Technical Track
In this paper, we present a method to detect the existence of sophisticated
attack tools on the Internet that combine, in a misleading way, several
exploits. These tools apply various attack strategies, resulting in several
different attack fingerprints. A few of these sophisticated tools have already
been identified, e.g. Welchia. However, devising a method to automatically
detect them is very challenging since their different fingerprints are
apparently unrelated. We propose a technique to automatically detect their
existence through their time signatures. We demonstrate the value of the
technique on a large set of real-world attack traces and discover a handful of
these new sophisticated tools.
http://www.first.org/conference/2006/papers/pouget-fabien-slides.pdf
Type: Slides
Format: application/pdf
Last updated: July 12, 2006
Size: 1.84 Mb
http://www.first.org/conference/2006/papers/pouget-fabien-papers.pdf
Type: Paper
Format: application/pdf
Last updated: July 12, 2006
Size: 384 Kb
Authors & presenters
Fabien Pouget (CERTA French Government, FR)
Guillaume Urvoy-Keller (Institut EURECOM, FR)
Marc Dacier (Institut EURECOM, FR)