arxiv: 2508.11325 · v2 · submitted 2025-08-15 · 💻 cs.CR

Salty Seagull: A VSAT Honeynet to Follow the Bread Crumb of Attacks in Ship Networks

Pith reviewed 2026-05-18 23:06 UTC · model grok-4.3

classification 💻 cs.CR
keywords VSAT honeynet · maritime cybersecurity · ship networks · cyber deception · honeynet deployment · attack analysis · VSAT vulnerabilities · threat intelligence

The pith

A VSAT honeynet for ships draws mostly generic attacks, with only one knowledgeable intruder gaining access.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes and deploys Salty Seagull, a honeynet that simulates a working VSAT communication system used on ships, including a web dashboard, CLI interface, and deliberately added existing vulnerabilities. The goal is to attract real attackers and trace their actions in order to understand the specific cyber threats facing maritime networks, which often rely on legacy equipment and have operational constraints that limit standard security practices. A sympathetic reader would care because ships represent critical infrastructure whose networks are increasingly connected yet hard to defend, and concrete data on what kinds of attacks actually occur can help prioritize protections beyond generic internet threats.

Core claim

The Salty Seagull honeynet simulates a functional VSAT system onboard ships and integrates existing vulnerabilities to increase attacker engagement. When exposed to the Internet for 30 days, it experienced numerous generic attacks, but only one curious attacker possessing knowledge of the system's nature and vulnerabilities managed to access it, without however exploring its full potential. This demonstrates the potential of cyber-deception techniques to gather insights into attack campaigns targeting the maritime sector.

What carries the argument

Salty Seagull, a honeynet that mimics VSAT operations on ships through a web dashboard and CLI while embedding known vulnerabilities to lure and record attacker behavior.

If this is right

  • Maritime operators can gather targeted threat data by deploying similar deception systems instead of relying solely on conventional monitoring.
  • Successful access to ship-like networks tends to come from attackers who already understand VSAT and maritime-specific weaknesses.
  • Embedding known vulnerabilities in a honeynet increases the likelihood of drawing engaged, knowledgeable intruders.
  • Results can help focus defensive resources on protecting legacy ship systems from informed rather than opportunistic threats.
  • Repeated deployments may begin to reveal recurring patterns in attack methods or origins unique to the maritime domain.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same honeynet model could be adapted for other ship systems such as navigation or cargo management to build a fuller picture of maritime threats.
  • The dominance of generic probes suggests that simply exposing maritime-like systems publicly may not draw many specialized attackers unless the setup is clearly identifiable as ship-related.
  • Cross-referencing honeynet logs with actual maritime security incident reports could test how well the simulation matches real-world targeting.
  • Such controlled environments might supply training data for defensive tools tailored to operational technology networks on vessels.

Load-bearing premise

The simulated VSAT environment with its integrated vulnerabilities is realistic enough to attract and engage attackers who specifically target maritime ship networks rather than generic internet devices.

What would settle it

Observing multiple distinct attackers who show clear knowledge of VSAT maritime systems and proceed to fully explore or compromise the honeynet would contradict the reported pattern of limited sophisticated engagement.

Figures

Figures reproduced from arXiv: 2508.11325 by Georgios Michail Makrakis, Jeroen Pijpker, Remco Hassing, Rob Loves, Stephen McCombie.

Figure 1: The architecture of the proposed honeynet.
Figure 2: An example of the VSAT menu page for the SysAdmin.
Figure 3: Change in the number of log entries gathered per day.

Original abstract

Cyber threats against the maritime industry have increased notably in recent years, highlighting the need for innovative cybersecurity approaches. Ships, as critical assets, possess highly specialized and interconnected network infrastructures, where their legacy systems and operational constraints further exacerbate their vulnerability to cyberattacks. To better understand this evolving threat landscape, we propose the use of cyber-deception techniques and in particular honeynets, as a means to gather valuable insights into ongoing attack campaigns targeting the maritime sector. In this paper we present Salty Seagull, a honeynet conceived to simulate a VSAT system for ships. This environment mimics the operations of a functional VSAT system onboard and, at the same time, enables a user to interact with it through a Web dashboard and a CLI environment. Furthermore, based on existing vulnerabilities, we purposefully integrate them into our system to increase attacker engagement. We exposed our honeynet for 30 days to the Internet to assess its capability and measured the received interaction. Results show that while numerous generic attacks have been attempted, only one curious attacker with knowledge of the nature of the system and its vulnerabilities managed to access it, without however exploring its full potential.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper presents Salty Seagull, a honeynet that simulates a functional VSAT satellite communication system onboard ships, incorporating known vulnerabilities and providing Web/CLI interfaces for interaction. After exposing the system to the internet for 30 days, the authors report numerous generic attacks but only a single access by one knowledgeable attacker who did not explore the system's full potential, positioning this as evidence for gathering maritime-specific threat insights.

Significance. If the simulation's fidelity to real ship VSAT systems can be established, the work provides empirical observations from a specialized maritime honeynet deployment, contributing to cyber-deception techniques for understanding targeted attacks on critical infrastructure like ship networks. The direct 30-day exposure data offers a starting point for threat landscape analysis in an understudied domain, though its value hinges on distinguishing maritime-specific engagements from generic internet probing.

major comments (2)
  1. [Deployment and Results sections] The central claim that the single access demonstrates an attacker with 'knowledge of the nature of the system and its vulnerabilities' is not supported by any provided analysis of interaction logs, protocol responses, or comparison to expected maritime VSAT behaviors; without baselines, error analysis, or raw data, this interpretation of maritime-specific targeting remains only moderately supported by the observations.
  2. [Honeynet Design section] The description of the simulated VSAT environment, including integrated vulnerabilities and operational mimicry, supplies no validation or comparison against actual maritime VSAT deployments (such as specific Inmarsat/Iridium configurations, legacy SCADA integration, or bandwidth constraints), which is load-bearing for the assumption that the honeynet attracts and engages attackers targeting ship networks rather than appearing as a generic device.
minor comments (1)
  1. [Abstract] The abstract and results could more explicitly define the metrics used to 'measure the received interaction' and clarify how generic versus sophisticated attacks were categorized.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for their constructive and detailed review of our manuscript. We have carefully considered each major comment and provide point-by-point responses below, including revisions to strengthen the presentation of our results and design choices.

point-by-point responses
  1. Referee: [Deployment and Results sections] The central claim that the single access demonstrates an attacker with 'knowledge of the nature of the system and its vulnerabilities' is not supported by any provided analysis of interaction logs, protocol responses, or comparison to expected maritime VSAT behaviors; without baselines, error analysis, or raw data, this interpretation of maritime-specific targeting remains only moderately supported by the observations.

    Authors: We appreciate the referee pointing out the need for stronger evidentiary support. In the revised manuscript, we have expanded the Results section with a detailed narrative of the attacker's observed actions, including the sequence of commands and interface interactions that align more closely with VSAT management practices than with broad internet scans. We added a brief comparison to the generic attack traffic recorded during the same period to establish a baseline. Full raw logs and complete protocol traces cannot be included, as they risk exposing active attack techniques and could affect the continued operation of the honeynet; a limitations paragraph has been added to discuss this constraint and its impact on interpretation strength. revision: partial

  2. Referee: [Honeynet Design section] The description of the simulated VSAT environment, including integrated vulnerabilities and operational mimicry, supplies no validation or comparison against actual maritime VSAT deployments (such as specific Inmarsat/Iridium configurations, legacy SCADA integration, or bandwidth constraints), which is load-bearing for the assumption that the honeynet attracts and engages attackers targeting ship networks rather than appearing as a generic device.

    Authors: We agree that explicit validation strengthens the claim of maritime relevance. The revised Honeynet Design section now includes direct references to publicly documented Inmarsat and Iridium VSAT characteristics, such as standard web dashboards, CLI command sets, and reported vulnerabilities from maritime cybersecurity sources. We map these elements to our implementation choices and explain how they support operational mimicry. Complete access to proprietary configurations, exact bandwidth limits, or legacy SCADA integrations remains unavailable due to industry access restrictions; however, the selected vulnerabilities are grounded in documented maritime incidents to improve the probability of engaging relevant attackers rather than generic probes. revision: yes

standing simulated objections not resolved
  • Full provision of raw interaction logs, protocol responses, and error analysis, due to operational security requirements and the risk of disclosing sensitive attacker tactics.

Circularity Check

0 steps flagged

No significant circularity in observational honeynet deployment study

The paper presents the design, implementation, and 30-day internet exposure of a VSAT honeynet, reporting direct observational counts of generic attacks versus one knowledgeable access. No equations, fitted parameters, predictive models, or derivation chains exist that could reduce results to inputs by construction. The central claim rests on measured interactions from the deployed system rather than any self-definitional, fitted-prediction, or self-citation load-bearing step. This is a standard empirical cybersecurity report whose findings are independent of prior author choices.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper rests on the domain assumption that a simulated VSAT system with added vulnerabilities will draw attackers interested in real maritime targets and that 30 days of exposure is informative.

axioms (1)
  • domain assumption: The simulated VSAT system accurately represents real ship network operations and vulnerabilities.
    Invoked to justify that observed interactions reflect genuine maritime threat activity rather than generic internet noise.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

  • IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction · unclear

    Relation between the paper passage and the cited Recognition theorem.

    We propose the design and implementation of a VSAT honeynet capable of attracting, recording, and analyzing early-stage interactions from potential attackers targeting shipboard communication systems... only one curious attacker with knowledge of the nature of the system and its vulnerabilities managed to access it.

  • IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel · unclear

    Relation between the paper passage and the cited Recognition theorem.

    The design choices are made based on the assumption that we can acquire more precise results about techniques attackers might exploit... implemented the Web interface of a Sea Tel VSAT management portal.

What do these tags mean?

  • matches: The paper's claim is directly supported by a theorem in the formal canon.
  • supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
  • extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
  • uses: The paper appears to rely on the theorem as machinery.
  • contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
  • unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
