A Statistical Analysis of Attack Data to Separate Attacks

Author

Cukier, Michel ; Berthier, Robin ; Panjwani, Susmit ; Tan, Stephanie

Author_Institution

Dept. of Mech. Eng., Maryland Univ., College Park, MD

fYear

2006

fDate

25-28 June 2006

Firstpage

383

Lastpage

392

Abstract

This paper analyzes malicious activity collected from a test-bed, consisting of two target computers dedicated solely to the purpose of being attacked, over a 109 day time period. We separated port scans, ICMP scans, and vulnerability scans from the malicious activity. In the remaining attack data, over 78% (i.e., 3,677 attacks) targeted port 445, which was then statistically analyzed. The goal was to find the characteristics that most efficiently separate the attacks. First, we separated the attacks by analyzing their messages. Then we separated the attacks by clustering characteristics using the K-Means algorithm. The comparison between the analysis of the messages and the outcome of the K-Means algorithm showed that 1) the mean of the distributions of packets, bytes and message lengths over time are poor characteristics to separate attacks and 2) the number of bytes, the mean of the distribution of bytes and message lengths as a function of the number packets are the best characteristics for separating attacks

Keywords

computer crime; data analysis; data mining; pattern clustering; statistical analysis; ICMP scans; K-Means algorithm; attack data statistical analysis; attack separation; data mining; port scans; vulnerability scans; Algorithm design and analysis; Clustering algorithms; Clustering methods; Data analysis; Educational institutions; Engineering profession; Mechanical engineering; Protocols; Statistical analysis; Testing;

fLanguage

English

Publisher

ieee

Conference_Titel

Dependable Systems and Networks, 2006. DSN 2006. International Conference on

Conference_Location

Philadelphia, PA

Print_ISBN

0-7695-2607-1

Type

conf

DOI

10.1109/DSN.2006.9

Filename

1633527