Abstract

A honeypot system can be deployed to lure and record malicious intrusions over the Internet. However, the events logged by a honeypot rapidly accumulate into an enormous amount of data, more than an administrator can handle. The proposed system combines episode mining and pruning, and allows an administrator to identify suspected intrusions and thus concentrate on addressing them, instead of reading enormous amounts of raw data. An attack episode is composed of a series of events, and represents an Internet intrusion as a series of relevant events occurring to a victim host in a specific sequence. Because of the variety of Internet attacks, this paper focuses on discovering attack episodes for the Server Message Block (SMB) protocol, which provides Microsoft Windows network services. Experiments show that the proposed approach can locate suspicious episodes, which are very likely novel attacks, within an immense amount of logged data.
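The abstract describes the idea at a high level: an episode is an ordered sequence of events observed on a victim host, frequent episodes are mined from the honeypot log, and pruning reduces what the administrator has to read. The following is an added illustration written for this page; it is not the paper's system and does not reproduce its algorithm or its event taxonomy. It assumes a constructed log of `(victim_host, timestamp, event_type)` records with illustrative SMB-style labels, defines an episode's support as the fraction of victim hosts on which it occurs in order within a time window, mines serial episodes level by level with Apriori-style candidate pruning, and then prunes the result to closed episodes (those not contained in a longer episode with the same support) minus an assumed list of known benign episodes.

```python
from collections import defaultdict

# Constructed honeypot event log: (victim_host, timestamp in seconds, event type).
# Event labels are illustrative SMB-style names chosen for this example, not the
# paper's taxonomy. Hosts .5/.7 open a named pipe over IPC$; hosts .9/.11 write
# to a file share. Every host starts with negotiate + session setup.
EVENTS = [
    ("10.0.0.5", 0, "smb_negotiate"), ("10.0.0.5", 1, "smb_session_setup"),
    ("10.0.0.5", 2, "smb_tree_connect_ipc"), ("10.0.0.5", 3, "smb_pipe_open"),
    ("10.0.0.5", 4, "smb_write_pipe"),
    ("10.0.0.7", 5, "smb_negotiate"), ("10.0.0.7", 6, "smb_session_setup"),
    ("10.0.0.7", 7, "smb_tree_connect_ipc"), ("10.0.0.7", 8, "smb_pipe_open"),
    ("10.0.0.7", 9, "smb_write_pipe"),
    ("10.0.0.9", 0, "smb_negotiate"), ("10.0.0.9", 1, "smb_session_setup"),
    ("10.0.0.9", 2, "smb_tree_connect_share"), ("10.0.0.9", 3, "smb_file_write"),
    ("10.0.0.11", 0, "smb_negotiate"), ("10.0.0.11", 1, "smb_session_setup"),
    ("10.0.0.11", 2, "smb_tree_connect_share"), ("10.0.0.11", 3, "smb_file_write"),
]


def build_streams(events):
    """Group events per victim host into a time-sorted stream of (ts, type)."""
    streams = defaultdict(list)
    for host, ts, etype in events:
        streams[host].append((ts, etype))
    for seq in streams.values():
        seq.sort()
    return streams


def occurs(seq, episode, window):
    """True if `episode` appears in `seq` as an ordered subsequence whose first and
    last events lie at most `window` seconds apart. With the start fixed, matching
    each remaining element at its earliest occurrence is optimal."""
    for i, (t0, e0) in enumerate(seq):
        if e0 != episode[0]:
            continue
        k, j = 1, i + 1
        while k < len(episode) and j < len(seq) and seq[j][0] - t0 <= window:
            if seq[j][1] == episode[k]:
                k += 1
            j += 1
        if k == len(episode):
            return True
    return False


def support(streams, episode, window):
    """Fraction of victim hosts on which the episode occurs (each host counts once)."""
    return sum(occurs(seq, episode, window) for seq in streams.values()) / len(streams)


def mine_episodes(events, window=30, min_support=0.5):
    """Level-wise serial episode mining. Returns {episode_tuple: support}."""
    streams = build_streams(events)
    level = {}
    for a in sorted({e for _, _, e in events}):
        s = support(streams, (a,), window)
        if s >= min_support:
            level[(a,)] = s
    singles, frequent = list(level), {}
    while level:
        frequent.update(level)
        nxt = {}
        for ep in level:
            for (a,) in singles:
                cand = ep + (a,)
                # Apriori pruning: the length-k suffix of a frequent (k+1)-episode
                # must itself be frequent, so skip candidates whose suffix is not.
                if cand[1:] not in level:
                    continue
                s = support(streams, cand, window)
                if s >= min_support:
                    nxt[cand] = s
        level = nxt
    return frequent


def is_subepisode(short, long):
    """Ordered-subsequence test between two episodes."""
    it = iter(long)
    return all(e in it for e in short)


def prune_closed(frequent):
    """Keep only closed episodes: drop any episode contained in a longer frequent
    episode with the same support, since the longer one carries the same evidence."""
    return {ep: s for ep, s in frequent.items()
            if not any(len(o) > len(ep) and abs(s2 - s) < 1e-9 and is_subepisode(ep, o)
                       for o, s2 in frequent.items())}


def suspicious_episodes(events, known_benign=(), **kw):
    """Closed frequent episodes not on the (assumed) known-benign list, longest first."""
    closed = prune_closed(mine_episodes(events, **kw))
    benign = set(known_benign)
    return sorted(((ep, s) for ep, s in closed.items() if ep not in benign),
                  key=lambda x: (-len(x[0]), -x[1]))


if __name__ == "__main__":
    # Plain negotiate + session setup is assumed to be ordinary client behaviour.
    for ep, s in suspicious_episodes(EVENTS, known_benign=[("smb_negotiate", "smb_session_setup")]):
        print(f"support={s:.2f}  " + " -> ".join(ep))
```

On this constructed log the miner finds 43 frequent episodes, but closed-episode pruning collapses them to three (the two full host sequences plus the shared negotiate/session-setup prefix), and the benign filter leaves the two multi-step sequences for the administrator to examine. The time window and host-based support are the two parameters an operator would tune: a wider window joins events from separate connections into one episode, and a lower minimum support surfaces rarer sequences at the cost of more output.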
