Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making

In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of effectively attributing new attack events to (un)known phenomena, based on evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often widely distributed across the Internet and can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, an analyst must consider many different attack features (or criteria) in order to decide on the plausible root cause of a given attack, or to attribute it to a given phenomenon. In this paper, we introduce a global analysis method to address this problem in a systematic way. Our approach is based on a novel combination of a knowledge discovery technique with a fuzzy inference system, which mimics the reasoning of an expert by implementing a multi-criteria decision-making process built on top of the previously extracted knowledge. By applying this method to attack traces, we are able to identify large-scale attack phenomena with a high degree of confidence. In most cases, the observed phenomena can be attributed to so-called zombie armies, or botnets, i.e. groups of compromised machines controlled remotely by the same entity. By means of experiments with real-world attack traces, we show how this method can effectively help us to perform a behavioral analysis of those zombie armies from a long-term, strategic viewpoint.
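As an added illustration of the multi-criteria attribution idea (this is example code written for this page, not the paper's own implementation), the script below scores a new attack event against known phenomena on two criteria, the similarity of source-country distributions and the overlap of targeted ports, and fuses the criteria with an ordered weighted averaging operator before deciding whether the event is attributed or left as unknown. The sample events, the two criteria, the weights and the threshold are all assumptions made for the example; the paper's actual feature set and inference rules are not reproduced here.

```python
import math

# Constructed sample data: two already-characterised phenomena and one new event.
# The features (source-country distribution, targeted port set), weights and
# threshold are illustrative assumptions, not the paper's feature set or rules.
KNOWN_PHENOMENA = {
    "phenomenon_A": {"geo": {"CN": 0.6, "US": 0.3, "DE": 0.1}, "ports": {445, 139}},
    "phenomenon_B": {"geo": {"BR": 0.5, "RU": 0.4, "IN": 0.1}, "ports": {22, 23}},
}
NEW_EVENT = {"geo": {"CN": 0.55, "US": 0.35, "KR": 0.1}, "ports": {445, 139, 135}}


def js_similarity(p, q):
    """1 minus the Jensen-Shannon divergence (base 2): 1.0 = identical distributions."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}

    def kl(a):  # KL divergence of a from the mixture m, skipping zero-mass keys
        return sum(a[k] * math.log2(a[k] / m[k]) for k in keys if a.get(k, 0.0) > 0)

    return 1.0 - 0.5 * (kl(p) + kl(q))


def jaccard(a, b):
    """Set overlap of targeted ports; two empty sets count as fully similar."""
    return len(a & b) / len(a | b) if a | b else 1.0


def owa(scores, weights):
    """Ordered weighted averaging: weights apply to the scores sorted descending."""
    ordered = sorted(scores, reverse=True)
    return sum(w * s for w, s in zip(weights, ordered))


def attribute(event, known, weights=(0.4, 0.6), threshold=0.6):
    """Return (phenomenon, score); phenomenon is None when no candidate is plausible."""
    best, best_score = None, 0.0
    for name, ref in known.items():
        criteria = [js_similarity(event["geo"], ref["geo"]),
                    jaccard(event["ports"], ref["ports"])]
        score = owa(criteria, weights)  # weights favour the weaker criterion here
        if score > best_score:
            best, best_score = name, score
    return (best, best_score) if best_score >= threshold else (None, best_score)


if __name__ == "__main__":
    print(attribute(NEW_EVENT, KNOWN_PHENOMENA))  # attributed to phenomenon_A
```

Raising the threshold or shifting OWA weight towards the lowest-ranked criterion makes the decision more conservative, so the same event is returned as unknown rather than forced onto the nearest known phenomenon.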
