Unsupervised attack pattern detection in honeypot data using Bayesian topic modelling

by   Francesco Sanna Passino, et al.

Cyber-systems are under near-constant threat from intrusion attempts. Attacks types vary, but each attempt typically has a specific underlying intent, and the perpetrators are typically groups of individuals with similar objectives. Clustering attacks appearing to share a common intent is very valuable to threat-hunting experts. This article explores topic models for clustering terminal session commands collected from honeypots, which are special network hosts designed to entice malicious attackers. The main practical implications of clustering the sessions are two-fold: finding similar groups of attacks, and identifying outliers. A range of statistical topic models are considered, adapted to the structures of command-line syntax. In particular, concepts of primary and secondary topics, and then session-level and command-level topics, are introduced into the models to improve interpretability. The proposed methods are further extended in a Bayesian nonparametric fashion to allow unboundedness in the vocabulary size and the number of latent intents. The methods are shown to discover an unusual MIRAI variant which attempts to take over existing cryptocurrency coin-mining infrastructure, not detected by traditional topic-modelling approaches.


Towards Dynamic Threat Modelling in 5G Core Networks Based on MITRE ATT CK

This article discusses how the gap between early 5G network threat asses...

Analyzing Cyber-Attack Intention for Digital Forensics Using Case-Based Reasoning

Cyber-attacks are increasing and varying dramatically day by day. It has...

Topic Grouper: An Agglomerative Clustering Approach to Topic Modeling

We introduce Topic Grouper as a complementary approach in the field of p...

Effective user intent mining with unsupervised word representation models and topic modelling

Understanding the intent behind chat between customers and customer serv...

TopicResponse: A Marriage of Topic Modelling and Rasch Modelling for Automatic Measurement in MOOCs

This paper explores the suitability of using automatically discovered to...

Session-layer Attack Traffic Classification by Program Synthesis

Writing classification rules to identify malicious network traffic is a ...

Please sign up or login with your details

Forgot password? Click here to reset