A Novel Approach towards Analysis of AttackerBehavior in DDoS Attacks

. Traditionally, research in Network Security has largely focused on Intrusion Detection and the use of Machine Learning techniques towards identifying malicious agents as well as work on methods towards protecting ourselves from such attacks. In this paper, we wish to make use of the same techniques to analyze the proﬁle of the attacker in the case of a DDoS attack on a distributed honeypot.


Introduction
The username password combination is one of the primary methods of authentication in most of the organizations portals.Many methods such as the man in the middle attack [3], DNS spoofing [6], and phishing attacks [16] are used to obtain username password combinations.All of these activities are examples of penetration attacks as they allow an attacker to intercept the connection and make them believe that they are on the right website.[1] In the aforementioned approaches, the user is fooled into giving their access credentials.Here, we analyze another type of attack, known as a brute force attack.In this approach, the attacker attempts to guess the username and password with the help of tools that make use of dictionaries of a username and password combinations.This approach leads to an increase in load on the server, which in turn block the actual user from logging in, this is an example of a denial of service attack.In the scenario in which, such an attack is distributed, it is an example of a distributed denial of service attack.[7,5,13] In this paper, we make use of Kippo honeypot [4,10], which helps us log brute force attacks and help us understand the behavior patterns of the hacker.The hacker attempts to gain access with the help of a Secure Shell session.Here, we have made use of the data obtained from a honey pot deployed within the Information Security Lab of BITS Pilani, Hyderabad Campus.[14,17] The primary reason for targeting SSH sessions is due to the fact that a significant number of servers are not well maintained and often make use of weak credentials which make a perfect target for malicious agents.[12] A preliminary analysis of credentials and passwords on SSH remote login servers from securehoney.netgave the following results: The primary motive of our research is to find out how data with respect to login credentials propagates [15], once a hacker has been successful in obtaining access to an SSH server.Fig. 1 shows how successful attacks on the honey tend to be clustered around certain locations.[9] Fig. 1.From the above heatmap, we can see that most of the successful attacks seem to be stemming from North America, Europe, and Southeast Asia.
We also have an image that shows us a zoomed-in perspective in China, from which the majority of the attacks had originally originated.As we can see from the image it appears as if all the attacks appear in pockets, which lends some preliminary support to the hypothesis that data of the credentials appears to spread in the vicinity of the original successful attempt.In the remainder of the paper, we make use of a variety of clustering methods to catch patterns that may escape the human eye.

Related Work
Babak Nabiyev in his work on the application of Clustering Techniques for the detection of DDoS attacks had made use of the KDD CUP 99 dataset which had been developed by DARPA.He attempted to differentiate between Normal Traffic and DDoS traffic with the help of K-Means and EM Clustering techniques.He had clubbed together six cases of DoS attacks as a single type and he defined normal traffic flow to be the other type of behavior.Consquently, he made use of these two classes for the final clustering analysis.[8] Shi Zhong also had made use of different clustering techniques for intrusion detection.In addition, he had also made use of the DARPA intrusion detection project for his dataset.Furthermore, he had done a comparative study on different clustering algorithms for intrusion detection, in which he concluded that unsupervised clustering algorithms performed better than supervised learning methods.Out of all the clustering algorithms, his proposed self-labeling heuristic performed the best with an overall accuracy of 93.6 %. [19] Nikolskaia Kseniia analyzed IP traffic with the help of clustering on IP packet headers.He considered multiple parameters such as the classification parameters based on packet and transmission properties, choice of clustering methods and the number of clusters.He concluded that real-time data is too complex to dynamically change features or clustering algorithms.A hybrid neural network approach showed the best results with about 95% correctness.[11] Jie Wang argues that clustering algorithms may not work very properly for intrusion detection because the similarity level of data points cannot be controlled.He proposes a two seed expanding algorithm that splits the attacks into different phases.The preprocessing includes creating a network flow and changing continuous-valued features to binary features.Based on these features, the algorithm selects seeds until all flows are divided into clusters.Their experiments show that two seed expanding algorithm performs better than the k -means and other clustering methods.[18] Geoff Boeing used k-means clustering and dbscan techniques to cluster 1759 points of latitude and longitude data and they were reduced to 138 points and obtained 92% compression, without losing out on the key features of the information that had been spatially represented within the dataset.[2] 3 Research Framework Experimental Setup We have deployed honey pots with the distributed architecture as shown in Fig.The hypervisor runs five virtual machines, each of which runs a mini-Ubuntu 16.04.Each instance, in turn, runs a different honeypot.The traffic to the virtual machines is controlled with the help of a firewall and Network Address Translation(NAT) to assist us to communicate with the outside world.The server runs within the Information Security Laboratory of BITS, Pilani-Hyderabad campus network.The server continuously monitors the activity that occurs on the public IP addresses.

Attackers origin
The origin of the attacker refers to the country or the city location from which the attack is being initiated.The source of their IP address help determines the location of the attacker.We made use of the urllib2 library to find the location of the attackers.However, IP addresses do not prove to be useful if the attacker makes use of a VPN or Tor Network.The results of the analysis have been mentioned in Table 3: We observe that there seem to be clusters of activity followed by patches of inactivity as seen in fig 4 .Here, we observe there as spikes of activity in the second week and the last week of June as well as the second week of July as well as the end of October and the beginning of November.On the other hand, there seem to be very less attacks initiated in the months of August and September and hence they were not accommodated in the graph.

Traffic Analysis
We had segmented the data into files of 1MB size and had a total of 250MB data.The configuration had allowed at most 21 attempts from a particular IP before the IP was banned.Total 870 usernames and 9027 unique passwords were attempted.The most attempted username was "root" and the most attempted password was "admin".In addition to the popular combination of 'root' and 'admin' we also get to see that the attackers tried other popular default passwords such as ubnt (as we made use of the Ubuntu operating system) as well as 1234, support and password.Furthermore, the hackers had also made use of popular usernames such as admin, user and guest.This analysis shows something as simple as setting a strong username password combination can reduce the number of successful breaches in security.Finally, we observe that an overwhelming majority of attacks on the distributed honeypot system appear to be coming from China.

Machine Learning Analysis
On this data, we have made use of three clustering methods which has helped us gain insight on the attacker's profile after obtaining access to the system.Here, we have pooled the data in a manner that is similar to that used within n-gram models of Natural language processing.Thus, the data comes in three forms--Single day data -Two days at a time -Three days at a time We have made use of 3 different clustering algorithms namely mean shift clustering, GMM Clustering and Kmeans clustering to gain a better insight on the information presented through the data.From the figures 5,6 and 7 we observe that most of the attacks seem to be concentrated only in certain parts of the world.This means that the information gained by the attacker seems to be spreading only to the vicinity to the earliest attack, rather than spreading randomly over the world.On the other hand there seem to be some key differences- -The mean shift algorithm appears to be more susceptible to outliers, which causes it to detect a greater number of clusters.-On the other hand, the algorithm behaves better when we increase the number of data points as in the case of 2 gram and 3 gram.
To better understand why the clustering algorithms have singled out these locations, we have probed the data from 1 gram, 2 gram and 3 gram on specific geographic locations so as to search for patterns that could help us better understand how the attack seems to propogate.In the 1 gram analysis for table 7, we observe that all the successful attacks have appeared to have taken place one after another after short intervals of time.In addition, we can see that once an attacker gains access, it seems like the others in the vicinity gain access after a short interval of time.
In Table 8, we observe the following observation.The set of IP addresses that make a successful attempt on the first day are the same as those which are obtained on the following day.However, we notice that now there is a new IP from the same location that is now able to successfully gain access to the honeypot.This means either the attacker has gained access to a new IP or another attacker has received information about the same from another attacker in the same geolocation.In Table 9, the pattern in the data obtained from the 3 gram analysis further strengthens the observations that we had made in the case of 2 gram.Here, we can clearly observe that the same set of IP addresses make attack in regular intervals of time.In addition, to those we see additional IP addresses which orig-inate from the same or nearby locations which gives weight to the argument that the information about the credentials is spreading to the geographical vicinity.

Conclusion
We would like to draw the conclusion that attacks appear to be concentrated in certain regions.Furthermore, it appears as if the data with respect to the access credentials does not seem to spread randomly rather, it appears as if the success with respect to successful attacks seems to spread in the near vicinity of the first attack.

Fig. 3 .
Fig. 3.The Honey Pot Architecture which was used For the D-DoS Attack .

Table 1 .
Most common SSH Usernames and Passwords.

Table 2 .
Spec table of the Honeypot used -Kippo.

Table 3 .
Successful attempts city and country wise .

Table 4 .
Most popular Passwords and Number of Attempts

Table 5 .
Most popular Passwords and Number of Attempts

Table 6 .
Two Day of Interactions for the Ho Chi Minh City, Vietnam on 26th Juneand 27thJune, 2018 -Obtained by 2 gram Clustering Approach

Table 7 .
One Day of Interaction for the Date 27th October,2018 from China on -Obtained from the 1 gram clustering approach

Table 8 .
Two Day of Interactions for the Ho Chi Minh City, Vietnam on 26 th June and 27 th June, 2018 -Obtained by 2 gram Clustering Approach

Table 9 .
3 Days of Interactions for the country of Vietnam from 6 th June to 8 th June 2018 -Obtained by 3 gram Clustering Approach