Cybersecurity is becoming increasingly more important, as the number of connected devices, as well as the number of cyber attacks continues to rise. We use honeypots to observe the attackers. To better understand their behaviour, the thesis focuses on the analysis of the data generated by the honeypots, with the goal of identifying different tools used by the attackers.
In the theoretical part of the thesis we have presented the different kinds of cyber attacks, as well as the system of honeypots used to observe and analyse the attacks. We have presented the selected tools, used in the practical part of the thesis and analysed the corresponding logs, generated by the honeypots. For each of the tools we have presented the results of the analysis. We have presented the characteristics of each tool found in the logs, which can be used to identify their use. Finally, we have compared the success and reliability of detection for each of the tools.
We have also tested the use of large language models for log analysis and tool identification. We have compared the results of using large language models with the results of the previous analysis.
The results of the analysis show that we can successfully detect the use of tools, which attack the SSH honeypot. These are Hydra, Ncrack, certain Metasploit modules and some options of Nmap. We have also successfully detected SQLmap and Nikto. In some types of port scans we cannot distinguish between uses of Nmap and Metasploit. The most difficult tool to detect was Wfuzz, where we only found one characteristic for detection, which the attacker can change, thus making detection impossible.
|
