ABSTRACT

Model order selection (MOS) schemes, which are frequently employed in several signal processing applications, are shown to be effective tools for the detection of malicious activities in honeypot data. In this paper, we extend previous results by proposing a method that builds on parallel MOS computation, in order to obtain efficient and scalable blind automatic detection of malicious activity in distributed honeypots. Our proposed scheme does not require any previous information on attacks or human intervention. We model network traffic data as signals and noise and then apply modified signal processing methods. However, unlike the previous centralized solutions, we propose that the data collected by each honeypot node be processed by nodes in a cluster (that may consist of the collection nodes themselves) and then grouped to obtain the final results. This is achieved by having each node locally compute the Eigenvalue Decomposition (EVD) of its own sample correlation matrix (obtained from the honeypot data) and transmit the resulting eigenvalues to a central node, where the global eigenvalues and final model order are computed. The model order computed from the global eigenvalues through RADOI represents the number of malicious activities detected in the analysed data. The feasibility of the proposed approach is demonstrated through simulation experiments.



KEYWORDS

Intrusion Detection, Honeypot, Model Order Selection, Principal Component Analysis.

THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS

Volume 6, Number 1, pages 8-27, DOI: 10.5769/J201101001 or http://dx.doi.org/10.5769/J201101001


A Parallel Approach to PCA Based Malicious Activity Detection in Distributed Honeypot Data


By Bernardo David, João Paulo Costa, Anderson Nascimento, Marcelo Holtz, Dino Amaral, and Rafael Sousa Júnior


