Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots

📅 2026-06-26
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses a critical limitation in traditional SSH honeypots, which typically assume attackers initiate interactive shells and consequently overlook the prevalence of non-interactive attacks, leading to mischaracterization of adversarial behavior. For the first time, this work systematically quantifies the proportion of non-interactive SSH attacks through a multi-node honeypot deployment, session-type classification, and large-scale log collection, with findings cross-validated against the Cowrie dataset. Among 177,622 authenticated sessions, 99.23% were non-interactive, while only 0.10% exhibited interactivity—a distribution consistently observed across independent datasets. These results expose a significant blind spot in current honeypot designs and challenge the conventional paradigm that evaluates honeypot efficacy based on interaction duration and command count.
📝 Abstract
Cyber deception research has focused on improving honeypot deception capabilities to increase attacker engagement and extend their interactions to collect more and better intelligence. For SSH honeypots, this relies on the assumption that attackers log in, open a shell, and type. We tested whether this still held by deploying eleven SSH honeypots that served both interactive and non-interactive session requests for fifteen days. We collected 177,622 authenticated sessions and validated our results against an independent Cowrie dataset over the same time window. We found that 99.23% of sessions were non-interactive. Interactive sessions account for only 0.10%. The same pattern held in the comparative third-party dataset used for evaluation. This finding is important because a honeypot that focuses on interactive shells or evaluates success based on session length and the number of commands can miss most authenticated attacks and draw the wrong conclusions about what attackers do after login.
Problem

Research questions and friction points this paper is trying to address.

SSH honeypot
non-interactive attacks
cyber deception
attacker behavior
authenticated sessions
Innovation

Methods, ideas, or system contributions that make the work stand out.

non-interactive SSH attacks
honeypot
cyber deception
attack behavior analysis
SSH authentication