Conference Topic

On The Comparison of Network Attack Datasets: An Empirical Analysis

Network malicious activity can be collected and reported by various sources using different attack detection solutions. The granularity of these solutions provides either very detailed information (Intrusion Detection Systems, honeypots) or high-level trends (CAIDA, SANS). The problem for network security operators is often to select the sources of information to better protect their network. How much information from these sources is redundant and how much is unique? The goal of this paper is to show empirically that while some global attack events can be correlated across various sensors, the majority of incoming malicious activity has local specificities. This study presents a comparative analysis of four different attack datasets offering three different levels of granularity: 1) two high interaction honeynets deployed at two different locations (i.e., a corporate and an academic environment); 2) ATLAS which is a distributed network telescope from Arbor; and 3) Internet Protect(TM) which is a global alerting service from AT&T.

Robin Berthier, Dave Korman, Michel Cukier, Matti Hiltunen, Gregg Vesonder, Daniel Sheleheda

Center for Risk and Reliability, Dept. of Mechanical Engineering, University of Maryland, College Park; AT&T Labs Research, Florham Park, NJ

International conference

11th IEEE High Assurance Systems Engineering Symposium (HASE 2008)

Nanjing

English

39-48

2008-12-03 (date first made available online on the Wanfang platform; not the paper's publication date)