Affiliation:
1. Computer Security Problems Laboratory, St. Petersburg Federal Research Center of the Russian Academy of Sciences, 199178 Saint-Petersburg, Russia
Abstract
The notion of the attacker profile is often used in risk analysis tasks such as cyber attack forecasting, security incident investigations and security decision support. The attacker profile is a set of attributes characterising an attacker and their behaviour. This paper analyzes the research in the area of attacker modelling and presents the analysis results as a classification of attacker models, attributes and risk analysis techniques that are used to construct the attacker models. The authors introduce a formal two-level attacker model that consists of high-level attributes calculated using low-level attributes that are in turn calculated on the basis of the raw security data. To specify the low-level attributes, the authors performed a series of experiments with datasets of attacks. Firstly, the requirements of the datasets for the experiments were specified in order to select the appropriate datasets, and, afterwards, the applicability of the attributes formed on the basis of such nominal parameters as bash commands and event logs to calculate high-level attributes was evaluated. The results allow us to conclude that attack team profiles can be differentiated using nominal parameters such as bash history logs. At the same time, accurate attacker profiling requires the extension of the low-level attributes list.
Subject
Electrical and Electronic Engineering,Biochemistry,Instrumentation,Atomic and Molecular Physics, and Optics,Analytical Chemistry
Reference43 articles.
1. Attack Intention Recognition: A Review;Ahmed;Int. J. Netw. Secur.,2017
2. Abdlhamed, M., Kifayat, K., Shi, Q., and Hurst, W. (2017). Information Fusion for Cyber-Security Analytics, Springer.
3. Kheir, N., Cuppens-Boulahia, N., Cuppens, F., and Debar, H. (2010, January 20–22). A service dependency model for cost-sensitive intrusion response. Proceedings of the European Symposium on Research in Computer Security, Athens, Greece.
4. Threat agent library helps identify information security risks;Casey;Intel White Pap.,2007
5. Bar, A., Shapira, B., Rokach, L., and Unger, M. (2016, January 23–24). Identifying attack propagation patterns in honeypots using Markov chains modeling and complex networks analysis. Proceedings of the 2016 IEEE International Conference on Software Science, Technology and Engineering (SWSTE), Beer Sheva, Israel.
Cited by
2 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献