A Statistical Analysis of Attack Data to Separate Attacks

Cukier, Michel; Berthier, Robin; Panjwani, S.; Tan, Swee Chuan

doi:10.1109/dsn.2006.9

Cited by 24 publications

(16 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many studies related to security analysis have been conducted by means of honeypots [1], [2] or well-known public labeled datasets and simulated intrusions [16], [18], [20], [21].…”

Section: Adopted Datasetsmentioning

confidence: 99%

“…The analysis of the security alerts generated by the monitors at node-and network -level provides a goldmine of information to detect attacks and to pinpoint potential system misuse [1], [2], [3], [4]. However, comprehensive system monitoring, which guarantees high coverage at detecting suspicious system activities, causes the generation of large volumes of alerts and false positives [5], [6], [3].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Automated root cause identification of security alerts: Evaluation in a SaaS Cloud

Cotroneo

Paudice²,

Pecchia

2016

Future Generation Computer Systems

View full text Add to dashboard Cite

“…Many studies related to security analysis have been conducted by means of honeypots [1], [2] or well-known public labeled datasets and simulated intrusions [16], [18], [20], [21].…”

Section: Adopted Datasetsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Automated root cause identification of security alerts: Evaluation in a SaaS Cloud

Cotroneo

Paudice²,

Pecchia

2016

Future Generation Computer Systems

View full text Add to dashboard Cite

“…In [7] data collected by two high-interaction honeypots were used to analyze malicious attacks to port 445. That work was focused on distinguishing among three types of attacks using the Kmeans clustering algorithm.…”

Section: Related Workmentioning

confidence: 99%

Classification of Malicious Web Sessions

Goševa-Popstojanova

Anastasovski

Pantev

2012

2012 21st International Conference on Computer Communications and Networks (ICCCN)

View full text Add to dashboard Cite

The ever increasing number of vulnerabilities and reported attacks on Web systems clearly illustrate the need for better understanding of malicious cyber activities, which will allow better protection, detection, and service recovery in the cyberspace. In this paper we use three supervised machine learning methods, Support Vector Machines (SVM), and decision trees based J48 and PART, to classify attacker activities aimed at Web systems. The empirical analysis is based on four datasets, each in duration of four to five months, collected by high-interaction honeypots. Malicious Web sessions are characterized with forty three different features (i.e., session attributes) extracted from Web server logs. Our results show that the supervised learning methods can be used to efficiently distinguish attack sessions from vulnerability scan sessions, with very high probability of detection and very low probability of false alarms. Furthermore, we follow the principle of Occam's razor, that is, we seek for the simplest possible model that can successfully classify malicious Web sessions. Our results show that attacks differ from vulnerability scans only in a small number of features (i.e., session attributes). In particular, depending on the data set, classification of malicious activities can be performed using from four to six features without significantly affecting learners' performance compared to when all 43 features are used. Decision tree based methods J48 and PART perform better than SVM across all datasets.

show abstract

“…In [20] the data control and data capture is much more distributed. Findings and analysis of the results derived from the honeynet deployment have been detailed in a few papers by Cukier and his team, including: [20] in which it was observed that (using their definitions of port scan, vulnerability scan and attack) port scans should not be considered as precursors to attacks; [21] in which the authors provide empirical and statistical analysis of classifying attacks directed to Windows port 445 (which Short Message Block (SMB) protocol uses), concluding that a criterion as simple as the total number of bytes per connection is very good for separating different attacks on this port, whereas number of packets per connection and connection duration are not so good; or [22] in which the authors analyzed the attacker behavior that follows a successful compromise on Secure Shell (SSH) protocol.…”

Section: Related Workmentioning

confidence: 99%

Comparison of Empirical Data from Two Honeynets and a Distributed Honeypot Network

Bloomfield

Gashi

Povyakalo

et al. 2008

2008 19th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

This is the unspecified version of the paper.This version of the publication may differ from the final published version. Permanent repository link AbstractIn this paper we present empirical results and speculative analysis based on observations collected over a two month period from studies with two highinteraction honeynets, deployed in a corporate and an SME (Small to Medium Enterprise) environment, and a distributed honeypots deployment. All three networks contain a mixture of Windows and Linux hosts. We detail the architecture of the deployment and results of comparing the observations from the three environments. We analyze in detail the times between attacks on different hosts, operating systems, networks or geographical location. Even though results from honeynet deployments are reported often in the literature, this paper provides novel results analyzing traffic from three different types of networks and some initial exploratory models. This research aims to contribute to endeavours in the wider security research community to build methods, grounded on strong empirical work, for assessment of the robustness of computer-based systems in hostile environments.

show abstract

A Statistical Analysis of Attack Data to Separate Attacks

Cited by 24 publications

References 2 publications

Automated root cause identification of security alerts: Evaluation in a SaaS Cloud

Automated root cause identification of security alerts: Evaluation in a SaaS Cloud

Classification of Malicious Web Sessions

Comparison of Empirical Data from Two Honeynets and a Distributed Honeypot Network

Contact Info

Product

Resources

About