS - SUPPL.
ER -