Classification of Malicious Distributed SELinux Activities

This paper deals with the classification of malicious activities occurring on a network of SELinux hosts. SELinux system logs come from a high interaction distributed honeypot. An architecture is proposed to compute those events in order to assemble system sessions, such as malicious ones. Afterwards, recognition mechanisms are proposed to classify those activities. The paper presents the classification architecture using comprehensive examples. It is the first solution that supports SELinux sessions. In contrast with previous works, distributed sessions are better addressed using only SELinux logs. The results of experiments use real samples taken from our honeypot. A high performance architecture enables to compute a large amount of events captured during one year on our high interaction honeypot. Our approach enables the real-time reconstruction of system sessions. Moreover, sessions are compared to patterns in order to classify them according to specific attacks. The paper shows that the classification can be done in a linear time. An automatic recognition of new patterns is proposed.