Characterization of attacks

Monitoring malicious activities on the Internet (worms, denial of service attacks, phishing attempts, botnets, etc.) and analyzing how attackers proceed to exploit system vulnerabilities is important to improve our knowledge of these threats and of attacker behavior. In particular, the information obtained from such analyses is useful to establish realistic assumptions and to implement efficient protection mechanisms to cope with these threats. This motivates the need for methods for collecting real-world data related to malware and attacks, and for experimental results based on the analysis of such data.

Our research in this context is based on the deployment of honeypots on the Internet, i.e., network resources dedicated to being probed, attacked and compromised, which can be monitored to observe how attackers behave. Our recent contributions cover two main objectives. The first one concerns the development of a methodology and statistical models to characterize the attack processes observed at various geographic locations on the Internet, considering the data collected from low interaction honeypots deployed by Eurecom in the context of the Leurré.com platform [Alata et al. 2005]. The analysis focuses on the distribution of the times between attacks, the propagation of attacks and the correlations between the attack processes observed on several honeypots. As an example, we have observed that the times between attacks reported on the different honeypots can be described by a mixture distribution combining a generalized Pareto distribution and a Weibull distribution [Alata 2007, Kaâniche et al. 2006]. Thus, the traditional assumption of reliability evaluation studies, namely that accidental failures occur according to a Poisson process, does not seem to be satisfactory when considering malicious attacks.

Low interaction honeypots emulate simple services and cannot be compromised by the attackers. The second objective of our work therefore focuses on the development and deployment of high interaction honeypots, which offer a more suitable environment to observe the progression of an attack within a system. We are mainly interested in observing the activities corresponding to manual attacks rather than automated attacks such as worms.
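The following added example (not code from the papers or from the Leurré.com platform) illustrates why a Poisson-process assumption fits inter-attack times poorly when they follow a Weibull + generalized Pareto mixture: it samples such a mixture, fits an exponential distribution to the samples, and compares the Kolmogorov-Smirnov distances of both models. The mixture parameters in `PARAMS` are constructed for illustration and are not the values fitted in the cited work.

```python
import math
import random

# Illustrative mixture parameters (constructed for this example, not the values fitted in the papers):
# weight p on a Weibull(k, lam) component and 1 - p on a generalized Pareto(xi, sigma) component.
PARAMS = {"p": 0.7, "k": 0.5, "lam": 1.0, "xi": 0.3, "sigma": 7.0}

def weibull_cdf(t, k, lam):
    return 1.0 - math.exp(-((t / lam) ** k))

def gpd_cdf(t, xi, sigma):
    return 1.0 - (1.0 + xi * t / sigma) ** (-1.0 / xi)

def mixture_cdf(t, p, k, lam, xi, sigma):
    """CDF of the inter-attack time under the Weibull + generalized Pareto mixture."""
    return p * weibull_cdf(t, k, lam) + (1.0 - p) * gpd_cdf(t, xi, sigma)

def sample_mixture(n, p, k, lam, xi, sigma, seed=0):
    """Draw n inter-attack times by inverse-transform sampling from the mixture."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = rng.random()  # uniform on [0, 1), so 1 - v never reaches 0
        if rng.random() < p:
            out.append(lam * (-math.log(1.0 - v)) ** (1.0 / k))      # Weibull inverse CDF
        else:
            out.append(sigma / xi * ((1.0 - v) ** (-xi) - 1.0))      # GPD inverse CDF
    return out

def ks_distance(samples, cdf):
    """Kolmogorov-Smirnov distance between the empirical CDF of samples and a model CDF."""
    xs = sorted(samples)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs, start=1):
        f = cdf(x)
        d = max(d, abs(i / n - f), abs(f - (i - 1) / n))
    return d

def compare_fits(samples, params):
    """KS distance of a Poisson-process (exponential) fit versus the mixture model."""
    mean = sum(samples) / len(samples)  # moment estimate of the exponential's mean
    return {
        "ks_exponential": ks_distance(samples, lambda t: 1.0 - math.exp(-t / mean)),
        "ks_mixture": ks_distance(samples, lambda t: mixture_cdf(t, **params)),
    }

if __name__ == "__main__":
    print(compare_fits(sample_mixture(2000, **PARAMS, seed=7), PARAMS))
```

With these parameters the exponential fit is off by roughly 0.28 in KS distance while the mixture stays within sampling noise, which is the kind of gap that motivates abandoning the Poisson assumption for attack processes.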

We have developed and deployed a high-interaction honeypot based on a GNU/Linux system, designed to monitor intrusions that require a successful connection through the SSH service. The analysis of the data collected allowed us to observe the different stages of an intrusion and to demonstrate the relevance of our approach. Three types of data are recorded by the honeypot:

1) the user logins and passwords tried by the attackers to gain access to the system,
2) the data exchanged within the SSH connections, and
3) the system calls generated by the activity of the attackers.

The data collected during a deployment period of more than one year allowed us to observe different stages of an intrusion [Alata et al. 2006, Alata 2007].

In particular, two main steps of the attack process have been investigated:

1) the first one, generally performed by means of automatic tools, concerns brute-force dictionary attacks aimed at gaining access to the system, and
2) the second step concerns the activities carried out by the attackers once they have succeeded in breaking into the system (i.e., intrusions).

As concluded from the analysis, the second step is generally performed by human beings.
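As an added example (not the honeypot's own tooling), the following script separates the two steps described above in SSH authentication logs: it parses sshd password events, flags sources whose failed attempts arrive at machine speed over several accounts as automated dictionary attacks, and reports any accepted login from such a source or for an account those attacks targeted as the start of the intrusion step. The log lines are constructed in OpenSSH auth.log format using documentation address ranges, and the thresholds `min_attempts` and `max_mean_gap` are assumptions, not values from the papers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format (not data from the honeypot described above).
SAMPLE_LOG = """\
Jan 12 03:14:07 honeypot sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Jan 12 03:14:08 honeypot sshd[2233]: Failed password for invalid user oracle from 203.0.113.5 port 40214 ssh2
Jan 12 03:14:09 honeypot sshd[2235]: Failed password for root from 203.0.113.5 port 40216 ssh2
Jan 12 03:14:10 honeypot sshd[2237]: Failed password for invalid user guest from 203.0.113.5 port 40218 ssh2
Jan 12 03:14:11 honeypot sshd[2239]: Failed password for user1 from 203.0.113.5 port 40220 ssh2
Jan 12 03:14:12 honeypot sshd[2241]: Failed password for invalid user test from 203.0.113.5 port 40222 ssh2
Jan 12 09:02:55 honeypot sshd[3102]: Accepted password for user1 from 198.51.100.7 port 51022 ssh2
Jan 12 10:30:00 honeypot sshd[3300]: Failed password for alice from 192.0.2.9 port 33000 ssh2
Jan 12 10:30:40 honeypot sshd[3301]: Accepted password for alice from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse_auth_log(text):
    """Return (timestamp, outcome, user, source) for each sshd password event; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; deltas within one log are still correct
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3), m.group(4)))
    return events

def analyze(text, min_attempts=5, max_mean_gap=10.0):
    """Step 1: automated dictionary attacks per source. Step 2: accepted logins that follow them (intrusions)."""
    events = parse_auth_log(text)
    failures = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "Failed":
            failures[src].append((ts, user))
    dictionary, targeted = {}, set()
    for src, attempts in failures.items():
        times = sorted(t for t, _ in attempts)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else float("inf")  # a single failure is not a burst
        if len(attempts) >= min_attempts and mean_gap <= max_mean_gap:
            users = sorted({u for _, u in attempts})
            dictionary[src] = {"attempts": len(attempts), "users": users, "mean_gap_s": mean_gap}
            targeted.update(users)
    intrusions, benign = [], []
    for ts, outcome, user, src in events:
        if outcome == "Accepted":  # a success on a targeted account counts even from a new source address
            (intrusions if src in dictionary or user in targeted else benign).append((src, user))
    return {"dictionary_sources": dictionary, "intrusions": intrusions, "benign_logins": benign}
```

On the sample, 203.0.113.5 is reported as a dictionary-attack source, the later accepted login for `user1` from 198.51.100.7 is reported as an intrusion, and the administrator's single typo followed by a successful login from 192.0.2.9 stays benign.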


Figure 1: Honeypots: Observation of Internet attacks


[Alata et al. 2005] E. Alata, M. Dacier, Y. Deswarte, M. Kaâniche, K. Kortchinsky, V. Nicomette, V. H. Pham, F. Pouget, Collection and analysis of attack data based on honeypots deployed on the Internet, First Workshop on Quality of Protection (QoP 2005), Milan, Italy, 15 September 2005, in Quality of Protection: Security Measurements and Metrics, D. Gollmann, F. Massacci, A. Yautsiukhin (Eds.), Advances in Information Security, Springer, ISBN 0-387-29016-8, pp. 79-92.

[Kaâniche et al. 2006] M. Kaâniche, E. Alata, V. Nicomette, Y. Deswarte, M. Dacier, Empirical Analysis and Statistical Modeling of Attack Processes based on Honeypots, Supplemental volume of the 2006 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-2006), Workshop on Empirical Evaluation of Dependability and Security (WEEDS), Philadelphia, USA, 25-28 June 2006, pp. 119-124.

[Alata et al. 2006] E. Alata, V. Nicomette, M. Kaâniche, M. Dacier, M. Herrb, Lessons learned from the deployment of a high interaction honeypot, 6th European Dependable Computing Conference (EDCC-6), Coimbra, Portugal, 18-20 October 2006, IEEE Computer Society, pp. 39-44.

[Alata et al. 2008a] E. Alata, I. Alberdi, V. Nicomette, P. Owezarski, M. Kaâniche, Internet attacks monitoring with dynamic connection redirection mechanisms, Journal in Computer Virology, Springer, Vol. 4, No. 2, pp. 127-136, May 2008.

[Alata et al. 2008b] E. Alata, M. Kaâniche, V. Nicomette, Etude expérimentale d'attaques par dictionnaire (Experimental study of dictionary attacks), 3ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information (SAR/SSI 2008), Loctudy, France, 13-17 October 2008, pp. 301-315.

[Alata 2007] E. Alata, Observation, caractérisation et modélisation de processus d'attaques sur Internet (Observation, characterization and modelling of attack processes on the Internet), PhD thesis, Institut National Polytechnique de Toulouse, December 2007 (LAAS report no. 07805).