A multicriteria clustering approach to support attack attribution in cyberspace

The main contribution of this thesis consists in developing an analytical method to systematically address the complex problem of attack attribution in cyberspace. Our approach is based on a novel combination of a graph-based clustering technique with a data aggregation method inspired by multi-criteria decision analysis (MCDA). More specifically, we show that it is possible to analyze large-scale attack phenomena from different viewpoints, revealing meaningful patterns with respect to various attack features. Secondly, we show how to systematically combine all those viewpoints such that the behavioral properties of attack phenomena are appropriately modeled in the aggregation process.

Consequently, our global threat analysis method can attribute apparently different security events to a common root cause or phenomenon, based on the combination of all available evidence. Perhaps more importantly, our attack attribution technique can also emphasize the modus operandi of the attackers. This can help an analyst to get insights into how cybercriminals operate in the real-world, but also which strategies they are using.

Finally, an experimental validation on two completely different data sets (i.e., honeypot traces and rogue antivirus websites) demonstrates the applicability and the effectiveness of our attack attribution method.