Characterizing Large-Scale Adversarial Activities Through Large-Scale Honey-Nets

Tonia Haikal, Eman Hammad, Shereen Ismail

TL;DR

The study advances large-scale adversarial analysis by deploying HoneyTrap across geo-distributed nodes and processing 60.3 million events over 24 days with a Parquet-based pipeline and ASN enrichment. It reveals dominant HTTP/HTTPS scanning, persistent SSH brute-force activity, and opportunistic targeting of Minecraft and SMB, alongside coordinated, port-hopping and infrastructure-driven behaviors. The approach combines scalable data engineering with privacy-preserving preprocessing to illuminate attacker strategies across multiple ports and services, informing defense and attribution efforts. Together, these contributions offer a framework for real-time, cross-service threat profiling and infrastructure protection in IoT and critical systems.

Abstract

The increasing sophistication of cyber threats demands novel approaches to characterize adversarial strategies, particularly those targeting critical infrastructure and IoT ecosystems. This paper presents a longitudinal analysis of attacker behavior using HoneyTrap, an adaptive honeypot framework deployed across geographically distributed nodes to emulate vulnerable services and safely capture malicious traffic. Over a 24-day observation window, more than 60.3 million events were collected. To enable scalable analytics, raw JSON logs were transformed into Apache Parquet, achieving 5.8x to 9.3x compression and 7.2x faster queries, while ASN enrichment and salted SHA-256 pseudonymization added network intelligence and privacy preservation. Our analysis reveals three key findings: (1) The majority of traffic targeted HTTP and HTTPS services (ports 80 and 443), with more than 8 million connection attempts and daily peaks exceeding 1.7 million events. (2) SSH (port 22) was frequently subject to brute-force attacks, with over 4.6 million attempts. (3) Less common services such as Minecraft (port 25565) and SMB (port 445) were also targeted, with Minecraft receiving about 118,000 daily attempts that often coincided with spikes on other ports.
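The preprocessing the abstract describes (raw JSON events, salted SHA-256 pseudonymization of addresses, ASN enrichment, then per-port daily aggregation of the kind behind the "top ports per day" figures) is sketched below as an added, stand-alone example; it is not the paper's code. The event lines, the prefix-to-ASN table and the salt are constructed placeholders, and the Parquet write step is left out so the block needs only the standard library.

```python
import hashlib
import json
from collections import Counter

# Constructed sample of raw honeypot events in JSON-lines form (not data from the paper).
RAW_EVENTS = """
{"ts": "2024-03-01T10:00:01Z", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "dst_port": 80}
{"ts": "2024-03-01T10:00:05Z", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "dst_port": 443}
{"ts": "2024-03-01T11:30:00Z", "src_ip": "198.51.100.4", "dst_ip": "192.0.2.11", "dst_port": 22}
{"ts": "2024-03-02T00:00:09Z", "src_ip": "198.51.100.4", "dst_ip": "192.0.2.11", "dst_port": 22}
{"ts": "2024-03-02T00:01:00Z", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "dst_port": 25565}
"""

# Constructed prefix-to-ASN table standing in for a real ASN database (hypothetical values).
ASN_TABLE = {"203.0.113.": 64496, "198.51.100.": 64497}

def pseudonymize(ip: str, salt: bytes) -> str:
    """Salted SHA-256 of an address: stable within one salt (so repeat sources stay
    linkable), unlinkable across salts, and not invertible by hashing the small
    IPv4 space unless the secret salt leaks."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()

def lookup_asn(ip: str):
    """Longest-prefix style lookup reduced to a string-prefix match for the toy table."""
    for prefix, asn in ASN_TABLE.items():
        if ip.startswith(prefix):
            return asn
    return None

def enrich(raw: str, salt: bytes) -> list:
    """Turn JSON-lines events into flat rows ready for a columnar (Parquet) write."""
    rows = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        rows.append({
            "day": ev["ts"][:10],
            "src_id": pseudonymize(ev["src_ip"], salt),
            "dst_id": pseudonymize(ev["dst_ip"], salt),
            "src_asn": lookup_asn(ev["src_ip"]),
            "dst_port": ev["dst_port"],   # ports stay raw, as in the paper's figures
        })
    return rows

def daily_port_counts(rows: list) -> Counter:
    """Per-(day, port) connection counts, the aggregation behind a 'top ports per day' view."""
    return Counter((r["day"], r["dst_port"]) for r in rows)

if __name__ == "__main__":
    salt = b"example-secret-salt"   # in practice: random, stored apart from the dataset
    for (day, port), n in sorted(daily_port_counts(enrich(RAW_EVENTS, salt)).items()):
        print(day, port, n)
```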

Paper Structure

This paper contains 16 sections, 11 figures.

Figures (11)

  • Figure 1: HoneyTrap setup at Merit Network ismailHoneypot
  • Figure 2: Top 5 Ports - Daily Connections
  • Figure 3: Top 5 Destination IPs - Total Connection Attempts. (Destination IPs are salted hashes for anonymity)
  • Figure 4: Unique Destination Ports Hitting Top 5 Destination IPs - Last 24 Days. (Destination IPs are salted hashes for anonymity; Ports are raw)
  • Figure 5: Top 5 Destination IPs - Total Connection Attempts. (Destination IPs are salted hashes for anonymity)
  • ...and 6 more figures