
Automated Attacker Behaviour Classification Using Threat Intelligence Insights

Conference paper, Foundations and Practice of Security (FPS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14551)

Abstract

As the sophistication and frequency of cyberattacks continue to rise, it is increasingly crucial for organizations to invest in threat intelligence. In this research, we propose a way to automate part of the threat intelligence process by leveraging the MITRE ATT&CK knowledge base of attackers to correlate attackers and attribute them to a specific threat group. We propose a proof of work algorithm that does not aim to completely replace network administrators, but rather helps them by giving guidance, to expedite the attribution process. We show how this algorithm can be used to give insights on attackers by applying it to real-world data gathered from a honeypot made publicly available on the Internet over a two-month period. We demonstrate how we are able to first discover the different techniques used by the attackers. Then, we identify the various modi operandi of different threat groups collected from the MITRE ATT&CK framework and leverage that information to expose the behaviour of attackers targeting our honeypot. By correlating the attackers together, we manage to reconstruct more complex attack vectors and are finally able to find higher similarities between the observed attackers and the knowledge base.
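The abstract describes two steps: matching the ATT&CK techniques observed per attacker against the technique profiles of known threat groups, and correlating attackers so that merged sessions reconstruct a longer attack vector whose profile matches a group more closely. The following Python is an added illustration of that idea, not the paper's own algorithm: the honeypot sessions and the two group profiles are constructed, the group names are hypothetical, and only the ATT&CK technique IDs (T1110 Brute Force, T1059 Command and Scripting Interpreter, T1105 Ingress Tool Transfer, T1082 System Information Discovery, T1070 Indicator Removal, T1566 Phishing, T1204 User Execution) are real identifiers. Jaccard similarity and the "sessions sharing a technique belong together" correlation rule are simplifying assumptions chosen for the example.

```python
"""Technique-set attribution against ATT&CK-style group profiles.

Added example (not the paper's algorithm). Sessions and group profiles
are constructed; group names are hypothetical; technique IDs are real
ATT&CK identifiers.
"""
from itertools import combinations

# Constructed honeypot observations: attacker source -> set of technique IDs
SESSIONS = {
    "src-A": {"T1110", "T1059"},           # brute force, then shell commands
    "src-B": {"T1105", "T1059", "T1082"},  # tool download, commands, discovery
    "src-C": {"T1110"},                    # brute force only
}

# Hypothetical group profiles (constructed, not real ATT&CK group data)
GROUPS = {
    "GroupX": {"T1110", "T1059", "T1105", "T1082", "T1070"},
    "GroupY": {"T1566", "T1204", "T1059"},
}


def jaccard(a, b):
    """Similarity between two technique sets: |A & B| / |A | B|."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def rank_groups(techniques, groups):
    """Return (group, score) pairs for an observed technique set, best first."""
    scored = [(name, jaccard(techniques, profile)) for name, profile in groups.items()]
    return sorted(scored, key=lambda item: -item[1])


def correlate(sessions, min_shared=1):
    """Merge sessions that share at least min_shared techniques.

    Union-find over session names; each cluster's technique set is the
    union of its members, i.e. the reconstructed attack vector.
    """
    parent = {name: name for name in sessions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(sessions, 2):
        if len(sessions[a] & sessions[b]) >= min_shared:
            parent[find(a)] = find(b)

    clusters = {}
    for name, techniques in sessions.items():
        clusters.setdefault(find(name), set()).update(techniques)
    return sorted(clusters.values(), key=len, reverse=True)


def attribute(sessions, groups):
    """Best-matching group per session and per correlated cluster.

    Returns (per_session, per_cluster) where each value is a list of
    (best_group, score); the cluster scores show the gain from correlation.
    """
    per_session = {name: rank_groups(t, groups)[0] for name, t in sessions.items()}
    per_cluster = [rank_groups(t, groups)[0] for t in correlate(sessions)]
    return per_session, per_cluster


if __name__ == "__main__":
    single, merged = attribute(SESSIONS, GROUPS)
    for name, (group, score) in single.items():
        print(f"{name}: {group} ({score:.2f})")
    for group, score in merged:
        print(f"correlated cluster: {group} ({score:.2f})")
```

On the constructed data the three sources pairwise share a technique, so they collapse into one cluster whose union of techniques scores 0.8 against GroupX, whereas the best individual session only reaches 0.6; that gap is the effect the abstract attributes to correlating attackers before comparing them with the knowledge base. In practice the threshold for merging sessions and the similarity measure are the parameters a defender would tune and review by hand, which is why the abstract frames the output as guidance rather than a replacement for the analyst.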

This research was supported by Thales Research and Technology (TRT) Canada.



Corresponding author: Christopher Neal

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Crochelet, P., Neal, C., Boulahia Cuppens, N., Cuppens, F., Proulx, A. (2024). Automated Attacker Behaviour Classification Using Threat Intelligence Insights. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_18

  • DOI: https://doi.org/10.1007/978-3-031-57537-2_18
  • Publisher: Springer, Cham
  • Print ISBN: 978-3-031-57536-5
  • Online ISBN: 978-3-031-57537-2
