Published June 22, 2022 | Version v1
Conference paper Open

Host-based Cyber Attack Pattern Identification on Honeypot Logs Using Association Rule Learning

  • 1. Information Technologies Institute, CERTH, Thessaloniki, Greece


Attack pattern identification is a significant step for protecting organisations from cyber-threats, as it can be used to reveal valuable patterns, enabling the better detection and analysis of the respective attacks that can be leveraged for the development of effective and efficient Intrusion Detection Systems. In this work, Association Rule Learning (ARL), a data mining technique, is used for the identification of attack patterns from data collected from a public honeypot. Using the FP-Growth ARL algorithm, we identified different patterns of attacks and correlated the respective commands executed by various attackers. To our knowledge, this is the first time ARL has been used to extract attack patterns from commands run by the attackers using real-world log data collected at the host level.


This is the accepted version of the paper. The final version of the paper can be found at



Files (169.2 kB)

Name Size Download all
169.2 kB Preview Download

Additional details


FORESIGHT – Advanced cyber-security simulation platform for preparedness training in Aviation, Naval and Power-grid environments 833673
European Commission
ECHO – European network of Cybersecurity centres and competence Hub for innovation and Operations 830943
European Commission