A honeypot-driven cyber incident monitor: Lessons learned and steps ahead

Emmanouil Vasilomanolakis; Shankar Karuppayah; Panayotis Kikiras; Max Mühlhäuser

doi:10.1145/2799979.2799999

A honeypot-driven cyber incident monitor: Lessons learned and steps ahead

Emmanouil Vasilomanolakis, Shankar Karuppayah, Panayotis Kikiras, Max Mühlhäuser

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

18 Citations (Scopus)

Abstract

In recent years, the amount and the sophistication of cyber attacks has increased significantly. This creates a plethora of challenges from a security perspective. First, for the efficient monitoring of a network, the generated alerts need to be presented and summarized in a meaningful manner. Second, additional analytics are required to identify sophisticated and correlated attacks. In particular, the detection of correlated attacks requires collaboration between different monitoring points. Cyber incident monitors are platforms utilized for supporting the tasks of network administrators and provide an initial step towards coping with the aforementioned challenges. In this paper, we present our cyber incident monitor TraCINg. TraCINg obtains alert data from honeypot sensors distributed across all over the world. The main contribution of this paper is a thoughtful discussion of the lessons learned, both from a design rational perspective as well as from the analysis of data gathered during a five month deployment period. Furthermore, we show that even with a relatively small number of deployed sensors, it is possible to detect correlated attacks that target multiple sensors.

Original language	English
Title of host publication	Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015
Editors	Oleg Makarevich, Mehmet Orgun, Atilla Elci, Manoj Singh Gaur, Ronald Poet, Ludmila Babenko, Maxim Anikeev
Publisher	Association for Computing Machinery
Publication date	8 Sept 2015
ISBN (Electronic)	9781450334532
DOIs	https://doi.org/10.1145/2799979.2799999
Publication status	Published - 8 Sept 2015
Externally published	Yes
Event	8th International Conference on Security of Information and Networks, SIN 2015 - Sochi, Russian Federation Duration: 8 Sept 2015 → 10 Sept 2015

Conference

Conference	8th International Conference on Security of Information and Networks, SIN 2015
Country/Territory	Russian Federation
City	Sochi
Period	08/09/2015 → 10/09/2015
Sponsor	Echelon Information Security

Series	ACM International Conference Proceeding Series
Volume	08-10-Sep-2015

Bibliographical note

Publisher Copyright:
© 2015 ACM.

Keywords

Alert Correlation
Cyber Security
Honeypot
Incident Monitor

Access to Document

10.1145/2799979.2799999

AUB Link

Search for the material in Aalborg University Library's search engine

Cite this

Vasilomanolakis, E., Karuppayah, S., Kikiras, P., & Mühlhäuser, M. (2015). A honeypot-driven cyber incident monitor: Lessons learned and steps ahead. In O. Makarevich, M. Orgun, A. Elci, M. S. Gaur, R. Poet, L. Babenko, & M. Anikeev (Eds.), Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015 Association for Computing Machinery. https://doi.org/10.1145/2799979.2799999

Vasilomanolakis, Emmanouil ; Karuppayah, Shankar ; Kikiras, Panayotis et al. / A honeypot-driven cyber incident monitor : Lessons learned and steps ahead. Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015. editor / Oleg Makarevich ; Mehmet Orgun ; Atilla Elci ; Manoj Singh Gaur ; Ronald Poet ; Ludmila Babenko ; Maxim Anikeev. Association for Computing Machinery, 2015. (ACM International Conference Proceeding Series, Vol. 08-10-Sep-2015).

@inproceedings{41be8e862eb54a1aa9ccbca8cbf39412,

title = "A honeypot-driven cyber incident monitor: Lessons learned and steps ahead",

abstract = "In recent years, the amount and the sophistication of cyber attacks has increased significantly. This creates a plethora of challenges from a security perspective. First, for the efficient monitoring of a network, the generated alerts need to be presented and summarized in a meaningful manner. Second, additional analytics are required to identify sophisticated and correlated attacks. In particular, the detection of correlated attacks requires collaboration between different monitoring points. Cyber incident monitors are platforms utilized for supporting the tasks of network administrators and provide an initial step towards coping with the aforementioned challenges. In this paper, we present our cyber incident monitor TraCINg. TraCINg obtains alert data from honeypot sensors distributed across all over the world. The main contribution of this paper is a thoughtful discussion of the lessons learned, both from a design rational perspective as well as from the analysis of data gathered during a five month deployment period. Furthermore, we show that even with a relatively small number of deployed sensors, it is possible to detect correlated attacks that target multiple sensors.",

keywords = "Alert Correlation, Cyber Security, Honeypot, Incident Monitor",

author = "Emmanouil Vasilomanolakis and Shankar Karuppayah and Panayotis Kikiras and Max M{\"u}hlh{\"a}user",

note = "Publisher Copyright: {\textcopyright} 2015 ACM.; 8th International Conference on Security of Information and Networks, SIN 2015 ; Conference date: 08-09-2015 Through 10-09-2015",

year = "2015",

month = sep,

day = "8",

doi = "10.1145/2799979.2799999",

language = "English",

series = "ACM International Conference Proceeding Series",

editor = "Oleg Makarevich and Mehmet Orgun and Atilla Elci and Gaur, {Manoj Singh} and Ronald Poet and Ludmila Babenko and Maxim Anikeev",

booktitle = "Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015",

publisher = "Association for Computing Machinery",

address = "United States",

}

Vasilomanolakis, E, Karuppayah, S, Kikiras, P & Mühlhäuser, M 2015, A honeypot-driven cyber incident monitor: Lessons learned and steps ahead. in O Makarevich, M Orgun, A Elci, MS Gaur, R Poet, L Babenko & M Anikeev (eds), Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015. Association for Computing Machinery, ACM International Conference Proceeding Series, vol. 08-10-Sep-2015, 8th International Conference on Security of Information and Networks, SIN 2015, Sochi, Russian Federation, 08/09/2015. https://doi.org/10.1145/2799979.2799999

A honeypot-driven cyber incident monitor: Lessons learned and steps ahead. / Vasilomanolakis, Emmanouil; Karuppayah, Shankar; Kikiras, Panayotis et al.
Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015. ed. / Oleg Makarevich; Mehmet Orgun; Atilla Elci; Manoj Singh Gaur; Ronald Poet; Ludmila Babenko; Maxim Anikeev. Association for Computing Machinery, 2015. (ACM International Conference Proceeding Series, Vol. 08-10-Sep-2015).

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

TY - GEN

T1 - A honeypot-driven cyber incident monitor

T2 - 8th International Conference on Security of Information and Networks, SIN 2015

AU - Vasilomanolakis, Emmanouil

AU - Karuppayah, Shankar

AU - Kikiras, Panayotis

AU - Mühlhäuser, Max

PY - 2015/9/8

Y1 - 2015/9/8

N2 - In recent years, the amount and the sophistication of cyber attacks has increased significantly. This creates a plethora of challenges from a security perspective. First, for the efficient monitoring of a network, the generated alerts need to be presented and summarized in a meaningful manner. Second, additional analytics are required to identify sophisticated and correlated attacks. In particular, the detection of correlated attacks requires collaboration between different monitoring points. Cyber incident monitors are platforms utilized for supporting the tasks of network administrators and provide an initial step towards coping with the aforementioned challenges. In this paper, we present our cyber incident monitor TraCINg. TraCINg obtains alert data from honeypot sensors distributed across all over the world. The main contribution of this paper is a thoughtful discussion of the lessons learned, both from a design rational perspective as well as from the analysis of data gathered during a five month deployment period. Furthermore, we show that even with a relatively small number of deployed sensors, it is possible to detect correlated attacks that target multiple sensors.

AB - In recent years, the amount and the sophistication of cyber attacks has increased significantly. This creates a plethora of challenges from a security perspective. First, for the efficient monitoring of a network, the generated alerts need to be presented and summarized in a meaningful manner. Second, additional analytics are required to identify sophisticated and correlated attacks. In particular, the detection of correlated attacks requires collaboration between different monitoring points. Cyber incident monitors are platforms utilized for supporting the tasks of network administrators and provide an initial step towards coping with the aforementioned challenges. In this paper, we present our cyber incident monitor TraCINg. TraCINg obtains alert data from honeypot sensors distributed across all over the world. The main contribution of this paper is a thoughtful discussion of the lessons learned, both from a design rational perspective as well as from the analysis of data gathered during a five month deployment period. Furthermore, we show that even with a relatively small number of deployed sensors, it is possible to detect correlated attacks that target multiple sensors.

KW - Alert Correlation

KW - Cyber Security

KW - Honeypot

KW - Incident Monitor

UR - http://www.scopus.com/inward/record.url?scp=84958601909&partnerID=8YFLogxK

U2 - 10.1145/2799979.2799999

DO - 10.1145/2799979.2799999

M3 - Article in proceeding

AN - SCOPUS:84958601909

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015

A2 - Makarevich, Oleg

A2 - Orgun, Mehmet

A2 - Elci, Atilla

A2 - Gaur, Manoj Singh

A2 - Poet, Ronald

A2 - Babenko, Ludmila

A2 - Anikeev, Maxim

PB - Association for Computing Machinery

Y2 - 8 September 2015 through 10 September 2015

ER -

Vasilomanolakis E, Karuppayah S, Kikiras P, Mühlhäuser M. A honeypot-driven cyber incident monitor: Lessons learned and steps ahead. In Makarevich O, Orgun M, Elci A, Gaur MS, Poet R, Babenko L, Anikeev M, editors, Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015. Association for Computing Machinery. 2015. (ACM International Conference Proceeding Series, Vol. 08-10-Sep-2015). doi: 10.1145/2799979.2799999

A honeypot-driven cyber incident monitor: Lessons learned and steps ahead

Abstract

Conference

Bibliographical note

Keywords

Access to Document

AUB Link

Other files and links

Fingerprint

Cite this