DShield (Cowrie) Honeypot Stats and When Sessions Disconnect, (Mon, Mar 30th)
ID: b86b1ede-6993-5089-85c7-a7e8f851fe93
STIX ID: report--b86b1ede-6993-5089-85c7-a7e8f851fe93
Feed Name: SANS ISC Diary
This analysis of 1.2M+ Cowrie honeypot telnet/SSH sessions (Apr 2022–Mar 2026) summarizes command counts, session durations, and common last commands to distinguish automated bot activity from interactive attackers. It finds that most sessions run ~20 commands in ~20 seconds, that many sessions appear automated or scripted, and that some sessions construct ELF binaries (one file tied to Mirai-like detections). The report recommends improving session similarity detection by normalizing variable inputs, hardening honeypot responses to better mimic real systems, and investigating outlier sessions and artifacts.
