Towards real-time profiling of human attackers and bot detection

Avgoustinos Filippoupolitis, George Loukas, Stylianos Kapetanakis

Research output: Chapter in Book/Conference proceeding with ISSN or ISBNConference contribution with ISSN or ISBNpeer-review


Characterising the person behind a cyber attack can be highly useful. At a practical security and forensic level, it can help profile adversaries during and after an attack, and at a theoretical level it can allow us to build improved threat models. This is, however, a challenging problem, as relevant data cannot easily be found. They are not often released publicly and may be the result of criminal investigation. Moreover, the identity of an attacker is rarely revealed in an attack. Here, we attempt a rather unusual approach. We attempt to classify the adversary as a type of human user, arguing that if it does not fit in any realistic profile of a human user, then it is probably a bot. Hence, we are working towards a system that is both a human attacker profiler and an anomaly-based bot detector. For this, we first need to build a technical system that collects relevant data in realtime. As no such information exists, we experimented with several different measurable input data and human profile characteristics, evaluating the usefulness of the former in determining the latter. We then present a case-based reasoning approach that classifies an attacker based on the values of these metrics. For this, we use experimental data that we have previously collected and are the result of a set of cyber-attack scenarios carried out by 87 users. As a practical application, we have developed an automated profiling tool demonstrating the potential real-time use of the proposed system in a quasi-realistic setting. We discuss this approach’s ability for an adversary that has already gained access to a target system. The profile identified should tell us the characteristics of the adversary if it is human. If no profile can be identified, we argue that this is a good indication it is a bot.
Original languageEnglish
Title of host publicationCFET 2014 7th International Conference on Cybercrime Forensics Education & Training
Place of PublicationCanterbury
Number of pages2
Publication statusPublished - 1 Jan 2014
EventCFET 2014 7th International Conference on Cybercrime Forensics Education & Training - Canterbury, UK, 10-11 July 2014
Duration: 1 Jan 2014 → …


ConferenceCFET 2014 7th International Conference on Cybercrime Forensics Education & Training
Period1/01/14 → …

Bibliographical note

© 2014 The authors


Dive into the research topics of 'Towards real-time profiling of human attackers and bot detection'. Together they form a unique fingerprint.

Cite this