Journal article Open Access

What's in a Name? Using Words' Uniqueness to Identify Hackers in Brute Force Attacks

Amit Rechavi; Tamar Berenblum

MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="">
  <controlfield tag="005">20210508134808.0</controlfield>
  <controlfield tag="001">3766652</controlfield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="a">Tamar Berenblum</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">12368833</subfield>
    <subfield code="z">md5:d20971446050142f78af3c0fb500857f</subfield>
    <subfield code="u"></subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2020-04-26</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire</subfield>
    <subfield code="o"></subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="a">Amit Rechavi</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">What's in a Name? Using Words' Uniqueness to Identify Hackers in Brute Force Attacks</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u"></subfield>
    <subfield code="a">Creative Commons Attribution 4.0 International</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2"></subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;&lt;em&gt;Do hacker subgroups share unique practices and knowledge? Is there a spatial characteristic to this sharing? The study investigates whether hackers who perform brute force attacks (BFAs) from different countries (different IPs) use a spatially based corpus of words for usernames and passwords. The study explores the usage of 975,000 usernames (UNs) and passwords (PWs) in brute force attacks on honeypot (HP) computers. The results suggest that hacker subgroups attacking from different countries use different combinations of UNs and PWs, while a few attacks coming from different IPs share the same corpus of words. This significant result can help in tracing the source of BFAs by identifying and analyzing the terms used in such attacks.&lt;/em&gt;&lt;/p&gt;</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isVersionOf</subfield>
    <subfield code="a">10.5281/zenodo.3766651</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.3766652</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">publication</subfield>
    <subfield code="b">article</subfield>
  </datafield>
</record>