Discovering Collaborative Cyber Attack Patterns Using Social Network Analysis

  • Haitao Du
  • Shanchieh Jay Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6589)


This paper investigates collaborative cyber attacks based on social network analysis. An Attack Social Graph (ASG) is defined to represent cyber attacks on the Internet. Features are extracted from ASGs to analyze collaborative patterns. We use principal component analysis to reduce the feature space, and hierarchical clustering to group attack sources that exhibit similar behavior. Experiments with real-world data illustrate that our framework can effectively reduce a large dataset to clusters of attack sources exhibiting critical collaborative patterns.


Keywords: Network security, Collaborative attacks, Degree centrality, Hierarchical clustering





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Haitao Du (1)
  • Shanchieh Jay Yang (1)
  1. Department of Computer Engineering, Rochester Institute of Technology, Rochester, USA
