Internet attack knowledge discovery via clusters and cliques of attack traces

There is an increasing awareness of the growing influence of organized entities involved in today's Internet attacks. However, there is no easy way to discriminate between the observed malicious activities of script kiddies and professional organizations, for example. For more than two years, the Leurré.com project has collected data on a worldwide scale amenable to such analysis. Previous publications have highlighted the usefulness of so called attack clusters to provide some insight into the different tools used to attack Internet sites. In this paper, we introduce a new notion, namely cliques of clusters, as an automated knowledge discovery method. Cliques provide analysts with some refined information about how, and potentially by whom, attack tools are used. We provide some examples of the kind of information that they can provide. We also address the limitations of the approach by showing that some interesting attack characteristics, namely Inter Arrival Times (IATs) of packets in the attack flows, are only partially taken into account by this approach.