Visible to the public Towards Data-Driven Characterization of Brute-Force Attackers

TitleTowards Data-Driven Characterization of Brute-Force Attackers
Publication TypeConference Paper
Year of Publication2020
AuthorsWilkens, F., Fischer, M.
Conference Name2020 IEEE Conference on Communications and Network Security (CNS)
Date PublishedJuly 2020
ISBN Number978-1-7281-4760-4
Keywordsattacker dictionary, brute force attacks, brute-force attackers, brute-force login attempts, clustering, computer network security, connection metadata, coordinated attacks, data-driven characterization, defensive measures, dictionary-based brute-force attack, Human Behavior, human factors, Internet, invasive software, IP networks, low-threat attacks, malicious login attempts, meta data, Organizations, password, policy-based governance, Protocols, pubcrawl, public Internet, targeted attack campaigns, threat hunters, Timing, timing information, unrelated IP addresses

Brute-force login attempts are common for every host on the public Internet. While most of them can be discarded as low-threat attacks, targeted attack campaigns often use a dictionary-based brute-force attack to establish a foothold in the network. Therefore, it is important to characterize the attackers' behavior to prioritize defensive measures and react to new threats quickly. In this paper we present a set of metrics that can support threat hunters in characterizing brute-force login attempts. Based on connection metadata, timing information, and the attacker's dictionary these metrics can help to differentiate scans and to find common behavior across distinct IP addresses. We evaluated our novel metrics on a real-world data set of malicious login attempts collected by our honeypot Honeygrove. We highlight interesting metrics, show how clustering can be leveraged to reveal common behavior across IP addresses, and describe how selected metrics help to assess the threat level of attackers. Amongst others, we for example found strong indicators for collusion between ten otherwise unrelated IP addresses confirming that a clustering of the right metrics can help to reveal coordinated attacks.

Citation Keywilkens_towards_2020