Picky attackers: Quantifying the role of system properties on intruder behavior


Honeypots constitute an invaluable piece of technology that allows researchers and security practitioners to track the evolution of break-in techniques by attackers and discover new malicious IP addresses, hosts, and victims. Even though there has been a wealth of research where researchers deploy honeypots for a period of time and report on their findings, there is little work that attempts to understand how the underlying properties of a compromised system affect the actions of attackers. In this paper, we report on a four-month long study involving 102 medium-interaction honeypots where we vary a honeypot’s location, difficulty of break-in, and population of files, observing how these differences elicit different behaviors from attackers. Moreover, we purposefully leak the credentials of dedicated, hard-to-brute-force, honeypots to hacking forums and paste-sites and monitor the actions of the incoming attackers. Among others, we find that, even though bots perform specific environment-agnostic actions, human attackers are affected by the underlying environment, e.g., executing more commands on honeypots with realistic files and folder structures. Based on our findings, we provide guidance for future honeypot deployments and motivate the need for having multiple intrusion-detection systems.

Proceedings of the 33rd Annual Computer Security Applications Conference

Artifacts contents:

  • cowrie_logs.tar.gz
    • contains log files from all experiments
  • paper_figures_scripts
    • scripts that analyzed log files and produced statistics and figures for the paper
  • honeypot_deploy
    • for those interested in setting up honeypots we provide the Ansible scripts we used for deployment

Download here.