Identification of SSH Honeypots Using Machine Learning Techniques Based on Multi-Fingerprinting

Honeypots-a new active defense technique-can accomplish the goal of identifying security vulnerabilities and extracting attack features by constructing controlled vulnerability traps and deceiving attackers into launching intrusion assaults. Attackers typically use honeypot identification techniques to go around honeypots in order to conceal their attack strategies. In this paper, we proposes a new method for detecting and classifying SSH honeypots based on multi-fingerprinting. Target samples are first classified into suspected honeypots and normal hosts using the Random Forest algorithm, and then suspected honeypots are classified using multi-fingerprint features. This five-element detection model can increase the accuracy of honeypot classification while also cutting down on wasted time. Finally, through experimental measurements and comparative analysis with the other method for identifying honeypot, the method in this paper significantly improves the accuracy of identifying SSH honeypot types. It is also more efficient in classifying and detecting large-scale target IPs for honeypots, and there are a lot of real SSH honeypot IPs that can be found by searching the Internet, which can then be further analyzed to obtain their geographical distribution and survival rate characteristics.