Many security experts have recently acknowledged the fact that the cyber-crime scene becomes increasingly organized and more consolidated. Even though there are some plausible indicators about the origins, causes, and consequences of these new malicious activities observed in the Internet, very few claims can be backed up by scientific evidence. In particular, many questions remain regarding the attribution of the attacks and the organization of cybercrime. The main reason is that no global threat analysis framework exists to rigorously investigate emerging attacks using different attack features or different viewpoints.
A multicriteria clustering approach to support attack attribution in cyberspace
The main contribution of this thesis consists in developing an analytical method to systematically address the complex problem of attack attribution in cyberspace. Our approach is based on a novel combination of a graph-based clustering technique with a data aggregation method inspired by multi-criteria decision analysis (MCDA). More specifically, we show that it is possible to analyze large-scale attack phenomena from different viewpoints, revealing meaningful patterns with respect to various attack features. Secondly, we show how to systematically combine all those viewpoints such that the behavioral properties of attack phenomena are appropriately modeled in the aggregation process.
Consequently, our global threat analysis method can attribute apparently different security events to a common root cause or phenomenon, based on the combination of all available evidence. Perhaps more importantly, our attack attribution technique can also emphasize the modus operandi of the attackers. This can help an analyst to get insights into how cybercriminals operate in the real-world, but also which strategies they are using.
Finally, an experimental validation on two completely different data sets (i.e., honeypot traces and rogue antivirus websites) demonstrates the applicability and the effectiveness of our attack attribution method.
© TELECOM ParisTech. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at :
PERMALINK : https://www.eurecom.fr/publication/3054