Article
A Comparative Analysis of Honeypots on Different Cloud Platforms
Christopher Kelly 1, Nikolaos Pitropakis 1,2,*, Alexios Mylonas 3,*, Sean McKeown 1 and William J. Buchanan 1
Citation: Kelly, C.; Pitropakis, N.; Mylonas, A.; McKeown, S.; Buchanan, W.J. A Comparative Analysis of Honeypots on Different Cloud Platforms. Sensors 2021, 21, 2433. https://doi.org/10.3390/s21072433
Academic Editor: Yuh-Shyan Chen
Received: 22 January 2021
Accepted: 26 March 2021
Published: 1 April 2021
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
1 School of Computing, Edinburgh Napier University, Edinburgh EH10 5DT, UK; 40204337@live.napier.ac.uk (C.K.); S.McKeown@napier.ac.uk (S.M.); B.Buchanan@napier.ac.uk (W.J.B.)
2 Eight Bells LTD, Nicosia 2002, Cyprus
3 Department of Computer Science, University of Hertfordshire, Hatfield AL10 9AB, UK
* Correspondence: nikolaos.pitropakis@8bellsresearch.com or n.pitropakis@napier.ac.uk (N.P.); a.mylonas@herts.ac.uk (A.M.)
Abstract: In 2019, the majority of companies used at least one cloud computing service and it is expected that by the end of 2021, cloud data centres will process 94% of workloads. The financial and operational advantages of moving IT infrastructure to specialised cloud providers are clearly compelling. However, with such volumes of private and personal data being stored in cloud computing infrastructures, security concerns have risen. Motivated to monitor and analyse adversarial activities, we deploy multiple honeypots on the popular cloud providers, namely Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure, and operate them in multiple regions. Logs were collected over a period of three weeks in May 2020 and then comparatively analysed, evaluated and visualised. Our work revealed heterogeneous attacker activity on each cloud provider, in terms of both the volume and origin of attacks and the targeted services and vulnerabilities. Our results highlight attempts by threat actors to abuse popular services that were widely used for remote working during the COVID-19 pandemic, such as remote desktop sharing. Furthermore, the attacks seem to originate not only from countries that are commonly found to be the source of attacks, such as China, Russia and the United States, but also from uncommon ones such as Vietnam, India and Venezuela. Our results provide insights into the adversarial activity during our experiments, which can be used to inform the Situational Awareness operations of an organisation.
Keywords: cloud computing; cybersecurity; honeypot; Google Cloud; AWS; Microsoft Azure
1. Introduction
It is estimated that one in four businesses will run their applications solely on the cloud within a year [1]. This involves moving all their IT infrastructure to cloud-based providers to utilise either a private and/or public cloud structure. As cloud providers’ IP address subnets are public knowledge, this has opened channels for attackers to deploy mass scanners to automate attacks and take advantage of poorly configured services and protocols that are deployed in cloud instances.
In the current threat landscape, threat actors are constantly active across the world, attempting to exploit new and existing vulnerabilities, which often could be decades old. Such an incident happened recently, where yet another large-scale breach was witnessed with Capital One’s customer data being exposed [2]. A misconfigured Amazon Web Services (AWS) instance allowed the exposure of hundreds of thousands of customers’ details, including bank account and social security numbers. It is therefore necessary to learn and investigate how cyber criminals scan and interact with systems that are publicly accessible. To understand such activity, honeypots are often deployed, which can emulate a vast range of different services across a system and network to lure potential attackers into initiating interaction. The results gathered from honeypots can be extremely useful