Detection of vulnerability scanning using features of collective accesses based on information collected from multiple honeypots

Title: Detection of vulnerability scanning using features of collective accesses based on information collected from multiple honeypots
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Kuze, N., Ishikura, S., Yagi, T., Chiba, D., Murata, M.
Conference Name: NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium
Keywords: attack prevention, classification, collective access feature, compositionality, computer network security, Conferences, crawler classification, Crawlers, decoy Web honeypot, features of collective accesses, Google, Human Behavior, human factors, information collection, Intrusion detection, IP networks, malicious threat, Metrics, multiple honeypot, pattern classification, Ports (Computers), pubcrawl, Resiliency, vulnerability detection, vulnerability scanning detection, Web crawling, Web search crawler, Web servers, Web Service, web services, Web site, Web sites, Web vulnerability, web-based attacks

Attacks against websites are increasing rapidly with the expansion of web services. An increasing number of diversified web services make it difficult to prevent such attacks due to many known vulnerabilities in websites. To overcome this problem, it is necessary to collect the most recent attacks using decoy web honeypots and to implement countermeasures against malicious threats. Web honeypots collect not only malicious accesses by attackers but also benign accesses such as those by web search crawlers. Thus, it is essential to develop a means of automatically identifying malicious accesses from mixed collected data including both malicious and benign accesses. Specifically, detecting vulnerability scanning, which is a preliminary process, is important for preventing attacks. In this study, we focused on classification of accesses for web crawling and vulnerability scanning since these accesses are too similar to be identified. We propose a feature vector including features of collective accesses, e.g., intervals of request arrivals and the dispersion of source port numbers, obtained with multiple honeypots deployed in different networks for classification. Through evaluation using data collected from 37 honeypots in a real network, we show that features of collective accesses are advantageous for vulnerability scanning and crawler classification.

Citation Key: kuze_detection_2016