Measuring and Clustering Network Attackers using Medium-Interaction Honeypots. (arXiv:2206.13614v1 [cs.CR])

Network honeypots are often used by information security teams to measure the
threat landscape in order to secure their networks. As honeypot development has
advanced, today’s medium-interaction honeypots give security teams and
researchers active defense tools that require little maintenance and can be
deployed on a variety of protocols. In this work, we deploy
such honeypots on five different protocols on the public Internet and study the
intent and sophistication of the attacks we observe. We then use the
information gained to develop a clustering approach that identifies
correlations in attacker behavior to discover IPs that are highly likely to be
controlled by a single operator, illustrating the advantage of using these
honeypots for data collection.