Internet attack knowledge discovery via clusters and cliques of attack traces

There is an increasing awareness of the growing influence of organized entities involved in today's Internet attacks. However, there is no easy way to discriminate between the observed malicious activities of, for example, script kiddies and professional organizations. For more than two years, the Leurre.com project has collected data on a worldwide scale that is amenable to such analysis. Previous publications have highlighted the usefulness of so-called attack clusters in providing insight into the different tools used to attack Internet sites. In this paper, we introduce a new notion, namely cliques of clusters, as an automated knowledge discovery method. Cliques provide analysts with refined information about how, and potentially by whom, attack tools are used. We give examples of the kind of information they can provide. We also address the limitations of the approach by showing that some interesting attack characteristics, namely the Inter Arrival Times (IATs) of packets in the attack flows, are only partially taken into account by this approach.
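To make the notion of a clique of clusters concrete, here is an added illustration written for this page; it is not code from the paper or from the Leurre.com project. The abstract does not say how clusters are linked, so the linking criterion below is an assumption: two attack clusters are joined by an edge when they were observed from at least a threshold number of common attacking sources, and maximal cliques of that graph are then enumerated with the Bron-Kerbosch algorithm. The cluster labels and source tokens are constructed sample data.

```python
"""Maximal cliques over a graph of attack clusters (added example).

Assumptions not stated in the paper's abstract:
  * each attack cluster is identified by a label (e.g. "C1");
  * each cluster is associated with the set of attacking sources that
    were observed using it (anonymised tokens here);
  * two clusters are adjacent when they share >= MIN_SHARED sources.
All data below is constructed for illustration.
"""
from typing import Dict, FrozenSet, Iterable, Iterator, List, Set

# Constructed sample: cluster label -> set of attacking sources seen in it
CLUSTERS: Dict[str, Set[str]] = {
    "C1": {"s1", "s2", "s3", "s4"},
    "C2": {"s1", "s2", "s3", "s9"},
    "C3": {"s2", "s3", "s4", "s7"},
    "C4": {"s8", "s9", "s10"},
    "C5": {"s8", "s9", "s11"},
    "C6": {"s12"},  # isolated cluster, no shared sources with the others
}


def build_graph(clusters: Dict[str, Set[str]], min_shared: int = 2) -> Dict[str, Set[str]]:
    """Undirected graph: an edge links two clusters sharing >= min_shared sources."""
    labels = sorted(clusters)
    adj: Dict[str, Set[str]] = {label: set() for label in labels}
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if len(clusters[a] & clusters[b]) >= min_shared:
                adj[a].add(b)
                adj[b].add(a)
    return adj


def bron_kerbosch(adj: Dict[str, Set[str]]) -> Iterator[FrozenSet[str]]:
    """Yield every maximal clique of the graph (Bron-Kerbosch with pivoting)."""

    def expand(r: Set[str], p: Set[str], x: Set[str]) -> Iterator[FrozenSet[str]]:
        if not p and not x:
            yield frozenset(r)
            return
        # Pivot on the vertex with most neighbours in P to prune the search.
        pivot = max(p | x, key=lambda v: len(adj[v] & p))
        for v in list(p - adj[pivot]):
            yield from expand(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}

    yield from expand(set(), set(adj), set())


def cliques_of_clusters(clusters: Dict[str, Set[str]], min_shared: int = 2,
                        min_size: int = 2) -> List[List[str]]:
    """Return maximal cliques with at least min_size clusters, as sorted label lists."""
    adj = build_graph(clusters, min_shared)
    found = [c for c in bron_kerbosch(adj) if len(c) >= min_size]
    return sorted(sorted(c) for c in found)


def shared_sources(clusters: Dict[str, Set[str]], clique: Iterable[str]) -> Set[str]:
    """Sources common to every cluster of a clique: the 'by whom' hint an analyst inspects."""
    members = list(clique)
    common = set(clusters[members[0]])
    for label in members[1:]:
        common &= clusters[label]
    return common


if __name__ == "__main__":
    for clique in cliques_of_clusters(CLUSTERS):
        print(clique, "common sources:", sorted(shared_sources(CLUSTERS, clique)))
```

Raising the `min_shared` threshold breaks the larger clique apart into pairs, which is the kind of sensitivity an analyst should check before reading organisational meaning into a clique: the grouping is only as solid as the linking criterion behind it.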
