Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots

Computer Science > Cryptography and Security [Submitted on 26 Jun 2026] Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots Veronica Valeros, Muris Sladić, Sebastian Garcia Cyber deception research has focused on improving honeypot deception capabilities to increase attacker engagement and extend their interactions to collect more and better intelligence. For SSH honeypots, this relies on the assumption that attackers log in, open a shell, and type. We tested whether this still held by deploying eleven SSH honeypots that served both interactive and non-interactive session requests for fifteen days. We collected 177,622 authenticated sessions and validated our results against an independent Cowrie dataset over the same time window. We found that 99.23% of sessions were non-interactive. Interactive sessions account for only 0.10%. The same pattern held in the comparative third-party dataset used for evaluation. This finding is important because a honeypot that focuses on interactive shells or evaluates success based on session length and the number of commands can miss most authenticated attacks and draw the wrong conclusions about what attackers do after login. Comments: 5 pages Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2606.28006 [cs.CR]   (or arXiv:2606.28006v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2606.28006 Focus to learn more Submission history From: Veronica Valeros [view email] [v1] Fri, 26 Jun 2026 12:03:27 UTC (137 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-06 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)