Detecting Connection-Chains: A Data Mining Approach

A connection-chain refers to a mechanism in which someone recursively logs into a host, then from there logs into another host, and so on. Connection-chains are an important vector in many security attacks, so it is essential to be able to detect them. In this paper, we propose a host-based algorithm to detect them. We adopt a black-box approach: we passively monitor inbound and outbound packets at a host and analyze the observed packets using association rule mining. We first explain the proposed algorithm in greater detail, then present evaluations that demonstrate its efficiency and detection capabilities. We conduct the evaluation using public network traces, and show that by appropriately setting the underlying parameters we can achieve perfect detection, meaning a true positive rate (TPR) of 100% and a false positive rate (FPR) of 0%.
Ahmad Almulhem, Issa Traoré
Added 18 May 2011
Updated 18 May 2011
Type Journal
Year 2010
Authors Ahmad Almulhem, Issa Traoré