Sebastian Biedermann,Martin Mink,Stefan Katzenbeisser

DOI: https://doi.org/10.1145/2381913.2381916

2012-01-01

Abstract:In this paper, we describe the design, the implementation and the evaluation of a dynamic honeypot architecture which can be offered as an additional security service for cloud users in a cloud that offers Infrastructure-as-a-Service (IaaS). Honeypots can protect original systems while revealing new and unknown attacks at the same time. The proposed dynamic honeypot architecture detects potential attacks in the initial phases and delays these attacks until a new honeypot virtual machine (VM) is extracted from the original VM which is under attack. The extraction process is a modifying VM live cloning process which leaves sensible data behind and prevents internal data loss. This way, the newly created honeypot VM runs the same software in exactly the same up-to-date configuration. The honeypot controller redirects the delayed attack to the extracted honeypot VM and analyses its impact without risking the integrity of the original target VM. The proposed architecture benefits from the flexibility and adaptability of the cloud. It efficiently protects VMs of cloud users from contemporary network attacks while only few additional cloud resources are temporarily needed. The architecture deceives and misleads an attacker or an attacking source but does not influence the normal work-flow of the original VMs in the cloud. Based on a defined reporting format, cloud users can learn from attacks which have targeted their VMs and discover current misconfigurations and unknown vulnerabilities.

V. S. Devi Priya,S. Sibi Chakkaravarthy

DOI: https://doi.org/10.1038/s41598-023-28613-0

IF: 4.6

2023-01-26

Scientific Reports

Abstract:Discovering malicious packets amid a cloud of normal activity, whether you use an IDS or gather and analyze machine and device log files on company infrastructure, may be challenging and time consuming. The vulnerability landscape is rapidly evolving, and it will only become worse as more and more developing technologies, such as IoT, Industrial Automation, CPS, Digital Twins, etc are digitally connected. A honey trap aids in identifying malicious packets easily as, after a few rapid calibrations to eliminate false positives. Besides analyzing and reporting particular invasion patterns or toolkits exploited, it also assists in preventing access to actual devices by simulating the genuine systems and applications functioning in the network thus delaying as well as baffling the invader. In order to analyze and evaluate the hackers' behavior, an ensemble of research honeypot detectors has been deployed in our work. This paper delivers a robust outline of the deployment of containerized honeypot deployment, as a direct consequence, these are portable, durable, and simple to deploy and administer. The instrumented approach was monitored and generated countless data points on which significant judgments about the malevolent users' activities and purpose could be inferred.

multidisciplinary sciences

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Xy He,Ky Lam,Sl Chung,Ch Chi,Jg Sun

DOI: https://doi.org/10.1007/978-3-540-30483-8_18

2004-01-01

Abstract:Security becomes increasingly important. However, existing security tools, almost all defensive, have many vulnerabilities which are hard to overcome because of the lack of information about hackers techniques or powerful tools to distinguish malicious traffic from the huge volume of production traffic. Although honeypots mainly aim at collecting information about hackers' behaviors, they axe not very effective in that honeypot implementers tend to block or limit hackers' outbound connections to avoid harming non-honeypot systems, thus making honeypots easy to be fingerprinted. Additionally, the main concern is that if hackers were allowed outbound connections, they may attack the actual servers thus the honeypot could become a facilitator of the hacking crime. In this paper we present a new method to real-time emulate intrusion victims in a honeyfarm. When hackers request outbound connections, they are redirected to the intrusion victims which emulate the real targets. This method provides hackers with a less suspicious environment and reduces the risk of harming; other systems.

Weizhe Zhang,Bin Zhang,Ying Zhou,Hui He,Zeyu Ding

DOI: https://doi.org/10.1109/jiot.2019.2956173

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices are vulnerable against attacks because of their limited network resources and complex operating systems. Thus, a honeypot is a good method of capturing malicious requests and collecting malicious samples but is rarely used on the IoT. Accordingly, this article implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017–17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions, such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design corresponding multiport honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. The Docker in the honeynet, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet, encapsulates all these honeypots. Moreover, the honeynet control center is simultaneously designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks excluded in the VT, which proved the effectiveness of the proposed framework.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Javier Carrillo-Mondejar Javier Carrillo-Mondejar,José Roldán-Gómez Javier Carrillo-Mondejar,Juan Manuel Castelo Gómez José Roldán-Gómez,Sergio Ruiz Villafranca Juan Manuel Castelo Gómez,Guillermo Suarez-Tangil Sergio Ruiz Villafranca

DOI: https://doi.org/10.53106/160792642024012501010

2024-01-01

網際網路技術學刊

Abstract:Since the inception of the Internet of Things (IoT), the security measures implemented on its devices have been too weak to ensure the appropriate protection of the data that they handle. Appealed by this, cybercriminals continuously seek out for vulnerable units to control, leading to attacks spreading through networks and infecting a high number of devices. On top of that, while the IoT has evolved to provide a higher degree of security, the techniques used by attackers have done so as well, which has led to the need of continuously studying the way in which these attacks are performed to gather significant knowledge for the development of the pertinent security measures. In view of this, we analyze the state of IoT attacks by developing a high-interaction honeypot for SSH and Telnet services that simulates a custom device with the ARM architecture. This study is carried out in two steps. Firstly, we analyze and classify the interaction between the attacker and the devices by clustering the commands that they sent in the compromised Telnet and SSH sessions. Secondly, we study the malware samples that are downloaded and executed in each session and classify them based on the sequence of system calls that they execute at runtime. In addition, apart from studying the active data generated by the attacker, we extract the information that is left behind after a connection with the honeypot by inspecting the metadata associated with it. In total, more than 1,578 malicious samples were collected after 9,926 unique IP addresses interacted with the system, with the most downloaded malware family being Hajime, with 70.5% of samples belonging to it, and also detecting others such as Mirai, Gafgyt, Dofloo and Xorddos.  

computer science, information systems,telecommunications

Andrea Continella,Chakshu Gupta,T. V. Ede

DOI: https://doi.org/10.1109/SPW59333.2023.00005

2023-05-01

Abstract:Over the past few years, we have witnessed a radical change in the architectures and infrastructures of web applications. Traditional monolithic systems are nowadays getting replaced by microservices-based architectures, which have become the natural choice for web application development due to portability, scalability, and ease of deployment. At the same time, due to its popularity, this architecture is now the target of specific cyberattacks. In the past, honeypots have been demonstrated to be valuable tools for collecting real-world attack data and understanding the methods that attackers adopt. However, to the best of our knowledge, there are no existing honeypots based on microservices architectures, which introduce new and different characteristics in the infrastructure. In this paper, we propose HoneyKube, a novel honeypot design that employs the microservices architecture for a web application. To address the challenges introduced by the highly dynamic nature of this architecture, we design an effective and scalable monitoring system that builds on top of the well-known Kubernetes orchestrator. We deploy our honeypot and collect approximately 850 GB of network and system data through our experiments. We also evaluate the fingerprintability of HoneyKube using a state-of-the-art reconnaissance tool. We will release our data and source code to facilitate more research in this field.

Computer Science,Engineering

Armin Ziaie Tabari,Xinming Ou,Anoop Singhal

DOI: https://doi.org/10.48550/arXiv.2112.10974

2021-12-21

Abstract:The growing number of Internet of Things (IoT) devices makes it imperative to be aware of the real-world threats they face in terms of cybersecurity. While honeypots have been historically used as decoy devices to help researchers/organizations gain a better understanding of the dynamic of threats on a network and their impact, IoT devices pose a unique challenge for this purpose due to the variety of devices and their physical connections. In this work, by observing real-world attackers' behavior in a low-interaction honeypot ecosystem, we (1) presented a new approach to creating a multi-phased, multi-faceted honeypot ecosystem, which gradually increases the sophistication of honeypots' interactions with adversaries, (2) designed and developed a low-interaction honeypot for cameras that allowed researchers to gain a deeper understanding of what attackers are targeting, and (3) devised an innovative data analytics method to identify the goals of adversaries. Our honeypots have been active for over three years. We were able to collect increasingly sophisticated attack data in each phase. Furthermore, our data analytics points to the fact that the vast majority of attack activities captured in the honeypots share significant similarity, and can be clustered and grouped to better understand the goals, patterns, and trends of IoT attacks in the wild.

Cryptography and Security,Machine Learning

SHEN Ming,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.05.043

2011-01-01

Abstract:Honeypot technology is employed to trap attacks,thus to collect the attack information and protect the real host.The core value of the honeypot lies in being detected,attacked and threatened,with this,the people could analyze the attack,know its attack purpose,means and strategies,and finally learn in-depth information protection methods.In the application of honeypot technology,the most important point is the misleading of the attackers.This paper analyzes the identifiable points of the honeypot and virtual machine systems through several specific characteristics of the system hardware and the network.Then it proposes some solutions to the identification with experimental statistics.It is hoped that the information security industry could attach the importance to and promote the development of honeypot technology.

Amal M.R.,Venkadesh P.

DOI: https://doi.org/10.14704/web/v19i1/web19370

2022-01-20

Webology

Abstract:The number of connected devices in the network is growing day by day, and as the number of linked devices grows, so will the number of cyberattacks. All devices connected to the Internet has become a target of cyberattacks as network attack methods have developed. As a result, the security of network data cannot be neglected. To handle the future threats in this way, we employ honeypots, which are conceptual framework traps designed to block unauthorized access to both PCs and data. Every day, a large number of people access the internet throughout the world. Honeypot, also known as Intrusion Detection Technology, is a type of security technology that screens devices to prevent unwanted activities. This article will provide an overview of cyber security as well as a discussion of machine learning, cyber threats, and honeypot system-based techniques. This review paper was the result of a lot of research, and in assessing honeypots, the researchers found that they are becoming more of a concern for experts as an important security tool that can halt or limit system attacks and provide analysts with insights into the origins and behaviours of such attacks.

Wael Ahmad AlZoubi,Maen T. Alrashdan

DOI: https://doi.org/10.5267/j.ijdns.2022.5.010

2022-01-01

International Journal of Data and Network Science

Abstract:For the development of technologies and networks that have been evolving and expanding day by day. In this generation, these facilities allow users to interact more efficiently. Safety is therefore very important to consider preserving the network and database and the need to detect a potential attack before an attack occurs. Network security has become the main issue, particularly in the industries, and there are many techniques to be used to protect network systems. One of them is called Honeypot, a software that is used to detect unauthorized misuse of information systems and to evaluate the actions and behavior of the attacker. Honeypot is, in other words, a trap for any attackers to log in to the network. If the behavior of these attackers is detected, the information will be used to improve network security. Using Honeypot does not cause attackers to notice they are being detected. This research is primarily focused on Honeypot, which is a ground-breaking new technology that has the potential to provide security communities with protection and how it is important for its use to enhance the network security framework.

Shreyas Srinivasa,Jens Myrup Pedersen,Emmanouil Vasilomanolakis

DOI: https://doi.org/10.48550/arXiv.2109.10652

2021-09-22

Abstract:Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the last years, a number of researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field, by providing a holistic framework that includes state of the art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present a number of interesting side-findings such as the identification of more than 354,431 non-honeypot systems that represent potentially vulnerable servers (e.g. SSH servers with default password configurations and vulnerable versions). Lastly, we discuss countermeasures against honeypot fingerprinting techniques.

Cryptography and Security

Upendra Bartwal,Subhasis Mukhopadhyay,Rohit Negi,Sandeep Shukla

DOI: https://doi.org/10.1109/DSC54232.2022.9888808

2022-01-14

Abstract:Cyber Security is a critical topic for organizations with IT/OT networks as they are always susceptible to attack, whether insider or outsider. Since the cyber landscape is an ever-evolving scenario, one must keep upgrading its security systems to enhance the security of the infrastructure. Tools like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Threat Intelligence Platform (TIP), Information Technology Service Management (ITSM), along with other defensive techniques like Intrusion Detection System (IDS), Intrusion Protection System (IPS), and many others enhance the cyber security posture of the infrastructure. However, the proposed protection mechanisms have their limitations, they are insufficient to ensure security, and the attacker penetrates the network. Deception technology, along with Honeypots, provides a false sense of vulnerability in the target systems to the attackers. The attacker deceived reveals threat intel about their modus operandi. We have developed a Security Orchestration, Automation, and Response (SOAR) Engine that dynamically deploys custom honeypots inside the internal network infrastructure based on the attacker's behavior. The architecture is robust enough to support multiple VLANs connected to the system and used for orchestration. The presence of botnet traffic and DDOS attacks on the honeypots in the network is detected, along with a malware collection system. After being exposed to live traffic for four days, our engine dynamically orchestrated the honeypots 40 times, detected 7823 attacks, 965 DDOS attack packets, and three malicious samples. While our experiments with static honeypots show an average attacker engagement time of 102 seconds per instance, our SOAR Engine-based dynamic honeypots engage attackers on average 3148 seconds.

Cryptography and Security,Machine Learning

Tianxiang Yu,Yang Xin,Chunyong Zhang

DOI: https://doi.org/10.3390/electronics13020361

IF: 2.9

2024-01-16

Electronics

Abstract:Honeynet and honeypot originate as network security tools to collect attack information during the network being compromised. With the development of virtualization and software defined networks, honeynet has recently achieved many breakthroughs. However, existing honeynet architectures treat network attacks as interactions with a single honeypot which is supported by multiple honeypots to make this single one more realistic and efficient. The scale and depth of existing honeynets are limited, making it hard to capture complicated attack information. Existing honeynet frameworks also have low-level simulation of protected network and lacks test metrics. To address these issues, we design and implement a novel container-based comprehensive cyber deception honeynet architecture that consists of five modules, called HoneyFactory. Just like factory producing products according to customer preferences, HoneyFactory generates honeynet using containers based on business networks under protection. In HoneyFactory architecture, we propose a novel honeynet deception model based on hmm model to evaluate deception stage. We also design other modules to make this architecture comprehensive and efficient. Experiments show that HoneyFactory performs better than existing research in communication latency and connections per second. Experiments also show that HoneyFactory can effectively evaluate deception stage and perform deep cyber deception.

engineering, electrical & electronic,computer science, information systems,physics, applied

Liz Izhikevich,Manda Tran,Michalis Kallitsis,Aurore Fass,Zakir Durumeric

DOI: https://doi.org/10.1145/3618257.3624818

2023-09-29

Abstract:Cloud computing has dramatically changed service deployment patterns. In this work, we analyze how attackers identify and target cloud services in contrast to traditional enterprise networks and network telescopes. Using a diverse set of cloud honeypots in 5~providers and 23~countries as well as 2~educational networks and 1~network telescope, we analyze how IP address assignment, geography, network, and service-port selection, influence what services are targeted in the cloud. We find that scanners that target cloud compute are selective: they avoid scanning networks without legitimate services and they discriminate between geographic regions. Further, attackers mine Internet-service search engines to find exploitable services and, in some cases, they avoid targeting IANA-assigned protocols, causing researchers to misclassify at least 15\% of traffic on select ports. Based on our results, we derive recommendations for researchers and operators.

Cryptography and Security,Networking and Internet Architecture

Monica Catherine*,Ashok Kumawat,,

DOI: https://doi.org/10.35940/ijitee.f4561.059720

2020-05-30

International Journal of Innovative Technology and Exploring Engineering

Abstract:In this ever changing world, with cybercrimes and increasing threats, security is becoming constantly an concern. As security became a basic requirement and a need in the times of today with some sort of access to the data and interaction on the internet it is increasingly unstable. This is incredibly necessary to maintain our home network up-to- date. In terms of reliability, reduce vulnerability and maintain integrity and untampered. As a basic security characteristic of information security, it is our top priority that we defend and safeguard our Internet of Things devices and home network from cyber threats. Honeypot a development focused on decoction together with raspberry pi makes our small cost effective and quick to implement network defense security. The whole paper deals with implementing a Honeypot deployed in module Raspberry Pi operating Intrusion Monitoring Program and deception technology as a induce for monitoring and securing the network. This should prove successful intrusion detection systems and honeypots solutions if implemented correctly.

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.04.027

2006-01-01

Computer Science

Abstract:Honeypot is a new tool for network defence.The difficulty of designing a Honeypot lies in the success dis- guise and deception.Many Honeypots use scripts to simulate services,and put static deception into practice to protect network.But they could expose themselves easily.This paper designs and implements a low-interaction Honeypot based on the Apache server,named Honeyweb.It has four functions:http protocol detection,dynamic deception, working with other network security devices and log.It can dynamicly response to different http requests.The expri- ment indicates that depolying the Honeyweb will influence hackers' judgement,consume their resources,even stop at- tack.So Honeyweb can reach its purpose of active defence and preventing Web servers from attack.

Eric Alata,Vincent Nicomette,Mohamed Kaâniche,Marc Dacier,Matthieu Herrb

DOI: https://doi.org/10.48550/arXiv.0704.0858

2007-04-06

Abstract:This paper presents an experimental study and the lessons learned from the observation of the attackers when logged on a compromised machine. The results are based on a six months period during which a controlled experiment has been run with a high interaction honeypot. We correlate our findings with those obtained with a worldwide distributed system of lowinteraction honeypots.

Cryptography and Security

MA Li-bo,DUAN Hai-xin,LI Xing

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.037

2005-01-01

Abstract:Using honeypots to detect and monitor malware behaviors for network security trend analysis and early warning has become a new research direction.Honeypot deployment is the basic and all-important problem facing effectively collecting information of attackers.In this paper,research layers of honeypot deployment are firstly given and then some factors such as the interactive grade,the position,the number and the deploying model,etc.which are related to honeypot deployment are detailedly described.Especially under the condition of uniform distribution,the proper ratio of the number of honeypots to network total resources is deferred from theory and limited numbers of honeypots in IPv4 and IPv6 network are given according to the ratio.Practical low interactive honeypots data statistical analysis is performed at last to give practical evidence for honeypot deployment research.