An evaluation of connection characteristics for separating network attacks

Cited by: 14
Authors
Berthier, Robin [1 ]
Cukier, Michel [1 ]
Affiliation
[1] Center for Risk and Reliability, Department of Mechanical Engineering, University of Maryland, College Park
Keywords
Attack characteristics; Data mining; Honeypot; Statistical analysis;
DOI
10.1504/IJSN.2009.023430
Abstract
The goal of this paper is to evaluate how efficiently connection characteristics separate different attack families that target a single TCP port. Identifying the most relevant characteristics might allow attack families to be separated statistically without systematically resorting to forensics. This study is based on a dataset collected over 117 days using a test-bed of two high-interaction honeypots. The results indicated that, to separate unsuccessful from successful attacks in malicious traffic:
• the number of bytes is a relevant characteristic;
• time-based characteristics are poor characteristics;
• using combinations of characteristics does not improve the efficiency of separating attacks.
Copyright © 2009, Inderscience Publishers.
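Added example, not code from the paper: a small Python script that scores each connection characteristic by the best single-threshold split it yields between successful and unsuccessful attacks on one port, which is the kind of statistical separation the abstract refers to. The connection records are constructed for illustration (honeypot flow records would be substituted), the labels stand in for the forensic ground truth the study relies on, and the field and function names are assumptions.

```python
"""Score connection characteristics by how well a single threshold separates
successful from unsuccessful attacks against one TCP port.

Added example; not code from the paper. The records below are constructed
for illustration, not honeypot data, and the labels play the role of the
forensic ground truth that a statistical separator is meant to replace.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Connection:
    src: str            # attacking host (constructed address)
    bytes_total: int    # bytes exchanged over the whole TCP connection
    duration_s: float   # seconds from SYN to teardown
    successful: bool    # label from forensic review (assumed available)


# Constructed sample: successful attacks push a payload (more bytes) while
# connection durations overlap heavily between the two classes.
SAMPLE: List[Connection] = [
    Connection("10.0.0.1", 210, 0.4, False),
    Connection("10.0.0.2", 380, 12.1, False),
    Connection("10.0.0.3", 150, 1.9, False),
    Connection("10.0.0.4", 920, 30.2, False),
    Connection("10.0.0.5", 600, 0.8, False),
    Connection("10.0.0.6", 5400, 2.1, True),
    Connection("10.0.0.7", 7100, 0.6, True),
    Connection("10.0.0.8", 6200, 25.0, True),
    Connection("10.0.0.9", 4800, 9.7, True),
    Connection("10.0.0.10", 8300, 1.2, True),
]


def best_threshold(values: Sequence[float], labels: Sequence[bool]) -> Tuple[float, float]:
    """Return (threshold, accuracy) for the best rule of the form
    'value > threshold => successful' or its inverse.

    Thresholds are tried below all values, at every midpoint between
    consecutive distinct values, and above all values, so every possible
    one-dimensional split of the sample is scored.
    """
    n = len(values)
    distinct = sorted(set(values))
    midpoints = [(a + b) / 2 for a, b in zip(distinct, distinct[1:])]
    thresholds = [distinct[0] - 1] + midpoints + [distinct[-1] + 1]
    best = (thresholds[0], 0.0)
    for t in thresholds:
        correct_above = sum((v > t) == lab for v, lab in zip(values, labels))
        # The inverted rule ('value > t => unsuccessful') gets the rest right.
        accuracy = max(correct_above, n - correct_above) / n
        if accuracy > best[1]:
            best = (t, accuracy)
    return best


def evaluate_features(conns: Sequence[Connection]) -> Dict[str, Tuple[float, float]]:
    """Score each connection characteristic on the labelled sample."""
    labels = [c.successful for c in conns]
    return {
        "bytes": best_threshold([c.bytes_total for c in conns], labels),
        "duration": best_threshold([c.duration_s for c in conns], labels),
    }


def rank_features(conns: Sequence[Connection]) -> List[str]:
    """Characteristics ordered from best to worst separator."""
    scores = evaluate_features(conns)
    return sorted(scores, key=lambda name: scores[name][1], reverse=True)


if __name__ == "__main__":
    for name, (threshold, accuracy) in evaluate_features(SAMPLE).items():
        print(f"{name:8s} threshold={threshold:<8g} accuracy={accuracy:.2f}")
    print("ranking:", rank_features(SAMPLE))
```

On the constructed sample the byte count splits the two classes perfectly while no single duration threshold does much better than chance, mirroring the first two findings above; on real honeypot data the accuracy column is the number to compare across characteristics, and the same scoring can be applied to a rule that combines two thresholds to check whether the combination adds anything.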
Pages: 110-124
Page count: 14