Deakin University

Analysis of attempted intrusions: intelligence gathered from SSH honeypots

conference contribution
posted on 2017-01-01, 00:00 authored by P Rabadia, C Valli, A Ibrahim, Zubair Baig
Honeypots are a defensive cyber security countermeasure used to gather data on intruder activities. By analysing the data collected by honeypots, mitigation strategies for cyberattacks launched against cyber-enabled infrastructures can be developed. In this paper, intelligence gathered from six Secure Shell (SSH) honeypots is presented. The paper is part of an ongoing investigation into analysing malicious activities captured by the honeypots. This paper focuses on the time of day at which attempted intrusions have occurred. The honeypot data has been gathered from 18th July 2012 until 13th January 2016, a period of 1,247 days. All six honeypots have the same hardware and software configurations and are located on the same IPv4 /24 subnet. Preliminary analysis of the data from all six hosts has been combined to show the number of attempted intrusions recorded by each honeypot and the top 20 countries from which attacking IP addresses have originated. However, there is a variation in the number of attempted intrusions recorded on each of the six hosts. Findings from the research conducted suggest there is a pattern of organised attempted intrusions from attacking IP addresses originating from China and Hong Kong during an 8am to 6pm working day. An additional investigation into the possible use of organised attacking workforces was conducted.

Pagination

26-35

Location

Perth, W.A.

Start date

2017-12-05

End date

2017-12-06

ISBN-13

9780648127093

Language

eng

Publication classification

E1.1 Full written paper - refereed

Editor/Contributor(s)

Valli C

Title of proceedings

ADF 2017 : Proceedings of the 15th Australian Digital Forensics Conference

Event

Digital Forensics. Conference (15th : 2017 : Perth, W.A.)

Publisher

Edith Cowan University

Place of publication

Melbourne, Vic.

Series

Digital Forensics Conference
