A green line is creeping across the world map towards Athens. “There – look – another attack,” says Florian Volk of the Telecooperation Group, Department of Computer Science (CS) at the TU Darmstadt. The screen, which measures about two square metres, displays hacker attacks on computers that the research team has set virtually as bait, so-called honeypots. Professor Mühlhäuser and his team want to record as many of these attacks as possible in order to identify patterns in them. Learning computer programs are becoming increasingly reliable at discovering identifying features. The idea is to uncover the tactics used by an industrially organised digital shadow economy. The aim: to organise an equally efficient defence by bundling the power of the affected individuals. “Coordinated distributed defences,” Volk calls it.
Attacks by hijacked computers
At the moment, according to the specialist, there is no equality of arms between the malicious hackers and the people who are the targets of their attacks. The lonely hacker unleashing his computer viruses on an unsuspecting world is a cliché. “There is a clear division of labour in cyber criminality: one section sets up an infrastructure, known as a botnet. They hire these out to the others for massive distributed attacks,” he explains. Botnets are essentially an army of electronic helpers: hijacked PCs or, increasingly, devices such as thermostats that are connected to Well organised to defeat hacker networks the Internet. Invading the computers is by itself a computer-automated task. While the CS specialist is speaking, there are countless attacks on the honeypots – more than 60,000 a month. The actual perpetrators now use the botnets for attacks with names like “Denial of Service”. In this example, thousands of hijacked computers simultaneously send queries to the victim’s server, which collapses under the load.
The victims, mostly companies, tended to keep the attacks to themselves, says Volk. “Which is a shame,” he adds. “Were attack patterns more regularly exchanged, the next victim could be able to identify the attack in advance and respond, perhaps by deliberately rejecting the queries.”
At the heart of the TU researchers’ work is the development of a tool that will allow potential victims to fight the hacker industry’s superior strength collaboratively. Companies could then exchange information about the attack without revealing any knowledge of their own IT infrastructures. Volk explains that the attack would be displayed in the form of a “basic data structure”. This is a kind of fingerprint of the event, which would enable other companies to instantly identify such an attack and be able to defend themselves in time.
“As identifying a pattern is easier and more successful the more data you have, it would be important to set far more honeypots,” he adds. This would result in an infrastructure that could face up to the well-organised substructure of the hackers.