Title :
A Technique for Detecting New Attacks in Low-Interaction Honeypot Traffic
Author :
Almotairi, S. ; Clark, A. ; Mohay, G. ; Zimmermann, J.
Author_Institution :
Inf. Security Inst., Queensland Univ. of Technol., Brisbane, QLD
Abstract :
Honeypots are flexible security tools for gathering artefacts associated with a variety of Internet attack activities. While existing work on honeypot traffic analysis focuses mainly on identifying known attacks, this paper describes a technique for detecting new attacks based on principal component analysis (PCA). The proposed technique requires no prior knowledge of attack types and has low computational requirements, which make it suitable for online detection systems. Our method detects new attacks by measuring changes in the residual subspace using square prediction error (SPE) statistics. When attack vectors are projected onto the residual subspace, attacks that are not represented by the principal subspace create new directions with high SPE values. We demonstrate the usefulness of the technique on real traffic data from the Leurre.com project, a world-wide deployment of low-interaction honeypots, and illustrate several examples of new traffic detected by the system.
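The detection step the abstract describes, written out as an added illustration (this is not the authors' code or data): each feature vector holds destination-port hit counts for one source in one time window, a PCA model is fitted to previously observed honeypot traffic, and a new vector is scored by its SPE in the residual subspace. The port list, the three recurring traffic patterns, the Poisson background noise, the two-port "new" vector and the empirical 99th-percentile control limit are all constructed here; the abstract does not give the paper's actual feature set or threshold rule.

```python
"""PCA residual-subspace (SPE) detector for honeypot traffic feature vectors.

Added illustration of the approach in the abstract, not the authors' code.
The feature space, traffic patterns and thresholds below are constructed.
"""
import numpy as np

# Assumed feature space: destination-port hit counts per source per time window.
PORTS = [80, 135, 139, 445, 1433, 2967, 5900]


def fit_pca(X, k):
    """Fit the principal subspace. Returns (mean, P) with P of shape (d, k).

    Columns of P are the top-k right singular vectors of the centred data
    (the principal component loadings); everything orthogonal to them is
    the residual subspace.
    """
    mu = X.mean(axis=0)
    _, _, vt = np.linalg.svd(X - mu, full_matrices=False)
    return mu, vt[:k].T


def choose_k(X, var_fraction=0.95):
    """Smallest k whose components explain at least var_fraction of variance."""
    _, s, _ = np.linalg.svd(X - X.mean(axis=0), full_matrices=False)
    explained = np.cumsum(s ** 2) / np.sum(s ** 2)
    return int(np.searchsorted(explained, var_fraction) + 1)


def residual(x, mu, P):
    """Projection of x onto the residual subspace: (I - P P^T)(x - mu)."""
    xc = x - mu
    return xc - P @ (P.T @ xc)


def spe(x, mu, P):
    """Square prediction error: squared norm of the residual."""
    r = residual(x, mu, P)
    return float(r @ r)


def spe_threshold(X_train, mu, P, quantile=0.99):
    """Empirical control limit: the chosen quantile of training SPE scores."""
    scores = np.array([spe(x, mu, P) for x in X_train])
    return float(np.quantile(scores, quantile)), scores


def residual_contributions(x, mu, P, top=2):
    """Ports whose squared residual dominates the SPE, i.e. the new direction."""
    r2 = residual(x, mu, P) ** 2
    order = np.argsort(r2)[::-1][:top]
    return [PORTS[i] for i in order]


def make_training_traffic(n=200, seed=7):
    """Constructed 'known' traffic: three recurring port patterns with random
    intensity, plus a sparse Poisson background on every port."""
    rng = np.random.default_rng(seed)
    smb = np.array([0, 12, 40, 42, 0, 0, 0], dtype=float)   # 135/139/445 together
    web = np.array([35, 0, 0, 0, 0, 0, 0], dtype=float)     # 80 alone
    mssql = np.array([0, 0, 0, 0, 30, 0, 0], dtype=float)   # 1433 alone
    a, b, c = rng.uniform(0, 1, (3, n))
    X = np.outer(a, smb) + np.outer(b, web) + np.outer(c, mssql)
    return X + rng.poisson(0.5, X.shape)


def run_demo():
    X = make_training_traffic()
    k = choose_k(X)
    mu, P = fit_pca(X, k)
    thr, train_scores = spe_threshold(X, mu, P)
    # A vector following known patterns: a partial SMB sweep plus some web hits.
    known = 0.7 * np.array([0, 12, 40, 42, 0, 0, 0]) + 0.3 * np.array([35, 0, 0, 0, 0, 0, 0])
    # Constructed new activity: two ports with no history in the training data.
    new = np.array([0, 0, 0, 0, 0, 28, 31], dtype=float)
    return {
        "k": k,
        "threshold": thr,
        "train_false_positive_rate": float(np.mean(train_scores > thr)),
        "spe_known": spe(known, mu, P),
        "spe_new": spe(new, mu, P),
        "new_direction_ports": residual_contributions(new, mu, P),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The known-pattern vector lands almost entirely inside the principal subspace and scores near zero; the two-port vector has nowhere to go but the residual subspace, so its SPE is two to three orders of magnitude above the control limit, and the per-port residual breakdown names the ports that form the new direction, which is what an analyst needs to triage the alert. Two practitioner caveats: an empirical quantile is used here for simplicity, whereas the classical SPE control limit is the Jackson and Mudholkar Q-statistic derived from the discarded eigenvalues; and the model must be refitted as the honeypot population's "known" traffic drifts, otherwise yesterday's novelty keeps firing and a new attack that reuses familiar ports in familiar proportions is not visible in this feature space at all.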
Keywords :
Internet; principal component analysis; security of data; Internet attack; low-interaction honeypot traffic; online detection systems; residual space; square prediction error statistics; Data security; Error analysis; Information security; Intrusion detection; Monitoring; Protection; Telecommunication traffic; Traffic control; internet traffic analysis; low-interaction honeypots; square prediction error;
Conference_Title :
Fourth International Conference on Internet Monitoring and Protection (ICIMP '09), 2009
Conference_Location :
Venice/Mestre
Print_ISBN :
978-1-4244-3839-6
Electronic_ISBN :
978-0-7695-3612-5
DOI :
10.1109/ICIMP.2009.9