15th International Conference on Information Security and Cryptography, ISCTURKEY 2022, Ankara, Türkiye, 19 - 20 Ekim 2022, ss.49-54
The increase in the amount of assets and services in cyberspace encourages attackers to create new threats based on more advanced techniques. To protect cyber assets from cyber threats, honeypots are also utilized to detect attack methods and tools within the scope of cyber threat intelligence efforts besides reactive measures such as firewalls and intrusion prevention systems. In this study, we obtained 2,161,988 lines of raw data of IP addresses, connection requests, access credentials, executed commands, connected URL addresses, and downloaded malicious files through Cowrie honeypot set up in the cloud, which was specifically configured to listen SSH and TELNET connection requests. The raw data including honeypot logs was processed with auxiliary tools, the data volume was reduced by 82%, and the raw data was transformed into a structured dataset. Then the dataset was imported to the Hadoop environment and analyzed. Possible botnet campaigns were determined by performing basic and comparative analysis, and findings were visualized as charts and heatmaps through the Hadoop- Power BI integration. The results showed that four different possible botnet campaigns are active on Internet and one of these botnets has cryptocurrency mining features.