JCP 2009 Vol.4(5): 423-432 ISSN: 1796-203X
doi: 10.4304/jcp.4.5.423-432
doi: 10.4304/jcp.4.5.423-432
Classification of Malicious Distributed SELinux Activities
Mathieu Blanc, Patrice Clemente, Jonathan Rouzaud-Cornabas, Christian Toinard
ENSI de Bourges, LIFO EA 40 22, 88 Bld Lahitolle, 18020 Bourges Cedex, France CEA, DAM, DIF F-91297 Arpajon, France
Abstract—This paper deals with the classification of malicious activities occurring on a network of SELinux hosts. SELinux system logs come from a high interaction distributed honeypot. An architecture is proposed to compute those events in order to assemble system sessions, such as malicious ones. Afterwards, recognition mechanisms are proposed to classify those activities. The paper presents the classification architecture using comprehensive examples. It is the first solution that supports SELinux sessions. In contrast with previous works, distributed sessions are better addressed using only SELinux logs. The results of experiments use real samples taken from our honeypot. A high performance architecture enables to compute a large amount of events captured during one year on our high interaction honeypot. Our approach enables the real-time reconstruction of system sessions. Moreover, sessions are compared to patterns in order to classify them according to specific attacks. The paper shows that the classification can be done in a linear time. An automatic recognition of new patterns is proposed.
Index Terms—SELinux sessions, classification of attacks, distributed sessions.
Abstract—This paper deals with the classification of malicious activities occurring on a network of SELinux hosts. SELinux system logs come from a high interaction distributed honeypot. An architecture is proposed to compute those events in order to assemble system sessions, such as malicious ones. Afterwards, recognition mechanisms are proposed to classify those activities. The paper presents the classification architecture using comprehensive examples. It is the first solution that supports SELinux sessions. In contrast with previous works, distributed sessions are better addressed using only SELinux logs. The results of experiments use real samples taken from our honeypot. A high performance architecture enables to compute a large amount of events captured during one year on our high interaction honeypot. Our approach enables the real-time reconstruction of system sessions. Moreover, sessions are compared to patterns in order to classify them according to specific attacks. The paper shows that the classification can be done in a linear time. An automatic recognition of new patterns is proposed.
Index Terms—SELinux sessions, classification of attacks, distributed sessions.
Cite: Mathieu Blanc, Patrice Clemente, Jonathan Rouzaud-Cornabas, Christian Toinard, "Classification of Malicious Distributed SELinux Activities," Journal of Computers vol. 4, no. 5, pp. 423-432, 2009.
General Information
ISSN: 1796-203X
Abbreviated Title: J.Comput.
Frequency: Bimonthly
Abbreviated Title: J.Comput.
Frequency: Bimonthly
Editor-in-Chief: Prof. Liansheng Tan
Executive Editor: Ms. Nina Lee
Abstracting/ Indexing: DBLP, EBSCO, ProQuest, INSPEC, ULRICH's Periodicals Directory, WorldCat,etc
E-mail: jcp@iap.org
-
Nov 14, 2019 News!
Vol 14, No 11 has been published with online version [Click]
-
Mar 20, 2020 News!
Vol 15, No 2 has been published with online version [Click]
-
Dec 16, 2019 News!
Vol 14, No 12 has been published with online version [Click]
-
Sep 16, 2019 News!
Vol 14, No 9 has been published with online version [Click]
-
Aug 16, 2019 News!
Vol 14, No 8 has been published with online version [Click]
- Read more>>