Maimon Publishes Paper Studying Behavior of Hackers


A data breach at a major institution or business can cost millions of dollars—the average cost of a single data breach for an American organization in 2014 was $5.8 million and has only grown.  

So while organizations work to prevent themselves from becoming targets, researchers are working to understand how hackers operate—both from a technical and psychological standpoint.

David Maimon, an assistant professor of criminology and criminal justice with an appointment in the Maryland Cybersecurity Center (MC2), explores the need for comprehensive studies that examine hackers’ behavior in addition to their physical cybercrime methods.

Maimon recently co-authored a paper, “On the Relevance of Spatial and Temporal Dimensions in Assessing Computer Susceptibility to System Trespassing Incidents,” that looked at online criminal behavior from a variety of viewpoints, mainly the geographical location of network users and their daily online routines on the network.

The paper was published in the British Journal of Criminology and featured researchers from UMD, Zhejiang Gongshang University in China, and Hebrew University in Israel.

The research team noted that extensive research is already being done to study the tools and methods hackers employ in their attempts to infiltrate organizational computers. However, only a few previous criminological initiatives have explored the opposite end of the spectrum—the way network users expose their systems. 

The researchers conducted a study to examine the relationship between the daily online routines and location of network users, and the daily trends and geographical origins of hackers’ successful attempts to guess their targets’ login passwords. The researchers also looked at initial system trespassing incidents.


To test their theories, they set up “honeypots,” which are cybertraps set to detect and analyze unauthorized use of information systems, on the computer networks of two academic institutions in China and Israel.

Their findings showed that attacks on the Chinese honeypots were more likely to originate in South Asia, while attacks on the Israeli honeypots were more likely to be from Europe and the U.S.

“The notion in the cyber world is that hackers can reach you from any place and hack your computer, but in reality we see that they are more likely to launch a break-in attempt and a system trespassing event from computers that are closer to their targets,” Maimon says. “They are doing this in order to improve connectivity with the attacked system. So in contrast to the common notion that suggests that your computer can be hacked from anywhere around the globe, we find that they are more likely to get attacks from nearby geographical locations.”

They also discovered that hackers are more likely to break into honeypots during the academic institution’s business hours.

“We show that victims’ daily routines play a very important role in determining the timing of a break-in attempt to the system,” Maimon says. “The reason for that is that since attackers are trying many combinations of passwords when breaking into the system, they need to make sure the system operates for a long period of time, and the victims’ system is more likely to be on from 9 a.m. – 5 p.m.”

The researchers say their findings emphasize the need for rethinking the research methods cyber criminologists typically use to study computer users’ and computer networks’ vulnerabilities to attacks.

- Story by Melissa Brachfeld