YAAS - On the Attribution of Honeypot Data

One of the major issues in digital forensics and attack analysis is the attribution of an attack to a type of malicious adversary. This matters in particular for judging the relevance of an incident with respect to the threat it poses to a system. In this work, a holistic scheme is introduced that derives characteristics from honeypot data and maps them onto an attacker model. The scheme takes data provided by deception systems of any kind, derives characteristics that describe different attributes of an attacker, and uses them to categorise threats into one of nine attacker classes. The scheme has been evaluated with real-world honeypot data. As expected, most attacks are rather harmless, but a few outliers have been identified.

Keywords: Information Security, Network Security, Deception System, Honeypot, IT Forensics, Visualisation.
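The pipeline the abstract sketches (ingest deception-system data, derive attacker attributes, map them onto a class grid) is illustrated below with an added example. It is not the YAAS scheme or the paper's code, and it does not reproduce the paper's nine attacker classes, which the abstract does not define: the attribute names, the thresholds and the 3x3 skill-by-persistence grid are hypothetical. The input follows the JSON event fields written by the Cowrie SSH honeypot (eventid, timestamp, src_ip, session, username, password, input); the events themselves are constructed for the example.

```python
"""Attribute derivation and coarse attacker classification over honeypot events.

Added example, not the paper's scheme. Event layout follows Cowrie's JSON log
fields; the sample events are constructed. Attribute names, thresholds and the
hypothetical 3x3 class grid are assumptions made for illustration.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a credential-guessing bot that runs a fixed payload after
# login, and a slower operator who returns a day later from the same address.
SAMPLE_EVENTS = """
{"eventid":"cowrie.session.connect","timestamp":"2024-01-10T01:00:00.000Z","src_ip":"203.0.113.5","session":"a1"}
{"eventid":"cowrie.login.failed","timestamp":"2024-01-10T01:00:00.100Z","src_ip":"203.0.113.5","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2024-01-10T01:00:00.200Z","src_ip":"203.0.113.5","session":"a1","username":"root","password":"password"}
{"eventid":"cowrie.login.failed","timestamp":"2024-01-10T01:00:00.300Z","src_ip":"203.0.113.5","session":"a1","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","timestamp":"2024-01-10T01:00:00.400Z","src_ip":"203.0.113.5","session":"a1","username":"root","password":"root"}
{"eventid":"cowrie.command.input","timestamp":"2024-01-10T01:00:00.450Z","src_ip":"203.0.113.5","session":"a1","input":"cat /proc/cpuinfo | grep name | wc -l"}
{"eventid":"cowrie.command.input","timestamp":"2024-01-10T01:00:00.500Z","src_ip":"203.0.113.5","session":"a1","input":"uname -a"}
{"eventid":"cowrie.session.connect","timestamp":"2024-01-11T14:03:00.000Z","src_ip":"198.51.100.7","session":"b1"}
{"eventid":"cowrie.login.success","timestamp":"2024-01-11T14:03:04.000Z","src_ip":"198.51.100.7","session":"b1","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","timestamp":"2024-01-11T14:03:09.000Z","src_ip":"198.51.100.7","session":"b1","input":"w"}
{"eventid":"cowrie.command.input","timestamp":"2024-01-11T14:03:21.000Z","src_ip":"198.51.100.7","session":"b1","input":"ls -la /root"}
{"eventid":"cowrie.command.input","timestamp":"2024-01-11T14:03:40.000Z","src_ip":"198.51.100.7","session":"b1","input":"cat /etc/ssh/sshd_config"}
{"eventid":"cowrie.session.connect","timestamp":"2024-01-12T13:58:00.000Z","src_ip":"198.51.100.7","session":"b2"}
{"eventid":"cowrie.login.success","timestamp":"2024-01-12T13:58:03.000Z","src_ip":"198.51.100.7","session":"b2","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","timestamp":"2024-01-12T13:58:15.000Z","src_ip":"198.51.100.7","session":"b2","input":"crontab -l"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and attach a timezone-aware datetime."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
    return events


def derive_attributes(events):
    """Per source address, derive the attributes used for attribution.

    Returned keys (hypothetical names): sessions, active_days, failed_logins,
    distinct_credentials, commands, median_command_gap_s.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)

    attrs = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        logins = [e for e in evs if e["eventid"].startswith("cowrie.login.")]
        cmd_events = [e for e in evs if e["eventid"] == "cowrie.command.input"]
        # Gaps between consecutive commands within one session. Sub-second gaps
        # indicate a pasted or scripted payload rather than a person typing.
        gaps = [
            (b["ts"] - a["ts"]).total_seconds()
            for a, b in zip(cmd_events, cmd_events[1:])
            if a["session"] == b["session"]
        ]
        attrs[src] = {
            "sessions": len({e["session"] for e in evs}),
            "active_days": len({e["ts"].date() for e in evs}),
            "failed_logins": sum(1 for e in logins if e["eventid"] == "cowrie.login.failed"),
            "distinct_credentials": len({(e.get("username"), e.get("password")) for e in logins}),
            "commands": [e["input"] for e in cmd_events],
            # None when fewer than two commands share a session: no timing evidence.
            "median_command_gap_s": statistics.median(gaps) if gaps else None,
        }
    return attrs


def classify(a):
    """Map one source's attributes onto a hypothetical 3x3 grid (nine classes).

    Skill axis: scanner (never executed anything), scripted (sub-second command
    gaps), interactive (human-speed gaps, or too few commands to judge).
    Persistence axis: one-off, returning (2-3 active days), sustained (more).
    These axes and thresholds are assumptions, not the paper's.
    """
    if not a["commands"]:
        skill = "scanner"
    elif a["median_command_gap_s"] is not None and a["median_command_gap_s"] < 1.0:
        skill = "scripted"
    else:
        skill = "interactive"
    days = a["active_days"]
    persistence = "one-off" if days == 1 else "returning" if days <= 3 else "sustained"
    return f"{skill}/{persistence}"


def attribute_sources(text):
    """Full pipeline: events -> attributes -> class label per source address."""
    attrs = derive_attributes(parse_events(text))
    return {src: classify(a) for src, a in attrs.items()}


if __name__ == "__main__":
    for src, label in attribute_sources(SAMPLE_EVENTS).items():
        print(f"{src:15} {label}")
```

The point of the split into derive_attributes and classify is that the attributes (login rate, credential diversity, command timing, return visits) are the reusable, evidence-bearing part; the class grid is a policy layer that an analyst can swap for the real attacker model without touching the parsing. Anything that lands outside the scripted/one-off cell on a production honeypot is the outlier worth a closer look.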
