Characterizing Large-Scale Adversarial Activities Through Large-Scale Honey-Nets
Tonia Haikal, Eman Hammad, Shereen Ismail

TL;DR
This study uses a large-scale honey-net deployment over 24 days to analyze cyber attacker behaviors, revealing attack patterns across various services and demonstrating scalable data processing techniques.
Contribution
Introduces HoneyTrap, an adaptive honeypot framework for large-scale attacker behavior analysis, with scalable data transformation and network intelligence enrichment methods.
Findings
HTTP/HTTPS are the most targeted services with over 8 million attempts.
SSH brute-force attacks occurred over 4.6 million times.
Less common services like Minecraft and SMB are also targeted, with notable attack spikes.
Abstract
The increasing sophistication of cyber threats demands novel approaches to characterize adversarial strategies, particularly those targeting critical infrastructure and IoT ecosystems. This paper presents a longitudinal analysis of attacker behavior using HoneyTrap, an adaptive honeypot framework deployed across geographically distributed nodes to emulate vulnerable services and safely capture malicious traffic. Over a 24-day observation window, more than 60.3 million events were collected. To enable scalable analytics, raw JSON logs were transformed into Apache Parquet, achieving 5.8-9.3x compression and 7.2x faster queries, while ASN enrichment and salted SHA-256 pseudonymization added network intelligence and privacy preservation. Our analysis reveals three key findings: (1) The majority of traffic targeted HTTP and HTTPS services (ports 80 and 443), with more than 8 million…
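The abstract outlines a processing pipeline: ingest raw JSON events, pseudonymize source addresses with salted SHA-256, enrich them with ASN data, and aggregate by targeted service. The following is an added, standard-library example of that pipeline; it is not HoneyTrap's code, and the event field names, the ASN prefix table and the sample log lines are constructed for illustration. The optional Parquet writer assumes pyarrow is installed and is the only part that is not stdlib.

```python
"""Added example (not the paper's HoneyTrap code): a small honeypot-log
pipeline that pseudonymizes source IPs with salted SHA-256, enriches them
with a hypothetical ASN table, and tallies attempts per targeted service.
"""
import hashlib
import ipaddress
import json
from collections import Counter

# Constructed sample events. Field names are assumptions for this example,
# not HoneyTrap's schema. The last line is deliberately malformed.
SAMPLE_LOG = """\
{"ts": "2024-05-01T00:00:01Z", "src_ip": "203.0.113.7", "dst_port": 80, "proto": "tcp"}
{"ts": "2024-05-01T00:00:02Z", "src_ip": "203.0.113.7", "dst_port": 443, "proto": "tcp"}
{"ts": "2024-05-01T00:00:03Z", "src_ip": "198.51.100.23", "dst_port": 22, "proto": "tcp"}
{"ts": "2024-05-01T00:00:04Z", "src_ip": "198.51.100.23", "dst_port": 22, "proto": "tcp"}
{"ts": "2024-05-01T00:00:05Z", "src_ip": "192.0.2.55", "dst_port": 25565, "proto": "tcp"}
{"ts": "2024-05-01T00:00:06Z", "src_ip": "192.0.2.55", "dst_port": 445, "proto": "tcp"}
not json at all
"""

# Hypothetical ASN table keyed by prefix (documentation ranges, private ASNs).
# A real deployment would use a BGP/RIR-derived or GeoIP ASN database.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64496, "EXAMPLE-NET-A"),
    (ipaddress.ip_network("198.51.100.0/24"), 64497, "EXAMPLE-NET-B"),
]

SERVICE_BY_PORT = {22: "ssh", 80: "http", 443: "https", 445: "smb", 25565: "minecraft"}


def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """Salted SHA-256 of the source address.

    The salt must be secret and stored apart from the dataset: the IPv4
    space has only ~4.3e9 values, so an unsalted or leaked-salt digest can
    be reversed by exhaustive hashing. The same salt keeps the pseudonym
    stable, which is what per-source analysis needs.
    """
    return hashlib.sha256(salt + ip.encode("ascii")).hexdigest()


def lookup_asn(ip: str):
    """Longest-prefix match is unnecessary here since prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in ASN_TABLE:
        if addr in net:
            return asn, name
    return None, "UNKNOWN"


def transform(raw: str, salt: bytes):
    """Parse JSON lines into enriched, pseudonymized records.

    Returns (records, dropped) where dropped counts lines that were not
    valid JSON, lacked required fields, or carried an invalid address.
    """
    records, dropped = [], 0
    for line in raw.splitlines():
        try:
            ev = json.loads(line)          # JSONDecodeError is a ValueError
            ip = ev["src_ip"]
            ipaddress.ip_address(ip)       # reject garbage before hashing it
            port = int(ev["dst_port"])
        except (ValueError, KeyError, TypeError):
            dropped += 1
            continue
        asn, asn_name = lookup_asn(ip)
        records.append({
            "ts": ev.get("ts"),
            "src_id": pseudonymize_ip(ip, salt),   # raw IP is not kept
            "asn": asn,
            "asn_name": asn_name,
            "dst_port": port,
            "service": SERVICE_BY_PORT.get(port, f"port-{port}"),
        })
    return records, dropped


def attempts_per_service(records) -> Counter:
    """Attempt counts per service, the shape of the paper's headline findings."""
    return Counter(r["service"] for r in records)


def unique_sources_per_service(records) -> dict:
    """Distinct pseudonymized sources per service (brute-force vs. broad scanning)."""
    seen = {}
    for r in records:
        seen.setdefault(r["service"], set()).add(r["src_id"])
    return {svc: len(ids) for svc, ids in seen.items()}


def write_parquet(records, path: str) -> None:
    """Columnar output for the analytics stage; requires pyarrow (assumption)."""
    import pyarrow as pa
    import pyarrow.parquet as pq
    pq.write_table(pa.Table.from_pylist(records), path, compression="zstd")


if __name__ == "__main__":
    recs, bad = transform(SAMPLE_LOG, salt=b"replace-with-a-secret-random-salt")
    print(f"{len(recs)} records, {bad} dropped")
    print(attempts_per_service(recs))
    print(unique_sources_per_service(recs))
```

Keeping the salt outside the dataset is the property that makes the pseudonymization meaningful; with a known salt the hash is only a renaming, since every IPv4 address can be hashed and compared in minutes.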
Taxonomy
Topics: Network Security and Intrusion Detection · Software-Defined Networks and 5G · Internet Traffic Analysis and Secure E-voting
