Containerized cloud-based honeypot deception for tracking attackers

Discovering malicious packets amid a cloud of normal activity, whether you use an IDS or gather and analyze machine and device log files on company infrastructure, may be challenging and time consuming. The vulnerability landscape is rapidly evolving, and it will only become worse as more and more developing technologies, such as IoT, Industrial Automation, CPS, Digital Twins, etc are digitally connected. A honey trap aids in identifying malicious packets easily as, after a few rapid calibrations to eliminate false positives. Besides analyzing and reporting particular invasion patterns or toolkits exploited, it also assists in preventing access to actual devices by simulating the genuine systems and applications functioning in the network thus delaying as well as baffling the invader. In order to analyze and evaluate the hackers’ behavior, an ensemble of research honeypot detectors has been deployed in our work. This paper delivers a robust outline of the deployment of containerized honeypot deployment, as a direct consequence, these are portable, durable, and simple to deploy and administer. The instrumented approach was monitored and generated countless data points on which significant judgments about the malevolent users’ activities and purpose could be inferred.

test, which really is a method for determining whether ports on a node are vulnerable. The intruder may be lured by an open port, enabling the analyst to examine their attack pattern. Honeypot systems are exceptionally good at information collection, and they may also include signature-based intrusion detection, traffic acquisition, and internet protocol assessment, as well as flexible screening and fine-tuning. Honey-potting contrasts with other security techniques in that it is not aimed at preventing intrusions directly. It's objective is to improve a firm's intrusion detection mechanism and incident response so as to handle and mitigate assaults effectively. Anomalous and malicious traffic must be recognized in order for security personnel to analyze and restrict undesirable traffic flows in the communication network. Several machine-learning (ML) approach models that categorize harmful traffic flows using appropriate feature selection techniques [9][10][11] has been presented by researchers in order to avoid fraudulent traffic flows in the network.
The significance of our Experimentation : • Meticulously reviewed and evaluated the entire collection of information accumulated from the honeypot, whilst clearly demonstrating how to interpret them. • Along with implying major motivations as well as alternatives for launching attacks, we could also provide a thorough rational reason for distinguishing botnet attacks. • Successfully implemented a flexible polymeric decoy system that bestowed enthusiasts with a significant amount of information whilst retaining our prime goal, namely to create a prior warning entity.
The following is an overview of the manuscript formation: "Background" presents an outline of honeypot systems, virtualization & containerization, and precised the novelty of our experimentation, "Conceptual models of allied frameworks" sketches the conceptual models of allied security analysis frameworks, "Experimental setup" explored system experimental setup and its implementation details, "Analysis of the captured data" details the analysis of the captured data. Ultimately the paper concludes in "Conclusion and future enhancements".

Background
Honeypot systems. Honeypots have the virtue of being targetable and hence facilitate the investigation of security vulnerabilities or the simulation of security vulnerability countermeasures 12 . Attacking honeypots is not regarded as a hazard as they often contain no vital or genuine information. Instead of acting as a standalone security mechanism like intrusion detection system, intrusion prevention system, and firewall, honeypots are regarded to be a component of surveillance systems, and the type of security mechanism required specifies how they're being positioned. Based on the purpose of honeypots (Fig. 1), they can be categorised as Production Honeypots and Research Honeypots 13,14 . Production honeypots are designed to detect intrusions in the intranet while also deceiving the malignant party. They play alongside real-world production workstations and provide the same functionality. They are commonly positioned close to surveillance assets in order to act as Indicators of Compromise (IoC) for both on-premise and external threats. Research honeypots gather information concerning intrusions, concentrating not only on how adversaries behave inside your own network but also on the broader population. Analyzing information and intelligence using honeypots can assist officials in developing robust defensive systems and determining which upgrades to activate. They are frequently positioned in a network's Demilitarized Zone (DMZ) or that location where no operational activities occur (for example, via VLAN segmentation).
Honeypots are also categorized according to their degree of interactivity, which determines how an attacker performs intrusion on them as-High-interaction honeypot (Although they are not intended to replicate an overall production unit but do perform (or pretend to perform) most of the operations that a production process should, such as a complete operating system. The leveraging entity can observe adversary habits and strategies using this sort of honeypot), the Mid-interaction honeypot (These don't have their own OS, but they do mimic features of the application layer protocol stack. They try to hinder or baffle adversaries so that enterprises get more time trying to sort out how to respond to an invasion), Low-interaction honeypot (These honeypots use  www.nature.com/scientificreports/ fewer resources and collect only fundamental information on the type of risk or where it originated. They use TCP/IP (Transmission Control Protocol /Internet Protocol), and internet services and are reasonably straightforward to configure. There is, indeed, hardly anything within the honeypot that will keep the assailant's focus for an extended period.eg: Honeyd 15 ), Pure honeypot (These are large-scale, production-like system that runs around multiple servers. It is packed with sensors and holds "sensitive" information). Depending on the functional area honeypots can be categorized as:-Malware honeypots (Identify malware by using established replication as well as exploitation channels.eg:-Ghost 16 ), Spam honeypot(Unsecured proxies and email gateways are used in spamming honeypots to entice fraudsters. Spam traps can detect a spammer's attempt and afterwards prohibit them from sending spam), Database honeypot (Create deception databases in order to entice database-specific exploits such as Sql injection attacks, which manipulate data in an unauthorized manner), Honeynets (comprised of multiple honeypots. Various assaults, such as DDoS (Distributed Denial-of-Service ) attacks, assaults on CDN( Content Delivery Network), and advanced persistent threats, can be examined by integrating various types of honeypots).
Depending on their intended application, honeypots can be planted both locally and externally. They are commonly installed in a demilitarized zone 17 (DMZ; sometimes referred to as "perimeter network" or "screened subnet") on the network. DMZ refers to a physical or logical subnetwork that uncovers a corporation's externalfacing services to an unsecured, typically bigger network, namely the World wide web. To track efforts to access the internal network, honeypots can be placed outside the external firewall and pointed at the internet. It can also be installed alongside the servers of a business network. Depending on the honeypot's level of complexity, the type of traffic it hopes to draw, and how proximate it is to critical enterprise network assets, the honeypot's exact positioning alters. Regardless matter where it is located, it will always be substantially clipped off from the production environment. The position is optimal in the three crucial areas of an organization, as demonstrated in Fig. 2 18 .
The major objectives of deploying honeypot can be enumerated as: • To gather more about improbable threats and weaknesses.
• To serve as a predefined capture mechanism in which it draws assailants' interest.
• To uncover fraudulent network activity.
• To provide a defense for actual systems by concealing them so that any attempt would hit the honeypots.
• To identify novel approaches and techniques (like zero-day attacks).
As compared to honeypots, firewalls are typically established over an organization's perimeter to prevent unwanted accessibility by screening specific ports and content, however, they are not very effective at analyzing the traffic. An IDS or vulnerability detection system analyzes the communications and finds any improper, illegal, or unusual activities. But IDSs often experience the 'false warning issue' as signature-based IDSs frequently produce false-negative warnings, whereas IDSs based on anomalies generate false -positive alerts 19 . The integration of IDSs with honeypot can greatly diminish faulty alerts.

Virtualization and containerization.
Most of those conventional methods for using honeypots become quite unproductive as engineers and technology professionals integrate containerization and microservices into their solutions. Containerization renders operating system-level virtualization 20 . The program and its prerequisites are packaged together in a container, which is a secluded virtual arena. As they share the firmware and relevant components with the OS, containers offer a lightweight solution as compared to virtual machines. Concise mono modules are deployed by microservices using containerization which together result in more flexible, Novelty of our experimentation. Existing research 23 on containerized honeypot data analysis has mostly focused on information pertaining to Industrial Control System (ICS) devices and is insufficient to analyze all of the data that has been collected. As the honeypot is deployed in the cloud, hackers could readily distinguish it as a decoy system. Hence, we strongly believe that the findings obtained were the repercussion of bots scanning the cloud and are therefore insufficient to improve the security intelligence of the ICS system as asserted by 23 .
Our exertion could distinctly demonstrate how to interpret data by critically analyzing and evaluating the whole evidence collected from our honeypot experimentation. We could also furnish detailed justification for identifying prevalent DDoS attacks while speculating on potential causes and alternatives. It is thus summarized that the virtue of absolute security can be accomplished by integrating honeypot data with IDS/IPS system. Moreover, the contributions asserted in this review further assist to recommence the areas of investigation in smart security intelligence.

Conceptual models of allied frameworks
Since the year 2000, there were numerous distinct honeypot implementations, including fully accessible as well as commercial. Whilst some of them enable various services and emulation, others were built with a specific objective like protecting against a potential attack. Numerous authors worked in order to compile a list of honeypots.
An open and automated relay spamming research honeypot with Intellectual Simulated Analyzer (SpamPot) 24 utilize Elasticsearch or OpenSearch to store data that has been filtered from received spam. It is comprised of two parts: the analyzer and the receiver. The receiver is a server (SMTP) that takes all emails sent on their way. The email is dumped in a directory together with its associated metadata, such as the IP address of the sender, the emails of the recipients, etc. Analyzer continuously keeps an eye on this directory in order to analyze these communications. The analyzer retrieves spams out from the receiver-shared directory and parses the .eml and metadata document. Information like URLs, attachments, mail body, etc. is extracted. If third-party extensions like VirusTotal, HatchingTriage, etc are set up with API keys, the indicators that have been retrieved from the email can then be queried through those applications. Elasticsearch then indexes this extracted data for subsequent searching and analysis. They still need to be integrated with SMTP verification and VirusTotal lookup.
A project called LaBrea 25 makes a tarpit (or sticky honeypot) that establishes 'virtual computers' that respond to connection requests by taking control of unoccupied Ipv4 on a local area network. The program assumes that the IP in concern is unused when it observes multiple successive ARP queries dispersed many clock cycles apart with no interim ARP response. Then it 'produces' an ARP response and transmits it to the applicant with a fake MAC address. Valicek et al. 26 proposes the use of a windows high interaction honeypot targeted for deployment in an office setting. The authors' goal was a seamless integration of the project into a production setting.
In order to assess the present threat environment as well as how intelligent and crafty bad actors may be in compromising internet-facing ICS (Industry Control System), Rashid et al. 23 implemented flexible low-interaction honeypot within AWS EC2 cloud instance over six distinct zones. Their research primarily focuses on honeypot data relevant to ICS systems and compares the top 10 AS/ASN attackers, interactions with various ICS devices and their geolocation, brute force attack rate, CVE and signature alerts, IP reputation, authentication events, various post-exploitation actions along with its sample instructions, malware signature, and interactions from different sources. Due to its installation in the cloud, hackers could easily distinguish the honeypot from a decoy. As a result, the information collected suspects to be produced by automated bots that scanned the cloud, and therefore insufficient to add on to the security intelligence of ICS systems. Methods that reduce the likelihood of a honeypot being discovered are mentioned in the work [27][28][29][30] .

Experimental setup
Our experimentation is based on the works undertaken by DTAG (developed by Deutsche Telekom) 31 , which use an ensemble of docker containers along with an ELK stack for the honeypot administration and data analysis respectively. It uses docker as well as docker-compose to achieve its objective of executing a large number of tools concurrently and fully leveraging the hardware of the host. After successful implementation in the local device, the approach has been migrated to the cloud. This makes the overall mechanism relatively low maintenance as it enabled us to operate several honeypot sensors without any hassles along the same connection interface. Good segregation of the sandboxes and simple updating procedures are enabled by the docker encapsulation of the honeypot daemon.
The setup is carefully and consciously made to look like a valid target, mirroring the modeling approach of its components, structure, and content. This is done to persuade the opponent that they have gained access to the real system and to tempt them to stay. The program's inbound traffic has been configured to accept all traffic. All persistent data files from the ensemble of honeypots can be found in the folder/data. Data logs related to each honeypot can be found at /var/lib/docker/containers/*/*.log. Filebeat serves as the logging agent or log data shipper, a light-weight shipper, installing itself on the system collecting the system logs, tailing them, and transmitting the information to Logstash for more sophisticated processing. Filebeat initiates one or more inputs that search for log data in the folder designated and launches a harvester for each log it discovers 32 . Whenever the harvester scans a single log for fresh data, it transmits the fresh log data to libbeat, which aggregates the events and delivers the aggregated data to the output that is set up for Filebeat. It was created in the Go language and has been optimized to handle massive amounts of data, support cryptography, and effectively withstand rear pressure. A freeware data engine entitled Logstash (written in Ruby) is used to ingest, process data from multiple viewpoints and outputs the data through the output plug-in to Elasticsearch www.nature.com/scientificreports/ and given advanced downstream visualization and analytical depth 33 . The three steps of the Logstash event processing pipeline include inputs, filters, and outputs. Events are produced by inputs(beats/file/syslog/redis), modified by filters(grok/mutate/drop/clone/goip) , and sent there by outputs(elasticsearch/file). Both inputs and outputs accept codecs, letting you encrypt or decrypt data as it moves through the pipeline without the need for an additional filter. Regardless of format or complexity, it dynamically prepares relevant information like creating patterns from unstructured data, interpreting geographical information from IP addresses, removing all sensitive fields from personally identifiable data, and anonymizing it, regardless of the source of data, structure, or schema, simplifying overall processing. Elasticsearch, a modern search and analytics engine, is a Java-based NoSQL database based on Apache Lucene 34 . With the help of Elasticsearch, organizations can retain, explore, and analyze massive amounts of data fast and in close to real-time, with results arriving in fractions of a second. It examines an index rather than the text itself, which enables it to deliver quick search results. Instead of using records and databases, it employs a framework based on documents and has robust REST APIs (Representational State Transfer Application Programming Interface 35 ) for maintaining and accessing the data. Elasticsearch can be conceptualized as a server that can respond to JSON requests by providing JSON data. Elasticsearch data is visualized and the content is explored using the free and open-source Kibana interface. For instance, because Kibana is frequently used for log analysis, it is utilized to find out information about dissemination URLs, web hits sources, etc. The visualization of data can be commenced with one query and figured out as per requirement through interaction. A significant constraint, however, is the fact that each visualization should only be used with a specific index or indexing sequence. If an index has data that is completely different from another index, then distinct visual representations for each index must be created. Figure 3 depicts an overview of the experimental workflow.
Overview of deployed honeypots. The system implementation provides the following images for various docker honeypots. Cowrie 36-38 , a medium interaction to high interaction SSH and Telnet honeypot that is the successor of the Kippo Honeypot. It is designed in Python and includes a flexible fraudulent file system, and also a falsified shell. Additionally, it is able to copy files via SFTP (SSH File Transfer Protocol) for subsequent analysis. In high interaction (Proxy mode), it functions as an SSH as well as telnet proxy to track the actions of the assailant with another system. Under medium interaction (Shell mode), it imitates a UNIX framework in Py. In the most recent version, Cowrie adds TCP/IP tunneling to capture proxy requests and the associated data. Every interaction is recorded in JSON format, and every session that is made is archived.
For the purpose of tracking and observing Multicast (UDP) Distributed Denial of Service (DDoS) assaults, the DDoSPot honeypot is deployed. It is an UDP-based platform that acts as a booby trap that aids to monitor and track DDoS attacks. The mentioned facilities or honeypot servers are supported by the system in the form of straightforward plugins referred to as pots: DNS (Domain Name System) server, NTP (Network Time Protocol) server, SSDP (Simple Service Discovery Protocol) server, CHAREN (Character Generator) server (port 19), and Random or mock UDP server. Ports 19, 123, 1900  ADBHoney honeypot is a low interaction honeypot for the TCP/IP ADB(Android Debug Bridge) 42 . The Android Debug Bridge (ADB) protocol monitors actual and emulation-based cellphones, televisions, and DVRs linked to a specific host. It includes a number of commands (such as adb shell, adb push, etc.) that help developers push information to the machine while troubleshooting.
To analyze web applications and provide the replies that are then served by SNARE, TANNER honeypot is utilized which renders remote analysis of data and categorization service. When offering replies for SNARE (Web app honeypot detector that draws all kinds of internet coercion), TANNER employs a variety of application vulnerability type emulation strategies. Additionally, TANNER gives dorks to SNARE so that it can power its luring skills. Redis Honeypot, is a high interaction honeypot that traps redis vulnerabilities. ReDiS (Remote Dictionary Server) is an in-memory key-value data store that persists on disc. All redis data resides in memory thus enabling high throughput and low latency 43 .
Log4J honeypot is an internal network low-interaction honeypot that aids in sighting internal threats or intruders who search your network for log4j. It merely keeps an eye out for strange text patterns in queries (in input fields or Http headers) that notify via messages if anything odd shows up. Mailoney, a low-interactive SMTP honeypot that can simulate many vulnerabilities such as open_realy (logs every effort to deliver an email), postfix_creds( logs credentials of login trials), schizo_open_relay( logs every activity).
Honeytrap 44 honeypot serves as a trap for all communication in the setup that has not been caught by another honeypot. It keeps track of arriving frames and launches TCP and UDP observers so that information can be captured. Ciscoassa, low interaction honeypot for Cisco ASA ( Cisco Adaptive Security Appliance element that can find the DoS (Denial of Service) and remote code execution flaw known as CVE 2018-0101 (A flaw in the Cisco ASA (Adaptive Security Appliance) Software's SSL Layer (Secure Socket Layer) VPN capabilities allow unauthenticated, remote potential attackers to force a system restart or remotely perform operations) has also been employed.
CitrixHoneypot identifies and records activities of CVE-2019-19781 exploit (CVE-2019-19781: Citrix Application Delivery Controller (previously known as NetScaler ADC), as well as Citrix Gateway (also known as NetScaler Gateway) have been found to include vulnerabilities that, if abused, might grant an unauthorized attacker access to execute the malicious script). The honeypot Glutton allows for the collection, recording, and analysis of forwarded traffic by serving as a gateway between an adversary and another honeypot. In general, it pays attention to every port and then operates in accordance with rules in rules.yaml (found in /root/tpotce/ docker/glutton/dist/rules.yaml) file. The predominant library used by the proxy to handle packages and carry out its functions is Freki (which orchestrates packets in userspace via NFQueue, a focus of iptables & ip6tables, that outsource the action on packets to a user mode application).
Elasticsearch, Kibana, and Logstash, which are all elements of the ELK Stack 45,46 , were used to analyze and visualize the honeypot data. Built on top of Apache Lucene, Elastic Search is released under the Apache license. For its decentralized search engine, it employs the REST (REpresentational State Transfer) architectural style. Kibana is an analytics software program that uses elastic search, data visualization, and input from other elastic stack elements. Subsequently, Logstash is utilized as an information gathering backend to make it simple and quick to integrate logging file storage and retrieval. The honeypots disclose a combination of well-known and uncommon ports. These include ports such as 80 and 443 (HTTP/HTTPS), port 21 (FTP), port 22 (SSH), and port 445 (SMB and Microsoft Active Directory). Port 64297 was used to give access to the dashboard using authentication mechanisms to the overall system and port 64295 for SSH access.
As decision-making tools for forensics and network surveillance, the honeypot cluster employs FATT (Fingerprint All The Things: built using pyshark, allowing the extraction of networking meta -data and trace evidence from real-time communication or datagram capturing pcap files. JA3 : TLS client or server fingerprinting, HASSH: SSH client or server fingerprinting, RDFP: RDP fingerprinting for RDP protocol guideline,etc. are the profiling techniques it integrates that aid to run threat intelligence techniques inside a communication network), p0f ( Passive Operating system Fingerprinting: Uncover the entities around any TCP/IP interaction (even a regular SYN message), purely silent flow fingerprinting without intervening in any form), and suricata. The folders /OPT/container_name/LOG and /OPT/container_name/DL of the container have logs and files uploaded to the honeypot . These paths are mapped to the host machine volumes /DATA/container_name/LOG. Additionally, certain facilities offer the tools cockpit, cyberchef, elasticsearch head, spiderfoot, and suricata, that further aid in the management, tracking, and assessment of honeypot systems as well as the dissemination of findings to the public. Implementation. The honeypots were set up on Microsoft Azure Cloud in different regions which aid to perform an analysis of the demographics of attack vectors in diverse locations (region 1: Central India, region 2: East Japan). For the entire experiment, each instance operated Debian 11(bullseye-Gen1 image, vm instancetype E2ds_v4) and had two virtual CPUs, 16 gigabytes of memory, 128 gigabyte hard disc, and a static Ip address. The containers set up in the system operate in host-network mode, which shares the host system's network virtualization stack hence no separate IP address is assigned. In total, the system was operational 24 hours a day for 10 days, from 27th June 2022 to 6th July 2022. In order to minimize the discrepancies brought on by week-to-week variations in the attack surface, each instance began and concluded in a synchronized manner. To expose the system to exploitation, all ports are left open for incoming traffic. This experimentation offers even more useful information that will extend cyber security to propel forward. We installed the honeypot by leveraging T-Pot installer on the cloud. Post installation prompt to create a password for the user tsec and / or create a <web-username> and password that will be used for subsequent execution. Furthermore, if tpot.conf file in the tpotce/ iso/installer directory is customized, then the installer can run automatically.

Analysis of the captured data
After setting up the cloud honeypot instances at two regions the front-end interface is examined at https://<external IP address>:64297, and used the credentials created during setup to log in. Figure 4 represents the overall attacks received in both regions. Attacks commenced arriving after the IP was made public on the internet. Knowing that you will experience assaults practically immediately after exposing an IP address makes it obvious that there would be bots or scans constantly searching cloud's IP range. The same emphasizes how crucial it is to protect our cyber assets before enabling accessibility for operations. The attack statistics obtained by our experimentation are sketched in Fig. 4.

Analysis of DDoS strikes.
We executed a deep dive into DDOSPOT honeypot as it had been found to report the highest frequency of hits at both instances. A variety of automated tools and services offered by thirdparty suppliers for DDoS as a service make it simple to start DDoS attacks 47,48 . It is easy for even a beginner in attacking to initiate sophisticated DDoS assaults by using the key aspects of cloud technology. It's not likely that every attack originates from an unidentified source using an unidentified IP . If an user launches any one of the cited commands, warnings may be set off by the majority of SIEMs (Security Information and Event Management). By doing this, you can establish policies to freeze the account until you receive assurance that there was no breach and perform any of those instructions. Building a defense necessitates comprehension of what adversaries undertake after gaining direct exposure. Figure 5 lists the frequently used commands by the malevolent user and Table 1 details it.
Analyzing the data acquired and using it as a point of reference for the auditing process, helps enterprises to better understand their existing security posture. Ddospot honeypot tagged known attacker, malware, tor exit node, bitcoin nodes, form spammer, mass scanner, anonymizer, bot, and crawler and of the total attacks received 71% of the attackers were known attackers that have already been outlined for engaging in despicable activities. We could pindown busybox wget vulnerability exploitation and trinity P2P malware attack (Fig. 6). Many-times, downloading an intermediary script that downloads the malware is preferred over downloading the infection directly. Hence attackers exploit the "busybox wget" vulnerability to download w.sh shell script from the IPs 31.7.58.162 and 163.123.142.144; both tagged in blacklist as per 49 .
From the analysis of Fig. 6, when the device has been impacted with trinity malware attack, it is set up to search for all the other exploitable ones within the network having port 5555 open 50 . A shell is established and the command "pm path com.ufo.miner" is used to check if the malware is already mounted. If it has not, an apk file with the malicious programs will be sent to the entity, which will then be used to configure it and delete the installer. Following the miner's installation, the apk's "am start -n com.ufo.miner/com.example.test.MainActivity" command initiates the ufo bot. If the trinity bot is not already running, the command "ps grep trinity" is performed, and if not, the "trinity", "nohup", and "script" files are installed and the "tmp" directory is cleared. Using chmod, the permissions on the nohup and trinity files are edited in such a way that all have read as well as execute permissions while the owner has read as well as write permissions. The Trinity botnet assault has the consequence of including affected machines in the botnet, which then continues to harvest cryptocurrencies for the assailant.
By tracking fluctuations in the number of distinct source ip addresses over the course of an event window and the number of source IPs with data transmission outstrips a specified threshold, the information on the number of distinct source IPs can be used as a DDoS attack detection component 51   www.nature.com/scientificreports/ ( Fig. 7) to look for security breaches. Both will deviate less from their mean values in normal circumstances, but during an attack, this deviation becomes more prominent.
Owing to the fact that the top four attackers on the list in region1 (Fig. 8)  Suspicious URL commands. Some of the intruders attempted to download malicious content from other sources after they gained access to our honeypot (Fig. 9). The details of the malicious URLs (ref: https:// www. virus total. com) has been listed in Table 2. SHA-256 column in the table denotes the body of the HTTP reply that the server provided back after being asked for the URL being looked up.

Commands Observation
helloworld Proof-of-concept for the possibility of executing arbitrary code through exploitation in which designers would not aim for the code to be executed uname -a uname Display system information like the name of the operating system, the name of the system node, the operating system release and its version, the name of the hardware, and the processor type cat /proc/cpuinfo grep model grep name wc -l cat/proc/cpuinfo grep name head -n 1 awk print $4,$5,$6,$7,$8,$9 Display CPU information like its model, its name prints number of lines in the file ,prints the first CPU information details ls -lh $(which is) List the details of the files in the system, its permission type, created date and time in human-readable format  Fig. 10. Linux is a popular operating system option for hackers for its adaptability, open source nature, portability, command-line interface, and interoperability including well hacking tools. Suricata CVE data is another resourceful element in the interface. CVE identification is offered by the advanced threat engine Suricata 52,53 . Recent CVEs being exploited are CVE-2021-36260(web server flaw: across several Hikvision appliances that involves command injection. Attackers can use the flaw to execute a command injection assault by delivering some messages that include malicious commands since there is inadequate input authentication), CVE-2020-11899 (Treck TCP/IP stack exploit: incorrect input validation when accepting a packet sent by an illegal access attacker in an IPv6 component. This flaw could lead to an out-of-bounds read as well as a Denial of Service). It is obvious that attackers are still using the prior flaws (Fig. 11) and hence organizations should address those deficiencies at the earliest.
ICMP_INFO PING & UDPv4 invalid checksum, are the highly reported alert signature by suricata as shown in Fig. 12. ICMP_INFO PING reveals that ping is still the widely used reconnaissance tool used by hackers to determine whether the specific host is reachable via an IP network or not. In UDP, no assurance that the packets will    54 . This indeed results ultimately contributes to significant hits in the DDoS honeypot. Hits reveal that the overwhelming attacks target SMB on port 445. This is the service that many exploit, including the more current SMBBleed/SMBGhost and Eternal Blue/WannaCry (CVE-2017-0144), (CVE-2020-1206). All throughout the world, strikes were reported, with the typical offenders being named 55 . This information can be used to carefully restrict access to those regions' ASNs and IP addresses for vital services. The interesting fact that there were no hits on the Log4j honeypot could be attributed to the organizations being highly informed and upgrading to a patched Log4j version.

Conclusion and future enhancements
Despite not being a cutting-edge technology, honeypots appear to significantly increase the volume of information that an enterprise can harvest. Whilst honeypot information security would aid in the mapping of the threat landscape, they are equipped in seeing activities aimed only at honeypot. We cannot simply say that a threat doesn't exist just because it hasn't been addressed at the honeypot.     www.nature.com/scientificreports/ We were successful in operationalizing a quick polymeric system that offers researchers a great deal of information while keeping in mind our primary objective for the work, that of a real-time warning asset. The honeypots performed effectively in obtaining high associations and a lot of samples of malware that were significant during our experiment. We could also catch events for DDoS attack which was predominant. System setup offered a great all-in-one solution to commence tracking actual attacks on numerous services in real-time. The front-end monitors offered a fantastic approach for analyzing and organizing patterns among attacks and creating visually striking and potent perspectives from the front line of the web. Several honeypot frameworks have been proposed merely as proofs of concepts, and their designers no more provide assistance for them. Long-term ventures are infrequent. Works in the future can utilize the knowledge gathered from the system to investigate zero-day vulnerabilities and develop IP delisting and intrusion detection and prevention system policies. In our forthcoming revision, we envisage addressing the failure of the system to give an early warning when DDoS traffic is spotted by integrating intelligence.

Data availibility
The datasets generated and analyzed during the current study are available at the link: RAW DATA.