AAU Student Projects is unavailable between June 15th 1.30pm and 17th 1.30pm due to planned system maintenance. The projects cannot be downloaded during this period.
AAU Student Projects - visit Aalborg University's student projects portal
An executive master's programme thesis from Aalborg University
Book cover


Automated ATT&CK Mapping and Adversary Classification in SSH Honeypot Sessions

Authors

;

Term

4. semester

Education

Cyber Security, Master

Publication year

2026

Submitted on

Pages

88

Abstract

Honeypots are decoy systems used to observe attacker activity, but the logs they collect are often low-level and hard to interpret. This thesis explores an automated way to analyze SSH (Secure Shell) honeypot sessions by combining two methods: mapping shell commands to the MITRE ATT&CK framework and classifying sessions as human-driven or automated. The work follows a Design Science Research approach and uses a deployed Cowrie honeypot, a live analysis pipeline, and a dashboard that supports structured review of sessions. The first classifier maps individual commands to ATT&CK techniques with a search-and re-ranking method built from ATT&CK data, Atomic Red Team examples, and command normalization (standardizing command formats). The second classifier applies machine learning to session-level behavioral features to decide whether a session is likely controlled by a person or by scripts or bots. Results indicate that this approach can make SSH honeypot data easier to analyze in a consistent way. The thesis also notes important limitations: reliance on heuristic labels, limited context around each command, a modest dataset size, and ambiguity in how some commands should be interpreted.

Honeypots er lokkesystemer, der bruges til at observere angriberes adfærd, men de indsamlede logfiler er ofte lavniveau og svære at forstå. Dette projekt undersøger en automatiseret måde at analysere SSH (Secure Shell) honeypot-sessioner på ved at kombinere to metoder: at kortlægge shell-kommandoer til MITRE ATT&CK-rammen og at klassificere sessioner som enten menneskestyrede eller automatiserede. Arbejdet følger en Design Science Research-tilgang og bygger på en implementeret Cowrie-honeypot, en live analysepipeline og et dashboard, der understøtter struktureret gennemgang af sessioner. Den første klassifikator kortlægger individuelle kommandoer til ATT&CK-teknikker med en søge- og re-ranking-metode baseret på ATT&CK-data, Atomic Red Team-eksempler og normalisering af kommandoer (standardisering af kommandotekst). Den anden klassifikator bruger maskinlæring på adfærdsmæssige træk på sessionsniveau til at afgøre, om en session sandsynligvis styres af en person eller af scripts/bots. Resultaterne viser, at tilgangen kan gøre SSH-honeypotdata lettere at analysere på en mere ensartet måde. Projektet fremhæver også vigtige begrænsninger: brug af heuristiske labels, begrænset kontekst omkring den enkelte kommando, et begrænset datasæt og uklarhed i fortolkningen af nogle kommandoer.

[This apstract has been rewritten with the help of AI based on the project's original abstract]

Keywords

Honeypot ; Cowrie ; MITRE ATT&CK ; Bot detection ; Human attacker ; Behavioural analysis ; Machine learning ; Natural language processing ; Semantic retrieval ; Threat intelligence

Documents

Download PDF
View record in AAU Student Projects