Multi Platform Honeypot for Generation of Cyber Threat Intelligence

Kumar, Sanjeev; Janet, B.; Eswari, R.

doi:10.1109/iacc48062.2019.8971584

Cited by 21 publications

(7 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Qualitative and supply issues will be mitigated, as well as bias and actor naming issues, when the CTI field improves its approach. The authors present the honey trap base as a low-level interaction honeypot for effective detection and enhanced security controls [4]. A persistent threat actor in West Asia is using Microsoft OneDrive for command-and-control (C2) purposes.…”

Section: Related Workmentioning

confidence: 99%

Offensive Security: Cyber Threat Intelligence Enrichment With Counterintelligence and Counterattack

et al. 2022

View full text Add to dashboard Cite

Cyber-attacks on financial institutions and corporations are on the rise, particularly during pandemics. These attacks are becoming more sophisticated. Reports of hacking activities against government and commercial sector organisations have garnered a lot of attention in the last several years. By design, the focus of Cyber Threat Intelligence (CTI) is exclusively defensive. This is because most of the CTI-derived analysis output is intended to prevent breaches or facilitate early detection. So, there is a need to have a new mechanism for unmasking the attacker. In this research, we demonstrate cyber threat intelligence enrichment with counterintelligence and counterattack combined with certain new methods to exploit the adversary's vulnerability and fully control the attacker's system. Attackers use a VPN to establish an anonymous connection. A VPN creates a secure "tunnelling" to the internet, with the VPN server acting as a middleman between the attacker and the web. This provides anonymity because the attacker's IP address seems to be that of the VPN rather than his own, masking the IP address. So, hackers used this application to create persistence because it is automatically launched each time a computer is restarted. As a result, we are attempting to eliminate the persistence by removing it from the startup and registry. This research will help firms detect and identify an assault in its earliest phases, allowing them to respond accordingly. This project will develop new and innovative strategies to bypass VPNs and other security measures in order to obtain correct source information. Companies will be able to identify new methods by which their systems are penetrated and rapidly harden them. Using counterattack and counterintelligence, a proposed technique can bypass a VPN and get adversarial intel. The main goal of this research is to find the attacker's footprints or tracks and find out why the attack was planned in the first place.

show abstract

Section: Related Workmentioning

confidence: 99%

Offensive Security: Cyber Threat Intelligence Enrichment With Counterintelligence and Counterattack

et al. 2022

View full text Add to dashboard Cite

show abstract

“…They are considered a valuable source for gathering information regarding the tactics and techniques, as well as the attack patterns used against the exposed services, thus providing useful and actionable CTI. Additionally, honeypots are utilised in conjunction with other security components (e.g., IDS and Security Information and Event Management (SIEM) systems) in order to improve and enhance their detection performance [2], [3]. For their deployment, the majority of approaches utilise docker containers; low and medium-interaction honeypots are preferred, with Dionaea 1 and Cowrie 2 being the most popular ones [2]- [5].…”

Section: Related Workmentioning

confidence: 99%

“…Additionally, honeypots are utilised in conjunction with other security components (e.g., IDS and Security Information and Event Management (SIEM) systems) in order to improve and enhance their detection performance [2], [3]. For their deployment, the majority of approaches utilise docker containers; low and medium-interaction honeypots are preferred, with Dionaea 1 and Cowrie 2 being the most popular ones [2]- [5].…”

Section: Related Workmentioning

confidence: 99%

Towards Continuous Enrichment of Cyber Threat Intelligence: A Study on a Honeypot Dataset

Spyros

Papoutsis

Koritsas

et al. 2022

2022 IEEE International Conference on Cyber Security and Resilience (CSR)

View full text Add to dashboard Cite

Cyber Threat Intelligence helps organisations make the right decisions in their fight against cyber threats and strategically design their defences by continuously providing information regarding the cyber threat landscape. In this context, honeypots are a widespread solution for gathering intelligence about threat actors. However, honeypots do not inherently provide information about the origin of threat groups, their resources, capabilities and their impact. Thus, we propose an approach that classifies threats, as highly or less abusive, based on their behaviour characteristics using four ensemble machine learning algorithms applied on security incidents identified in a rule-based manner on a deployed honeypot. After prepossessing and hyper-tuning of the parameters, the four models, Adaptive Boosting Classifier (AdaBoost), Random Forest Classifier (RFC), Light Gradient Boosting Machine (LGBM) and Extreme Gradient Boosting (XGBoost), achieve good results, with RFC and LGBM achieving the best recall (84%, 83%) and LGBM and XGB the best AUC (91%, 90%).

show abstract

“…To gather data, we utilise a honeypot implementation. Honeypots can mimic the behaviour (e.g., the services) of a typical system and therefore, in the view of attackers, honeypots are just another endpoint that can be attacked; however, honeypots are not actual systems and can lure attackers into performing malicious actions [16]. After extensive research, we decided to use the Dionaea honeypot deployed on a cloud VM located on the AWS platform.…”

Section: A Data Collectionmentioning

confidence: 99%

Host-based Cyber Attack Pattern Identification on Honeypot Logs Using Association Rule Learning

Papoutsis

Iliou

Kavallieros

et al. 2022

2022 IEEE International Conference on Cyber Security and Resilience (CSR)

View full text Add to dashboard Cite

Attack pattern identification is a significant step for protecting organisations from cyber-threats, as it can be used to reveal valuable patterns, enabling the better detection and analysis of the respective attacks that can be leveraged for the development of effective and efficient Intrusion Detection Systems. In this work, Association Rule Learning (ARL), a data mining technique, is used for the identification of attack patterns from data collected from a public honeypot. Using the FP-Growth ARL algorithm, we identified different patterns of attacks and correlated the respective commands executed by various attackers. To our knowledge, this is the first time ARL has been used to extract attack patterns from commands run by the attackers using real-world log data collected at the host level.

show abstract

Multi Platform Honeypot for Generation of Cyber Threat Intelligence

Cited by 21 publications

References 4 publications

Offensive Security: Cyber Threat Intelligence Enrichment With Counterintelligence and Counterattack

Offensive Security: Cyber Threat Intelligence Enrichment With Counterintelligence and Counterattack

Towards Continuous Enrichment of Cyber Threat Intelligence: A Study on a Honeypot Dataset

Host-based Cyber Attack Pattern Identification on Honeypot Logs Using Association Rule Learning

Contact Info

Product

Resources

About