Computing Reviews
A statistical analysis of attack data to separate attacks
Cukier M., Berthier R., Panjwani S., Tan S. Dependable systems and networks (Proceedings of the International Conference on Dependable Systems and Networks (DSN’06), Jun 25-28, 2006), 383-392, 2006. Type: Proceedings
Date Reviewed: May 16 2007

When categorizing attacks provides insight into how they can be defended against, the work of separating attacks becomes crucial. In this research, a test bed is configured to collect data used in the attacks, such as port scans, Internet control message protocol (ICMP) scans, and vulnerability scans, including a specific type of attack against the server message block (SMB) protocol. (The SMB protocol provides a mechanism for client systems to request file services over a network.) Then, a specific clustering algorithm, the k-means algorithm, is used to separate the collected data from SMB attacks with criteria such as the number of bytes, packets, message length, and duration per attack.

The k-means algorithm has been used in various data mining applications to divide data into clusters. The main contributions of the paper are how the attack data is collected and the process of analyzing it. However, while the k-means algorithm provides a sound basis for finding clusters, applying it to separate “all” attacks may not be quite appropriate. This may be the reason why this study singles out the attacks against SMB from other attacks when applying the k-means algorithm.

In summary, the title of this paper should really be changed to emphasize that the main goal is to categorize SMB attacks. It is a good reference for empirical studies of attacks.

Reviewer:  Cheer-Sun Yang Review #: CR134275 (0809-0921)
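The clustering step the review describes, k-means over per-attack features, is sketched below as an added example; it is not code from the paper or from the reviewer. The feature values are constructed, and the z-score scaling and farthest-point seeding are assumptions chosen to make the run deterministic.

```python
import math

# Constructed per-attack records (not data from the paper): (bytes, packets, duration_s)
ATTACKS = [
    (180, 3, 0.2), (200, 3, 0.3), (190, 4, 0.25),           # short probes
    (2100, 18, 1.9), (2300, 20, 2.2), (2200, 19, 2.0),      # mid-size sessions
    (9800, 75, 12.0), (10100, 80, 11.5), (9900, 78, 12.4),  # long sessions
]

def standardize(rows):
    """Z-score each feature so raw byte counts do not dominate the distance."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [tuple((v - m) / s for v, m, s in zip(r, means, stds)) for r in rows]

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def seed(points, k):
    """Farthest-point seeding (assumed here): deterministic, unlike random init."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist2(p, c) for c in centers)))
    return centers

def kmeans(points, k):
    centers, labels = seed(points, k), None
    for _ in range(100):
        new = [min(range(k), key=lambda j: dist2(p, centers[j])) for p in points]
        if new == labels:          # assignments stable: converged
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:            # keep the old center if a cluster empties
                centers[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return labels, centers

def cluster_attacks(rows, k):
    """Return (labels, within-cluster sum of squares) for k clusters."""
    pts = standardize(rows)
    labels, centers = kmeans(pts, k)
    wcss = sum(dist2(p, centers[l]) for p, l in zip(pts, labels))
    return labels, wcss
```

Comparing the within-cluster sum of squares across values of k is one common way to judge whether an extra cluster is justified.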
Unauthorized Access (K.6.5 ... )
Security and Protection (C.2.0 ... )
General (C.2.0 )
Probability And Statistics (G.3 )