Conference PaperPDF Available

Approaches for Preventing Honeypot Detection and Compromise

  • October 2018
DOI:10.1109/GIIS.2018.8635603
  • Conference: Global Information Infrastructure and Networking Symposium (GIIS’18)
  • At: Thessaloniki, Hellas
Authors:
Michael Tsikerdekis at Western Washington University
Michael Tsikerdekis
Sherali Zeadally
Sherali Zeadally
Sherali Zeadally
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Amy Schlesener
Amy Schlesener
Nicolas Sklavos at University of Patras
Nicolas Sklavos
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

Honeypots have been used extensively for over two decades. However, their development is rarely accompanied with an understanding of how attackers are able to detect them. Further, our understanding of effective evasion strategies that prevent the detection of honeypots is limited. We present a classification of honeypot characteristics as well as honeypot detection evasion strategies which minimize the detection rates of honeypots.We also provide recommendations for future honeypot software which is more adaptable, modular and incorporate a dynamic intelligence design.
Figures - uploaded by Nicolas Sklavos
Author content
All figure content in this area was uploaded by Nicolas Sklavos
Content may be subject to copyright.
Content uploaded by Nicolas Sklavos
Author content
All content in this area was uploaded by Nicolas Sklavos on Oct 30, 2018
Content may be subject to copyright.
Approaches for Preventing Honeypot Detection and
Compromise
Michail Tsikerdekis
Computer Science Department
Western Washington University
Bellingham, WA, USA
Email: Michael.Tsikerdekis@wwu.edu
Sherali Zeadally
College of Communication and Information
University of Kentucky
Lexington, KY, USA
Email: szeadally@uky.edu
Amy Schlesener
Computer Science Department
Western Washington University
Bellingham, WA, USA
Email: schlesa@wwu.edu
Nicolas Sklavos
Computer Engineering & Informatics Department
University of Patras
Patra, Greece
Email: nsklavos@ceid.upatras.gr
Abstract—Honeypots have been used extensively for over two
decades. However, their development is rarely accompanied with
an understanding of how attackers are able to detect them.
Further, our understanding of effective evasion strategies that
prevent the detection of honeypots is limited. We present a
classification of honeypot characteristics as well as honeypot
detection evasion strategies which minimize the detection rates of
honeypots. We also provide recommendations for future honeypot
software which is more adaptable, modular and incorporate a
dynamic intelligence design.
Index Terms—Detection, honeypot, protocol, security
I. INTRODUCTION
Honeypots have been used as a standard mechanism to
provide a more holistic cybersecurity strategy to organizations
for over two decades [1]. They have been credited with directly
assisting the discovery of a system’s compromise and in some
cases, they have also helped to uncover the identity of cyber-
criminals across countries [2]. However, the proliferation of
tools and technologies such as machine learning and artificial
intelligence has enabled attackers to not only detect honeypots
but identify ways for further exploitation. To date, much of the
literature has focused on the development of novel honeypots
that often target a particular aspect (such as defending a
Demilitarized Zone (DMZ) zone) without providing a holistic
understanding of how honeypot can be designed so as to avoid
detection by attackers.
Today, all types of organizations face probing from a glob-
ally connected cyberspace. A recent study of five small public
municipalities from the state of Washington has demonstrated
that even smaller networks are not immune to probing by a
range of attackers from various countries [3]. Organizations
employ honeypots to some degree as a mechanism for de-
tecting system probing and compromise from both internal
and external threats. Since the intent behind honeypots is
for them to be exploited by attackers, any traffic originating
from a honeypot is suspect [4]. Specifically, the rate of false
positives by a honeypot is expected to be virtually zero and
as such the trust placed in alerts coming from such systems
by cybersecurity analysts is high. Honeypot detection by an
attacker often boils down to a comparison of fidelity (how
realistic a honeypot’s behavior is compared to the system
it mimics). However, studies have shown that high fidelity
honeypots can still be detected and are expensive to maintain
[5], [6].
Contributions of this work
We summarize the main contributions of this work as
follows:
We identify the key characteristics that differentiate var-
ious honeypots.
We review some of the recent approaches that have been
found to make honeypots more difficult to detect by
attackers and classify which honeypots benefit the most
from these approaches.
We discuss some of the characteristics that future hon-
eypots need to have in order to keep up with emerging
threats.
The rest of the paper is organized as follows. In section
II, we present an overview of various honeypots and their
respective uses along with their key characteristics. In section
III, we identify how honeypot characteristics influence their
ability to avoid detection by attackers and provide a classi-
fication for such characteristics for developers of honeypots.
Finally, in section IV, we present a few characteristics that
future honeypots need to have with respect to the tools that
are available to attackers.
II. HO NE YP OTS
At its simplest, a honeypot is a resource that is utilized to
detect and prevent attempts of unauthorized access and use of
systems. Its value is found in its exploitative state [1]. The
expectation is that an attacker will interact with the honeypot
and will unknowingly provide information to cybersecurity978-1-5386-5150-6/18/$31.00 © 2018 IEEE
professionals revealing his or her whereabouts and intent.
The latter is of utmost importance one of the most important
defense measures is to quickly detect zero day vulnerabilities
(vulnerabilities not previously known) and reacting to such
compromises. As such, the information gained through this
process can be used to uncover such vulnerabilities or help
minimize risks associated with an attacker’s specific attack
goals, which lead to attack vector customization that may
be difficult to otherwise detect. Offensive honeypots include
honeypots involving drive-by-downloads [7] and P2P honeypot
bots developed to control and monitor botnets [8]. Honeypots
are also used in network areas that cannot be otherwise effec-
tively monitored by network monitoring tools. For example,
once an employee’s network access credentials are obtained
by a remote attacker (e.g., Secure Shell (SSH) credentials),
intrusion detection systems that are often placed near the edge
router of a network are unable to inform security analysts
about the actions of the attacker. A honeypot, however, can
indicate the compromise of the employee’s account if the at-
tacker attempts to connect to it via the employee’s workstation.
An example of this is presented on Fig. 1.
Fig. 1. Example attack scenario on a network with network intrusion detection
sensors and honeypot.
Honeypots today are extensively used in a range of govern-
mental as well as non-governmental organizations. For exam-
ple, one of the requirements by the Health Insurance Porta-
bility and Accountability Act (HIPPA) that governs healthcare
security requirements in the United States is interpreted as
a need for monitoring systems. Often this requirement for
healthcare providers as well as business associates interpret
this as a need for Intrusion Detection Systems (IDS) that
include the use of honeypots to some extent [9]. Other critical
areas that make use of honeypots include financial institutions
[10] and industrial control networks [11].
The type of data collected by honeypots vary depending
on the organization and the type of application but in general
they involve extensive logs of user and system actions as well
as network traffic. These logs are often forwarded in a larger
data storage (e.g., Elasticsearch) that contains network sensor
data (e.g., netflow or full packet captures) along with alerts
from IDS. Alert correlation is further used in order to better
establish a timeline for an attacker’s actions or eliminate false
positives [12]. Security analysts then analyze the honeypot
data. However, unlike other network data (full packet captures,
netflows, and so on) that is collected, the honeypot data is more
valuable and its analysis is a lot cheaper because it contains
less false positives [13].
A. Honeypot Characteristics
Various types of honeypots have been developed for a
diverse set of applications. Some are more generic whereas
some are highly specific characteristics such as the ability to
emulate a particular network encryption (e.g., Secure Sockets
Layer Version 3 (SSLv3)). We have identified several honeypot
characteristics and we have also reviewed their major benefits
as well as their drawbacks. Next, we discuss the following
honeypot characteristics: objective, fidelity, implementation
and scalability.
1) Objective: There are two primary categories for honey-
pots: research and production [14]. Research honeypots are
used to generate threat intelligence about attackers. They are
often placed in a network’s DeMilitarized Zone (DMZ) or
otherwise in an area where production activities do not take
place (e.g., through Virtual Local Area Networks (VLAN)
segmentation). In contrast, production honeypots are often
placed near security assets with the purpose of serving as
indicators of compromise(IOC) for internal as well as external
threats. Simply put, the functionality of these honeypots are for
alerting defenders of an attack, and only limited intelligence
is gathered about the attacker (in sharp contrast with research
honeypots). The earliest precursor of production honeypots is
monitoring darknets (the unused IP address space in a local
network) [13]. The general principle of production honeypots
is that since they serve no functional purpose for legitimate
users, any attempt to access and use them is considered
to carry a bad intent [15]. From an attack perspective, the
difference between production and research can be thought in
terms of “attack duration” with research honeypot involving
longer times.
2) Fidelity: Honeypots can be characterized based on the
level of interaction that they allow between them and the
attacker. Low interaction honeypots allow for interactions with
them only for a short period of time. At the completion
of the interaction an attacker may or may not discover the
deceptive nature of the honeypot depending on the intent of the
honeypot developers. This may be the case with an OpenSSH
honeypot server that follows the SSH protocol and accepts
various authorization credentials but provides no further shell
functionality (revealing in effect to the attacker the deceptive
nature of the honeypot). Such a honeypot is typically placed
in a local network’s DMZ or within an IP subnet whose
network traffic is not monitored by an IDS. On the other hand,
high interaction honeypots can either simulate or provide all
high level functions of a system they are mimicking. The
expectation here is that their deceptive nature should not be
detectable by an attacker. Often such honeypots are used
exclusively for research where the main objective is to discover
the intent and methods of an attacker [14]. High interaction
honeypots are usually used where zero day vulnerabilities are
more likely to be discovered [1].
3) Implementation: A honeypot implementation involves
the use of software,hardware or hybrid. Hardware honeypots
can vary from regular computers to specialized Supervisory
Control and Data Acquisition (SCADA) systems (e.g., GasPot,
a gas pump SCADA honeypot). The degree of emulation
of functions based on the system that a honeypot mimics
can vary but often many functions are embedded into the
hardware which makes the development and maintenance
of such honeypots more expensive. Software honeypots are
cheaper to develop and maintain. Virtualization technology is
also often used as a means to simulate hardware functions
[16].
4) Scalability: Scalability refers to the ability of a honeypot
or parts thereof to scale. This characteristic becomes particu-
larly important with the emergence of botnets as well as the
overall increase in the number of cyberattacks and state actors
that aim to attack organizations. Several scalable honeypots
exist and they vary from Peer-to-Peer (P2P) functionality
to automatic re-deployment mechanisms [17], [18]. Other
honeypots developed have focused on handling hundreds of
thousands of concurrent connections [5].
B. Honeypot Detection
Honeypot detection lies in an attacker’s ability to detect
and find out about the deceptive nature of the honeypot.
Often this relies on the limited ability of a honeypot to
align with an attacker’s mental model based on the attacker’s
expectation of what a realistic environment should look like.
The constraints are often economical, which involves hardware
as well as development costs. An early example of this is
the Honeypot Hunter that was deployed to uncover mail
server honeypots [19]. The software utilized its own fake
mail server and attempted to proxy back to it through the
honeypot’s mail server. The action was enough to uncover
the honeypot because most honeypot mail servers at the time
offered a low overall interaction. There are also additional
design constraints for honeypots that attackers are aware of.
There are legal constraints that prevent realistic emulations [8].
Such constraints are due to the nature of defenders having to
abide by the law and as such attacker’s knowingly look for
signs of such legal constraints (e.g., a honeypot bot that is part
of a botnet cannot legally perform denial of service attacks to
systems).
III. AVOIDING HONEYPOT DET EC TI ON
Given the challenges involved in successfully deploying a
non-detectable honeypot, it is important to not only understand
recently proposed approaches that have been shown to be
successful but also how the characteristics of a honeypot may
influence the success of applying these approaches.
A. Proposed Approaches for Avoiding Honeypot Detection
We describe several approaches for honeypots that have
been proven to be effective against attacker detection and
highlight how they succeed in doing so.
1) Automatic Honeypot Redeployment: Low interaction
honeypots are more expensive to develop with built in anti-
detection because their scope and functionality are limited in
contrast to high interaction honeypots. Upon discovery by an
attacker, modifying an existing honeypot configuration may be
too costly. Consequently, one approach for avoiding honeypot
detection involves automated re-deployment of the honeypot
that in turn reduces the need for anti-detection honeypot con-
figurations. One study that has explored the development and
implementation of such a mechanism automatically re-deploys
a honeynet when it identifies that an attacker has detected it
[20]. Inbound and outbound Internet Control Message Protocol
(ICMP) packets are monitored and any drop in the number
of ICMP packets below a pre-determined threshold indicates
that the attacker has disconnected (indicative of the honeypot
being discovered). The honeypot is then automatically rede-
ployed with an altered configuration with the intent to trap
the same attacker. The method reduces setup overheads and
development of anti-detection mechanisms for honeypots.
2) Honeypot Delay Reduction: A substantial detection risk
for honeypots stems from the fact that arbitrary delays are
introduced in processes that a honeypot mimics (e.g., authen-
tication via SSH that is delayed due to further logging or log
forwarding required by a honeypot) that would otherwise not
have such delays. These delays enable attackers to detect the
honeypot. One method for delay reduction that directly identi-
fied the benefits of minimizing delays introduced by an active
honeypot bot designed to connect back to a botnet is described
in [18]. This method is used to avoid honeypot detection in
P2P botnets and it combines the use of IP address spoofing
and fake TCP three-way handshake to break the authentication
procedure used to allow infected hosts to join a botnet. The
authors focused on the Advanced Two-Stage Reconnaissance
Worm (ATSRW). The worm uses an authentication procedure
before allowing infected hosts to join the botnet. However,
the authors of the active honeypot bot discovered that their
authentication method that mimicked that of the original botnet
was detectable by attackers. The authors of [18] spoofed the
authentication by finding an already infected vulnerable peer
and infecting it in order to obtain the authentication that
was used to authenticate back to the botnet in order to join.
The process of the bot learning the authentication procedure
introduced a time delay and as a result it revealed that a
honeypot was attempting to connect to the botnet. By reducing
the time delay to match more closely that of a real infected
host, the risk of detecting the honeypot was lowered.
Delay reduction as an optimization for honeypots has also
demonstrated its effectiveness in avoiding honeypot’s detection
when applied to Honeyd (a readily available open-source
honeypot) [21]. Honeyd is a virtual (software) honeypot that
emulates the protocol stack (such as the TCP/IP stack) so that
attackers are convinced they are attacking a real vulnerable
system. In Honeyd, an attacker may deduce that the system is
a honeypot by measuring the end-to-end latency. Since Honeyd
operates on a virtual network, the link latency can be used to
detect the presence of the honeypot. Specifically, end-to-end
latency in Honeyd’s design is a multiple of 10 milliseconds. By
comparing latencies between a physical (real) network and a
virtual (honeypot) network we can define a threshold in which
the two latencies are different. Using that threshold we can
detect honeypot networks that use Honeyd. Attackers can use
measurements of round trip times (e.g., by using ICMP, TCP,
or UDP echo-reply) to detect the presence of honeypots. The
study found that camouflaging Honeyd by modifying it to have
a lower link latency was effective in avoiding the honeypot
system being detected by attackers. The threshold selected
was close to the physical network’s link latency. The study
concluded that although the method was successful with the
Honeyd honeypot system, it can also be broadly applied to
other virtual honeypot systems.
3) Honeypot Process Transparency: Another side effect
of the way honeypots operate is the lack of transparency
that leads to revealing their deceptive design. An example of
this can be observed in hybrid honeypot systems. In these
types of honeypots, both low and high interaction honeypots
are used with a frontend honeypot forwarding connections
to a backend honeypot (similar to the way load balancing
web servers work). Current TCP connection handover mech-
anisms in hybrid honeypot systems can be easily detected
by attackers [5]. As such, one study proposed a transparent
TCP connection handover mechanism that uses different ports
of an OpenFlow-based switch to isolate honeypots while
TCP connection parameters (SEQ, ACK numbers) remain the
same [5]. The hybrid honeypots require network traffic to
be re-directed from the frontends to the backends and this
traffic redirection is often not transparent enough to evade
an attacker’s detection. The study’s alternative mechanism
consists of three phases. Phase one is initiated by an attacker
sending a TCP connection request to the target honeypot.
The honeypot controller forwards the request to the frontend
which performs the TCP three-way handshake to establish a
connection with the attacker. Phase two involves transferring
the TCP session from the frontend to the backend using a
TCP replaying approach. This approach replays the three-
way handshake using the saved attacker’s SYN packet. SEQ
and ACK numbers are then synchronized leading to the third
phase in which the packets are exchanged directly between
the attacker and the backend. The study concluded that this
approach makes the hybrid honeypot much stealthier at the
expense of reduced performance . In general, honeypots need
to ensure that operations that are being emulated need to
maintain transparency. In other words, they need to hide any
modified sequence of events that is not realistic.
4) Dedicated Hardware: Although expensive, the use of
dedicated hardware for honeypots can help minimize their
detection (e.g., by reducing arbitrary software delays). Ad-
ditionally, they also provide an additional layer of security
against honeypot compromise. These benefits were demon-
strated in a study which showed a more efficient honeypot
architecture for malware sample collection. This architecture
implemented honeypots using dedicated hardware instead of
a general-purpose processor and it also made use of a high-
speed implementation of the IP stack [22]. Additionally, the
approach used a specialized stateless TCP hardware, which
is highly tuned to the application domain. The stateless TCP
hardware can manage hundreds of thousands of simultaneous
connections thereby enabling the system to support large hon-
eynets. Further, the dedicated hardware used by the honeypot
increased the speed of execution of TCP operations, which in
turn may reduce the likelihood of a honeypot being detected by
an attacker. An additional benefit of implementing honeypot
operations in hardware instead of software using general-
purpose processors is that it also reduces the risk of the
honeypot software being compromised and used for attacks
[22].
5) Dynamic Intelligence on Honeypots: The advent of
dynamic approaches to honeypot development as well as
novel techniques in machine learning and artificial intelligence
provide an opportunity for more diverse honeypots that alter
their behavior depending on the actions of an attacker. The
result is a more adaptable honeypot that is more difficult
to detect. In general, dynamic honeypots have a behavior
that is not fixed but changes based on some condition and
adapts to the current environment [23], [24]. In this case,
we do not need to perform configuration or re-configuration.
An example of such a system is a high interaction honeypot
that uses reinforced learning in order to dynamically change
its behavior based on the interaction that it has with an
attacker [25]. The honeypot can strategically block program
execution, alter program names in order to lure attackers and
can deceive attackers with the intent of having them reveal
their ethnic background, which is particularly important for
research honeypots.
B. Classification Summary of Honeypot Characteristics and
Approaches Avoiding Honeypot Detection
The various methods we have described above provide an
insight into the diverse array of options that can increase
the difficulty of an attacker to detect the deceptive nature
of a honeypot. However, many of these approaches may or
may not be applicable depending on the honeypot’s char-
acteristics. Table I presents a summary of approaches and
honeypot characteristics that can work together in order to help
honeypot designers better assess their honeypot development
and honeypot uses.
Automatic re-deployment can be used for both research
and production objectives although it focuses mainly for low
interaction honeypots since altering large parts of configuration
for high interaction honeypots is expensive. The approach
applies to software-based honeypots because hardware based
honeypot configuration is too restrictive to yield significant
benefits in avoiding detection when altered. The automatic re-
deployment method for software-based honeypots is also quite
scalable.
By reducing delays in a honeypot system the strategy is
effective in reducing the number of hints to attackers for both
research and production honeypots. Reduced delays benefit
honeypots across all levels of honeypot interaction including
hybrid honeypots (involving low and high interactions). The
cost of scalability also remains low because many of the parts
of the honeypot that can be optimized for avoiding detection
are software-based.
Assuring transparency for modified operations (e.g., sand-
boxed program execution or TCP connection handover) is
important for research honeypots where an attacker is expected
to leak more information and have higher level interactions
with the honeypot. Since the primary components are software
based, they tend to be more scalable as demonstrated by one
of the recent studies [22].
Use of dedicated hardware is the most expensive choice in
terms of scalability cost but has also been demonstrated to be
highly effective for both low and high interaction honeypots.
This approach is most suitable when the honeypot interaction’s
duration is expected to be rather short such as in production
honeypots.
Finally, a major benefit for research high interaction honey-
pots can be achieved through the use of dynamic intelligence
in honeypots. The approach is software based and therefore
the computational overhead requirements may result in high
overheads when scaling up especially if artificial intelligence
is involved (that may include long training times).
IV. THE FU TU RE O F HON EY POTS
Over the past decade several types of honeypots [6], [24],
[23], [16] have been proposed with a long history of develop-
ment . Krawetz [19] predicted the cat and mouse game that
has been prevalent in the development of these honeypots.
Although honeypot software has not become obsolete, it
appears that it has not made the leap that other cybersecurity
tools (e.g., Intrusion Detection System (IDS)) have undergone.
The majority of honeypots available, although open-source
and free, are still monolithic in their architecture with odd
development cycles and maintenance. While they are avail-
able to security professionals, they are known and highly
predictable to attackers with a limited ability to adapt. In
fact, more than 50 honeypots that are included in a recent
review [6] are falling behind in ensuring detection avoidance
from attackers (often having a known vulnerability that signals
their deceptive nature). Additionally, many of these tools have
terminated their development cycle several years ago. As such,
we propose that the new generation of honeypots needs to
consider all these shortcomings by embracing a more adaptive
design, based on more agile software engineering paradigms
(e.g., microservice) and ensure some rigidness against the
advent of more advanced detection techniques. We argue that
by leveraging AI or machine learning (including adversarial
machine learning) [26] we can make the next generation of
honeypots more scalable, robust, cost-effective in avoiding
their detection from cyber attackers.
By incorporating adaptive techniques in a honeypot’s
core functionality we can improve ”non-discernible” pseudo-
randomness in a honeypot’s functions and ensure that the
honeypot adapts to its network environment. For example, a
honeypot software that is placed within a financial network can
“learn” based on a training set what files and services typically
run in a banking environment and mimic their configuration
as close as possible to real-world scenarios. The ultimate goal
of this adaptability characteristic is to ensure the persistence
of an interaction between an attacker and a honeypot.
Honeypots need to also adopt a modular design by embrac-
ing polilithic [27], [28] architecture paradigms. This trans-
formation can ensure that module updates are automatically
transferred to the honeypots that use them. For example, a
database honeypot can make use of natural language process-
ing and build fake databases on the fly based on the input of
an attacker. The decision about making these fake databases
and tables will need be structured and can be offered in a
modular manner or via an Application Programming Interface
(API) (e.g., RESTful API).
Finally, honeypots need not underestimate that machine
learning and adversarial machine learning techniques can
make static honeypots that do not adapt obsolete. Even those
honeypots that support dynamic intelligence (or based on some
AI technique) are in danger of becoming detectable unless they
retain their training knowledge sets secret and update or alter
them frequently.
V. CONCLUSION
In this work, we have identified several approaches that
can be used to ensure detection avoidance for honeypots.
We have reviewed and discussed recently proposed successful
approaches which should be a first step forward to ensure that
honeypots are less detectable by attackers. However, a leap
forward is long overdue for honeypot developers to design
better deceptive software. New emerging technologies for
achieving this goal are already available but a more holistic
approach is needed to ensure the next generation of honey-
pots. Given that honeypots are mainly intelligence gathering
devices, their designs and implementations must evolve with
TABLE I
HON EYP OT CHARACTERISTICS AND APPR OACH ES FO R AVOIDING DET ECT IO N
Detection Avoidance Techniques Honeypot Characteristics
Approach Primary Objective Interaction Level Implementation Scalability Cost
Automatic Redeployment Research or Production Low Interaction Software Low
Delay Reduction Research or Production Low & High Interaction Software Low
Transparency Research High Interaction Software Low
Dedicated Hardware Production Low & High Interaction Hardware High
Dynamic Intelligence Research High Interaction Software High
the fast changing landscape of cybersecurity threats in the 21st
century.
REFERENCES
[1] R. McGrew, “Experiences with Honeypot Systems: Development, De-
ployment, and Analysis,” in Proceedings of the 39th Annual Hawaii
International Conference on System Sciences (HICSS’06), vol. 9, 2006,
pp. 220a–220a.
[2] C. Stoll, The Cuckoo’s Egg: Tracking a Spy through a Maze of Computer
Espionage. Doubleday, 1989.
[3] C. Hubbard, T. Baker, and M. Tsikerdekis, “Public Entity Network
Security Monitoring by Student Security Analysts,” in 22nd Colloquium
for Information Systems Security Education (CISSE), New Orleans, LA,
2018.
[4] L. Spitzner, “The Honeynet Project: trapping the hackers,IEEE Security
& Privacy, vol. 99, no. 2, pp. 15–23, 2003.
[5] W. Fan and D. Fernandez, “A novel SDN based stealthy TCP connection
handover mechanism for hybrid honeypot systems,” in 2017 IEEE
Conference on Network Softwarization (NetSoft), 2017, pp. 1–9.
[6] M. Nawrocki, M. W¨
ahlisch, T. C. Schmidt, C. Keil, and J. Sch¨
onfelder,
“A Survey on Honeypot Software and Data Analysis,” Tech. Rep., aug
2016. [Online]. Available: http://arxiv.org/abs/1608.06249
[7] B. Endicott-Popovsky, J. Narvaez, C. Seifert, D. A. Frincke, L. R.
O’Neil, and C. Aval, “Use of Deception to Improve Client Honeypot
Detection of Drive-by-Download Attacks,” in Foundations of Augmented
Cognition. Neuroergonomics and Operational Neuroscience, D. D.
Schmorrow, I. V. Estabrooke, and M. Grootjen, Eds. Berlin, Heidelberg:
Springer Berlin Heidelberg, 2009, pp. 138–147.
[8] C. C. Zou and R. Cunningham, “Honeypot-Aware Advanced Botnet
Construction and Maintenance,” in International Conference on Depend-
able Systems and Networks (DSN’06), 2006, pp. 199–208.
[9] A. Brown and T. Andel, “What’s in your Honeypot?” in 11th Interna-
tional Conference on Cyber Warfare and Security: ICCWS2016, Boston,
MA, USA, 2016, pp. 355–362.
[10] C. Herley and D. Florˆ
encio, “Protecting Financial Institutions from
Brute-Force Attacks BT - Proceedings of The Ifip Tc 11 23rd Inter-
national Information Security Conference,” S. Jajodia, P. Samarati, and
S. Cimato, Eds. Boston, MA: Springer US, 2008, pp. 681–685.
[11] P. Simoes, T. Cruz, J. Proenc¸a, and E. Monteiro, On the use of Honeypots
for Detecting Cyber Attacks on Industrial Control Networks, jul 2013.
[12] Y. B. Mustapha, H. D ´
ebar, and G. Jacob, “Limitation of Honey-
pot/Honeynet Databases to Enhance Alert Correlation,” in Computer
Network Security, I. Kotenko and V. Skormin, Eds. Berlin, Heidelberg:
Springer Berlin Heidelberg, 2012, pp. 203–217.
[13] C. Sanders and J. Smith, Applied Network Security Monitoring. Else-
vier, 2014.
[14] A. Mairh, D. Barik, K. Verma, and D. Jena, “Honeypot in Network
Security: A Survey,” in Proceedings of the 2011 International
Conference on Communication, Computing & Security, ser. ICCCS
’11. New York, NY, USA: ACM, 2011, pp. 600–605. [Online].
Available: http://doi.acm.org/10.1145/1947940.1948065
[15] L. Spitzner, Honeypots: Tracking Hackers. Boston, MA, USA: Addison
Wesley, 2002.
[16] F. H. Abbasi and R. J. Harris, “Experiences with a Generation III
virtual Honeynet,” in 2009 Australasian Telecommunication Networks
and Applications Conference (ATNAC), 2009, pp. 1–6.
[17] W. Fan, Z. Du, D. Fernandez, and V. A. Villagra, “Enabling an Anatomic
View to Investigate Honeypot Systems: A Survey,IEEE Systems
Journal, pp. 1–14, 2017.
[18] M. M. Al-Hakbani and M. H. Dahshan, “Avoiding honeypot detection
in peer-to-peer botnets,” in 2015 IEEE International Conference on
Engineering and Technology (ICETECH), 2015, pp. 1–7.
[19] N. Krawetz, “Anti-honeypot technology,” IEEE Security & Privacy,
vol. 2, no. 1, pp. 76–79, 2004.
[20] H. Wang and Q. Chen, “Dynamic Deploying Distributed Low-interaction
Honeynet,” Journal of Computers, vol. 7, no. 3, mar 2012.
[21] X. Fu, W. Yu, D. Cheng, X. Tan, K. Streff, and S. Graham, “On
Recognizing Virtual Honeypots and Countermeasures,” in Proceedings
of the 2Nd IEEE International Symposium on Dependable, Autonomic
and Secure Computing, ser. DASC ’06. Washington, DC, USA:
IEEE Computer Society, 2006, pp. 211–218. [Online]. Available:
https://doi.org/10.1109/DASC.2006.36
[22] S. M¨
uhlbach and A. Koch, “An FPGA-based scalable platform for high-
speed malware collection in large IP networks,” in 2010 International
Conference on Field-Programmable Technology, 2010, pp. 474–478.
[23] W. Zanoramy Ansiry Zakaria and M. Laiha Mat Kiah, “A review of
dynamic and intelligent honeypots,” p. 1, 2013.
[24] W. Z. A. Zakaria and M. L. M. Kiah, “A review on artificial intel-
ligence techniques for developing intelligent honeypot,” in 2012 8th
International Conference on Computing Technology and Information
Management (NCM and ICNIT), vol. 2, 2012, pp. 696–701.
[25] G. Wagener, R. State, T. Engel, and A. Dulaunoy, “Adaptive and self-
configurable honeypots,” in 12th IFIP/IEEE International Symposium
on Integrated Network Management (IM 2011) and Workshops, 2011,
pp. 345–352.
[26] L. Huang, A. D. Joseph, B. Nelson, B. I. P. Rubinstein, and J. D.
Tygar, “Adversarial Machine Learning,” in Proceedings of the 4th
ACM Workshop on Security and Artificial Intelligence, ser. AISec ’11.
New York, NY, USA: ACM, 2011, pp. 43–58. [Online]. Available:
http://doi.acm.org/10.1145/2046684.2046692
[27] G. Kecskemeti, A. C. Marosi, and A. Kertesz, “The ENTICE approach
to decompose monolithic services into microservices,” in 2016 Inter-
national Conference on High Performance Computing & Simulation
(HPCS), 2016, pp. 591–596.
[28] M. Villamizar, O. Garc´
es, H. Castro, M. Verano, L. Salamanca, R. Casal-
las, and S. Gil, “Evaluating the monolithic and the microservice archi-
tecture pattern to deploy web applications in the cloud,” in 2015 10th
Computing Colombian Conference (10CCC), 2015, pp. 583–590.
... As defined by Joshi and Sardana [3], a honeypot is "A program that takes the appearance of an attractive service, set of services, an entire operating system or even an entire network, but is in reality, a tightly sealed compartment built to lure and contain an attacker". Covered by Tsikerdekis et al [4], most of the work available today concentrates on the development of unique honeypots that frequently target a specific feature, without offering a comprehensive understanding of how they might be built to prevent detection by attackers. ...
... Further explained by Tsikerdekis et al [4] and summarized in Table 1, honeypots that follow the Secure Shell (SSH) protocol without allowing much shell functionality and allow interactions for limited periods of time can be classified as low-interaction honeypots, usually placed in networks not being monitored by Intrusion Detection Systems (IDS). They are prone to detection and are configured as such. ...
... While these studies explore past literature and future implementation strategies in detail, the challenge of minimizing detection also depends on a thorough understanding of the challenges that require these solutions in the first place. Prior to the study by Tsikerdekis et al [4], Du [7] conducted research on the same, determining that honeypots mainly face issues in (i) hiding capture tools while collecting as much data as possible, (ii) capturing session data encrypted on the hacker's side, and (iii) collecting and transmitting data through secret channels. To combat the same, they proposed the following solutions: (i) Capture Tool Hiding via a) Module Hiding -deleting the pointer of the capture module of any data capturing tool loaded to the Linux kernel upon system initialization, and b) Process Hiding -changing the system call used to query process information in a system using the "ps" command, in order to stop programs using the system call from accessing the file, thus hiding the process. ...
A Comprehensive Research Study on Low-Interaction Secure Shell Honeypot
Article
Full-text available
  • Dec 2022
This paper details information acquired from a secure shell honeypot, including plaintext login credentials and comprehensive attack data. As the number of data breaches and password leaks rises year after year, more dictionaries of reverse-engineered hashed passwords develop. Besides contributing to educational password dictionaries, this article also attempts to provide information about the geographical makeup of hackers encountered, as well as favored protocols. Its goal is to encourage developers to produce practical honeypot solutions for organizations with limited resources for their cyber-protection, as well as to encourage organizations to implement such measures and study their data. The low-interaction, user-friendly honeypot created is capable of running without manual intervention, and without interfering with parallelly running processes. Besides collecting login credentials used with SSH, in plaintext, its capabilities include recording, analyzing, and sending notifications about suspicious network traffic.
View
... Similarly, KFSensor [10] is a commercial honeypot for Windows OS. HoneyD [11] is probably the most known honeypot capable of emulating at the same time multiple hosts. Tiny Honeypot [12] is a server-based honeypot, which listens to all Transmission Control Protocol (TCP) ports, logging all interaction activities. ...
... By assuming Rayleigh fading, h i follows the exponential distribution with parameter κ. Thus, (11) can be written as ...
Strategic Honeypot Deployment in Ultra-Dense Beyond 5G Networks: A Reinforcement Learning Approach
Article
Full-text available
  • Jun 2022
The progression of Software Defined Networking (SDN) and the virtualisation technologies lead to the beyond 5G era, providing multiple benefits in the smart economies. However, despite the advantages, security issues still remain. In particular, SDN/NFV and cloud/edge computing are related to various security issues. Moreover, due to the wireless nature of the entities, they are prone to a wide range of cyberthreats. Therefore, the presence of appropriate intrusion detection mechanisms is critical. Although both Machine Learning (ML) and Deep Learning (DL) have optimised the typical rule-based detection systems, the use of ML and DL requires labelled pre-existing datasets. However, this kind of data varies based on the nature of the respective environment. Another smart solution for detecting intrusions is to use honeypots. A honeypot acts as a decoy with the goal to mislead the cyberatatcker and protect the real assets. In this paper, we focus on Wireless Honeypots (WHs) in ultradense networks. In particular, we introduce a strategic honeypot deployment method, using two Reinforcement Learning (RL) techniques: (a) e−Greedy and (b) Q−Learning. Both methods aim to identify the optimal number of honeypots that can be deployed for protecting the actual entities. The experimental results demonstrate the efficacy of both methods.
View
... As a result, the information collected suspects to be produced by automated bots that scanned the cloud, and therefore insufficient to add on to the security intelligence of ICS systems. Methods that reduce the likelihood of a honeypot being discovered are mentioned in the work [27][28][29][30] . ...
Containerized cloud-based honeypot deception for tracking attackers
Article
Full-text available
  • Jan 2023
Discovering malicious packets amid a cloud of normal activity, whether you use an IDS or gather and analyze machine and device log files on company infrastructure, may be challenging and time consuming. The vulnerability landscape is rapidly evolving, and it will only become worse as more and more developing technologies, such as IoT, Industrial Automation, CPS, Digital Twins, etc are digitally connected. A honey trap aids in identifying malicious packets easily as, after a few rapid calibrations to eliminate false positives. Besides analyzing and reporting particular invasion patterns or toolkits exploited, it also assists in preventing access to actual devices by simulating the genuine systems and applications functioning in the network thus delaying as well as baffling the invader. In order to analyze and evaluate the hackers’ behavior, an ensemble of research honeypot detectors has been deployed in our work. This paper delivers a robust outline of the deployment of containerized honeypot deployment, as a direct consequence, these are portable, durable, and simple to deploy and administer. The instrumented approach was monitored and generated countless data points on which significant judgments about the malevolent users’ activities and purpose could be inferred.
View
... As was said previously, a honeypot is a piece of equipment that has value only when it is scanned and attacked [2]. A number of virtual computers have been set up to show how the network functions while the honeypot system imitates the protected system's web services [13,14]. The constructed honeypot will be contacted if the inbound services pose a threat. ...
Spark-Based Network Security Honeypot System: Detailed Performance Analysis
Article
Full-text available
  • Dec 2022
In the contemporary world, network security has been of the biggest importance and acute worry in both individual and institutional wisdom, concurrent with the newly emerging technologies. Firewalls, encryption techniques, intrusion detection systems, and honeypots are just a few of the systems and technologies that have been developed to ensure information security. Systems for safeguarding an organizational environment through various defensive strategies are traditionally developed. "The enemy continues on attacking" is a primarily defensive statement. By empowering an organization to take action, Honeypot demonstrates its importance. An institution can discover, gather, address, and absorb new security policy flaws with the aid of honeypots. This methodology allows an organization's security measures to continuously incorporate new threats and penetration methods. This is the main justification of creating, developing, and using a honeypot. It is a resource that is meant to be taken advantage of and compromised. To evaluate the methodology, a spark-based honeypot strategy has been designed, put into practice, and tested in this study. The suggested study strategy has undergone many days of testing on a campus-based network. The designed system's primary function is to behave as a fully resourced computer or vault to draw intruders with the requirement that they not defend against or respond to intrusions. The studies were carried out using a number of parameters that were designed.
View
... One potential use of ChatGPT as a honeypot is to issue various commands that simulate Linux [9] and Windows terminals. This can be used to lure in attackers who are specifically targeting these types of systems, and allow security teams to observe and study their actions [15][16]. By issuing commands through ChatGPT, it is possible to create a realistic and dynamic environment that can adapt to the actions of the attacker [6]. ...
Chatbots in a Honeypot World
Preprint
Full-text available
  • Jan 2023
Question-and-answer agents like ChatGPT offer a novel tool for use as a potential honeypot interface in cyber security. By imitating Linux, Mac, and Windows terminal commands and providing an interface for TeamViewer, nmap, and ping, it is possible to create a dynamic environment that can adapt to the actions of attackers and provide insight into their tactics, techniques, and procedures (TTPs). The paper illustrates ten diverse tasks that a conversational agent or large language model might answer appropriately to the effects of command-line attacker. The original result features feasibility studies for ten model tasks meant for defensive teams to mimic expected honeypot interfaces with minimal risks. Ultimately, the usefulness outside of forensic activities stems from whether the dynamic honeypot can extend the time-to-conquer or otherwise delay attacker timelines short of reaching key network assets like databases or confidential information. While ongoing maintenance and monitoring may be required, ChatGPT's ability to detect and deflect malicious activity makes it a valuable option for organizations seeking to enhance their cyber security posture. Future work will focus on cybersecurity layers, including perimeter security, host virus detection, and data security.
View
A Q-Learning Based Method to Simulate the Propagation of APT Malware
Chapter
  • Aug 2023
Advanced persistent threats are cyberattacks characterized by its complexity, persistence and stealth. One of the basic tools employed in an APT campaign is specific specimens of advanced malware whose malicious payload consists of infecting some concrete devices. Consequently, this type of malware needs to have some type of knowledge of the network and devices. The main goal of this work is to introduce a novel model to obtain the most efficient path that a malware must follow to achieve its objective when no kind of information about the devices and network is known. The proposed model is based on Q-Learning methodology and it allows to consider some security countermeasures like honeypots (the model is able of find a path that avoids these honeypots). Furthermore, in order to avoid that APT malware gathers the information of the network, we propose using Moving Target Defense (MTD) which does not avoid malware propagation but it triggers that malware learns in a not proper way.KeywordsMalware propagationQ-LearningAdvanced Persistent ThreatsMachine LearningMoving Target DefenseCybersecurity
View
Ponzi Scheme Identification of Smart Contract Based on Multi Feature Fusion
Chapter
  • Jul 2023
Due to the anonymity and imperfect supervision of the blockchain, criminal acts committed by criminals on the blockchain are difficult to be investigated. In recent years, scams based on district smart contracts have emerged one after another, among which the losses caused by Ponzi schemes have reached millions of dollars. However, there is little research on smart contract fraud identification at present, and for fraud detection, information utilization is not comprehensive, only based on a single feature or simply fused multiple features directly, without considering the duplication and connection between features. In order to solve these problems, in this paper, we propose a multi feature fusion scheme identification model (MFFSI) for smart contracts. Our contributions mainly include the following two points: 1) In terms of information use, the operands containing the information about the jump relationship of the opcode execution are retained; 2) In feature fusion, the operation code (opcode) and application binary interface (ABI) sequence features are extracted, and attention modules are used to guide the fusion of features to alleviate the interference of irrelevant features on classification. The results show that the model proposed in this paper has a good detection effect. The F1 score is higher than 86%, which is better than the previous.KeywordsBlockchainsmart contractPonzi schemedeep learningmulti feature fusion
View
View
View
View
A Novel SDN based Stealthy TCP Connection Handover Mechanism for Hybrid Honeypot Systems
Conference Paper
Full-text available
  • Jul 2017
Honeypots have been largely used to capture and investigate malicious behavior through deliberately sacrificing their own resources in order to be attacked. Hybrid honeypot architectures consisting of frontends and backends are widely used in the research area, specially due to the benefits of their high scalability and fidelity for detailed attacking data collection. A hybrid honeypot system often needs a facility aimed to tightly control the network traffic, for purposes such as redirecting the traffic from the frontends to the backends for in-depth attack analysis. However, the current traffic redirection approaches, particularly the TCP connection handover mechanisms, are not stealthy and they can be easily detected by attackers. This paper proposes an SDN based network data controller for hybrid honeypot systems that uses a transparent TCP connection handover mechanism and provides a traffic filtering approach based on the Snort alert functionality. The controller is implemented as an application based on the open-source Ryu SDN framework. It allows the users to configure their own network data control rules, which based on the Snort alert messages will forward or redirect the traffic to the corresponding honeypots. The experiments validate the proposed mechanism and the testing results show that the controller can efficiently perform the stealthy TCP connection handover as well.
View
Enabling an Anatomic View to Investigate Honeypot Systems: A Survey
Article
Full-text available
  • Nov 2017
A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor— are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends.
View
View
A Survey on Honeypot Software and Data Analysis
Article
Full-text available
  • Aug 2016
In this survey, we give an extensive overview on honeypots. This includes not only honeypot software but also methodologies to analyse honeypot data.
View
Evaluating the monolithic and the microservice architecture pattern to deploy web applications in the cloud
Conference Paper
Full-text available
  • Oct 2015
Cloud computing provides new opportunities to deploy scalable application in an efficient way, allowing enterprise applications to dynamically adjust their computing resources on demand. In this paper we analyze and test the microservice architecture pattern, used during the last years by large Internet companies like Amazon, Netflix and LinkedIn to deploy large applications in the cloud as a set of small services that can be developed, tested, deployed, scaled, operated and upgraded independently, allowing these companies to gain agility, reduce complexity and scale their applications in the cloud in a more efficient way. We present a case study where an enterprise application was developed and deployed in the cloud using a monolithic approach and a microservice architecture using the Play web framework. We show the results of performance tests executed on both applications, and we describe the benefits and challenges that existing enterprises can get and face when they implement microservices in their applications.
View
Avoiding honeypot detection in peer-to-peer botnets
Conference Paper
  • Mar 2015
A botnet is group of compromised computers that are controlled by a botmaster, who uses them to perform illegal activities. Centralized and P2P (Peer-to-Peer) botnets are the most commonly used botnet types. Honeypots have been used in many systems as computer defense. They are used to attract botmasters to add them in their botnets; to become spies in exposing botnet attacker behaviors. In recent research works, improved mechanisms for honeypot detection have been proposed. Such mechanisms would enable bot masters to distinguish honeypots from real bots, making it more difficult for honeypots to join botnets. This paper presents a new method that can be used by security defenders to overcome the authentication procedure used by the advanced two-stage reconnaissance worm (ATSRW). The presented method utilizes the peer list information sent by an infected host during the ATSRW authentication process and uses a combination of IP address spoofing and fake TCP three-way handshake. The paper provides an analytical study on the performance and the success probability of the presented method. We show that the presented method provide a higher chance for honeypots to join botnets despite security measures taken by botmasters.
View
The Practice of Applied Network Security Monitoring
Chapter
  • Dec 2014
The first chapter is devoted to defining network security monitoring and its relevance in the modern security landscape. It begins by discussing the four domains of security and then describes how network security monitoring fits into them. Key security terms are defined in route to comparing and contrasting traditional intrusion detection and modern network security monitoring. The NSM Cycle and its components (collection, detection, and analysis) are introduced. Next, the role of the analyst is introduced, along with critical analyst skills and potential specializations. Next, techniques for promoting analyst success are described. Finally, the Security Onion distribution is introduced, along with step-by-step instructions on the installation, initial configuration, and testing of Security Onion.
View
Honeypots: Sticking it to hackers
Article
  • Apr 2003
Various aspects of honeypots, a security resource whose value lies in being probed, attacked or compromised, are discussed. It is found that production honeypots are used to secure the organization by either preventing, detecting or assisting in the response to an attack. The analysis showed that research honeypots are more complex and more risky than production honeypots.
View
Dynamic Deploying Distributed Low-interaction Honeynet
Article
  • Mar 2012
Distributed virtual honeynet is an important security detection system to Worms, Botnet detection, Spam and Distributed Denial-Of-Service. The honeynet value significantly relies on the disguise capacity. The traditional deploying method is a static scheme that the configuration of honeynet is determined by security experts beforehand and unable to change after the deployment. The hackers or Botnet controllers identify the honeynet and may not trap into the same honeynet again. Therefore, the static deploying honeynet has relatively poor disguise capacity. To improve the disguise capacity, a novel dynamic deploying method is proposed that is capable of redeploying the honeynet in real time. The inducing degree is introduced to measure the disguise capacity by analyzing the inbound and outbound packets of the honeynet. When the inducing degree is less than a specific threshold, the dynamic deploying manager will be activated and to execuate the dynamic deploying algorithms. We have developed three novel dynamic deploying algorithms to solve the problem how to redeploy the honeynet and implemented a prototype for distributed virtual honeynet based on Honeyd. The experimental results of the simulation and real networks datasets demonstrate that the dynamic deploying approach is effective to enhance the disguise capacity of honeynet.
View
Adversarial machine learning
Conference Paper
  • Oct 2011
In this paper (expanded from an invited talk at AISEC 2010), we discuss an emerging field of study: adversarial machine learning---the study of effective machine learning techniques against an adversarial opponent. In this paper, we: give a taxonomy for classifying attacks against online machine learning algorithms; discuss application-specific factors that limit an adversary's capabilities; introduce two models for modeling an adversary's capabilities; explore the limits of an adversary's knowledge about the algorithm, feature space, training, and input data; explore vulnerabilities in machine learning algorithms; discuss countermeasures against attacks; introduce the evasion challenge; and discuss privacy-preserving learning techniques.
View