
Towards real-time profiling of human attackers and bot detection

Filippoupolitis, Avgoustinos, Loukas, George and Kapetanakis, Stelios (2014) Towards real-time profiling of human attackers and bot detection. In: Proceedings of the 7th International Conference on Cybercrime Forensics Education and Training (CFET). Canterbury Christ Church University, UK. ISBN 9781909067158

PDF (Author's Accepted Manuscript)
14947_Loukas_Towards real time profiling (AAM) 2014..pdf - Accepted Version


Abstract

Characterising the person behind a cyber attack can be highly useful. At a practical security and forensic level, it can help profile adversaries during and after an attack, and at a theoretical level it can allow us to build improved threat models. This is, however, a challenging problem, as relevant data cannot easily be found. They are not often released publicly and may be the result of criminal investigation. Moreover, the identity of an attacker is rarely revealed in an attack. Here, we attempt a rather unusual approach. We attempt to classify the adversary as a type of human user, arguing that if it does not fit in any realistic profile of a human user, then it is probably a bot. Hence, we are working towards a system that is both a human attacker profiler and an anomaly-based bot detector. For this, we first need to build a technical system that collects relevant data in real-time. As no such information exists, we experimented with several different measurable input data and human profile characteristics, evaluating the usefulness of the former in determining the latter. We then present a case-based reasoning approach that classifies an attacker based on the values of these metrics. For this, we use experimental data that we have previously collected and are the result of a set of cyber-attack scenarios carried out by 87 users. As a practical application, we have developed an automated profiling tool demonstrating the potential real-time use of the proposed system in a quasi-realistic setting. We discuss this approach’s ability for an adversary that has already gained access to a target system. The profile identified should tell us the characteristics of the adversary if it is human. If no profile can be identified, we argue that this is a good indication it is a bot.

Item Type: Conference Proceedings
Title of Proceedings: Proceedings of the 7th International Conference on Cybercrime Forensics Education and Training (CFET)
Uncontrolled Keywords: Security, hacker profiling, user profiling, cyber security
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / Department / Research Group: Faculty of Architecture, Computing & Humanities
Faculty of Architecture, Computing & Humanities > Department of Computing & Information Systems
Last Modified: 21 Nov 2016 13:09
Selected for GREAT 2016: None
Selected for GREAT 2017: None
Selected for GREAT 2018: None
Selected for GREAT 2019: None
URI: http://gala.gre.ac.uk/id/eprint/14947
