Towards real-time profiling of human attackers and bot detection
Filippoupolitis, Avgoustinos, Loukas, George ORCID: https://orcid.org/0000-0003-3559-5182 and Kapetanakis, Stelios (2014) Towards real-time profiling of human attackers and bot detection. In: Proceedings of the 7th International Conference on Cybercrime Forensics Education and Training (CFET). Canterbury Christ Church University, UK. ISBN 9781909067158
PDF (Author's Accepted Manuscript): 14947_Loukas_Towards real time profiling (AAM) 2014..pdf - Accepted Version (620kB)
Abstract
Characterising the person behind a cyber attack can be highly useful. At a practical security and forensic level, it can help profile adversaries during and after an attack, and at a theoretical level it can allow us to build improved threat models. This is, however, a challenging problem, as relevant data cannot easily be found. Such data are not often released publicly and may be the result of a criminal investigation. Moreover, the identity of an attacker is rarely revealed in an attack. Here, we attempt a rather unusual approach. We attempt to classify the adversary as a type of human user, arguing that if it does not fit in any realistic profile of a human user, then it is probably a bot. Hence, we are working towards a system that is both a human attacker profiler and an anomaly-based bot detector. For this, we first need to build a technical system that collects relevant data in real-time. As no such information exists, we experimented with several different measurable input data and human profile characteristics, evaluating the usefulness of the former in determining the latter. We then present a case-based reasoning approach that classifies an attacker based on the values of these metrics. For this, we use experimental data that we have previously collected and that are the result of a set of cyber-attack scenarios carried out by 87 users. As a practical application, we have developed an automated profiling tool demonstrating the potential real-time use of the proposed system in a quasi-realistic setting. We discuss the applicability of this approach to an adversary that has already gained access to a target system. The profile identified should tell us the characteristics of the adversary if it is human. If no profile can be identified, we argue that this is a good indication that it is a bot.
| Field | Value |
|---|---|
| Item Type | Conference Proceedings |
| Title of Proceedings | Proceedings of the 7th International Conference on Cybercrime Forensics Education and Training (CFET) |
| Uncontrolled Keywords | Security, hacker profiling, user profiling, cyber security |
| Subjects | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
| Faculty / School / Research Centre / Research Group | Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS); Faculty of Engineering & Science |
| Last Modified | 04 Mar 2022 13:07 |
| URI | http://gala.gre.ac.uk/id/eprint/14947 |