Abstract

Since its introduction, the honeypot has been used by researchers to track and learn the cyber attack into organization infrastructures. With the continuous rise of cyberattacks, deception technology, i.e., honeypot, has been eyed by organizations as a prominent tool to provide early detection of attack capability and defense mechanism after learning from the interaction between the attacker and the tool. In this research, a new enhanced framework is introduced to categorize attacker behaviors detected through our honeypots. The framework provides a finer-grained result allowing representation of the actual attacker behaviors as he/she interacts with the honeypot. Complete threat categories both on high-volume and low-volume attack traffic are presented.