Identifying Attack Propagation Patterns in Honeypots using Markov Chains Modeling and Complex Networks Analysis

Honeypots are computer resources that are used to detect and deflect network attacks on a protected system. The data collected from honeypots can be utilized to better understand cyber-attacks and provide insights for improving security measures, such as intrusion detection systems. In recent years, attackers' sophistication has increased significantly, thus additional and more advanced analytical models are required. In this paper we suggest several unique methods for detecting attack propagation patterns using Markov Chains modeling and complex networks analysis. These methods can be applied on attack datasets collected from honeypots. The results of these models shed light on different attack profiles and interaction patterns between the deployed sensors in the honeypot system. We evaluate the suggested methods on a massive data set which includes over 167 million observed attacks on a globally distributed honeypot system. Analyzing the results reveals interesting patterns regarding attack correlations between the honeypots. We identify central honeypots which enable the propagation of attacks, and present how attack profiles may vary according to the attacking country. These patterns can be used to better understand existing or evolving attacks, and may aid security experts to better deploy honeypots in their system.