Title: An evaluation of connection characteristics for separating network attacks

Authors: Robin Berthier, Michel Cukier

Addresses: Center for Risk and Reliability, Department of Mechanical Engineering, University of Maryland, MD 20742, USA (both authors)

Abstract: The goal of this paper is to evaluate how well connection characteristics separate the different attack families that target a single TCP port. Identifying the most relevant characteristics would make it possible to separate attack families statistically, without systematically resorting to forensics. The study is based on a dataset collected over 117 days on a test-bed of two high-interaction honeypots. The results indicate that, for separating unsuccessful from successful attacks in malicious traffic, the number of bytes is a relevant characteristic, time-based characteristics are poor ones, and combining characteristics does not improve the separation.

Keywords: attack characteristics; honeypot; statistical analysis; data mining; network attacks; attack families; attack family separation; security; unsuccessful attacks; successful attacks.
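The abstract reports that byte counts separate successful from unsuccessful attacks on a port while durations do not, and that combining characteristics adds nothing. The following is an added illustration of that kind of evaluation, not code or data from the paper: the abstract does not give the authors' statistical method, so the single-threshold rule per characteristic, the conjunction used as the "combination", and the twelve labelled connection records are all assumptions made here to show how such a comparison is scored.

```python
"""Score how well each connection characteristic separates successful from
unsuccessful attacks on one TCP port (illustrative method, not the paper's)."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Connection:
    bytes_total: int      # bytes carried by the TCP connection
    duration_s: float     # connection duration in seconds
    successful: bool      # label a forensic review would assign


# Constructed sample (assumption): successful attacks push a payload and so
# carry more bytes; durations overlap almost completely between the classes,
# and one failed attack (6000 bytes) sent a large payload that was rejected.
CONNECTIONS = [
    Connection(5200, 3.1, True), Connection(7800, 42.0, True),
    Connection(12000, 8.7, True), Connection(4400, 0.9, True),
    Connection(9100, 15.2, True), Connection(6600, 2.4, True),
    Connection(320, 2.8, False), Connection(180, 40.5, False),
    Connection(760, 9.1, False), Connection(410, 1.0, False),
    Connection(6000, 14.8, False), Connection(1200, 0.5, False),
]


@dataclass(frozen=True)
class Rule:
    """Predict 'successful' when the feature is above (or at most) a threshold."""
    feature: str
    threshold: float
    above: bool

    def predict(self, conn):
        value = getattr(conn, self.feature)
        return value > self.threshold if self.above else value <= self.threshold


def candidate_thresholds(values):
    # Midpoints between consecutive distinct values cover every possible split.
    ordered = sorted(set(values))
    return [(a + b) / 2 for a, b in zip(ordered, ordered[1:])]


def candidate_rules(conns, feature):
    values = [getattr(c, feature) for c in conns]
    return [Rule(feature, t, above)
            for t in candidate_thresholds(values) for above in (True, False)]


def accuracy(predict, conns):
    return sum(predict(c) == c.successful for c in conns) / len(conns)


def best_single(conns, feature):
    """Best accuracy reachable with one threshold on one characteristic."""
    return max(((accuracy(r.predict, conns), r) for r in candidate_rules(conns, feature)),
               key=lambda scored: scored[0])


def best_pair(conns, feature_a, feature_b):
    """Best accuracy when both single-feature rules must agree (conjunction)."""
    best = (0.0, None)
    for r1, r2 in product(candidate_rules(conns, feature_a), candidate_rules(conns, feature_b)):
        acc = accuracy(lambda c: r1.predict(c) and r2.predict(c), conns)
        if acc > best[0]:
            best = (acc, (r1, r2))
    return best


if __name__ == "__main__":
    for feature in ("bytes_total", "duration_s"):
        acc, rule = best_single(CONNECTIONS, feature)
        print(f"{feature}: accuracy {acc:.3f} with {rule}")
    acc, rules = best_pair(CONNECTIONS, "bytes_total", "duration_s")
    print(f"bytes AND duration: accuracy {acc:.3f} with {rules}")
```

On this constructed sample the byte count alone reaches 11/12, the duration alone only 7/12, and the conjunction of the two cannot beat the byte count, which is the shape of result the abstract describes. Searching every midpoint in both directions rather than picking a threshold by eye is what keeps the comparison between characteristics fair.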

DOI: 10.1504/IJSN.2009.023430

International Journal of Security and Networks, 2009 Vol.4 No.1/2, pp.110 - 124

Published online: 23 Feb 2009
