Limitation of Honeypot/Honeynet Databases to Enhance Alert Correlation

  • Conference paper
Computer Network Security (MMM-ACNS 2012)

Abstract

In SIEM environments, security analysts process a massive volume of alerts, many of them imprecise. Alert correlation has been designed to analyze this large volume of alerts efficiently. However, a major limitation of existing correlation techniques is that they focus on local knowledge about the alerts and ignore the global view of the threat landscape. In this paper, we introduce an alert enrichment strategy that aims at complementing the local domain knowledge about an event with relevant global information about the threat, in order to enhance the security event correlation process.

Today, the most prominent sources of information about the global threat landscape are the large honeypot/honeynet infrastructures, which allow us to gather in-depth insights into the modus operandi of attackers by looking at threat dynamics. In this paper, we explore four honeypot databases that collect information about malware propagation and security information about web-based server profiles. We evaluate the use of these databases to correlate local alerts with global knowledge. Our experiments show that the information stored in current honeypot databases suffers from several limitations related to: the interaction level of the honeypots, which influences their coverage and their analysis of the attacker's activities; the collection of raw data, which may include imprecise or voluminous information; the lack of standardization in the information representation, which hinders cross-references between different databases; and the lack of documentation describing the available information.
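As an added illustration (not code from the paper), the enrichment step the abstract describes: local IDS alerts are cross-referenced with two constructed honeypot databases whose records use different field names and digest algorithms, so a normalization layer has to reconcile them before a global view can be attached to each alert. All databases, alerts, field names and values below are made up for the example.

```python
from ipaddress import ip_address

# Constructed honeypot data with deliberately different schemas: database A
# keys on "src_ip" with SHA-1 digests, database B on "attacker" with MD5 + tag.
HONEYPOT_DB_A = [
    {"src_ip": "198.51.100.23", "sha1": "a" * 40, "family": "worm.x", "seen": 12},
    {"src_ip": "203.0.113.9", "sha1": "b" * 40, "family": "bot.y", "seen": 3},
]
HONEYPOT_DB_B = [
    {"attacker": "203.0.113.9", "md5": "c" * 32, "tag": "Bot.Y downloader"},
    {"attacker": "192.0.2.77", "md5": "d" * 32, "tag": "ssh scanner"},
]
# Constructed local IDS alerts, reduced to the fields the enrichment needs.
LOCAL_ALERTS = [
    {"id": 1, "source": "203.0.113.9", "target": "10.0.0.5", "name": "shellcode"},
    {"id": 2, "source": "10.0.0.8", "target": "10.0.0.5", "name": "port sweep"},
]

def normalize(record, source):
    """Map one honeypot record onto a common representation. Fields a source
    does not provide stay None instead of being guessed."""
    if source == "A":
        return {"ip": record["src_ip"], "hash": record["sha1"], "algo": "sha1",
                "label": record["family"], "hits": record["seen"], "source": "A"}
    if source == "B":
        return {"ip": record["attacker"], "hash": record["md5"], "algo": "md5",
                "label": record["tag"], "hits": None, "source": "B"}
    raise ValueError(f"unknown honeypot source {source!r}")

def build_index(*named_dbs):
    """Index normalized records by canonical source address."""
    index = {}
    for name, db in named_dbs:
        for record in db:
            entry = normalize(record, name)
            index.setdefault(str(ip_address(entry["ip"])), []).append(entry)
    return index

def enrich(alert, index):
    """Attach global honeypot context to one local alert."""
    hits = index.get(str(ip_address(alert["source"])), [])
    enriched = dict(alert)
    enriched["global"] = {
        "known_attacker": bool(hits),
        "sources": sorted({h["source"] for h in hits}),
        "labels": sorted({h["label"] for h in hits}),
        # Hashes cross-reference only when the databases share a digest algorithm.
        "hash_comparable": bool(hits) and len({h["algo"] for h in hits}) <= 1,
    }
    return enriched
```

For the constructed data, the alert from 203.0.113.9 is confirmed by both databases but their malware hashes cannot be joined (SHA-1 versus MD5), which is the standardization gap the abstract points at.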


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mustapha, Y.B., Débar, H., Jacob, G. (2012). Limitation of Honeypot/Honeynet Databases to Enhance Alert Correlation. In: Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2012. Lecture Notes in Computer Science, vol 7531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33704-8_18

  • DOI: https://doi.org/10.1007/978-3-642-33704-8_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33703-1

  • Online ISBN: 978-3-642-33704-8

  • eBook Packages: Computer Science, Computer Science (R0)