Extracting inter-arrival time based behaviour from honeypot traffic using cliques

Saleh Almotairi, Andrew Clark, Marc Dacier, Corrado Leita, George Mohay, Van Hau Pham, Olivier Thonnard, Jacob Zimmermann

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

8 Scopus citations

Abstract

The Leurre.com project is a worldwide network of honeypot environments that collect traces of malicious Internet traffic every day. Clustering techniques have been used to categorize and classify honeypot activities based on several traffic features. While such clusters of traffic provide useful information about the different activities taking place on the Internet, a new correlation approach is needed to automate the discovery of refined types of activities that share common features. This paper proposes the use of packet inter-arrival time (IAT) as the main feature for grouping clusters that exhibit commonalities in their IAT distributions. Our approach uses the cliquing algorithm for the automatic discovery of cliques of clusters. We demonstrate the usefulness of our methodology by providing several examples of IAT cliques and a discussion of the types of activity they represent. We also give some insight into the causes of these activities. In addition, we address a limitation of our approach through the manual extraction of what we term supercliques, and discuss ideas for further improvement.
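As an added worked example (not code from the paper or the Leurre.com project), the following script runs the pipeline the abstract describes on constructed traffic: each cluster of packets is reduced to an IAT histogram, clusters whose histograms are sufficiently similar are joined by an edge, and maximal cliques of that graph are enumerated. The log-spaced bins, the histogram-intersection similarity, the 0.7 threshold and the Bron-Kerbosch clique search are assumptions made here for illustration; the paper does not specify which similarity measure or clique algorithm it used, and the cluster names and timestamps are invented.

```python
"""Grouping honeypot traffic clusters by inter-arrival-time (IAT) profile.

Added illustrative example, not code from the paper or the Leurre.com
project. Pipeline: per-cluster IAT histogram -> pairwise similarity graph
-> maximal cliques. The log-spaced bins, histogram-intersection similarity,
0.7 threshold and Bron-Kerbosch clique search are assumptions chosen here;
the paper does not specify them. All traffic below is constructed.
"""
from itertools import combinations

# Log-spaced bin edges in seconds (assumed): sub-ms bursts, second-scale
# retries, multi-minute backoff. Values >= the last edge fall in a final
# open-ended bin.
BIN_EDGES = [0.001, 0.01, 0.1, 1.0, 10.0, 100.0, 1000.0]


def iats(timestamps):
    """Inter-arrival times (seconds) between consecutive packet timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def iat_histogram(delays):
    """Normalised IAT histogram over BIN_EDGES (len(BIN_EDGES)+1 bins)."""
    counts = [0] * (len(BIN_EDGES) + 1)
    for d in delays:
        i = 0
        while i < len(BIN_EDGES) and d >= BIN_EDGES[i]:
            i += 1
        counts[i] += 1
    total = sum(counts) or 1
    return [c / total for c in counts]


def histogram_similarity(h1, h2):
    """Histogram intersection in [0, 1]; 1.0 means identical IAT profiles."""
    return sum(min(a, b) for a, b in zip(h1, h2))


def bron_kerbosch(r, p, x, adj, out):
    """Append every maximal clique of the graph (adjacency sets) to out."""
    if not p and not x:
        out.append(frozenset(r))
        return
    for v in list(p):
        bron_kerbosch(r | {v}, p & adj[v], x & adj[v], adj, out)
        p = p - {v}
        x = x | {v}


def iat_cliques(clusters, threshold=0.7):
    """Maximal cliques of clusters whose pairwise IAT similarity is >= threshold.

    clusters maps a cluster name to its list of packet timestamps.
    Singleton cliques (clusters resembling nothing else) are dropped.
    """
    hists = {name: iat_histogram(iats(ts)) for name, ts in clusters.items()}
    adj = {name: set() for name in clusters}
    for a, b in combinations(clusters, 2):
        if histogram_similarity(hists[a], hists[b]) >= threshold:
            adj[a].add(b)
            adj[b].add(a)
    found = []
    bron_kerbosch(set(), set(clusters), set(), adj, found)
    return sorted(sorted(c) for c in found if len(c) > 1)


def make_cluster(start, gaps):
    """Constructed packet timestamps: start, then start plus cumulative gaps."""
    ts, t = [start], start
    for g in gaps:
        t += g
        ts.append(t)
    return ts


def sample_clusters():
    """Six constructed clusters: three ms-scale scanners, two second-scale
    retry patterns with different mixes, one multi-minute backoff source."""
    return {
        "fast_scan_A": make_cluster(1000.0, [0.002] * 50),
        "fast_scan_B": make_cluster(2000.0, [0.005] * 40),
        "fast_scan_C": make_cluster(3000.0, [0.003] * 45 + [0.5] * 5),
        "retry_worm_A": make_cluster(4000.0, [2.0] * 30),
        "retry_worm_B": make_cluster(5000.0, [3.0] * 24 + [20.0] * 6),
        "slow_backoff": make_cluster(6000.0, [300.0] * 10),
    }


if __name__ == "__main__":
    for clique in iat_cliques(sample_clusters()):
        print("IAT clique:", ", ".join(clique))
```

On the constructed data the three millisecond-scale scanners form one clique and the two second-scale retry sources another, while the multi-minute backoff source matches nothing and is dropped. Raising the threshold to 0.95 splits the scanner clique, which is the kind of sensitivity the abstract's "supercliques" step is meant to compensate for: clusters that belong together by activity type but whose IAT mixes differ slightly fall into separate cliques at a strict threshold.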
Original language: English (US)
Title of host publication: Proceedings of the 5th Australian Digital Forensics Conference
Pages: 79-87
Number of pages: 9
State: Published - Dec 1 2007
Externally published: Yes
