Knowledge Discovery from Honeypot Data for Monitoring Malicious Attacks

Authors:
Huidong Jin;Olivier Vel;Ke Zhang;Nianjun Liu
Affiliations:
NICTA Canberra Lab, Locked Bag 8001, Canberra ACT, Australia 2601 and RSISE, the Australian National University, Canberra ACT, Australia 0200;Command, Control, Communications and Intelligence Division, DSTO, Edinburgh, Australia SA 5111;NICTA Canberra Lab, Locked Bag 8001, Canberra ACT, Australia 2601 and RSISE, the Australian National University, Canberra ACT, Australia 0200;NICTA Canberra Lab, Locked Bag 8001, Canberra ACT, Australia 2601 and RSISE, the Australian National University, Canberra ACT, Australia 0200
Venue:
AI '08 Proceedings of the 21st Australasian Joint Conference on Artificial Intelligence: Advances in Artificial Intelligence
Year:
2008

Citing 8
Cited 0

OPTICS: ordering points to identify the clustering structure

SIGMOD '99 Proceedings of the 1999 ACM SIGMOD international conference on Management of data
LOF: identifying density-based local outliers

SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
Efficient algorithms for mining outliers from large data sets

SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
Data Mining: Concepts and Techniques

Data Mining: Concepts and Techniques
Scalable Model-Based Clustering for Large Databases Based on Data Summarization

IEEE Transactions on Pattern Analysis and Machine Intelligence
Data mining approaches for intrusion detection

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Peer-to-peer botnets: overview and case study

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Virtual honeypots: from botnet tracking to intrusion detection

Virtual honeypots: from botnet tracking to intrusion detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Owing to the spread of worms and botnets, cyber attacks have significantly increased in volume, coordination and sophistication. Cheap rentable botnet services, e.g., have resulted in sophisticated botnets becoming an effective and popular tool for committing online crime these days. Honeypots, as information system traps, are monitoring or deflecting malicious attacks on the Internet. To understand the attack patterns generated by botnets by virtue of the analysis of the data collected by honeypots, we propose an approach that integrates a clustering structure visualisation technique with outlier detection techniques. These techniques complement each other and provide end users both a big-picture view and actionable knowledge of high-dimensional data. We introduce KNOF (K-nearest Neighbours Outlier Factor) as the outlier definition technique to reach a trade-off between global and local outlier definitions, i.e., K th -Nearest Neighbour (KNN) and Local Outlier Factor (LOF) respectively. We propose an algorithm to discover the most significant KNOF outliers. We implement these techniques in our hpdAnalyzer tool. The tool is successfully used to comprehend honeypot data. A series of experiments show that our proposed KNOF technique substantially outperforms LOF and, to a lesser degree, KNN for real-world honeypot data.