As the number and sophistication of cyber threats increases year after year, security systems such as antivirus, firewalls, or Intrusion Detection Systems based on misuse detection techniques are improved in detection capabilities. However, these traditional systems are usually limited to detect potential threats, since they are inadequate to spot zero-day attacks or mutations in behaviour. Authors propose using honeypot systems as a further security layer able to provide an intelligence holistic level in detecting unknown threats, or well-known attacks with new behaviour patterns. Since brute-force attacks are increasing in recent years, authors opted for an SSH medium-interaction honeypot to acquire a log set from attacker's interactions. The proposed system is able to acquire behaviour patterns of each attacker and link them with future sessions for early detection. Authors also generate a feature set to feed Machine Learning algorithms with the main goal of identifying and classifying attacker's sessions, and thus be able to learn malicious intentions in executing cyber threats.
Top1. Introduction
Traditional security systems based on signatures, such as firewalls, antivirus systems or Intrusion Detection Systems (IDS) based on misuse detection techniques (Depren, Topallar, Anarim & Ciliz, 2005), are generally not quite effective against unknown threats or new attack patterns not previously registered. However, IDSs based on anomaly detection techniques are able to recognise unknown threats, but they are prone to generate false positives –alerts generated when identifying the possible existence of a real threat, when they are actually false alerts because the threat is not true. To cover this need and try to get information of novel threats or attacks, honeypots (Spitzner, 2003) arise, which consist of lure or trap systems whose main goal is to simulate a real system that can be attacked. Through gathered information, it is possible to adapt the IDSs with new detection signatures (those based on misuse detection) or label datasets used by those based on anomaly detection (Jorquera et al., 2018) to retrain their search engine, and, therefore, to increase their precision and recall by reducing the number of false alerts. In addition, one of the main objectives of honeypots is to complement the different traditional techniques in threats detection with a system capable of detecting previously unknown threats, thereby providing a higher level of security (Olakanmi & Dada, 2019).
Honeypots, as the name suggests, are designed to attract the attention of attackers or hackers, so that their efforts to attack and cause serious damage to real systems will be diminished because they are running in a virtual environment. These systems simulate networks and application services such as Report Desktop Protocol (RDP), Secure Shell (SSH), File Transfer Protocol (FTP) and Telnet, amongst others. From the attacker's standpoint, the honeypot system is perceived as a vulnerable execution server that can be used to enter in servers that are currently operational and execute any kind of malicious action.
One of the primary advantages of honeypot systems over traditional systems is that honeypots are able to detect zero-day attacks (Zhang, Wang, Jajodia, Singhal & Albanese, 2016), that is, attacks on vulnerabilities that have not been patched or made public. Another benefit of using honeypots is that they only gather data in case an attack is being generated. Therefore, these systems are able to register a reduced dataset, which involves a lower cost in the system and a lower resource consumption by producing a lower number of alerts that will avoid, in some cases, that administrators can ignore alerts due to the existence of a higher alerts amount and a higher rate of false alerts. In the case of honeypots, whatever access to the system is not normally authorised, therefore, through its use enterprises and organisations can decrease the number of false alerts registered. Finally, another benefit supplied by these systems is to help Information Technology (IT) teams identify vulnerabilities in active servers.
Since there are many honeypot systems that simulate different network and application services, this chapter is focused on Medium-Interaction Honeypots (MIH) (Fraunholz, Krohmer, Anton & Schotten, 2017), that is, honeypots that allow capturing and registering logs about activities and executions from attackers without compromising production systems, based on the SSH (Barrett, Silverman & Byrnes, 2005) network service, being this one the most used by attackers to compromise systems exposed on the Internet. In this subcategory, there are several honeypots that provide similar functionalities amongst others. Since many devices exposed to the Internet are based on Unix systems, one of the most popular honeypot systems is Cowrie (Oosterhof, 2019), which records attacker's commands execution on the system. Another of the main reasons so that this software has been selected is due to its capability to monitor activities and executions carried out by attackers. Furthermore, Cowrie is a honeypot based on SSH, being the brute-force attack the most repeated one when a system is threatened (eSentire, 2017). One more determinant reason so that Cowrie is selected is because amongst all available honeypots of the same family, such as Kippo (Valli, Rabadia & Woodward, 2013) or Kojoney2 (Keane, 2019), Cowrie is currently the most up-to-date SSH-based MIH.