In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of attributing new attack events to known or unknown phenomena, based on evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often widely distributed across the Internet and can sometimes evolve quite rapidly, which makes them inherently complex and therefore difficult to analyze. In general, an analyst must weigh many different attack features (or criteria) before deciding on the plausible root cause of a given attack, or attributing it to a given phenomenon. In this paper, we introduce a global analysis method that addresses this problem in a systematic way. Our approach is based on a novel combination of a knowledge discovery technique with a fuzzy inference system, which mimics the reasoning of an expert by implementing a multi-criteria decision-making process built on top of the previously extracted knowledge. By applying this method to attack traces, we are able to identify large-scale attack phenomena with a high degree of confidence. In most cases, the observed phenomena can be attributed to so-called zombie armies, or botnets: groups of compromised machines controlled remotely by the same entity. Through experiments with real-world attack traces, we show how this method can effectively support a behavioral analysis of those zombie armies from a long-term, strategic viewpoint.