Knowledge discovery from honeypot data for monitoring malicious attacks

Huidong Jin*, Olivier De Vel, Ke Zhang, Nianjun Liu

*Corresponding author for this work

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

    5 Citations (Scopus)

    Abstract

    Owing to the spread of worms and botnets, cyber attacks have increased significantly in volume, coordination and sophistication. Cheap rentable botnet services, for example, have made sophisticated botnets an effective and popular tool for committing online crime. Honeypots, which are information-system traps, monitor or deflect malicious attacks on the Internet. To understand the attack patterns generated by botnets through analysis of the data collected by honeypots, we propose an approach that integrates a clustering-structure visualisation technique with outlier detection techniques. These techniques complement each other and give end users both a big-picture view and actionable knowledge of high-dimensional data. We introduce KNOF (K-nearest Neighbours Outlier Factor) as the outlier definition, reaching a trade-off between a global and a local outlier definition, i.e., the Kth-Nearest Neighbour (KNN) distance and the Local Outlier Factor (LOF) respectively. We propose an algorithm to discover the most significant KNOF outliers. We implement these techniques in our hpdAnalyzer tool, which has been used successfully to comprehend honeypot data. A series of experiments shows that our proposed KNOF technique substantially outperforms LOF and, to a lesser degree, KNN on real-world honeypot data.
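    The abstract contrasts a global outlier definition (the distance to the Kth nearest neighbour) with a local one (LOF) without showing why they disagree. The following is an added illustration written for this page, not code from the paper or from its hpdAnalyzer tool: it implements only the two published baseline scores the paper trades off between (KNOF itself is not defined on this page and is therefore not implemented), and runs them over a constructed set of hypothetical 2-D feature vectors (a dense cluster, a sparse cluster of the same shape scaled by 10, one point just outside the dense cluster, and one far-away point). The point named A sits closer to its neighbours than any member of the sparse cluster, so the global KNN distance cannot flag it, whereas LOF scores it well above 1 because it is far sparser than the dense cluster it sits next to; the far point G scores highest under both.

```python
"""Global (k-th NN distance) vs local (LOF) outlier scores on constructed data.

Added example, not code from the paper or its hpdAnalyzer tool. KNOF is not
defined on this page, so only the two baseline definitions it trades off
between are implemented: the k-th nearest neighbour distance (a global score)
and the Local Outlier Factor (a density-relative local score). The sample
points are hypothetical 2-D feature vectors; real honeypot records would be
high-dimensional, but the definitions are dimension-agnostic.
"""
import math
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, ...]

# Constructed sample (no duplicate points, which LOF's lrd cannot handle):
# D1..D5 dense cluster (spacing 0.1), S1..S5 the same shape at spacing 1.0,
# A just outside the dense cluster, G far from everything.
SAMPLE: Dict[str, Point] = {
    "D1": (0.0, 0.0), "D2": (0.1, 0.0), "D3": (0.0, 0.1), "D4": (-0.1, 0.0), "D5": (0.0, -0.1),
    "S1": (10.0, 10.0), "S2": (11.0, 10.0), "S3": (10.0, 11.0), "S4": (9.0, 10.0), "S5": (10.0, 9.0),
    "A": (0.5, 0.0),
    "G": (20.0, 20.0),
}


def euclid(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def neighbourhoods(points: Sequence[Point], k: int):
    """Pairwise distances, k-distance and k-neighbourhood of every point.

    The k-neighbourhood holds every other point at distance <= k-distance, so
    ties at the k-th distance are all included, as in the LOF definition.
    """
    n = len(points)
    dist = [[euclid(points[i], points[j]) for j in range(n)] for i in range(n)]
    kdist: List[float] = []
    neigh: List[List[int]] = []
    for i in range(n):
        ranked = sorted((dist[i][j], j) for j in range(n) if j != i)
        kd = ranked[k - 1][0]
        kdist.append(kd)
        neigh.append([j for d, j in ranked if d <= kd])
    return dist, kdist, neigh


def knn_scores(points: Sequence[Point], k: int) -> List[float]:
    """Global score: distance to the k-th nearest neighbour (Ramaswamy et al., 2000)."""
    return neighbourhoods(points, k)[1]


def lof_scores(points: Sequence[Point], k: int) -> List[float]:
    """Local Outlier Factor (Breunig et al., 2000).

    lrd(p) = |N(p)| / sum_o max(k-distance(o), d(p, o)); LOF(p) is the mean lrd of
    p's neighbours divided by lrd(p): about 1 inside a cluster, well above 1 for a
    point that is much sparser than the points around it.
    """
    dist, kdist, neigh = neighbourhoods(points, k)
    n = len(points)
    lrd = [len(neigh[p]) / sum(max(kdist[o], dist[p][o]) for o in neigh[p]) for p in range(n)]
    return [sum(lrd[o] for o in neigh[p]) / (len(neigh[p]) * lrd[p]) for p in range(n)]


def score_table(sample: Dict[str, Point] = SAMPLE, k: int = 3) -> Dict[str, Tuple[float, float]]:
    """Map each named point to (KNN distance, LOF) for the given k."""
    names = list(sample)
    pts = [sample[nm] for nm in names]
    knn, lof = knn_scores(pts, k), lof_scores(pts, k)
    return {nm: (knn[i], lof[i]) for i, nm in enumerate(names)}


def top_outliers(table: Dict[str, Tuple[float, float]], m: int, which: int) -> List[str]:
    """Names of the m highest-scoring points; which = 0 ranks by KNN, 1 by LOF."""
    return [nm for nm, _ in sorted(table.items(), key=lambda kv: kv[1][which], reverse=True)[:m]]


if __name__ == "__main__":
    table = score_table()
    for name, (knn, lof) in table.items():
        print(f"{name:3s} knn={knn:7.3f} lof={lof:7.3f}")
    print("top-2 by KNN:", top_outliers(table, 2, 0))
    print("top-2 by LOF:", top_outliers(table, 2, 1))
```

With k = 3 the KNN ranking puts G first and then the ordinary members of the sparse cluster, with A only seventh, while the LOF ranking puts G first and A second with every cluster member near 1; a trade-off such as the one the abstract describes is what would be needed to rank both G and A ahead of the sparse-cluster members in a single score.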

    Original language: English
    Title of host publication: AI 2008
    Subtitle of host publication: Advances in Artificial Intelligence - 21st Australasian Joint Conference on Artificial Intelligence, Proceedings
    Pages: 470-481
    Number of pages: 12
    DOIs
    Publication status: Published - 2008
    Event: 21st Australasian Joint Conference on Artificial Intelligence, AI 2008 - Auckland, New Zealand
    Duration: 1 Dec 2008 to 5 Dec 2008

    Publication series

    Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume: 5360 LNAI
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349

    Conference

    Conference: 21st Australasian Joint Conference on Artificial Intelligence, AI 2008
    Country/Territory: New Zealand
    City: Auckland
    Period: 1/12/08 to 5/12/08
