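Honeypot
Botnet
Malware
Computer security
Computer science
Server
Internet
Intrusion detection system
Encryption
Intrusion
Network security
Trojan horse
Malware analysis
Computer network
Operating system
Geochemistry
Geology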
Authors
Mandy Knöchel,Sandro Wefel
Identifier
DOI:10.1109/apcc55198.2022.9943718
Abstract
Attackers and malware are a major threat to the growing number of servers and devices on the internet. Therefore, it is essential to study characteristics of malicious activities which can be used to aid future security mechanisms in finding and preventing these threats. Honeypots are a powerful tool to get insight into current attack techniques, malware and botnets. In this paper, we present our findings from observing the behaviour of attackers on a high-interaction Linux honeypot. We focused on attacks targeting the SSH service and analysed all steps of the intrusions, starting from the initial dictionary attack and leading to the final intrusion executing commands or malware on the honeypot. Further, we present our approach on how to decrypt and analyse the encrypted network traffic.