Attacker Profiling Through Analysis of Attack Patterns in Geographically Distributed Honeypots
Veronica Valeros, Maria Rigaki, Sebastian Garcia

TL;DR
This study investigates how the geographical placement of honeypots influences attack pattern detection and attacker profiling, revealing that strategic placement enhances threat intelligence and early warning capabilities.
Contribution
It provides a novel analysis of attack behaviors in geographically distributed honeypots and demonstrates that effective threat profiling can be achieved with minimal deployment.
Findings
Location-based attack patterns identified
Behavioral profiles of attackers constructed
Two honeypots can suffice for early warning
Abstract
Honeypots are a well-known and widely used technology in the cybersecurity community, where it is assumed that placing honeypots in different geographical locations provides better visibility and increases effectiveness. However, how geolocation affects the usefulness of honeypots is not well-studied, especially for threat intelligence as early warning systems. This paper examines attack patterns in a large public dataset of geographically distributed honeypots by answering methodological questions and creating behavioural profiles of attackers. Results show that the location of honeypots helps identify attack patterns and build profiles for the attackers. We conclude that not all the intelligence collected from geographically distributed honeypots is equally valuable and that a good early warning system against resourceful attackers may be built with only two distributed honeypots and…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Cybercrime and Law Enforcement Studies
