
Attacker Attribution via Characteristics Inference Using Honeypot Data

Conference paper in Network and System Security (NSS 2022), part of the book series Lecture Notes in Computer Science (LNCS, volume 13787).

Abstract

The computer networks supporting the operations of organizations face an ever higher quantity and sophistication of cyber-incidents. Due to the evolving complexity of these attacks, detection alone is not enough and there is a need for automatic attacker attribution. This task is currently done by network administrators, making it slow, costly and prone to human error. Previous works in the field mostly profile attackers based on external tools or lists of rules that need to be updated regularly. Others tackle this problem through bespoke methodologies that cannot easily be generalized to arbitrary data sources. We focus on a self-sufficient technique that allows us to characterize attackers through motivation, resourcefulness, stealth, intention and originality. Furthermore, we show that this technique can readily be used on several protocols by applying it to a dataset consisting of real attacks performed on several honeypots. We show that more than 90% of the recorded data is relatively harmless and only a limited number of attackers are alarming. This process enables network administrators to readily discard benign traffic and focus their attention on high-priority attacks.



Acknowledgements

We would like to thank Thales Digital Solutions for their generous support to enable this work.

Author information

Correspondence to Pierre Crochelet.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Crochelet, P., Neal, C., Cuppens, N.B., Cuppens, F. (2022). Attacker Attribution via Characteristics Inference Using Honeypot Data. In: Yuan, X., Bai, G., Alcaraz, C., Majumdar, S. (eds) Network and System Security. NSS 2022. Lecture Notes in Computer Science, vol 13787. Springer, Cham. https://doi.org/10.1007/978-3-031-23020-2_9

  • DOI: https://doi.org/10.1007/978-3-031-23020-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23019-6

  • Online ISBN: 978-3-031-23020-2
