Secure Shell (SSH) remains a foundational protocol in modern network infrastructures, enabling encrypted and authenticated remote access. However, its broad adoption has made it a frequent target for attackers employing brute-force scripts, reconnaissance tools, and vulnerability scanners to exploit exposed SSH endpoints. While low-interaction honeypots like Kippo and Cowrie are commonly used to monitor such threats, their limited realism and shallow interaction models often fail to sustain engagement with sophisticated adversaries, reducing their effectiveness and making them easier to detect. To address these limitations, we present CyberBait—a next-generation SSH honey-pot designed to simulate a highly interactive and convincing environment, capture attacker behavior in real time, and enhance threat intelligence. CyberBait offers robust Linux terminal emulation, an extensive command set, and a structured virtual file system containing decoy files that resemble sensitive data like configuration backups and credentials. A key innovation is a covert self-reporting module that silently collects attacker metadata (IP, username, access time) and securely transmits it for analysis. CyberBait’s performance was tested over 72 h on a publicly accessible cloud host. We evaluated its effectiveness in capturing attacker Tactics, Techniques, and Procedures (TTPs), calculating Call-back Success Rate (CSR), and assessing system resilience via response latency and throughput under heavy load. Additionally, a brute-force attack detection algorithm was evaluated using Precision, Recall, and F1 score. Results demonstrate CyberBait’s strong adversary engagement, accurate intrusion logging, effective callback tracking, and stable performance, affirming its value in proactive cybersecurity defense.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

CyberBait: Strengthening Network Deception via Realistic SSH Honeypots

  • Rupali Vairagade,
  • Nilakshi Jain,
  • Archita Bharat Jain,
  • Meghali Kalyankar

摘要

Secure Shell (SSH) remains a foundational protocol in modern network infrastructures, enabling encrypted and authenticated remote access. However, its broad adoption has made it a frequent target for attackers employing brute-force scripts, reconnaissance tools, and vulnerability scanners to exploit exposed SSH endpoints. While low-interaction honeypots like Kippo and Cowrie are commonly used to monitor such threats, their limited realism and shallow interaction models often fail to sustain engagement with sophisticated adversaries, reducing their effectiveness and making them easier to detect. To address these limitations, we present CyberBait—a next-generation SSH honey-pot designed to simulate a highly interactive and convincing environment, capture attacker behavior in real time, and enhance threat intelligence. CyberBait offers robust Linux terminal emulation, an extensive command set, and a structured virtual file system containing decoy files that resemble sensitive data like configuration backups and credentials. A key innovation is a covert self-reporting module that silently collects attacker metadata (IP, username, access time) and securely transmits it for analysis. CyberBait’s performance was tested over 72 h on a publicly accessible cloud host. We evaluated its effectiveness in capturing attacker Tactics, Techniques, and Procedures (TTPs), calculating Call-back Success Rate (CSR), and assessing system resilience via response latency and throughput under heavy load. Additionally, a brute-force attack detection algorithm was evaluated using Precision, Recall, and F1 score. Results demonstrate CyberBait’s strong adversary engagement, accurate intrusion logging, effective callback tracking, and stable performance, affirming its value in proactive cybersecurity defense.