Temporal and Stochastic Modelling of Attacker Behaviour

  • Conference paper
Advances in Data Science (ICIIT 2018)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 941)

Abstract

Cyber threat analysis is one of the emerging focuses of information security. Its main functions include identifying potential threats and predicting the nature of an attacker. Understanding the behaviour of an attacker remains one of the most important aspects of threat analysis. Much work has focused on the detection of concrete network attacks using Intrusion Detection Systems, which raise alerts that subsequently require human attention. However, we think inspecting the behavioural aspect of an attacker is more intuitive for taking the necessary security measures. In this paper, we propose a novel approach to analysing the behaviour of an attacker in a Cowrie honeypot. First, we introduce the concept of a honeypot and then model the data using semi-supervised Markov chains and Hidden Markov Models. We evaluate the suggested methods on a dataset consisting of over a million simulated attacks on a Cowrie honeypot system. Along with the proposed stochastic models, we also explore the use of a Long Short-Term Memory (LSTM) based model for attack sequence modelling. The LSTM-based model was found to be better than the Markov models at modelling long attack sequences, because the Markov models cannot capture long-term dependencies. The results of these models are used to analyse different attack propagation and interaction patterns in the system and to predict an attacker’s next action. These patterns can be used for a better understanding of existing or evolving attacks and may also help security experts comprehend the mindset of an attacker.

Acknowledgement

We acknowledge the support of Centre of Excellence (CoE) in Complex and Nonlinear Dynamical Systems (CNDS), VJTI and Larsen & Toubro Infotech (LTI) under their 1-Step CSR initiative.

Corresponding author

Correspondence to Rahul Rade.

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Rade, R., Deshmukh, S., Nene, R., Wadekar, A.S., Unny, A. (2019). Temporal and Stochastic Modelling of Attacker Behaviour. In: Akoglu, L., Ferrara, E., Deivamani, M., Baeza-Yates, R., Yogesh, P. (eds) Advances in Data Science. ICIIT 2018. Communications in Computer and Information Science, vol 941. Springer, Singapore. https://doi.org/10.1007/978-981-13-3582-2_3

  • DOI: https://doi.org/10.1007/978-981-13-3582-2_3

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-3581-5

  • Online ISBN: 978-981-13-3582-2

  • eBook Packages: Computer Science, Computer Science (R0)
