Chaoqun Yang,Zhiguo Shi,Heng Zhang,Junfeng Wu,Xiufang Shi

DOI: https://doi.org/10.1109/tcyb.2019.2912939

IF: 11.8

2020-01-01

IEEE Transactions on Cybernetics

Abstract:To invade a cyber-physical system (CPS) successfully, hackers are prone to simultaneously launching multiple cyber attacks on different sensors in a CPS. However, little attention has been paid to the problem of detecting multiple cyber attacks up to now. Therefore, in this paper, we deal with the problem on how to efficiently detect multiple cyber attacks aiming at different sensors in CPSs. To achieve the goal of simultaneously detecting both the number of attacks and the attacked sensors, we formulate this problem via a random finite set (RFS) theory, and then apply an iterative RFS-based Bayesian filter and its approximation to solve the problem. Four numerical experiments with different attacks are provided, and the results have demonstrated the effectiveness of the RFS-based approach for the problem of multiple attacks detection in CPSs.

Zhengbing Hu,Roman Odarchenko,Sergiy Gnatyuk,Maksym Zaliskyi,Anastasia Chaplits,Sergiy Bondar,Vadim Borovik,

DOI: https://doi.org/10.5815/ijcnis.2020.06.01

2021-12-08

International Journal of Computer Network and Information Security

Abstract:Represented paper is currently topical, because of year on year increasing quantity and diversity of attacks on computer networks that causes significant losses for companies. This work provides abilities of such problems solving as: existing methods of location of anomalies and current hazards at networks, statistical methods consideration, as effective methods of anomaly detection and experimental discovery of choosed method effectiveness. The method of network traffic capture and analysis during the network segment passive monitoring is considered in this work. Also, the processing way of numerous network traffic indexes for further network information safety level evaluation is proposed. Represented methods and concepts usage allows increasing of network segment reliability at the expense of operative network anomalies capturing, that could testify about possible hazards and such information is very useful for the network administrator. To get a proof of the method effectiveness, several network attacks, whose data is storing in specialised DARPA dataset, were chosen. Relevant parameters for every attack type were calculated. In such a way, start and termination time of the attack could be obtained by this method with insignificant error for some methods.

Yu-Zhong Chen,Zi-Gang Huang,Shouhuai Xu,Ying-Cheng Lai

DOI: https://doi.org/10.1371/journal.pone.0124472

2016-03-24

Abstract:A relatively unexplored issue in cybersecurity science and engineering is whether there exist intrinsic patterns of cyberattacks. Conventional wisdom favors absence of such patterns due to the overwhelming complexity of the modern cyberspace. Surprisingly, through a detailed analysis of an extensive data set that records the time-dependent frequencies of attacks over a relatively wide range of consecutive IP addresses, we successfully uncover intrinsic spatiotemporal patterns underlying cyberattacks, where the term "spatio" refers to the IP address space. In particular, we focus on analyzing {\em macroscopic} properties of the attack traffic flows and identify two main patterns with distinct spatiotemporal characteristics: deterministic and stochastic. Strikingly, there are very few sets of major attackers committing almost all the attacks, since their attack "fingerprints" and target selection scheme can be unequivocally identified according to the very limited number of unique spatiotemporal characteristics, each of which only exists on a consecutive IP region and differs significantly from the others. We utilize a number of quantitative measures, including the flux-fluctuation law, the Markov state transition probability matrix, and predictability measures, to characterize the attack patterns in a comprehensive manner. A general finding is that the attack patterns possess high degrees of predictability, potentially paving the way to anticipating and, consequently, mitigating or even preventing large-scale cyberattacks using macroscopic approaches.

Cryptography and Security,Data Analysis, Statistics and Probability,Physics and Society,Applications

Jianwei Zhuge,Xinhui Han,Yu Chen,Zhiyuan Ye,Wei Zou

DOI: https://doi.org/10.1109/IAW.2006.1652098

2006-01-01

Abstract:Honeynet Data Analysis has become a core requirement of honeynet technology. However, current honeynet data analysis mechanisms are still unable to provide security analysts enough capacities of comprehend the captured data quickly, in particular, there is no work done on behavior level correlation analysis.Towards providing high level attack scenario graphs, in this paper, we propose a honeynet data correlation analysis model and method. Based on a network attack and defense knowledge base and network environment perceiving mechanism, our proposed honeynet data correlation analysis method can recognize the attackcr\s plan from a large volume of captured data and consequently reconstruct attack scenarios. Two proof-of-concept experiments on Scan of the Month 27 dataset and in-the-wild botnet scenarios are presented to show the effectiveness of our method.

Phani Lanka,Khushi Gupta,Cihan Varol

DOI: https://doi.org/10.3390/electronics13132465

IF: 2.9

2024-06-25

Electronics

Abstract:Security adversaries are rampant on the Internet, constantly seeking vulnerabilities to exploit. The sheer proliferation of these sophisticated threats necessitates innovative and swift defensive measures to protect the vulnerable infrastructure. Tools such as honeypots effectively determine adversary behavior and safeguard critical organizational systems. However, it takes a significant amount of time to analyze these attacks on the honeypots, and by the time actionable intelligence is gathered from the attacker's tactics, techniques, and procedures (TTPs), it is often too late to prevent potential damage to the organization's critical systems. This paper contributes to the advancement of cybersecurity practices by presenting a cutting-edge methodology, capitalizing on the synergy between artificial intelligence and threat analysis to combat evolving cyber threats. The current research articulates a novel strategy, outlining a method to analyze large volumes of attacker data from honeypots utilizing large language models (LLMs) to assimilate TTPs and apply this knowledge to identify real-time anomalies in regular user activity. The effectiveness of this model is tested in real-world scenarios, demonstrating a notable reduction in response time for detecting malicious activities in critical infrastructure. Moreover, we delve into the proposed framework's practical implementation considerations and scalability, underscoring its adaptability in diverse organizational contexts.

engineering, electrical & electronic,computer science, information systems,physics, applied

P. Barford,Y. Chen,A. Goyal,Z. Li,V. Paxson,V. Yegneswaran

DOI: https://doi.org/10.1007/978-1-4419-0140-8_5

2010-01-01

Abstract:Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one's network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing "situational awareness." We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet "events", and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer-using purely local observation-in format ion about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective Situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Zain Shamsi,Daniel Zhang,Daehyun Kyoung,Alex Liu

DOI: https://doi.org/10.48550/arXiv.2206.13614

2022-06-28

Abstract:Network honeypots are often used by information security teams to measure the threat landscape in order to secure their networks. With the advancement of honeypot development, today's medium-interaction honeypots provide a way for security teams and researchers to deploy these active defense tools that require little maintenance on a variety of protocols. In this work, we deploy such honeypots on five different protocols on the public Internet and study the intent and sophistication of the attacks we observe. We then use the information gained to develop a clustering approach that identifies correlations in attacker behavior to discover IPs that are highly likely to be controlled by a single operator, illustrating the advantage of using these honeypots for data collection.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Ekzhin Ear,Jose L. C. Remy,Antonia Feffer,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2309.04878

2023-09-10

Abstract:Cybersecurity of space systems is an emerging topic, but there is no single dataset that documents cyber attacks against space systems that have occurred in the past. These incidents are often scattered in media reports while missing many details, which we dub the missing-data problem. Nevertheless, even "low-quality" datasets containing such reports would be extremely valuable because of the dearth of space cybersecurity data and the sensitivity of space systems which are often restricted from disclosure by governments. This prompts a research question: How can we characterize real-world cyber attacks against space systems? In this paper, we address the problem by proposing a framework, including metrics, while also addressing the missing-data problem, by "extrapolating" the missing data in a principled fashion. To show the usefulness of the framework, we extract data for 72 cyber attacks against space systems and show how to extrapolate this "low-quality" dataset to derive 4,076 attack technique kill chains. Our findings include: cyber attacks against space systems are getting increasingly sophisticated; and, successful protection against on-path and social engineering attacks could have prevented 80% of the attacks.

Cryptography and Security

MA Li-bo,DUAN Hai-xin,LI Xing

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.037

2005-01-01

Abstract:Using honeypots to detect and monitor malware behaviors for network security trend analysis and early warning has become a new research direction.Honeypot deployment is the basic and all-important problem facing effectively collecting information of attackers.In this paper,research layers of honeypot deployment are firstly given and then some factors such as the interactive grade,the position,the number and the deploying model,etc.which are related to honeypot deployment are detailedly described.Especially under the condition of uniform distribution,the proper ratio of the number of honeypots to network total resources is deferred from theory and limited numbers of honeypots in IPv4 and IPv6 network are given according to the ratio.Practical low interactive honeypots data statistical analysis is performed at last to give practical evidence for honeypot deployment research.

Yue Shi,Yingying Zhang

DOI: https://doi.org/10.1145/3617184.3618056

2023-09-22

Abstract:Honeypot is an active security defense technology that uses false information to lure attackers into attacking and record their behavior. Traditional honeypots are usually static, and inherent features and services can accelerate attackers' recognition of honeypots, causing them to lose value. We designs a dynamic honeypot based on machine learning, which can adapt to dynamic and constantly changing network environments while improving the authenticity of the honeypot. It automatically generates configuration files, simulates the characteristics and behavior of devices in the network. The method proposed is to achieve active monitoring and defense of network attacks by actively scanning Nmap and obtaining network device information through P0f, and combining feature clustering methods to classify devices and generate honeypot configuration files, active monitoring and defense of network attacks can be achieved. The results shows that this methods can effectively enhance the attack capture ability and camouflage ability of honeypots.

Computer Science

Farhan Sadique,Shamik Sengupta

DOI: https://doi.org/10.1109/ICC42927.2021.9500859

2021-06-09

Abstract:Traditional reactive approach of blacklisting botnets fails to adapt to the rapidly evolving landscape of cyberattacks. An automated and proactive approach to detect and block botnet hosts will immensely benefit the industry. Behavioral analysis of botnet is shown to be effective against a wide variety of attack types. Current works, however, focus solely on analyzing network traffic from and to the bots. In this work we take a different approach of analyzing the chain of commands input by attackers in a compromised host. We have deployed several honeypots to simulate Linux shells and allowed attackers access to the shells to collect a large dataset of commands. We have further developed an automated mechanism to analyze these data. For the automation we have developed a system called CYbersecurity information Exchange with Privacy (CYBEX-P). Finally, we have done a sequential analysis on the dataset to show that we can successfully predict attacker behavior from the shell commands without analyzing network traffic like previous works.

Cryptography and Security

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Armin Ziaie Tabari,Xinming Ou

DOI: https://doi.org/10.48550/arXiv.2003.01218

2020-03-03

Abstract:With the rapid growth of Internet of Things (IoT) devices, it is imperative to proactively understand the real-world cybersecurity threats posed to them. This paper describes our initial efforts towards building a honeypot ecosystem as a means to gathering and analyzing real attack data against IoT devices. A primary condition for a honeypot to yield useful insights is to let attackers believe they are real systems used by humans and organizations. IoT devices pose unique challenges in this respect, due to the large variety of device types and the physical-connectedness nature. We thus create a multiphased approach in building a honeypot ecosystem, where researchers can gradually increase a low-interaction honeypot's sophistication in emulating an IoT device by observing real-world attackers' behaviors. We deployed honeypots both on-premise and in the cloud, with associated analysis and vetting infrastructures to ensure these honeypots cannot be easily identified as such and appear to be real systems. In doing so we were able to attract increasingly sophisticated attack data. We present the design of this honeypot ecosystem and our observation on the attack data so far. Our data shows that real-world attackers are explicitly going after IoT devices, and some captured activities seem to involve direct human interaction (as opposed to scripted automatic activities). We also build a low interaction honeypot for IoT cameras, called Honeycamera, that present to attackers seemingly real videos. This is our first step towards building a more comprehensive honeypot ecosystem that will allow researchers to gain concrete understanding of what attackers are going after on IoT devices, so as to more proactively protect them.

Cryptography and Security

Veronica Valeros,Maria Rigaki,Sebastian Garcia

2023-05-02

Abstract:Honeypots are a well-known and widely used technology in the cybersecurity community, where it is assumed that placing honeypots in different geographical locations provides better visibility and increases effectiveness. However, how geolocation affects the usefulness of honeypots is not well-studied, especially for threat intelligence as early warning systems. This paper examines attack patterns in a large public dataset of geographically distributed honeypots by answering methodological questions and creating behavioural profiles of attackers. Results show that the location of honeypots helps identify attack patterns and build profiles for the attackers. We conclude that not all the intelligence collected from geographically distributed honeypots is equally valuable and that a good early warning system against resourceful attackers may be built with only two distributed honeypots and a production server.

Cryptography and Security,Networking and Internet Architecture

Armin Ziaie Tabari,Xinming Ou,Anoop Singhal

DOI: https://doi.org/10.48550/arXiv.2112.10974

2021-12-21

Abstract:The growing number of Internet of Things (IoT) devices makes it imperative to be aware of the real-world threats they face in terms of cybersecurity. While honeypots have been historically used as decoy devices to help researchers/organizations gain a better understanding of the dynamic of threats on a network and their impact, IoT devices pose a unique challenge for this purpose due to the variety of devices and their physical connections. In this work, by observing real-world attackers' behavior in a low-interaction honeypot ecosystem, we (1) presented a new approach to creating a multi-phased, multi-faceted honeypot ecosystem, which gradually increases the sophistication of honeypots' interactions with adversaries, (2) designed and developed a low-interaction honeypot for cameras that allowed researchers to gain a deeper understanding of what attackers are targeting, and (3) devised an innovative data analytics method to identify the goals of adversaries. Our honeypots have been active for over three years. We were able to collect increasingly sophisticated attack data in each phase. Furthermore, our data analytics points to the fact that the vast majority of attack activities captured in the honeypots share significant similarity, and can be clustered and grouped to better understand the goals, patterns, and trends of IoT attacks in the wild.

Cryptography and Security,Machine Learning

Jiangxing Wu

DOI: https://doi.org/10.1007/978-3-030-29844-9_2

2020-01-01

Abstract:With the ever-evolving cyber attacks as well as defense technologies, the attack behaviors are characterized by uncertainty, complexity, and diversity, and the attack operations are becoming large-scale, synergistic, and multilevel. To study any cyber attacks, it is necessary to establish an objective and scientific and descriptive methodology for accurate feature analysis so as to come up with some general laws based on which the overall defense strategies will be put forward. So far, there is not a universal scientific theoretical model for us to depict the cyber attack behaviors, and the existing theoretical models are proposed for specific scenarios or certain attack categories. The scientific description of cyber attack behaviors is the premise and basis for analyzing the theory of cyber attacks and establishing a general theory of cyber defense. This chapter is an overview or an attempted summary of the existing formal description methods of mainstream network attacks and proposes some preliminary suggestions for the formal analysis of cyber attacks against the complicated dynamic heterogeneous redundant (DHR) network environments. The content herein, though not directly applied in the following chapters, is of guiding significance and reference value for the research on the theory of cyber attacks based on vulnerabilities or backdoors, the formulation of cyberspace defense strategies, and the design of cyber attack defense mechanisms.

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1109/tifs.2010.2086445

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes." In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer-using purely local observation-information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1145/1533057.1533063

2009-01-01

Abstract:Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer---using purely local observation---information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Hironori Uchibori,Katsunari Yoshioka,Kazumasa Omote

DOI: https://doi.org/10.1109/access.2024.3357785

IF: 3.9

2024-02-07

IEEE Access

Abstract:In recent years, the convenience and potential use of crypto-assets such as Bitcoin and Ethereum have attracted increasing attention. On the other hand, there have been reports of attacks on the blockchain networks that support crypto-assets in an attempt to steal other users' assets. In the past, research on attack observation against blockchains has used techniques such as holding real crypto-assets to lure attackers into honeypots or falsifying balances to attackers. However, these methods risk losing crypto-assets to attackers or being exposed as honeypots to attackers. To solve these problems, we propose a new RPC (Remote Procedure Call) honeypot method that returns the wallet address of another party holding a high balance in response to an attacker's request, thereby luring the attacker without having the real crypto-assets. Our experimental evaluation shows that this method can attract more attackers than the method with zero-balance wallets and can observe more sophisticated attacks. Furthermore, we proposed a risk reduction strategy for crypto-asset theft by applying the idea of our method. In the log analysis process, we devised a new clustering method using the number of times an attacker executes a specific method as a feature. By applying this method, we successfully classified attackers based on their objectives, demonstrating the efficient analysis of vast amounts of log data.

computer science, information systems,telecommunications,engineering, electrical & electronic