Model order selection (MOS) schemes, which are frequently employed in several signal processing applications, are shown to be effective tools for the detection of malicious activities in honeypot data. In this paper, we extend previous results by proposing a method that builds on parallel MOS computation, in order to obtain efficient and scalable blind automatic detection of malicious activity in distributed honeypots. Our proposed scheme does not require any previous information on attacks or human intervention. We model network traffic data as signals and noise and then apply modified signal processing methods. However, unlike the previous centralized solutions, we propose that the data collected by each honeypot node be processed by nodes in a cluster (which may consist of the collection nodes themselves) and then grouped to obtain the final results. This is achieved by having each node locally compute the Eigenvalue Decomposition (EVD) of its own sample correlation matrix (obtained from the honeypot data) and transmit the resulting eigenvalues to a central node, where the global eigenvalues and the final model order are computed. The model order computed from the global eigenvalues through RADOI represents the number of malicious activities detected in the analysed data. The feasibility of the proposed approach is demonstrated through simulation experiments.
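As an added example (not code from the paper), the pipeline the abstract describes, run on constructed data: every node computes the eigenvalues of its own sample correlation matrix and transmits only those, and the central node forms global eigenvalues and applies a model order selection criterion. Two things are assumptions of this example rather than statements of the page: the global eigenvalues are taken as the mean of the sorted local eigenvalues, and the Wax-Kailath MDL criterion stands in for RADOI, whose formula the page does not give.

```python
import math, random

def sample_correlation(snaps):
    # (1/N) X^T X over N snapshots of M features (per-node honeypot data)
    n, m = len(snaps), len(snaps[0])
    return [[sum(r[i] * r[j] for r in snaps) / n for j in range(m)] for i in range(m)]

def eigenvalues_sym(a, sweeps=60):
    # Jacobi rotations on a copy of a symmetric matrix; eigenvalues sorted descending
    a, m = [row[:] for row in a], len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(m) for j in range(m) if i != j) < 1e-18:
            break
        for p in range(m):
            for q in range(p + 1, m):
                if a[p][q] == 0: continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1, theta) / (abs(theta) + math.hypot(theta, 1))
                c = 1 / math.hypot(t, 1); s = t * c
                for k in range(m):  # A <- A J, then A <- J^T A, in the (p, q) plane
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                for k in range(m):
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return sorted((a[i][i] for i in range(m)), reverse=True)

def mdl(eigs, n):
    # Wax-Kailath MDL (stand-in for RADOI): white-noise misfit of the M-k smallest
    # eigenvalues plus a penalty for the parameters of k signal components
    m, costs = len(eigs), []
    for k in range(m):
        tail = eigs[k:]
        geo = math.exp(sum(math.log(v) for v in tail) / len(tail))
        misfit = -n * len(tail) * math.log(geo / (sum(tail) / len(tail)))
        costs.append((misfit + 0.5 * k * (2 * m - k) * math.log(n), k))
    return min(costs)[1]

def simulate_node(seed, n_snap, mixing, sig_var=4.0, noise_var=1.0):
    # Constructed honeypot data: a snapshot holds per-service hit counters for one
    # time slot, driven by d hidden attack patterns (columns of mixing) plus white noise.
    rng, m, d = random.Random(seed), len(mixing), len(mixing[0])
    snaps = []
    for _ in range(n_snap):
        s = [rng.gauss(0, math.sqrt(sig_var)) for _ in range(d)]
        snaps.append([sum(mixing[i][j] * s[j] for j in range(d))
                      + rng.gauss(0, math.sqrt(noise_var)) for i in range(m)])
    return snaps

MIXING = [[1, 0], [1, 0], [1, 0.5], [0.5, 1], [0, 1], [0, 1]]  # two constructed patterns, six services

def distributed_model_order(num_nodes=4, n_snap=1000):
    # Step 1 at each node: local EVD; only the M eigenvalues are transmitted.
    local = [eigenvalues_sym(sample_correlation(simulate_node(k + 1, n_snap, MIXING)))
             for k in range(num_nodes)]
    # Step 2 at the central node: global eigenvalues as the mean of the sorted local
    # ones (an assumption; the combination rule is not given on this page), then MOS.
    global_eigs = [sum(e[i] for e in local) / num_nodes for i in range(len(MIXING))]
    return mdl(global_eigs, n_snap)
```

For the constructed data, `distributed_model_order()` returns 2, the number of planted attack patterns, and the only traffic each node sends to the central node is its six eigenvalues.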
Intrusion Detection, Honeypot, Model Order Selection, Principal Component Analysis.
THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS
Volume 6, Number 1, pages 8-27, DOI: 10.5769/J201101001 or http://dx.doi.org/10.5769/J201101001
A Parallel Approach to PCA Based Malicious Activity Detection in Distributed Honeypot Data
By Bernardo David, João Paulo Costa, Anderson Nascimento, Marcelo Holtz, Dino Amaral, and Rafael Sousa Júnior