ISSN : 1796-203X
Volume : 4    Issue : 5    Date : May 2009

Classification of Malicious Distributed SELinux Activities
Mathieu Blanc, Patrice Clemente, Jonathan Rouzaud-Cornabas, and Christian Toinard
Page(s): 423-432

This paper deals with the classification of malicious activities occurring on a network of SELinux
hosts. The SELinux system logs come from a high-interaction distributed honeypot. An architecture is
proposed to process those log events in order to assemble system sessions, in particular malicious
ones. Recognition mechanisms are then proposed to classify those activities. The paper
presents the classification architecture using comprehensive examples. It is the first solution that
supports SELinux sessions. In contrast with previous works, distributed sessions are better
addressed using only SELinux logs. The experimental results use real samples taken from our
honeypot. A high-performance architecture makes it possible to process the large volume of events
captured during one year on our high-interaction honeypot. Our approach enables the real-time
reconstruction of system sessions. Moreover, sessions are compared to patterns in order to
classify them according to specific attacks. The paper shows that the classification can be done in
linear time. An automatic recognition of new patterns is also proposed.

Index Terms
SELinux sessions, classification of attacks, distributed sessions.