From Manual Cyber Attacks Forensic to Automatic Characterization of Attackers' Profiles
J. Briffaut, P. Clemente, J.-F. Lalande, J. Rouzaud-Cornabas

Abstract: This chapter studies the activities of cyber attackers on a large-scale honeypot that has been running for more than two years. A honeypot is a set of online computers that welcome attackers and let them perform their attacks. The chapter presents how to classify complex, distributed attack sessions. The first part of the chapter analyzes the illegal activities performed by attackers, using the data collected during two years of attacks: logged sessions, intrusion detection system alerts, and mandatory access control system alerts. The study of these illegal activities allows us to understand the global motivations of the cyber attackers, their technical skills, and the geographical location of both the attackers and their targets. The second part of the chapter presents generic methods to rebuild the illegal activities that appear across several attacked hosts. By correlating information collected by multiple sources (loggers, monitors, detectors) that watch both the network and the operations occurring on each system, we provide a precise, high-level characterization of attacks. The proposed method follows an incremental approach that characterizes attacks from basic ones up to highly complex malicious activities, including largely distributed attacks (migrating/hopping attacks, distributed denial-of-service attacks). This work reveals the global goals of attackers who take control of multiple hosts to launch massive attacks on large universities, industries, or governmental organisations. Experimental results of these forensic and high-level characterization methods are presented using the data collected by our large-scale honeypot.
Document type: Reports

Cited literature: 32 references

https://hal.archives-ouvertes.fr/hal-00995211
Contributor: Patrice Clemente
Submitted on: Thursday, May 22, 2014 - 10:22:08 PM
Last modification on: Thursday, February 7, 2019 - 2:21:22 PM
Long-term archiving on: Friday, August 22, 2014 - 1:36:43 PM

File: RR-2011-14.pdf (files produced by the author(s))

Identifiers
  • HAL Id: hal-00995211, version 1

Citation
Jérémy Briffaut, Patrice Clemente, Jean-François Lalande, Jonathan Rouzaud-Cornabas. From Manual Cyber Attacks Forensic to Automatic Characterization of Attackers' Profiles. 2011. ⟨hal-00995211⟩

Metrics
  • Record views: 966
  • Files downloads: 298