This paper presents the R-D Akaike Information Criterion (AIC) and R-D Minimum Description Length (MDL) for the automatic identification of malicious activities in honeypot networks, based on state-of-the-art model order selection schemes. Model order selection (MOS) schemes are frequently applied in signal processing applications such as RADAR, SONAR, communications, channel modeling, medical imaging, and the estimation of dominant multipath component parameters from MIMO channel measurements. This paper proposes a new application for these MOS schemes: the identification of malicious activity in honeypots. The proposed blind automatic techniques are efficient and require neither prior training nor knowledge of attack signatures to detect malicious activities. To achieve this, an innovative approach is adopted that models network traffic data as signal plus noise, allowing signal processing methods to be applied. The model order selection schemes are adapted to process network data, and it is shown that the R-D Modified AIC and R-D MDL overcome the limitations of other schemes because they can be applied to honeypot networks composed of several computers. The performance of the proposed solution is evaluated using the Probability of Detection (PoD).
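The abstract describes traffic as signal plus noise and lets an eigenvalue-based model order selection scheme count the "signal" components, each of which corresponds to a correlated pattern of activity across the honeypots. The following is an added example, not code from the paper or its authors: it implements the classical one-dimensional AIC and MDL criteria of Wax and Kailath on a constructed honeypot traffic matrix (rows are time bins, columns are honeypot sensors, values are standardised connection counts). The paper's R-D variants and its modified AIC are not reproduced; `numpy` is assumed as the only dependency, and the attack patterns and noise model are constructed for illustration.

```python
"""Eigenvalue-based model order selection (AIC / MDL) on constructed honeypot data.

Added example. Assumptions: numpy is available; the classical Wax & Kailath
criteria are used, not the R-D / modified forms described in the paper.
"""
import numpy as np


def information_criteria(eigenvalues, n_samples):
    """Return (aic, mdl) arrays indexed by candidate order k = 0 .. M-1.

    For each k, the M-k smallest eigenvalues are treated as noise; the
    log-likelihood term compares their geometric and arithmetic means
    (equal only if all noise eigenvalues are identical).
    """
    lam = np.sort(np.asarray(eigenvalues, dtype=float))[::-1]
    M = lam.size
    aic = np.empty(M)
    mdl = np.empty(M)
    for k in range(M):
        tail = lam[k:]                                   # noise eigenvalues under order k
        geo = np.exp(np.mean(np.log(tail)))              # geometric mean via logs (no overflow)
        arith = np.mean(tail)
        loglik = (M - k) * n_samples * np.log(geo / arith)   # always <= 0
        free_params = k * (2 * M - k)                    # parameters of a k-component model
        aic[k] = -2.0 * loglik + 2.0 * free_params
        mdl[k] = -loglik + 0.5 * free_params * np.log(n_samples)
    return aic, mdl


def estimate_order(traffic, criterion="mdl"):
    """Number of correlated activity components found in a (time x sensor) matrix."""
    n_samples = traffic.shape[0]
    cov = np.cov(traffic, rowvar=False)                  # centres each sensor column
    eig = np.linalg.eigvalsh(cov)
    aic, mdl = information_criteria(eig, n_samples)
    scores = mdl if criterion == "mdl" else aic
    return int(np.argmin(scores))


def make_traffic(n_bins=2000, n_sensors=8, n_attacks=2, seed=7):
    """Constructed data: unit-variance benign noise per sensor plus n_attacks
    coordinated patterns, each hitting a disjoint block of sensors with a
    random amplitude of standard deviation 4 (hypothetical, for illustration)."""
    rng = np.random.default_rng(seed)
    X = rng.normal(0.0, 1.0, size=(n_bins, n_sensors))
    block = n_sensors // max(n_attacks, 1)
    for i in range(n_attacks):
        direction = np.zeros(n_sensors)
        direction[i * block:(i + 1) * block] = 1.0       # sensors this campaign touches
        amplitude = rng.normal(0.0, 4.0, size=n_bins)    # activity level per time bin
        X += np.outer(amplitude, direction)
    return X


if __name__ == "__main__":
    for attacks in (0, 1, 2):
        data = make_traffic(n_attacks=attacks)
        print(f"{attacks} injected campaign(s): MDL order = {estimate_order(data)}, "
              f"AIC order = {estimate_order(data, criterion='aic')}")
```

MDL is the criterion to rely on here: its penalty grows with the logarithm of the number of time bins, so it stays consistent as more data is collected, while the fixed AIC penalty is known to over-count components when the sample is large, which is the weakness the abstract's "Modified AIC" is presumably aimed at. A detector built this way raises an alert when the estimated order exceeds the order measured during a quiet baseline period, without any attack signature.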
THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS
Volume 7, Number 2, pages 8-20, DOI: 10.5769/J201202001 or http://dx.doi.org/10.5769/J201202001
Improved Parallel Approach to PCA Based Malicious Activity Detection in Distributed Honeypot Data
By João Paulo Costa, Edison Freitas, Antonio Serrano, and Rafael Sousa Júnior