Temporal and Stochastic Modelling of Attacker Behaviour

Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 941)


Cyber Threat Analysis is one of the emerging focus of information security. Its main functions include identifying the potential threats and predicting the nature of an attacker. Understanding the behaviour of an attacker remains one of the most important aspect of threat analysis, much work has been focused on the detection of concrete network attacks using Intrusion Detection System to raise an alert which subsequently requires human attention. However, we think inspecting the behavioural aspect of an attacker is more intuitive in order to take necessary security measures. In this paper, we propose a novel approach to analyse the behaviour of an attacker in cowrie honeypot. First, we introduce the concept of Honeypot and then model the data using semi-supervised Markov Chains and Hidden Markov Models. We evaluate the suggested methods on a dataset consisting of over a million simulated attacks on a cowrie honeypot system. Along with proposed stochastic models, we also explore the use of Long Short-Term Memory (LSTM) based model for attack sequence modelling. The LSTM based model was found to be better for modelling of long attack sequences as compared to Markov models due to their inability to capture long term dependencies. The results of these models are used to analyse different attack propagation and interaction patterns in the system and predict attacker’s next action. These patterns can be used for a better understanding of the existing or evolving attacks and may also aid security experts to comprehend the mindset of an attacker.


Cyber security Threat intelligence Cowrie honeypot Markov chain Hidden Markov Models Attacker behavioral analysis Sequence modelling using LSTM 



We acknowledge the support of Centre of Excellence (CoE) in Complex and Nonlinear Dynamical Systems (CNDS), VJTI and Larsen & Toubro Infotech (LTI) under their 1-Step CSR initiative.


  1. 1.
    Schneier, B.: Honeypots and the Honeynet Project (2001). Accessed 26 July 2018
  2. 2.
    Cheng, B.C., Liao, G.T., Huang, C.C., Yu, M.T.: A novel probabilistic matching algorithm for multi-stage attack forecasts. IEEE J. Sel. Areas Commun. 29(7), 1438–1448 (2011)CrossRefGoogle Scholar
  3. 3.
    Shukla, D., Singhai, R.: Analysis of users web browsing behavior using Markov chain model. Int. J. 2, 824–830 (2010)Google Scholar
  4. 4.
    Norouzian, M.R., Merati, S.: Classifying attacks in a network intrusion detection system based on artificial neural networks - IEEE Conference Publication. Paper presented at the 13th International Conference on Advanced Communication Technology (ICACT 2011), Seoul, South Korea, 13–16 February 2011 (2011)Google Scholar
  5. 5.
    Masduki, B.W., Ramli, K., Saputra, F.A., Sugiarto, D.: Study on implementation of machine learning methods combination for improving attacks detection accuracy on Intrusion Detection System (IDS). Paper presented at the 2015 International Conference on Quality in Research (QiR), Lombok, Indonesia, 10–13 August 2015 (2016)Google Scholar
  6. 6.
    Kim, K., Aminanto, M.E.: Deep learning in intrusion detection perspective: overview and further challenges. Paper presented at the 2017 International Workshop on Big Data and Information Security (IWBIS), Jakarta, Indonesia, 23–24 September 2017 (2018)Google Scholar
  7. 7.
    Kolesnikov, O., Lee, W.: Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic (2005): CC Technical report; GIT-CC-05-09, Georgia Institute of Technology. Accessed 26 July 2018
  8. 8.
    Koganti, V.S., Galla, L.K., Nuthalapati, N.: Internet worms and its detection. Paper presented at the 2016 International Conference on Control, Instrumentation, Communication and Computational Technologies (ICCICCT), Kumaracoil, India, 16–17 December 2016 (2018)Google Scholar
  9. 9.
    Hong, J., Hua, Y.: IOP Conference Series: Materials Science and Engineering, vol. 322 052033 (2018). Accessed 26 July 2018
  10. 10.
    Rebiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. In: Proceedings of the IEEE (1989)Google Scholar
  11. 11.
    Hoberman, R., Durand, D.: HMM Lecture Notes (2006). Accessed 26 July 2018
  12. 12.
    Grinstead, C.M., Snell, J.L.: Introduction to probability. American Mathematical Society (2012)Google Scholar
  13. 13.
    Chan, K.C., Lenard, C.T., Mills, T.M.: An Introduction to Markov Chains (2012).
  14. 14.
    Rabiner, L.R., Juang, B.-H.: An introduction to hidden Markov models. ASSP Mag. 3(1), 4–16 (1986)CrossRefGoogle Scholar
  15. 15.
    Cho, K., et al.: Learning phrase representations using RNN encoder-decoder for statistical machine translation. In: Proceedings of the Empirical Methods in Natural Language Processing (EMNLP 2014) (2014, to appear)Google Scholar
  16. 16.
    Graves, A.: Generating sequences with recurrent neural networks (2013). arXiv:1308.0850 [cs.NE]
  17. 17.
    Bengio, Y., Frasconi, P., Simard, P.: The Problem of Learning Long-Term Dependencies in Recurrent Networks, pp. 1183–1195. IEEE Press, San Francisco (1993)Google Scholar
  18. 18.
    Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)CrossRefGoogle Scholar
  19. 19.
    Official repository for the Cowrie SSH and Telnet Honeypot effort. Accessed 26 July 2018
  20. 20.
    Pascanu, R., Mikolov, T., Bengio, Y.: On the difficulty of training Recurrent Neural Networks (2013). arXiv:1709.03082v7 [cs.NE] 10 Mar 2018

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.Veermata Jijabai Technological InstituteMumbaiIndia

Personalised recommendations