Internet security is a major issue nowadays. Several research initiatives have
been carried out to understand the Internet security threats. Recently, a domain
has emerged called attack attribution that aims at studying the modus operandi of
the attacks and at identifying the characteristics of the groups responsible for the
observed attacks. The work presented in this thesis participates to the efforts in this
area.We show in this work that, starting from network traces collected over two years
on a distributed system of low interaction honeypots, one can extract meaningful and
useful knowledge about the attackers. To reach this goal, the thesis makes several
important contributions. First of all, we show that attack traces can be automatically
grouped into three distinct classes, corresponding to different attack phenomena.We
have defined, implemented and validated algorithms to automatically group large
amount of traces per category. Secondly, we show that, for two of these classes, so
called micro and macro attack events can be identified that span a limited amount
of time. These attack events represent a key element to help identifying specific
activities that would, otherwise, be lost in the so called attack background radiation
noise. Here too, a new framework has been defined, implemented and validated
over 2 years of traces. Hundreds of significant attack events have been found in our
traces. Last but not least, we showed that, by grouping attack events together, it
was possible to highlight the modus operandi of the organizations responsible for
the attacks. The experimental validation of our approach led to the identification of
dozens of so called zombie armies. Their main characteristics are presented in the
thesis and they reveal new insights on the dynamics of the attacks carried out over
the Internet.
