{"title":"Honeypot-Assisted Masquerade Detection with Character-Level Machine Learning","authors":"Ryusei Higuchi, H. Ochiai, H. Esaki","doi":"10.1109/KST57286.2023.10086831","DOIUrl":null,"url":null,"abstract":"Intrusions into the shell of Linux operating systems through ssh, telnet, etc. are critical. It is important to detect the access of newly-emerging attackers, distinguishing them from the legitimate users. We propose the use of honeypots for collecting the trend of malicious commands, and to train character-level machine learning models for masquerade detection. In this paper, we provide a profiling of 1,314,834 commands collected in 173 days with our honeypot in 2021. We also provide our evaluation with Logistic Regression and several configurations of 1D-CNN and 2D-CNN, using the honeypot commands and legitimate commands collected from 32 users on 27 servers. The evaluation results indicate that 1D-CNN(shallow) and 2D-CNN(large) models provide a good performance regarding detection rate and false positive rate. Even when the trends of honeypot commands changed, the detection rate were almost 100% and the false positive rate were 0.0% regarding the two models.","PeriodicalId":351833,"journal":{"name":"2023 15th International Conference on Knowledge and Smart Technology (KST)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 15th International Conference on Knowledge and Smart Technology (KST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/KST57286.2023.10086831","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Intrusions into the shell of Linux operating systems through ssh, telnet, etc. are critical. It is important to detect access by newly emerging attackers and to distinguish them from legitimate users. We propose using honeypots to collect trends in malicious commands and to train character-level machine learning models for masquerade detection. In this paper, we provide a profile of 1,314,834 commands collected over 173 days with our honeypot in 2021. We also provide our evaluation with Logistic Regression and several configurations of 1D-CNN and 2D-CNN, using the honeypot commands and legitimate commands collected from 32 users on 27 servers. The evaluation results indicate that the 1D-CNN(shallow) and 2D-CNN(large) models provide good performance in terms of detection rate and false positive rate. Even when the trends of honeypot commands changed, the detection rate was almost 100% and the false positive rate was 0.0% for the two models.