On the Comparison of Network Attack Datasets: An Empirical Analysis

Network malicious activity can be collected and reported by various sources using different attack detection solutions. The granularity of these solutions provides either very detailed information (intrusion detection systems, honeypots) or high-level trends (CAIDA, SANS). The problem for network security operators is often to select the sources of information that best help them protect their network. How much of the information from these sources is redundant and how much is unique? The goal of this paper is to show empirically that, while some global attack events can be correlated across various sensors, the majority of incoming malicious activity has local specificities. This study presents a comparative analysis of four different attack datasets offering three different levels of granularity: 1) two high-interaction honeynets deployed at two different locations (a corporate and an academic environment); 2) ATLAS, a distributed network telescope operated by Arbor; and 3) Internet Protect, a global alerting service from AT&T.
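The redundancy question the abstract poses can be made concrete by reducing each sensor's events to a correlation key (time bucket, source address, destination port) and counting, per sensor, how many keys other sensors also reported. The following Python is an added illustration, not code from the paper; the sensor names, the event tuples and the "seen by at least two sensors" definition of a global event are assumptions chosen for the example, and the event data is constructed rather than taken from any real sensor.

```python
"""Cross-sensor redundancy of attack events (added example, not the paper's code).

Each sensor reports events as (sensor, minute_offset, source_ip, destination_port).
An event is reduced to a correlation key (time bucket, source, port); a key reported
by at least `min_sensors` sensors counts as a global event, anything else is local
to the sensor that saw it.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample data (hypothetical, not from any real sensor): timestamps
# are minutes since the start of the observation window.
EVENTS = [
    # one source sweeping 445/tcp that every sensor sees within minutes
    ("honeynet_corp", 10, "198.51.100.7", 445),
    ("honeynet_corp", 15, "198.51.100.7", 445),   # repeat from the same source
    ("honeynet_acad", 12, "198.51.100.7", 445),
    ("telescope",     14, "198.51.100.7", 445),
    # a second source hitting 1433/tcp, reaching the telescope an hour later
    ("honeynet_corp", 70, "203.0.113.5", 1433),
    ("honeynet_acad", 75, "203.0.113.5", 1433),
    ("telescope",    130, "203.0.113.5", 1433),
    # activity specific to a single sensor
    ("honeynet_corp", 20, "192.0.2.10", 22),
    ("honeynet_corp", 30, "192.0.2.11", 80),
    ("honeynet_acad", 25, "192.0.2.20", 3306),
    ("telescope",     40, "192.0.2.30", 23),
    ("telescope",     41, "192.0.2.31", 23),
    ("telescope",     42, "192.0.2.32", 23),
]


def sensor_keys(events, bucket_width=60):
    """Map each sensor to the set of (bucket, src, dport) keys it reported."""
    keys = defaultdict(set)
    for sensor, ts, src, dport in events:
        keys[sensor].add((ts // bucket_width, src, dport))
    return dict(keys)


def classify(events, bucket_width=60, min_sensors=2):
    """Per sensor: how many of its keys were corroborated by other sensors."""
    keys = sensor_keys(events, bucket_width)
    seen_by = defaultdict(set)
    for sensor, ks in keys.items():
        for k in ks:
            seen_by[k].add(sensor)
    global_keys = {k for k, s in seen_by.items() if len(s) >= min_sensors}
    report = {}
    for sensor, ks in keys.items():
        shared = len(ks & global_keys)
        report[sensor] = {
            "total": len(ks),
            "global": shared,
            "local": len(ks) - shared,
            "local_fraction": (len(ks) - shared) / len(ks),
        }
    return report


def jaccard(a, b):
    """Set similarity: |a & b| / |a | b|, 0.0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def pairwise_overlap(events, bucket_width=60):
    """Jaccard similarity of the key sets for every pair of sensors."""
    keys = sensor_keys(events, bucket_width)
    return {
        (s1, s2): jaccard(keys[s1], keys[s2])
        for s1, s2 in combinations(sorted(keys), 2)
    }


if __name__ == "__main__":
    # Widening the bucket moves the delayed 1433/tcp hit on the telescope
    # into the same bucket as the honeynets, so the redundancy estimate
    # depends on the correlation window as much as on the data.
    for width in (60, 180):
        print(f"bucket width {width} min:")
        for sensor, r in classify(EVENTS, width).items():
            print(f"  {sensor:14} total={r['total']} global={r['global']} "
                  f"local={r['local']} local_fraction={r['local_fraction']:.2f}")
        for (s1, s2), j in pairwise_overlap(EVENTS, width).items():
            print(f"  overlap {s1}/{s2}: {j:.2f}")
```

The caveat worth keeping in mind when reading numbers like these is visible in the two runs: with a 60-minute window the delayed 1433/tcp hit looks like a telescope-only event, with a 180-minute window it becomes a global one, so any claim about what fraction of a sensor's activity is "local" has to state the correlation key and window it was computed with.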
