Modeling and Analyzing Attacker Behavior in IoT Botnet using Temporal Convolution Network (TCN)

by   Farhan Sadique, et al.

Traditional reactive approach of blacklisting botnets fails to adapt to the rapidly evolving landscape of cyberattacks. An automated and proactive approach to detect and block botnet hosts will immensely benefit the industry. Behavioral analysis of attackers is shown to be effective against a wide variety of attack types. Previous works, however, focus solely on anomalies in network traffic to detect bots and botnet. In this work we take a more robust approach of analyzing the heterogeneous events including network traffic, file download events, SSH logins and chain of commands input by attackers in a compromised host. We have deployed several honeypots to simulate Linux shells and allowed attackers access to the shells. We have collected a large dataset of heterogeneous threat events from the honeypots. We have then combined and modeled the heterogeneous threat data to analyze attacker behavior. Then we have used a deep learning architecture called a Temporal Convolutional Network (TCN) to do sequential and predictive analysis on the data. A prediction accuracy of 85-97% validates our data model as well as our analysis methodology. In this work, we have also developed an automated mechanism to collect and analyze these data. For the automation we have used CYbersecurity information Exchange (CYBEX). Finally, we have compared TCN with Long Short-Term Memory (LSTM) and Gated Recurrent Unit (GRU) and have showed that TCN outperforms LSTM and GRU for the task at hand.


Analysis of Attacker Behavior in Compromised Hosts During Command and Control

Traditional reactive approach of blacklisting botnets fails to adapt to ...

Traffic Prediction Based on Random Connectivity in Deep Learning with Long Short-Term Memory

Traffic prediction plays an important role in evaluating the performance...

Using LSTM for the Prediction of Disruption in ADITYA Tokamak

Major disruptions in tokamak pose a serious threat to the vessel and its...

DeepTaskAPT: Insider APT detection using Task-tree based Deep Learning

APT, known as Advanced Persistent Threat, is a difficult challenge for c...

Detecting Cybersecurity Events from Noisy Short Text

It is very critical to analyze messages shared over social networks for ...

Tracking Temporal Evolution of Network Activity for Botnet Detection

Botnets are becoming increasingly prevalent as the primary enabling tech...

RanStop: A Hardware-assisted Runtime Crypto-Ransomware Detection Technique

Among many prevailing malware, crypto-ransomware poses a significant thr...

Please sign up or login with your details

Forgot password? Click here to reset