Distributed system of honeypot sensors : discrimination and correlative analysis of attack processes

Pouget, Fabien
Thesis

Security systems cannot be designed efficiently without both a good preliminary understanding of the malicious activities that occur in the wild and a good comprehension of attack processes. Unfortunately, this knowledge is either unavailable or remains anecdotal and often biased. The goal of this thesis is primarily to make progress in understanding the malicious activities that occur and to provide a methodology that helps acquire this knowledge. The first step is to obtain a valuable dataset. To address this problem, we have deployed a worldwide distributed network of sensors, also called honeypots. Honeypots are machines that are not publicly advertised; they have contributed to capturing a huge amount of suspicious data over several months. In the scope of this thesis, we propose a framework, called HoRaSis (for Honeypot Traffic Analysis), which aims at automatically extracting meaningful information from this dataset. It consists of two major stages: i) the discrimination and ii) the correlative analysis of the collected traffic. More precisely, we first discriminate the collected activities according to the fingerprints they leave on each sensor. This stage must also account for the potential disturbances introduced by the network. The proposed solution relies on dedicated clustering and classification techniques. We then identify all fingerprints that share strong common characteristics. This task is performed with a graph-theory approach, in particular the search for maximal weighted cliques within graphs. Different characteristics derived from our preliminary experiments have been considered. Several cases exemplify the value of combining these two stages. Thanks to the proposed HoRaSis framework, we show that a rigorous and methodical analysis of honeypot traffic clearly helps to obtain a better understanding of malicious activities.
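As an added illustration of the two-stage idea described in the abstract (this is not code from the thesis or the HoRaSis framework), the Python below groups constructed honeypot observations into fingerprints by the port sequence left on a sensor, weights each pair of fingerprints by the sensors and attacking sources they share, and then enumerates maximal cliques to return the one with the greatest total edge weight. The clustering key, the two shared characteristics and the sample records are assumptions chosen for the example.

```python
from itertools import combinations

# Constructed sample records (sensor, source address, port sequence);
# not data from the thesis. Sequences are the "fingerprint" left on a sensor.
OBSERVATIONS = [
    ("sensor-A", "10.0.0.1", (135, 139, 445)),
    ("sensor-A", "10.0.0.2", (135, 139, 445)),
    ("sensor-B", "10.0.0.1", (135, 139, 445)),
    ("sensor-A", "10.0.0.2", (1433,)),
    ("sensor-B", "10.0.0.3", (1433,)),
    ("sensor-C", "10.0.0.3", (1433,)),
    ("sensor-C", "10.0.0.1", (80,)),
    ("sensor-C", "10.0.0.4", (80,)),
    ("sensor-D", "10.0.0.4", (22,)),
]

def discriminate(observations):
    """Stage 1 (simplified): cluster observations by exact port sequence,
    recording which sensors and which sources produced each fingerprint."""
    clusters = {}
    for sensor, src, ports in observations:
        entry = clusters.setdefault(ports, {"sensors": set(), "sources": set()})
        entry["sensors"].add(sensor)
        entry["sources"].add(src)
    return clusters

def build_graph(clusters):
    """Stage 2a: edge weight = number of sensors plus sources two fingerprints share."""
    edges = {}
    for a, b in combinations(clusters, 2):
        w = len(clusters[a]["sensors"] & clusters[b]["sensors"]) \
            + len(clusters[a]["sources"] & clusters[b]["sources"])
        if w > 0:
            edges[frozenset((a, b))] = w
    return edges

def maximal_cliques(nodes, edges):
    """Bron-Kerbosch enumeration of all maximal cliques (no pivoting)."""
    adj = {n: set() for n in nodes}
    for a, b in map(tuple, edges):
        adj[a].add(b); adj[b].add(a)
    out = []
    def bk(r, p, x):
        if not p and not x:
            out.append(r); return
        for v in list(p):
            bk(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}; x = x | {v}
    bk(frozenset(), set(nodes), set())
    return out

def heaviest_clique(observations):
    """Stage 2b: the maximal clique whose summed edge weights are largest."""
    clusters = discriminate(observations)
    edges = build_graph(clusters)
    weight = lambda c: sum(edges.get(frozenset(p), 0) for p in combinations(c, 2))
    best = max(maximal_cliques(clusters, edges), key=weight)
    return best, weight(best)
```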


Type:
Thesis
Date:
2006-01-23
Department:
Digital Security
Eurecom Ref:
1860
Copyright:
© TELECOM ParisTech. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at:

PERMALINK: https://www.eurecom.fr/publication/1860