Attack Patterns Discovery by Frequent Episodes Mining from Honeypot Systems
The type of Probe/Exploit (hacking) intrusion can be regarded as a series of relevant actions that are occurred in some sequence. In frequent episodes mining, data is viewed as a sequence of events, where each event has an associated time of occurrence. So the mining technique has significant effect on discovering sophisticated Probe/Exploit intrusion attacks. Prior to deadly attacks to the victim computers, hackers must gather information about the victims and transfer instructions or files to the victims. The proposed method can be used to discover such abnormal episodes from the log files of honeypot systems. The proposed method can be applied to discover known or unknown attack episodes for any network services. In this paper, we focus on discovering attack episodes for SMB (Server Message Block) protocol, which is the most important one for Microsoft’s Windows Network. In the experiment, we successfully mined out a sophisticated intrusion episode. The proposed method can easily be modified to protect other network services.
KeywordsFrequent Episodes Mining Honeypot systems Network Security
Unable to display preview. Download preview PDF.
- 1.KeyFocus Ltd., KFSensor - Advanced Windows Honeypot System, http://www.keyfocus.net/kfsensor/
- 6.Luo, J., Bridges, S.M., Vaughn Jr., R.B.: Fuzzy Frequent Episodes for Real-Time Intrusion Detection. In: Proceedings of the IEEE International Conference on Fuzzy Systems, vol. 1, pp. 368–371 (2001)Google Scholar
- 7.Qin, M., Hwang, K.: Frequent Episode Rules for Internet Anomaly Detection. In: Proceedings of the IEEE International Symposium on Network Computing and Applications, pp. 161–168 (2004)Google Scholar
- 8.Kaspersky Lab., http://www.viruslist.com/en/analysis?pubid=204791921
- 9.F-Secure Corporate, http://www.f-secure.com/v-descs/opasoft.shtml
- 10.Kaspersky Lab., http://www.viruslist.com/en/viruslist.html?id=52256