The WOMBAT Attack Attribution Method: Some Results

  • Marc Dacier
  • Van-Hau Pham
  • Olivier Thonnard
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5905)

Abstract

In this paper, we present a new attack attribution method that has been developed within the WOMBAT project. We illustrate the method with some real-world results obtained by applying it to almost two years of attack traces collected by low-interaction honeypots. This analytical method aims at identifying large-scale attack phenomena composed of IP sources that are linked to the same root cause. All malicious sources involved in the same phenomenon constitute what we call a Misbehaving Cloud (MC). The paper offers an overview of the various steps the method goes through to identify these clouds, providing pointers to external references for more detailed information. Four instances of misbehaving clouds are then described in more depth to demonstrate the meaningfulness of the concept.

Keywords

Attack Event, Attack Trace, Multi Criterion Decision Analysis, Malicious Source, Attack Phenomenon

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Marc Dacier (1)
  • Van-Hau Pham (2)
  • Olivier Thonnard (3)

  1. Symantec Research, Sophia Antipolis, France
  2. Institut Eurecom, Sophia Antipolis, France
  3. Royal Military Academy, Polytechnic Faculty, Brussels, Belgium