DORA: Dionaea Observation and Data Collection Analysis for Real-Time Cyberattack Surveillance and Threat Intelligence

Hartinah Hartinah, Andi Syarwani, Ardiansyah Ardiansyah, Irfan Syamsuddin

DORA: Dionaea Observation and Data Collection Analysis for Real-Time Cyberattack Surveillance and Threat Intelligence

Číslo: 3/2025
Periodikum: Acta Informatica Pragensia
DOI: 10.18267/j.aip.277

Klíčová slova: Honeypot; Cybersecurity; Malware detection and analysis; Cyber threat detection; Network security; Real-time threat intelligence; Vulnerability assessment

Pro získání musíte mít účet v Citace PRO.

Přečíst po přihlášení

Anotace: Background: As assaults get more sophisticated, honeypots like Dionaea become an essential tool for analysing attack behaviours and detecting weaknesses. Despite their growing importance in cybersecurity, honeypots' role in real-time cyberattack surveillance and threat intelligence is largely unknown. Many studies concentrate on identifying attacks rather than delivering actionable intelligence for defensive solutions. Furthermore, previous research frequently lacks thorough methodology for comparing attack data to real-world incidents and does not investigate the integration of honeypots with external intelligence services.

Objective: This study assesses the Dionaea honeypot's ability to detect and analyse cyberattack trends, with an emphasis on attack patterns, malware dispersion, and geographical threat sources. The project will look into how Dionaea honeypots, when combined with external analysis services such as VirusTotal, might provide more thorough insights into cyberattack tactics and improve proactive cybersecurity defence mechanisms.

Methods: The Dionaea honeypot was used to identify a range of attacks on vulnerable services including Telnet (Port 23), SMB (Port 445), and MySQL (Port 3306). Over a seven-day observation period, 32,395 attack connections from 6,276 distinct IP addresses were detected, yielding 2,892 malware samples. These samples were examined using VirusTotal, and the findings were categorised by malware type, attack vector, and geographical origin. Geospatial and service-specific attack patterns were also investigated to detect emerging trends and high-risk sites.

Results: The investigation identified WannaCry ransomware as the most common malware, accounting for 1,076 incidents, demonstrating the continuous exploitation of the MS17-010 vulnerability in SMB (Port 445). The most frequently attacked ports were Port 23 (Telnet), Port 445 (SMB), and Port 3306 (MySQL), which received 7,988, 6,898, and 3,589 attack attempts, respectively. Geographically, the leading sources of assault activity were China (42%), the United States (17%), and Japan (13%). The findings demonstrate that honeypots are not only effective attack detection tools, but also significant sources of intelligence for understanding cyber threat methods and adversary behaviours.

Conclusion: This study proposes DORA (Dionaea Observation and Data Collection Analysis), an integrated system that enhances the existing Dionaea honeypot by combining its data with external analysis services like VirusTotal. This integration provides critical insights into real-time cyberattack detection, malware analysis, and attack vector identification. The findings highlight vulnerabilities in services like Telnet and SMB, particularly the exploitation of MS17-010. DORA improves threat intelligence workflows, enhancing malware detection accuracy and classifying threats more efficiently. Additionally, it helps identify high-risk attack surfaces, forming the basis for adaptive cybersecurity strategies. This research contributes to developing resilient defence systems capable of addressing emerging threats.