Yue Shi,Yingying Zhang

DOI: https://doi.org/10.1145/3617184.3618056

2023-09-22

Abstract:Honeypot is an active security defense technology that uses false information to lure attackers into attacking and record their behavior. Traditional honeypots are usually static, and inherent features and services can accelerate attackers' recognition of honeypots, causing them to lose value. We designs a dynamic honeypot based on machine learning, which can adapt to dynamic and constantly changing network environments while improving the authenticity of the honeypot. It automatically generates configuration files, simulates the characteristics and behavior of devices in the network. The method proposed is to achieve active monitoring and defense of network attacks by actively scanning Nmap and obtaining network device information through P0f, and combining feature clustering methods to classify devices and generate honeypot configuration files, active monitoring and defense of network attacks can be achieved. The results shows that this methods can effectively enhance the attack capture ability and camouflage ability of honeypots.

Computer Science

MA Li-bo,DUAN Hai-xin,LI Xing

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.037

2005-01-01

Abstract:Using honeypots to detect and monitor malware behaviors for network security trend analysis and early warning has become a new research direction.Honeypot deployment is the basic and all-important problem facing effectively collecting information of attackers.In this paper,research layers of honeypot deployment are firstly given and then some factors such as the interactive grade,the position,the number and the deploying model,etc.which are related to honeypot deployment are detailedly described.Especially under the condition of uniform distribution,the proper ratio of the number of honeypots to network total resources is deferred from theory and limited numbers of honeypots in IPv4 and IPv6 network are given according to the ratio.Practical low interactive honeypots data statistical analysis is performed at last to give practical evidence for honeypot deployment research.

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Zheng Minjiao,Ma Yufeng,Wu Bo,Qian Zhang

DOI: https://doi.org/10.1109/iccbd56965.2022.10080304

2022-01-01

Abstract:Honeynet, as a representative network deception technology, can protect the network while attracting attackers to understand their patterns, strategies and behaviors. The new honeynet based on the latest bility, but the ability to construct honeynet scene dynamically is still a little bit insufficient at the moment. We propose a dynamic deception honeynet architecture combining virtual and real honeypot, which is used to dynamically generate a real network according to the cyber situation and the attack behavior to attract attackers. It redirects the advanced attacker to the environment that he is more interested, in order to capture the attacker and conduct further analysis. This improves the lack of dynamic and inductivity in the existing honeynet. Finally, we de-veloped the prototype system and set up the experimental environment. The result shows that the system has a high degree of intelligence and strong in-ductivity.

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.04.027

2006-01-01

Computer Science

Abstract:Honeypot is a new tool for network defence.The difficulty of designing a Honeypot lies in the success dis- guise and deception.Many Honeypots use scripts to simulate services,and put static deception into practice to protect network.But they could expose themselves easily.This paper designs and implements a low-interaction Honeypot based on the Apache server,named Honeyweb.It has four functions:http protocol detection,dynamic deception, working with other network security devices and log.It can dynamicly response to different http requests.The expri- ment indicates that depolying the Honeyweb will influence hackers' judgement,consume their resources,even stop at- tack.So Honeyweb can reach its purpose of active defence and preventing Web servers from attack.

CHEN Ji-jun,ZHANG Xin-xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.07.042

2007-01-01

Abstract:The methods and techniques to detect and compromise Honeypot are deployed more and more widely. To improve Honeypot system,this paper proposes build the Honeypot based on Xen virtual machine technology to make Honeypot more effective in performance,more difficult to detect and easier to manage and use.

Daniel Fraunholz,Marc Zimmermann,Hans D. Schotten

DOI: https://doi.org/10.48550/arXiv.2111.03884

2021-11-06

Cryptography and Security

Abstract:Since honeypots first appeared as an advanced network security concept they suffer from poor deployment and maintenance strategies. State-of-the-Art deployment is a manual process in which the honeypot needs to be configured and maintained by a network administrator. In this paper we present a method for a dynamic honeypot configuration, deployment and maintenance strategy based on machine learning techniques. Our method features an identification mechanism for machines and devices in a network. These entities are analysed and clustered. Based on the clusters, honeypots are intelligently deployed in the network. The proposed method needs no configuration and maintenance and is therefore a major advantage for the honeypot technology in modern network security.

SHEN Ming,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.05.043

2011-01-01

Abstract:Honeypot technology is employed to trap attacks,thus to collect the attack information and protect the real host.The core value of the honeypot lies in being detected,attacked and threatened,with this,the people could analyze the attack,know its attack purpose,means and strategies,and finally learn in-depth information protection methods.In the application of honeypot technology,the most important point is the misleading of the attackers.This paper analyzes the identifiable points of the honeypot and virtual machine systems through several specific characteristics of the system hardware and the network.Then it proposes some solutions to the identification with experimental statistics.It is hoped that the information security industry could attach the importance to and promote the development of honeypot technology.

Weizhe Zhang,Hui He,Tai-hoon Kim

DOI: https://doi.org/10.1007/s11042-013-1499-4

IF: 2.577

2013-01-01

Multimedia Tools and Applications

Abstract:Honeynet is a framework containing more than one honeypot to provide data control, data capture, and data analysis. This framework aims to simulate a highly controllable attack or decoy for the security analysis of a network. In this paper, the Xen-based virtual machine solution is proposed to build the virtual honeynet. A virtual honeynet deploys a honeynet on a physical machine based on virtual machine technology with the advantages of low cost as well as convenient management, and maintenance features. The virtual honeynet system includes dynamic resource allocation, data control, data capture, data presentation, and analysis. It is lightweight but has high performance, which is verified with extensive experiments.

Shengli Liu

2007-01-01

Abstract:A traffic-analysis-based honeypot for Windows system is designed and implemented.Based on the library of IDS rules,the network driver of Windows DDK and NDIS middle-ware technology are used to realize filtering and diversion of network flow.This mechanism diverts the unauthorized flow from reaching the real server.In the meantime,it collects a vast amount of “hacking techniques” from the unauthorized flow to continuously adapt the system to the various “hacking techniques”.It improves the efficiency of Honeypot and protects the real servers.

Dong Ma,Yongjun Wang,Haiyan Yu,Feng Huang

2010-01-01

Abstract:As a kind of active technique for security in the field of internet security research, honeypot is attached more and more importance by researchers. However, with the flooding network threats becoming much more covert, installing honeypots locally can hardly deal with this situation. In face of botnet, DDoS, spams, etc, we must take the technique for deployment in large scale so that we can monitor and track these threats; also, users of enterprises would like to deploy honeypots for the reason of security. In order to solve the problem of deploying honeypots in large scale, the paper proposed a parallel algorithm HPDA. HPDA can deploy honeypots in large scale and on demand, and make these honeypots a network. Based on HPDA, in order to deal with the management problem for large scale net of honeypots, a prototype called HoneyPool is implemented. HoneyPool not only can create honeypots on demand swiftly and transparently, but also provides a visual web interface for integrated management. The paper also made some simulations to test the performance of HPDA and system of HoneyPool. Also realised a prototype system called HoneyPool. According to the result of simulations, HPDA has an enhanced performance compared with serialized methods; also, HoneyPool can deploy honeypots according to the workload of hosts, which improved the load balance and performance.

Jianxun Tang,Mingsong Chen,Haoyu Chen,Shenqi Zhao,Yu Huang

DOI: https://doi.org/10.1186/s13677-022-00379-2

2023-01-01

Journal of Cloud Computing Advances Systems and Applications

Abstract:Honeypot is an active defense mechanism, which attracts attackers to interact with virtual resources in the honeypot mainly by simulating real working scenarios and deploying decoy targets, so as to prevent real resources from being damaged and collect attackers' attack processes and analyze potential system vulnerabilities to proactively respond to similar attacks. Because of the existing honeypot system has defects such as the inability to deploy specific honeypots to induce attacks based on complex attacks, the inability to select the best honeypot for dynamic response based on honeypot deployment and maintenance costs during attack interactions, and insufficient ability to identify variants of known attack methods. Although hybrid honeypots can solve some of these problems by deploying low-interaction honeypots and high-interaction honeypots, they cannot really be applied to real production scenarios because of their slow TCP connection switching speed and inability to efficiently identify encrypted malicious traffic. In this paper, we propose a new dynamic security defense system based on the combination of TCP_REPAIR-based dynamic honeypot selection architecture and a deep learning-based intelligent firewall. The system accurately distributes encrypted or non-encrypted attack traffic and its variants through the intelligent firewall. The normal traffic is sent to the actual system, and the marked malicious traffic dynamically selects honeypots to respond according to the attack process.The experimental result indicated that the system can select honeypots for targeted responses according to the actual network situation quickly and dynamically and covertly, effectively improving the utilization rate of honeypot clusters as well as the ability to decoy.

Christopher Hecker,Brian Hay

DOI: https://doi.org/10.1109/hicss.2013.110

2013-01-01

Abstract:One of the challenges facing information technology (IT) security professionals is the laborious task of sifting through numerous log files in an attempt to identify malicious traffic and conduct a forensics analysis to determine an appropriate course of action. This process is complicated significantly by the volume of traffic that can be associated with a production device environment. A honeynet can provide a mechanism to identify much of the forensically interesting traffic by creating a representative system to collect traffic data. However, it is challenging to maintain an accurate representation of a dynamic system in order to consistently collect the appropriate data of interest. This research effort addresses a current challenge identified by researchers at the Honeynet Project by describing a methodology for automatically creating and dynamically updating a honeynet in order to facilitate IDS support.

Yan Zhang,Chong Di,Zhuoran Han,Yichen Li,Shenghong Li

DOI: https://doi.org/10.1109/dsc.2017.52

2017-01-01

Abstract:The honeypot is a kind of proactive defense technology against malicious attacks in the field of information security. Successful and timely detection of network attacks highly depends on efficient honeypot deployment. This paper proposes an adaptive honeypot deployment algorithm based on learning automata (LA) called LA-AHD for improving the network security. The whole network suffers from external attacks in an attack-defense scenario based on a mathematical model. The proposed algorithm considers the entirety of candidate nodes in the network as a LA and models each candidate node as an action of the LA. Through the interactions with attacks and the evolutions of the LA, a certain number of honeypots can be adaptively deployed at the proper place in the network. The computational experiments verify the effectiveness and efficiency of the proposed LA-AHD algorithm. The results show the algorithm can improve the speed of selecting the honeypots and increase the honeypot capture rate substantially.

Zhuoshi Li,Ranshi Jiang,Jian Li

DOI: https://doi.org/10.4028/www.scientific.net/amm.519-520.189

2014-01-01

Applied Mechanics and Materials

Abstract:Honeypot is a new type of active defense security technologies. This paper attempts to use of data mining methods to be mining and analysis of information collected on the honeypot system. Build a Windows system based on virtual machine technology research honeynet. Data collection be standardized and sequential pattern mining. Finding out the correlation between different data records and frequent with time-based sequence of audit data, which found that, select the law of value of the attack.

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Nitin Naik,Changjing Shang,Paul Jenkins,Qiang Shen

DOI: https://doi.org/10.1109/tetci.2020.3023447

2020-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:As active network defence systems, honeypots are commonly used as a decoy to inspect attackers and their attack tactics in order to improve the cybersecurity infrastructure of an organisation. A honeypot may be successful provided that it disguises its identity. However, cyberattackers continuously endeavour to discover honeypots for evading any deception and bolstering their attacks. Active fingerprinting attack is one such technique that may be used to discover honeypots by sending specially designed traffic. Preventing a fingerprinting attack is possible but doing that may hinder the process of dealing with the attackers, counteracting the purpose of a honeypot. Instead, detecting an attempted fingerprinting attack in real-time can enhance a honeypots capability, uninterruptedly managing any immediate consequences and preventing the honeypot being identified. Nevertheless, it is difficult to detect and predict an attempted fingerprinting attack due to the challenge of isolating it from other similar attacks, particularly when imprecise observations are involved in the monitoring of the traffic. Dynamic fuzzy rule interpolation (D-FRI) enables an adaptive approach for effective reasoning with such situations by exploiting the best of both inference and interpolation. The dynamic rules produced by D-FRI facilitate approximate reasoning with perpetual changes that often occur in this type of application, where dynamic rules are required to cover new network conditions. This paper proposes a D-FRI-Honeypot, an enhanced honeypot running D-FRI framework in conjunction with Principal Component Analysis, to detect and predict an attempted fingerprinting attack on honeypots. This D-FRI-Honeypot works with a sparse rule base but is able to detect active fingerprinting attacks when it does not find any matching rules. Also, it learns from current network conditions and offers a dynamically enriched rule base to support more precise detection. This D-FRI-Honeypot is tested against five popular fingerprinting tools (namely, Nmap, Xprobe2, NetScanTools Pro, SinFP3 and Nessus), to demonstrate its successful applications.

TANG Yong,LU Xi-cheng,HU Hua-ping,ZHU Pei-dong

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.08.001

2007-01-01

Abstract:Honeypot is an active defense technique using a deception idea. With the recent advances in implementation techniques, the researches on Honeypot have attracted a lot of attention. This paper provides a review on current key techniques in Honeypot together with a survey of applications of honeypots. We introduce the three main implementation methods of a honeypot, and then propose that honeypots can be classified into real-honeypots and simulative-honeypots by how to provide services. At last, the challenges of Honeypot are outlined and some research trends in Honeypot are discussed.

AlFraih AbdulAziz Nasser A,Wenbo Chen

DOI: https://doi.org/10.2991/lemcs-14.2014.150

2014-01-01

Abstract:It has been proved being cumbersome and ineffective to prevent attacks in computer networks. However, the detection strategies have been found to be effective and less costly. The use of Intrusion Detection Systems (IDS) as a detection technique has been widely implemented in computer networks. Meanwhile, there is another strategy can reduce the occurrence of network intrusion, namely Honeypot. Honeypot is a proactive defense technology, introduced by the defense side to change the asymmetric situation of a network attack and defensive game. Through the deployment of the honeypots, i.e. security resources without any production purpose, the defenders can deceive intruders to attack the honeypots, then capture and analyze the attack behaviors in order to understand the attack tools and methods, and to learn the intentions and motivations. The paper analyzed the characteristics and the harms of worm virus, put forward a kind of custom honeypot system. Which according to the intrusion detection, virtual honeypot and data mining technology, using guile address space technology for the purpose of capturing known worms, isolating and delaying the unknown worms scanning speed, and analyzes the log by data mining, update the intrusion detection system rules set, and make timely response and take defense.

gangfu feng,chen zhang,quan zhang

DOI: https://doi.org/10.1007/978-3-662-43908-1_9

2014-01-01

Abstract:Network security is a growing concern today for organizations. Our network faces many new threats and unknown attacks. The traditional defense system can not response to the 0-day attacks. This paper is to design a linkage security defense system based on honeypot technique. The honeypot is a security resource whose value lies in being probed, attacked or compromised. We collect information of attacker and other threats actively with honeypot centered in linkage security defense system. With the information collected, the linkage system will update security system policies and rules in time. Therefore, we are able to improve our network security by the linkage security defense system in real time.