Temporal and Stochastic Modelling of Attacker Behaviour

Cyber Threat Analysis is one of the emerging focus of information security. Its main functions include identifying the potential threats and predicting the nature of an attacker. Understanding the behaviour of an attacker remains one of the most important aspect of threat analysis, much work has been focused on the detection of concrete network attacks using Intrusion Detection System to raise an alert which subsequently requires human attention. However, we think inspecting the behavioural aspect of an attacker is more intuitive in order to take necessary security measures. In this paper, we propose a novel approach to analyse the behaviour of an attacker in cowrie honeypot. First, we introduce the concept of Honeypot and then model the data using semi-supervised Markov Chains and Hidden Markov Models. We evaluate the suggested methods on a dataset consisting of over a million simulated attacks on a cowrie honeypot system. Along with proposed stochastic models, we also explore the use of Long Short-Term Memory (LSTM) based model for attack sequence modelling. The LSTM based model was found to be better for modelling of long attack sequences as compared to Markov models due to their inability to capture long term dependencies. The results of these models are used to analyse different attack propagation and interaction patterns in the system and predict attacker's next action. These patterns can be used for a better understanding of the existing or evolving attacks and may also aid security experts to comprehend the mindset of an attacker.