Extracting Inter-arrival Time Based Behaviour from Honeypot Traffic using Cliques

Almotairi, Saleh I., Clark, Andrew J., Dacier, Marc, Leita, Corrado, Mohay, George M., Pham, Van Hau, Thonnard, Olivier, & Zimmermann, Jacob (2007) Extracting Inter-arrival Time Based Behaviour from Honeypot Traffic using Cliques. In Valli, Craig & Woodward, Andrew (Eds.) 5th Australian Digital Forensics Conference, 3 December 2007, Perth, Western Australia.


The Leurre.com project is a worldwide network of honeypot environments that collect traces of malicious Internet traffic every day. Clustering techniques have been utilized to categorize and classify honeypot activities based on several traffic features. While such clusters of traffic provide useful information about different activities that are happening in the Internet, a new correlation approach is needed to automate the discovery of refined types of activities that share common features. This paper proposes the use of packet inter-arrival time (IAT) as a main feature in grouping clusters that exhibit commonalities in their IAT distributions. Our approach utilizes the cliquing algorithm for the automatic discovery of cliques of clusters. We demonstrate the usefulness of our methodology by providing several examples of IAT cliques and a discussion of the types of activity they represent. We also give some insight into the causes of these activities. In addition, we address the limitation of our approach, through the manual extraction of what we term supercliques, and discuss ideas for further improvement.

Impact and interest:

6 citations in Scopus
Search Google Scholar™

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

Full-text downloads:

409 since deposited on 05 Aug 2008
15 in the past twelve months

Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

ID Code: 14289
Item Type: Conference Paper
Refereed: Yes
Additional Information: The contents of this conference can be freely accessed online via the conference's web page (see hypertext link).
Additional URLs:
ISBN: 0729806464
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Format not elsewhere classified (080499)
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2007 (The authors)
Copyright Statement: The author/s assign SCISSEC & Edith Cowan
University a non-exclusive license to use this document for personal use provided that the article is used in full
and this copyright statement is reproduced. The authors also grant a non-exclusive license to SCISSEC & ECU
to publish this document in full in the Conference Proceedings. Such documents may be published on the World
Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is
prohibited without the express permission of the authors.
Deposited On: 05 Aug 2008 00:00
Last Modified: 29 Feb 2012 13:33

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page