THE SEVENTH INTERNATIONAL CONFERENCE ON FORENSIC COMPUTER SCIENCE - ICoFCS 2012
Print ISBN 978-85-65069-08-3 - Online ISBN 978-85-65069-06-9, pages 46-55
DOI: 10.5769/C2012008 and http://dx.doi.org/10.5769/C2012008
Improved Blind Automatic Malicious Activity Detection in Honeypot Data
By João Paulo C. L. da Costa, Edison Pignaton de Freitas, Bernardo Machado David, A. M. Rubio Serrano, Dino Amaral, and Rafael Timóteo de Sousa Júnior
ABSTRACT
This paper presents the modified exponential fitting test for automatically identifying malicious activities in honeypot data, based on state-of-the-art model order selection schemes. Model order selection (MOS) schemes are frequently applied in several signal processing applications, such as RADAR, SONAR, communications, channel modeling, medical imaging, and parameter estimation of dominant multipath components from MIMO channel measurements. This paper proposes a new application for these MOS schemes: the identification of malicious activity in honeypots. The proposed blind automatic techniques are efficient and need neither previous training nor knowledge of attack signatures to detect malicious activities. To achieve such results, an innovative approach is considered which models network traffic data as signals and noise, allowing the application of signal processing methods. The model order selection schemes are adapted to process network data, showing that the Modified Exponential Fitting Test achieves the best performance and reliability in detecting attacks. The efficiency and accuracy of the theoretical results are tested on real data collected at a honeypot system located at the network border of a large banking institution in Latin America.
KEYWORDS