Automated Attack Community Graph Construction
by Yu-Chin Cheng for The Honeynet Project
The large volume of honeypot logs makes data analysis and interpretation difficult. To reduce analysts' workload and the complexity of the analysis, this GSoC idea is to build an attack community graph automatically, from which attack approaches and intentions can be elicited and described. The idea is divided into three stages. The first constructs an attack graph by extracting the relationships among criminals, victims and malicious servers from honeypot logs; with a centrality calculation mechanism I can apply centrality to groups of attack-approach actors as well as to individual actors. The second evaluates the relative centrality of the different attack-approach actors in order to integrate them into the attack community graph and present their behavioural intentions. The third develops an app that presents the attack community graph and integrates it into the Splunk platform, where the Honeynet Project stores its logs and shows the daily analysis results.
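As an added illustration of the first stage and the centrality mechanism (example code written for this page, not the project's own code; the key=value log format, host names and addresses are constructed), the snippet below extracts attacker, honeypot and download-server relationships from sample log lines, builds an undirected attack graph, and ranks both individual actors and a group of actors by degree centrality:

```python
# Added example: build a small attack graph from constructed honeypot log
# records and compute individual and group degree centrality.
# The log layout (attacker=, honeypot=, server=) and every host value are
# constructed for illustration and are not the Honeynet Project's format.
from collections import defaultdict

# Constructed records: each honeypot session links the attacking host, the
# honeypot (victim) it hit and the server it fetched a payload from.
SAMPLE_LOG = """\
2023-01-01T00:00:01 attacker=192.0.2.10 honeypot=hp-1 server=dl.example
2023-01-01T00:05:09 attacker=192.0.2.11 honeypot=hp-1 server=dl.example
2023-01-01T00:07:44 attacker=192.0.2.12 honeypot=hp-2 server=dl.example
2023-01-01T01:12:30 attacker=192.0.2.10 honeypot=hp-2 server=cdn.example
2023-01-01T02:00:15 attacker=198.51.100.7 honeypot=hp-3 server=cdn.example
"""

def parse_log(text):
    """Yield (attacker, honeypot, server) triples from key=value log lines."""
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        yield fields["attacker"], fields["honeypot"], fields["server"]

def build_graph(records):
    """Undirected adjacency: attacker-honeypot and attacker-server edges."""
    adj = defaultdict(set)
    for attacker, honeypot, server in records:
        for a, b in ((attacker, honeypot), (attacker, server)):
            adj[a].add(b)
            adj[b].add(a)
    return adj

def degree_centrality(adj):
    """Freeman degree centrality: neighbours / (N - 1) for every node."""
    n = len(adj)
    return {v: len(nb) / (n - 1) for v, nb in adj.items()}

def group_degree_centrality(adj, group):
    """Everett-Borgatti group degree: share of non-members adjacent to any
    member, so a set of cooperating actors is scored like a single actor."""
    group = set(group)
    reached = set().union(*(adj[v] for v in group)) - group
    return len(reached) / (len(adj) - len(group))

if __name__ == "__main__":
    graph = build_graph(parse_log(SAMPLE_LOG))
    for node, score in sorted(degree_centrality(graph).items(),
                              key=lambda kv: -kv[1])[:3]:
        print(f"{node:15} {score:.3f}")
    print("group {.11,.12}", group_degree_centrality(
        graph, ["192.0.2.11", "192.0.2.12"]))
```

The most central node here is the attacker that hit two honeypots via two servers, and the two-attacker group scores 3/7 because it reaches three of the seven non-member nodes.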