Abstract
Cyber Threat Analysis is one of the emerging focus areas of information security. Its main functions include identifying potential threats and predicting the nature of an attacker. Understanding the behaviour of an attacker remains one of the most important aspects of threat analysis. Much work has focused on the detection of concrete network attacks using Intrusion Detection Systems to raise an alert, which subsequently requires human attention. However, we think inspecting the behavioural aspect of an attacker is more intuitive for deciding which security measures to take. In this paper, we propose a novel approach to analyse the behaviour of an attacker in a cowrie honeypot. First, we introduce the concept of a honeypot and then model the data using semi-supervised Markov Chains and Hidden Markov Models. We evaluate the suggested methods on a dataset consisting of over a million simulated attacks on a cowrie honeypot system. Along with the proposed stochastic models, we also explore the use of a Long Short-Term Memory (LSTM) based model for attack sequence modelling. The LSTM based model was found to be better than the Markov models for modelling long attack sequences, since Markov models cannot capture long-term dependencies. The results of these models are used to analyse different attack propagation and interaction patterns in the system and to predict the attacker's next action. These patterns can be used for a better understanding of existing or evolving attacks and may also aid security experts in comprehending the mindset of an attacker.
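As an added illustration of the Markov-chain part of the approach (this is not the paper's code or data), the block below fits a first-order Markov chain to constructed cowrie-style command sessions, ranks the attacker's most likely next action from the command just observed, and scores how probable a whole session is under the model. The session contents, the sentinel state names and the smoothing parameter are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample sessions in the style of cowrie command logs (not the paper's
# data): each session is the ordered list of commands typed after an SSH login.
SESSIONS = [
    ["uname -a", "cat /proc/cpuinfo", "wget", "chmod", "exit"],
    ["uname -a", "cat /proc/cpuinfo", "wget", "chmod", "exit"],
    ["uname -a", "wget", "chmod", "exit"],
    ["cat /proc/cpuinfo", "uname -a", "wget", "exit"],
    ["uname -a", "cat /proc/cpuinfo", "exit"],
]
START, END = "<start>", "<end>"   # assumed sentinel states for session boundaries

def train_markov_chain(sessions, alpha=0.0):
    """First-order Markov chain: P(next | current) estimated from command bigrams.
    alpha is additive (Laplace) smoothing; with alpha > 0 a transition never seen
    in training keeps a small non-zero probability instead of being impossible."""
    counts = defaultdict(Counter)
    states = {START, END}
    for session in sessions:
        seq = [START] + list(session) + [END]
        states.update(seq)
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    probs = {}
    for cur in states:
        total = sum(counts[cur].values()) + alpha * len(states)
        if total == 0:          # absorbing END state has no outgoing transitions
            continue
        probs[cur] = {nxt: (counts[cur][nxt] + alpha) / total for nxt in states}
    return probs

def rank_next_actions(probs, current):
    """Candidate next attacker actions, most probable first."""
    return sorted(probs.get(current, {}).items(), key=lambda kv: -kv[1])

def predict_next(probs, current):
    """Single most likely next action after the command just observed."""
    ranked = rank_next_actions(probs, current)
    return ranked[0][0] if ranked else END

def session_probability(probs, session):
    """Probability of a complete session under the model; 0.0 if any step is
    impossible, which cheaply flags command orderings never seen in training."""
    seq = [START] + list(session) + [END]
    p = 1.0
    for cur, nxt in zip(seq, seq[1:]):
        p *= probs.get(cur, {}).get(nxt, 0.0)
    return p
```

A Hidden Markov Model adds a latent attacker state over these observed commands; the transition estimate above is the same quantity its Baum-Welch step re-estimates.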
Acknowledgement
We acknowledge the support of Centre of Excellence (CoE) in Complex and Nonlinear Dynamical Systems (CNDS), VJTI and Larsen & Toubro Infotech (LTI) under their 1-Step CSR initiative.
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Rade, R., Deshmukh, S., Nene, R., Wadekar, A.S., Unny, A. (2019). Temporal and Stochastic Modelling of Attacker Behaviour. In: Akoglu, L., Ferrara, E., Deivamani, M., Baeza-Yates, R., Yogesh, P. (eds) Advances in Data Science. ICIIT 2018. Communications in Computer and Information Science, vol 941. Springer, Singapore. https://doi.org/10.1007/978-981-13-3582-2_3
DOI: https://doi.org/10.1007/978-981-13-3582-2_3
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-3581-5
Online ISBN: 978-981-13-3582-2