In this paper, we present a new attack attribution method that has been developed within the WOMBAT project. We illustrate the method with some real-world results obtained when applying it to almost two years of attack traces collected by low interaction honeypots. This analytical method aims at identifying large scale attack phenomena composed of IP sources that are linked to the same root cause. All malicious sources involved in a same phenomenon constitute what we call a Misbehaving Cloud (MC). The paper offers an overview of the various steps the method goes through to identify these clouds, providing pointers to external references for more detailed information. Four instances of misbehaving clouds are then described in some more depth to demonstrate the meaningfulness of the concept.
The WOMBAT attack attribution method : Some results
Lecture Notes in Computer Science, Volume 5905/2009, ISSN : 0302-9743
© Springer. Personal use of this material is permitted. The definitive version of this paper was published in Lecture Notes in Computer Science, Volume 5905/2009, ISSN : 0302-9743 and is available at : http://dx.doi.org/10.1007/978-3-642-10772-6_3
PERMALINK : https://www.eurecom.fr/publication/2968