Skip to main content
SpringerLink
Log in

The WOMBAT Attack Attribution Method: Some Results

  • Conference paper
Book cover Information Systems Security (ICISS 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5905))

Included in the following conference series:

Abstract

In this paper, we present a new attack attribution method that has been developed within the WOMBAT project. We illustrate the method with some real-world results obtained when applying it to almost two years of attack traces collected by low interaction honeypots. This analytical method aims at identifying large scale attack phenomena composed of IP sources that are linked to the same root cause. All malicious sources involved in a same phenomenon constitute what we call a Misbehaving Cloud (MC). The paper offers an overview of the various steps the method goes through to identify these clouds, providing pointers to external references for more detailed information. Four instances of misbehaving clouds are then described in some more depth to demonstrate the meaningfulness of the concept.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Basseville, M., Nikiforov, I.V.: Detection of Abrupt Changes:Theory and Application. Prentice Hall, Englewood Cliffs (1993)

    Google Scholar 

  2. Beliakov, G., Pradera, A., Calvo, T.: Aggregation Functions: A Guide for Practitioners. Springer, Berlin (2007)

    Google Scholar 

  3. Collins, M.P., Shimeall, T.J., Faber, S., Janies, J., Weaver, R., De Shon, M., Kadane, J.: Using uncleanliness to predict future botnet addresses. In: IMC 2007: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, pp. 93–104. ACM, New York (2007)

    Chapter  Google Scholar 

  4. Dacier, M., Pouget, F., Debar, H.: Attack processes found on the internet. In: NATO Symposium IST-041/RSY-013, Toulouse, France (April 2004)

    Google Scholar 

  5. Defrawy, K.E., Gjoka, M., Markopoulou, A.: Bottorrent: misusing bittorrent to launch ddos attacks. In: SRUTI 2007: Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet, Berkeley, CA, USA, pp. 1–6. USENIX Association (2007)

    Google Scholar 

  6. Jain, A.K., Dubes, R.C.: Algorithms for Clustering Data. Prentice-Hall advanced reference series (1988)

    Google Scholar 

  7. Kullback, S., Leibler, R.A.: On information and sufficiency. Annals of Mathematical Statistics 22, 79–86 (1951)

    Article  MATH  MathSciNet  Google Scholar 

  8. Leita, C., Pham, V.H., Thonnard, O., Ramirez Silva, E., Pouget, F., Kirda, E., Dacier, M.: The leurre.com project: collecting internet threats information using a worldwide distributed honeynet. In: 1st WOMBAT workshop, April 21st-22nd, Amsterdam, The Netherlands (April 2008)

    Google Scholar 

  9. Leita, C., Dacier, M.: Sgnet: a worldwide deployable framework to support the analysis of malware threat models. In: Proceedings of the 7th European Dependable Computing Conference (EDCC 2008) (May 2008)

    Google Scholar 

  10. Leurre.com, Eurecom Honeypot Project (September 2009), http://www.leurrecom.org/

  11. Lin, J.: Divergence measures based on the shannon entropy. IEEE Transactions on Information Theory 37(1), 145–151 (1991)

    Article  MATH  Google Scholar 

  12. Naoumov, N., Ross, K.: Exploiting p2p systems for ddos attacks. In: InfoScale 2006: Proceedings of the 1st international conference on Scalable information systems, p. 47. ACM, New York (2006)

    Chapter  Google Scholar 

  13. Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of Internet Background Radiation. In: Proceedings of the 4th ACM SIGCOMM conference on the Internet Measurement (2004)

    Google Scholar 

  14. Pavan, M., Pelillo, M.: A new graph-theoretic approach to clustering and segmentation. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (2003)

    Google Scholar 

  15. Pham, V.-H.: Honeypot traces forensics by means of attack event identification. PhD thesis, TELECOM ParisTech (2009)

    Google Scholar 

  16. Pham, V.-H., Dacier, M.: Honeypot traces forensics: the observation view point matters. In: NSS 2009, 3rd International Conference on Network and System Security, October 19-21, Gold Coast, Australia (December 2009)

    Google Scholar 

  17. Pham, V.-H., Dacier, M., Urvoy Keller, G., En Najjary, T.: The quest for multi-headed worms. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 247–266. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  18. Pouget, F., Dacier, M., Debar, H.: Honeypot-based forensics. In: Proceedings of AusCERT Asia Pacific Information Technology Security Conference 2004, Brisbane, Australia (May 2004)

    Google Scholar 

  19. Pouget, F., Dacier, M., Pham, V.H.: Leurre.com: on the advantages of deploying a large scale distributed honeypot platform. In: ECCE 2005, E-Crime and Computer Conference, Monaco, March 29-30 (2005)

    Google Scholar 

  20. Provos, N.: A virtual honeypot framework. In: Proceedings of the 12th USENIX Security Symposium, August 2004, pp. 1–14 (2004)

    Google Scholar 

  21. Shepard, R.N.: Multidimensional scaling, tree fitting, and clustering. Science 210, 390–398 (1980)

    Article  MathSciNet  Google Scholar 

  22. Thonnard, O., Dacier, M.: A framework for attack patterns’ discovery in honeynet data. In: DFRWS 2008, 8th Digital Forensics Research Conference, Baltimore, USA, August 11- 13 (2008)

    Google Scholar 

  23. Thonnard, O., Dacier, M.: Actionable knowledge discovery for threats intelligence support using a multi-dimensional data mining methodology. In: ICDM 2008, 8th IEEE International Conference on Data Mining series, Pisa, Italy, December 15-19 (2008)

    Google Scholar 

  24. Thonnard, O., Mees, W., Dacier, M.: Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making. In: KDD 2009, 15th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Workshop on CyberSecurity and Intelligence Informatics, Paris, France, June 28th - July 1st (2009)

    Google Scholar 

  25. Wheeler, D., Larsen, G.: Techniques for Cyber Attack Attribution. Institute for Defense Analyses (October 2003)

    Google Scholar 

  26. Yager, R.R.: On ordered weighted averaging aggregation operators in multicriteria decisionmaking. IEEE Trans. Syst. Man Cybern. 18(1), 183–190 (1988)

    Article  MATH  MathSciNet  Google Scholar 

  27. Yegneswaran, V., Barford, P., Paxson, V.: Using honeynets for internet situational awareness. In: Fourth ACM Sigcomm Workshop on Hot Topics in Networking, Hotnets IV (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Symantec Research, Sophia Antipolis, France

    Marc Dacier

  2. Institut Eurecom, 2229, Route des Crètes, Sophia Antipolis, France

    Van-Hau Pham

  3. Royal Military Academy, Polytechnic Faculty, Brussels, Belgium

    Olivier Thonnard

Authors
  1. Marc Dacier
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Van-Hau Pham
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Olivier Thonnard
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Electrical Engineering and Computer Science Department, University of Michigan, 48109, Ann Arbor, MI, USA

    Atul Prakash

  2. Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur, India

    Indranil Sen Gupta

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dacier, M., Pham, VH., Thonnard, O. (2009). The WOMBAT Attack Attribution Method: Some Results. In: Prakash, A., Sen Gupta, I. (eds) Information Systems Security. ICISS 2009. Lecture Notes in Computer Science, vol 5905. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10772-6_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-10772-6_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-10771-9

  • Online ISBN: 978-3-642-10772-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation