Honeypot medium-interaction, Internet threat, Malware, Trojan, AS, RIR Country of origin, Session duration, Threat detection, Threat dissemination, IPv4

New Internet threats emerge on daily basis and honeypots have become widely used for capturing them in order to investigate their activities. The paper focuses on a detailed analysis of the behavior of various attacks agains 7 Linux-based honeypots. The attacks were analyzed according to the threat type, session duration, AS, country and RIR of the attack origin. Clusters of similar objects were formed accordingly and certain typical attack patterns for potential detection automation as well as some aspects of threat dissemination were identified.