Network and information security continues to be one of the largest areas that require greater attention and improvement over the current state of infrastructure within enterprise information systems. Intruders to enterprise networks are no longer just hacking for fun or to show off their programming skills; rather they are now doing it for profit-making motives. As a result, developing profiles for the behavior of intruders, trespassing upon business information systems within an enterprise networking environment, has become a primary focus of cyber-security research recently. In the proposed on-going project, we deploy a novel honeynet system using advanced virtualization technologies, in order to collect the forensic evidence of an attack, by allowing attackers to interact with compromised computers in a real enterprise network. We then analyze the behavior of intruders in order to investigate and compare their hidden linkages as compared with enterprise networks, and the attacker(s)’ potential group structures, including attributes such as geographic distribution and service communities, thus providing strategies for enterprise-network administrators to stay protected against malicious attacks from external intruders. Preliminary results on the proposed research is very promising, showing intruders’ behaviors over one month were distributed across over 60 different countries, and our work demonstrated that the most popular service intruders like use to interact with is the very HTTP Web itself.
Xue, Ling and Lu, Wei, "Profiling Behavior of Intruders on Enterprise Honeynet: Deployment and Analysis" (2015). CONF-IRM 2015 Proceedings. 7.