An evaluation of connection characteristics for separating network attacks

Authors:
Robin Berthier;Michel Cukier
Affiliations:
Center for Risk and Reliability, Department of Mechanical Engineering, University of Maryland, MD 20742, USA.;Center for Risk and Reliability, Department of Mechanical Engineering, University of Maryland, MD 20742, USA
Venue:
International Journal of Security and Networks
Year:
2009

Citing 12
Cited 4

Data mining: practical machine learning tools and techniques with Java implementations

Data mining: practical machine learning tools and techniques with Java implementations
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
An empirical analysis of NATE: Network Analysis of Anomalous Traffic Events

Proceedings of the 2002 workshop on New security paradigms
An Analysis of the Slapper Worm

IEEE Security and Privacy
Implementing CIFS: The Common Internet File System

Implementing CIFS: The Common Internet File System
Honeycomb: creating intrusion detection signatures using honeypots

ACM SIGCOMM Computer Communication Review
J-Honeypot: A Java-Based Network Deception Tool with Monitoring and Intrusion Detection

ITCC '04 Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04) Volume 2 - Volume 2
An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
A Clustering Approach to Wireless Network Intrusion Detection

ICTAI '05 Proceedings of the 17th IEEE International Conference on Tools with Artificial Intelligence
Labelling Clusters in an Intrusion Detection System Using a Combination of Clustering Evaluation Techniques

HICSS '06 Proceedings of the 39th Annual Hawaii International Conference on System Sciences - Volume 06
HonIDS: Enhancing Honeypot System with Intrusion Detection Models

IWIA '06 Proceedings of the Fourth IEEE International Workshop on Information Assurance
A new unsupervised anomaly detection framework for detecting network attacks in real-time

CANS'05 Proceedings of the 4th international conference on Cryptology and Network Security

Wireless telemedicine and m-health: technologies, applications and research issues

International Journal of Sensor Networks
DarkNOC: dashboard for honeypot management

LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
A survey of security visualization for computer network logs

Security and Communication Networks
A survey of cyber crimes

Security and Communication Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

The goal of this paper is to evaluate the efficiency of connection characteristics to separate different attack families that target a single TCP port. Identifying the most relevant characteristics might allow statistically separating attack families without systematically using forensics. This study is based on a dataset collected over 117 days using a test-bed of two high interaction honeypots. The results indicated that to separate unsuccessful from successful attacks in malicious traffic: the number of bytes is a relevant characteristic; time-based characteristics are poor characteristics; using combinations of characteristics does not improve the efficiency of separating attacks.