Applying Clustering to Predict Attackers Trace in Deceptive Ecosystem by Harmonizing Multiple Decoys Interactions Logs

Full Text (PDF, 742KB), PP.35-44


Author(s)

Jalaj Pateria 1,*, Laxmi Ahuja 1, Subhranil Som 2, Ashish Seth 3

1. Amity Institute of Information Technology (AIIT), Amity, Noida, Uttar Pradesh, Pin 201303, India

2. Bhairab Ganguly College, Kolkata, West Bengal, India

3. School of Global Convergence Studies (SGCS), Inha University, S. Korea

* Corresponding author.

DOI: https://doi.org/10.5815/ijitcs.2023.05.04

Received: 4 Apr. 2023 / Revised: 29 Jun. 2023 / Accepted: 9 Aug. 2023 / Published: 8 Oct. 2023

Index Terms

Deception Technology, Log Data Analysis, Machine Learning, Cybersecurity, Network Monitoring, Intrusion Detection, KNN, Classification

Abstract

Bluff and truth are major pillars of deception technology. Deception technology relies mainly on decoy-generated data and looks for behavioural deviations to decide whether an interaction should be flagged as an attack. But at times a legitimate user, through lack of knowledge, can also interact with a decoy in a suspicious way and be placed in the “ATTACK” category when, in a true sense, the interaction should not be flagged that way. Hence there is a need for collaborative analysis across honeypots, which are set up to monitor and log the activities of sources that compromise or probe them. This goldmine provides ample information about the attacker's intent and target and how the attacker is moving forward in the kill chain; this information can be used to enhance threat intelligence and upgrade behaviour-analysis rules.
In this paper, decoys strategically placed in the network and pointing to various databases, services, and IPs are used to provide information about the interactions made with them. This data is analyzed to understand the underlying facts that can help strengthen the defense strategy. It also raises confidence in the findings, because the analysis is not restricted to a single decoy interaction, which could be a false positive or unintentional in nature, but looks at the decoys holistically to conclude on the exact attack pattern and its progression. In the experiment we have highlighted, data from various honeypots is reconciled, IP visits and honeypot interaction counts are weighed against scores, and then KNN and weighted KNN (W-KNN) are used to derive the inclination of a target IP against a source IP, which can also be summarized as the direction of attack; the count/frequency of interactions highlights the criticality of the interactions. The KNN and W-KNN used have shown approx. 94% accuracy, which is best in class, and the silhouette score highlighted high cohesion of the data points in the experiment. Moreover, the analysis also showed that increasing the number of decoys in the analysis helps in getting better confidence on attack probability and direction.
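As an added illustration (not the paper's code or data), the harmonize-then-classify step the abstract describes: per-decoy logs are folded into one feature vector per source IP and a plain or distance-weighted KNN vote labels each source against a labelled history. The decoy log, the per-decoy-kind weights, the feature choice and the labelled history are all constructed assumptions, not values from the paper.

```python
from collections import defaultdict
from math import sqrt

# Constructed sample interaction log, harmonized from three decoys:
# (decoy_id, decoy_kind, source_ip), one tuple per logged interaction.
DECOY_LOGS = [
    ("db-decoy-1", "database", "203.0.113.9"),
    ("db-decoy-1", "database", "203.0.113.9"),
    ("db-decoy-1", "database", "203.0.113.9"),
    ("svc-decoy-1", "service", "203.0.113.9"),
    ("svc-decoy-1", "service", "203.0.113.9"),
    ("share-decoy-1", "share", "203.0.113.9"),
    ("share-decoy-1", "share", "10.0.0.5"),      # one-off touch by a legitimate host
    ("db-decoy-1", "database", "192.168.1.20"),  # single database decoy hit, no follow-up
]

# Assumed criticality weight per decoy kind (not from the paper).
KIND_WEIGHT = {"database": 3.0, "service": 2.0, "share": 1.0}

# Constructed labelled history: (distinct decoys, interactions, weighted score) -> label.
TRAIN = [
    ((1, 1, 1.0), "LEGIT"), ((1, 2, 2.0), "LEGIT"), ((1, 1, 2.0), "LEGIT"),
    ((3, 9, 20.0), "ATTACK"), ((2, 6, 14.0), "ATTACK"), ((4, 12, 28.0), "ATTACK"),
]

def harmonize(logs):
    """Fold every decoy's log into one feature vector per source IP."""
    decoys, count, score = defaultdict(set), defaultdict(int), defaultdict(float)
    for decoy_id, kind, src in logs:
        decoys[src].add(decoy_id)
        count[src] += 1
        score[src] += KIND_WEIGHT[kind]
    return {src: (len(decoys[src]), count[src], score[src]) for src in count}

def knn(train, query, k=3, weighted=True):
    """Majority (KNN) or distance-weighted (W-KNN) vote among the k nearest neighbours."""
    ranked = sorted((sqrt(sum((a - b) ** 2 for a, b in zip(x, query))), label)
                    for x, label in train)
    votes = defaultdict(float)
    for dist, label in ranked[:k]:
        votes[label] += 1.0 / (dist + 1e-6) if weighted else 1.0
    return max(votes, key=votes.get)

def classify_sources(logs, train=TRAIN, k=3, weighted=True):
    """Label every source IP seen across all decoys; a single isolated decoy hit stays LEGIT."""
    return {src: knn(train, feats, k, weighted) for src, feats in harmonize(logs).items()}

if __name__ == "__main__":
    for src, label in classify_sources(DECOY_LOGS).items():
        print(src, harmonize(DECOY_LOGS)[src], label)
```

The features are left unscaled for brevity; with real counts the score column would dominate the Euclidean distance, so a practitioner would normalise each column first.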

Cite This Paper

Jalaj Pateria, Laxmi Ahuja, Subhranil Som, Ashish Seth, "Applying Clustering to Predict Attackers Trace in Deceptive Ecosystem by Harmonizing Multiple Decoys Interactions Logs", International Journal of Information Technology and Computer Science (IJITCS), Vol.15, No.5, pp.35-44, 2023. DOI: 10.5815/ijitcs.2023.05.04

[23]Mohan, P.V.; Dixit, S.; Gyaneshwar, A.; Chadha, U.; Srinivasan, K.; Seo, J.T. Leveraging Computational Intelligence Techniques for Defensive Deception: A Review, Recent Advances, Open Problems and Future Directions. Sensors 2022, 22, 2194. https://doi.org/10.3390/s22062194