THE SIXTH INTERNATIONAL CONFERENCE ON FORENSIC COMPUTER SCIENCE
Print ISBN 978-85-65069-07-6 - Online ISBN 978-85-65069-05-2, pp 142-152
DOI: 10.5769/C2011016 and http://dx.doi.org/10.5769/C2011016
Blind Automatic Malicious Activity Detection in Honeypot Data
By Bernardo Machado David, João Paulo C. L. da Costa, Anderson C. A. Nascimento, Marcelo Dias Holtz, Dino Amaral, Rafael Timóteo de Sousa Júnior
Model order selection (MOS) schemes are frequently applied in signal processing. In this paper, we propose a new application for such state-of-the-art model order selection schemes: an automatic method for the blind identification of malicious activities in honeypot systems. Our proposed blind automatic techniques are efficient and require neither prior training nor knowledge of attack signatures to detect malicious activities. To achieve these results, we model network traffic data as signals plus noise, which allows us to apply modified signal processing methods. We adapt model order selection schemes to process network data and show that RADOI achieves the best performance and reliability in detecting attacks. The efficiency and accuracy of our theoretical results are tested on real data collected at a honeypot system located at the network border of a large banking institution in Latin America.
Keywords: Intrusion Detection; Honeypot; Model Order Selection; Principal Component Analysis
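The abstract describes the core idea only in outline: per-window traffic features are treated as a multivariate observation, malicious activity appears as a low-rank signal riding on background noise, and a model order selection scheme estimates how many such signal components are present without any signature or training set. The following added example (written for this page; it is not the authors' code) makes that pipeline concrete. It uses the Wax–Kailath MDL criterion rather than the paper's RADOI scheme, because the MDL formula is standard and fully specified, and it builds a constructed feature set (SYN count, UDP count, ICMP count, distinct source IPs, distinct destination ports, inbound bytes) with two hypothetical attack patterns; the paper's real feature set and data are not on this page. Eigenvalues are computed with a small Jacobi routine so the block runs with no third-party dependency.

```python
import math
import random

# Constructed per-window feature columns (the paper's actual feature set is
# not given on the page): values are already standardised to unit variance.
FEATURES = ["syn", "udp", "icmp", "src_ips", "dst_ports", "bytes_in"]

# Two hypothetical malicious patterns, expressed as directions in feature
# space: a port scan raises SYNs, destination ports and bytes; a UDP flood
# raises UDP packets and bytes. Both are assumptions for this example.
PORT_SCAN = [3.0, 0.0, 0.0, 1.0, 3.0, 2.0]
UDP_FLOOD = [0.0, 4.0, 0.0, 0.0, 0.0, 3.0]


def make_windows(n_windows=400, attacks=(), seed=7):
    """Constructed honeypot data: n_windows x M matrix of unit-variance
    background noise plus, for each (direction, start, end) attack, a burst
    whose per-window intensity is 1 + |N(0,1)| while the burst is active."""
    rng = random.Random(seed)
    rows = []
    for t in range(n_windows):
        row = [rng.gauss(0.0, 1.0) for _ in FEATURES]
        for direction, start, end in attacks:
            if start <= t < end:
                s = 1.0 + abs(rng.gauss(0.0, 1.0))
                row = [x + s * d for x, d in zip(row, direction)]
        rows.append(row)
    return rows


def sample_covariance(rows):
    """Mean-centred M x M sample covariance of the window feature vectors."""
    n, m = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(m)]
    cov = [[0.0] * m for _ in range(m)]
    for r in rows:
        c = [r[j] - means[j] for j in range(m)]
        for i in range(m):
            for j in range(m):
                cov[i][j] += c[i] * c[j] / n
    return cov


def sym_eigvals(matrix, tol=1e-10, max_rotations=5000):
    """Eigenvalues of a symmetric matrix by classical Jacobi rotations,
    returned in descending order (this is the PCA step of the method)."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(max_rotations):
        p, q, largest = 0, 1, 0.0
        for i in range(n):
            for j in range(i + 1, n):
                if abs(a[i][j]) > largest:
                    p, q, largest = i, j, abs(a[i][j])
        if largest < tol:
            break
        theta = 0.5 * math.atan2(2.0 * a[p][q], a[q][q] - a[p][p])
        c, s = math.cos(theta), math.sin(theta)
        for k in range(n):                      # A <- A J
            akp, akq = a[k][p], a[k][q]
            a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
        for k in range(n):                      # A <- J^T A
            apk, aqk = a[p][k], a[q][k]
            a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted((a[i][i] for i in range(n)), reverse=True)


def mdl_order(eigs, n):
    """Wax-Kailath MDL model order selection: the k that minimises
    -(M-k) N log(GM/AM of the M-k smallest eigenvalues) + k(2M-k)/2 log N."""
    m = len(eigs)
    best_k, best_cost = 0, math.inf
    for k in range(m):
        tail = eigs[k:]
        r = m - k
        arith = sum(tail) / r
        geo = math.exp(sum(math.log(x) for x in tail) / r)
        cost = -r * n * math.log(geo / arith) + 0.5 * k * (2 * m - k) * math.log(n)
        if cost < best_cost:
            best_k, best_cost = k, cost
    return best_k


def estimate_model_order(rows):
    """Blind detector: the estimated model order is the number of distinct
    signal (attack) components; 0 means the traffic looks like pure noise."""
    return mdl_order(sym_eigvals(sample_covariance(rows)), len(rows))


if __name__ == "__main__":
    quiet = make_windows()
    busy = make_windows(attacks=[(PORT_SCAN, 100, 250), (UDP_FLOOD, 200, 400)])
    print("noise-only windows: model order", estimate_model_order(quiet))
    print("windows with two bursts: model order", estimate_model_order(busy))
```

On the noise-only data the estimated order is 0 (no alert), and on the data with two overlapping bursts it is 2, matching the number of injected attack patterns. Substituting RADOI for `mdl_order`, as the paper does, changes only the criterion applied to the eigenvalue profile; the covariance and PCA stages stay the same.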