Temporal and Stochastic Modelling of Attacker Behaviour

Rade, Rahul; Deshmukh, Soham; Nene, Ruturaj; Wadekar, Amey; Unny, Ajay

doi:10.1007/978-981-13-3582-2_3

Cited by 4 publications

(4 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are few previous works which did predictive analysis on attacker behavior.. Rade et al [26] modeled honeypot data using semisupervised Markov Chains and Hidden Markov Models (HMM). They also explored Long Short-Term Memory (LSTM) for attack sequence modeling.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Modeling and Analyzing Attacker Behavior in IoT Botnet using Temporal Convolution Network (TCN)

Sadique¹,

Sengupta²

2021

Preprint

View full text Add to dashboard Cite

Traditional reactive approach of blacklisting botnets fails to adapt to the rapidly evolving landscape of cyberattacks. An automated and proactive approach to detect and block botnet hosts will immensely benefit the industry. Behavioral analysis of attackers is shown to be effective against a wide variety of attack types. Previous works, however, focus solely on anomalies in network traffic to detect bots and botnet. In this work we take a more robust approach of analyzing the heterogeneous events including network traffic, file download events, SSH logins and chain of commands input by attackers in a compromised host. We have deployed several honeypots to simulate Linux shells and allowed attackers access to the shells. We have collected a large dataset of heterogeneous threat events from the honeypots. We have then combined and modeled the heterogeneous threat data to analyze attacker behavior. Then we have used a deep learning architecture called a Temporal Convolutional Network (TCN) to do sequential and predictive analysis on the data. A prediction accuracy of 85 − 97% validates our data model as well as our analysis methodology. In this work, we have also developed an automated mechanism to collect and analyze these data. For the automation we have used CYbersecurity information Exchange (CYBEX). Finally, we have compared TCN with Long Short-Term Memory (LSTM) and Gated Recurrent Unit (GRU) and have showed that TCN outperforms LSTM and GRU for the task at hand.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Deshmukh et al [27] extended the work by Rade et al [26] to propose Fusion Hidden Markov Model (FHMM) for modeling attacker behavior. FHMM is more noise resistant and provides faster performance than Deep Recurrent Neural Network (DeepRNN) with comparative accuracy in their analysis.…”

Section: Related Workmentioning

confidence: 99%

Modeling and Analyzing Attacker Behavior in IoT Botnet using Temporal Convolution Network (TCN)

Sadique¹,

Sengupta²

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Lastly, Shrivastava, Bashir and Hota (2019) focus on classifying types of attacks from commands using a series of machine learning techniques. The second class of approaches analyses attacker behaviour from session data using Hidden Markov Models, as seen in the studies of Rade et al (2018) and Deshmukh, Rade and Kazi (2019). However, none of the aforementioned studies consider topic modelling approaches for the analysis of sessions.…”

mentioning

confidence: 99%

Unsupervised attack pattern detection in honeypot data using Bayesian topic modelling

Passino¹,

Mantziou²,

Ghani³

et al. 2023

Preprint

View full text Add to dashboard Cite

Cyber-systems are under near-constant threat from intrusion attempts. Attacks types vary, but each attempt typically has a specific underlying intent, and the perpetrators are typically groups of individuals with similar objectives. Clustering attacks appearing to share a common intent is very valuable to threat-hunting experts. This article explores topic models for clustering terminal session commands collected from honeypots, which are special network hosts designed to entice malicious attackers. The main practical implications of clustering the sessions are two-fold: finding similar groups of attacks, and identifying outliers. A range of statistical topic models are considered, adapted to the structures of command-line syntax. In particular, concepts of primary and secondary topics, and then session-level and commandlevel topics, are introduced into the models to improve interpretability. The proposed methods are further extended in a Bayesian nonparametric fashion to allow unboundedness in the vocabulary size and the number of latent intents. The methods are shown to discover an unusual MIRAI variant which attempts to take over existing cryptocurrency coin-mining infrastructure, not detected by traditional topic-modelling approaches.

show abstract

“…According to the second approach, in [30], the authors used the honeypot technology. The detailed description of attack features logged and dataset description, when using the honeypot technology, is provided in [55]. The analysis is based on the following assumption: the data are grouped by session ID for considering that the attacker attempts to implement some malicious scenario in one session, that is, different session IDs are independent of individual attacker characteristics.…”

mentioning

confidence: 99%

Attacker Behaviour Forecasting Using Methods of Intelligent Data Analysis: A Comparative Review and Prospects

2020

View full text Add to dashboard Cite

Early detection of the security incidents and correct forecasting of the attack development is the basis for the efficient and timely response to cyber threats. The development of the attack depends on future steps available to the attackers, their goals, and their motivation—that is, the attacker “profile” that defines the malefactor behaviour in the system. Usually, the “attacker profile” is a set of attacker’s attributes—both inner such as motives and skills, and external such as existing financial support and tools used. The definition of the attacker’s profile allows determining the type of the malefactor and the complexity of the countermeasures, and may significantly simplify the attacker attribution process when investigating security incidents. The goal of the paper is to analyze existing techniques of the attacker’s behaviour, the attacker’ profile specifications, and their application for the forecasting of the attack future steps. The implemented analysis allowed outlining the main advantages and limitations of the approaches to attack forecasting and attacker’s profile constructing, existing challenges, and prospects in the area. The approach for attack forecasting implementation is suggested that specifies further research steps and is the basis for the development of an attacker behaviour forecasting technique.

show abstract

Temporal and Stochastic Modelling of Attacker Behaviour

Cited by 4 publications

References 11 publications

Modeling and Analyzing Attacker Behavior in IoT Botnet using Temporal Convolution Network (TCN)

Modeling and Analyzing Attacker Behavior in IoT Botnet using Temporal Convolution Network (TCN)

Unsupervised attack pattern detection in honeypot data using Bayesian topic modelling

Attacker Behaviour Forecasting Using Methods of Intelligent Data Analysis: A Comparative Review and Prospects

Contact Info

Product

Resources

About