Attack Patterns Discovery by Frequent Episodes Mining from Honeypot Systems

  • Ming-Yang Su
  • Kai-Chi Chang
  • Chun-Yuen Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5576)


The type of Probe/Exploit (hacking) intrusion can be regarded as a series of relevant actions that are occurred in some sequence. In frequent episodes mining, data is viewed as a sequence of events, where each event has an associated time of occurrence. So the mining technique has significant effect on discovering sophisticated Probe/Exploit intrusion attacks. Prior to deadly attacks to the victim computers, hackers must gather information about the victims and transfer instructions or files to the victims. The proposed method can be used to discover such abnormal episodes from the log files of honeypot systems. The proposed method can be applied to discover known or unknown attack episodes for any network services. In this paper, we focus on discovering attack episodes for SMB (Server Message Block) protocol, which is the most important one for Microsoft’s Windows Network. In the experiment, we successfully mined out a sophisticated intrusion episode. The proposed method can easily be modified to protect other network services.


Frequent Episodes Mining Honeypot systems Network Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    KeyFocus Ltd., KFSensor - Advanced Windows Honeypot System,
  2. 2.
    Mannila, H., Toivonen, H., Verkamo, A.I.: Discovery of Frequent Episodes in Event Sequences. Data Mining and Knowledge Discovery 1, 259–289 (1997)CrossRefGoogle Scholar
  3. 3.
    Hwang, K., Cai, M., Chen, Y., Qin, M.: Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes. IEEE Transactions on Dependable and Secure Computing 4(1), 41–55 (2007)CrossRefGoogle Scholar
  4. 4.
    Lee, W., Stolfo, S.J., Mok, K.W.: Adaptive Intrusion Detection: A Data Mining Approach. Artificial Intelligence Review 14(6), 533–567 (2000)CrossRefzbMATHGoogle Scholar
  5. 5.
    Luo, J., Bridges, S.M.: Mining Fuzzy Association Rules and Fuzzy Frequent Episodes for Intrusion Detection. International Journal of Intelligent Systems 15(8), 687–703 (2000)CrossRefzbMATHGoogle Scholar
  6. 6.
    Luo, J., Bridges, S.M., Vaughn Jr., R.B.: Fuzzy Frequent Episodes for Real-Time Intrusion Detection. In: Proceedings of the IEEE International Conference on Fuzzy Systems, vol. 1, pp. 368–371 (2001)Google Scholar
  7. 7.
    Qin, M., Hwang, K.: Frequent Episode Rules for Internet Anomaly Detection. In: Proceedings of the IEEE International Symposium on Network Computing and Applications, pp. 161–168 (2004)Google Scholar
  8. 8.
  9. 9.
  10. 10.
  11. 11.

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Ming-Yang Su
    • 1
  • Kai-Chi Chang
    • 1
  • Chun-Yuen Lin
    • 1
  1. 1.Department of Computer Science and Information EngineeringMing Chuan University, Taoyuan, TaiwanTaoyuanTaiwan

Personalised recommendations