2024 | OriginalPaper | Chapter

Automated Attacker Behaviour Classification Using Threat Intelligence Insights

Authors: Pierre Crochelet, Christopher Neal, Nora Boulahia Cuppens, Frédéric Cuppens, Alexandre Proulx

Published in: Foundations and Practice of Security

Publisher: Springer Nature Switzerland


Abstract

As the sophistication and frequency of cyberattacks continue to rise, it is increasingly crucial for organizations to invest in threat intelligence. In this research, we propose a way to automate part of the threat intelligence process by leveraging the MITRE ATT&CK knowledge base of adversary behaviour to correlate attackers and attribute them to a specific threat group. We propose a proof-of-concept algorithm that does not aim to replace network administrators, but rather helps them by giving guidance that expedites the attribution process. We show how this algorithm can give insights on attackers by applying it to real-world data gathered over a two-month period from a honeypot exposed on the public Internet. We first demonstrate how the different techniques used by the attackers can be discovered. Then, we identify the various modi operandi of different threat groups collected from the MITRE ATT&CK framework and leverage that information to expose the behaviour of attackers targeting our honeypot. By correlating the attackers together, we manage to reconstruct more complex attack vectors and are finally able to find higher similarities between the observed attackers and the knowledge base.
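The abstract describes three steps: map honeypot activity to ATT&CK techniques, score each attacker against the technique sets that the knowledge base lists per threat group, and correlate attackers so that a merged technique set matches a group more closely than any single session does. The block below is an added illustration of that pipeline and is not the chapter's own code or similarity measure. The technique IDs are real ATT&CK identifiers, but every session, indicator and group profile is constructed for the example, the group labels GroupA and GroupB are hypothetical rather than real ATT&CK groups, and Jaccard similarity over technique sets is a stand-in chosen here, not the measure the chapter uses.

```python
"""Technique-set similarity between honeypot sessions and threat-group profiles.

Added example, not the chapter's code. ATT&CK technique IDs are real; all
sessions, indicators, group profiles and the GroupA/GroupB labels are constructed.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed honeypot sessions: id -> (indicators observed, techniques observed).
# Indicators (source IP, payload hash) are what lets us correlate sessions later.
SESSIONS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "s1": ({"ip:203.0.113.7"}, {"T1110", "T1078"}),                      # brute force, then valid login
    "s2": ({"ip:203.0.113.7", "sha256:aa11"}, {"T1105", "T1059.004"}),   # downloads and runs a shell script
    "s3": ({"sha256:aa11", "ip:198.51.100.9"}, {"T1053.003", "T1496"}),  # cron persistence, resource hijacking
    "s4": ({"ip:192.0.2.44"}, {"T1110"}),                                 # isolated brute-force noise
}

# Constructed group profiles (hypothetical labels): the technique set a knowledge
# base might list for each group.
GROUP_PROFILES: Dict[str, FrozenSet[str]] = {
    "GroupA": frozenset({"T1110", "T1078", "T1105", "T1059.004", "T1053.003", "T1496"}),
    "GroupB": frozenset({"T1078", "T1059.004", "T1082", "T1005", "T1041"}),
}


def jaccard(observed: Set[str], profile: FrozenSet[str]) -> float:
    """Similarity of an observed technique set to a group profile (0.0 to 1.0)."""
    union = observed | profile
    return len(observed & profile) / len(union) if union else 0.0


def best_match(observed: Set[str], profiles: Dict[str, FrozenSet[str]]) -> Tuple[str, float]:
    """Return the (group, score) pair with the highest similarity."""
    return max(((g, jaccard(observed, p)) for g, p in profiles.items()), key=lambda gs: gs[1])


def correlate(sessions: Dict[str, Tuple[Set[str], Set[str]]]) -> List[Set[str]]:
    """Merge sessions that share any indicator (connected components via union-find)."""
    parent = {sid: sid for sid in sessions}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen: Dict[str, str] = {}
    for sid, (indicators, _) in sessions.items():
        for ind in indicators:
            if ind in first_seen:
                parent[find(sid)] = find(first_seen[ind])
            else:
                first_seen[ind] = sid
    components: Dict[str, Set[str]] = defaultdict(set)
    for sid in sessions:
        components[find(sid)].add(sid)
    return sorted(components.values(), key=sorted)


def classify_sessions(sessions, profiles) -> Dict[str, Tuple[str, float]]:
    """Per-session attribution: each session scored on its own techniques."""
    return {sid: best_match(techs, profiles) for sid, (_, techs) in sessions.items()}


def classify_clusters(sessions, profiles) -> List[Tuple[FrozenSet[str], str, float]]:
    """Per-cluster attribution: correlated sessions scored on their merged techniques."""
    results = []
    for component in correlate(sessions):
        merged: Set[str] = set().union(*(sessions[s][1] for s in component))
        group, score = best_match(merged, profiles)
        results.append((frozenset(component), group, score))
    return results


if __name__ == "__main__":
    for sid, (group, score) in classify_sessions(SESSIONS, GROUP_PROFILES).items():
        print(f"{sid}: {group} {score:.2f}")
    for component, group, score in classify_clusters(SESSIONS, GROUP_PROFILES):
        print(f"cluster {sorted(component)}: {group} {score:.2f}")
```

Run stand-alone, each of s1, s2 and s3 matches GroupA at only 0.33 because a single session exposes two of the six profile techniques, while the cluster {s1, s2, s3} built from the shared source IP and payload hash matches GroupA at 1.00. The correlation step is also where a practitioner must be careful: a shared source IP can be NAT, a shared scanner or a shared hosting range, so merging on it alone can stitch unrelated attackers into one cluster and inflate the similarity score.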


Metadata
Copyright Year: 2024
DOI: https://doi.org/10.1007/978-3-031-57537-2_18
