Xiangjun Meng,Zhifeng Zhao,Rongpeng Li,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2017.8171066

2017-01-01

Abstract:Honeynet is deployed to trap attackers and learn their behavior patterns and motivations. Conventional honeynet is implemented by dedicated hardware and software. It suffers from inflexibility, high CAPEX and OPEX. There have been several virtualized honeynet architectures to solve those problems. But they lack a standard operating environment and common architecture for dynamic scheduling and adaptive resource allocation. Software Defined Security (SDS) framework has a centralized control mechanism and intelligent decision making ability for different security functions. In this paper, we present a new intelligent honeynet architecture based on SDS framework. It implements security functions over Network Function Virtualization Infrastructure (NFVI). Under uniform and intelligent control, security functional modules can be dynamically deployed and collaborated to complete different tasks. It migrates resources according to the workloads of each honeypot and power off unused modules. Simulation results show that intelligent honeynet has a better performance in conserving resources and reducing energy consumption. The new architecture can fit the needs of future honeynet development and deployment.

Zheng Minjiao,Ma Yufeng,Wu Bo,Qian Zhang

DOI: https://doi.org/10.1109/iccbd56965.2022.10080304

2022-01-01

Abstract:Honeynet, as a representative network deception technology, can protect the network while attracting attackers to understand their patterns, strategies and behaviors. The new honeynet based on the latest bility, but the ability to construct honeynet scene dynamically is still a little bit insufficient at the moment. We propose a dynamic deception honeynet architecture combining virtual and real honeypot, which is used to dynamically generate a real network according to the cyber situation and the attack behavior to attract attackers. It redirects the advanced attacker to the environment that he is more interested, in order to capture the attacker and conduct further analysis. This improves the lack of dynamic and inductivity in the existing honeynet. Finally, we de-veloped the prototype system and set up the experimental environment. The result shows that the system has a high degree of intelligence and strong in-ductivity.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Ruidong Li,Minjiao Zheng,Donglin Bai,Zhengduo Chen

DOI: https://doi.org/10.1109/MLISE54096.2021.00019

2021-01-01

Abstract:To solve the problems of high cost and inflexibility of traditional honeynet, next-generation honeynet based on SDN attracts the attention of researchers. This paper proposes a three layers' network model of next-generation intelligent honeynet via SDN. Based on this model, the intelligent honeynet includes “two mechanisms and three modules”. The “two mechanisms” are attack migration mechanism and...

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Tianxiang Yu,Yang Xin,Chunyong Zhang

DOI: https://doi.org/10.3390/electronics13020361

IF: 2.9

2024-01-16

Electronics

Abstract:Honeynet and honeypot originate as network security tools to collect attack information during the network being compromised. With the development of virtualization and software defined networks, honeynet has recently achieved many breakthroughs. However, existing honeynet architectures treat network attacks as interactions with a single honeypot which is supported by multiple honeypots to make this single one more realistic and efficient. The scale and depth of existing honeynets are limited, making it hard to capture complicated attack information. Existing honeynet frameworks also have low-level simulation of protected network and lacks test metrics. To address these issues, we design and implement a novel container-based comprehensive cyber deception honeynet architecture that consists of five modules, called HoneyFactory. Just like factory producing products according to customer preferences, HoneyFactory generates honeynet using containers based on business networks under protection. In HoneyFactory architecture, we propose a novel honeynet deception model based on hmm model to evaluate deception stage. We also design other modules to make this architecture comprehensive and efficient. Experiments show that HoneyFactory performs better than existing research in communication latency and connections per second. Experiments also show that HoneyFactory can effectively evaluate deception stage and perform deep cyber deception.

engineering, electrical & electronic,computer science, information systems,physics, applied

P. Barford,Y. Chen,A. Goyal,Z. Li,V. Paxson,V. Yegneswaran

DOI: https://doi.org/10.1007/978-1-4419-0140-8_5

2010-01-01

Abstract:Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one's network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing "situational awareness." We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet "events", and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer-using purely local observation-in format ion about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective Situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.

Weizhe Zhang,Bin Zhang,Ying Zhou,Hui He,Zeyu Ding

DOI: https://doi.org/10.1109/jiot.2019.2956173

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices are vulnerable against attacks because of their limited network resources and complex operating systems. Thus, a honeypot is a good method of capturing malicious requests and collecting malicious samples but is rarely used on the IoT. Accordingly, this article implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017–17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions, such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design corresponding multiport honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. The Docker in the honeynet, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet, encapsulates all these honeypots. Moreover, the honeynet control center is simultaneously designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks excluded in the VT, which proved the effectiveness of the proposed framework.

computer science, information systems,telecommunications,engineering, electrical & electronic

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Weizhe Zhang,Hui He,Tai-hoon Kim

DOI: https://doi.org/10.1007/s11042-013-1499-4

IF: 2.577

2013-01-01

Multimedia Tools and Applications

Abstract:Honeynet is a framework containing more than one honeypot to provide data control, data capture, and data analysis. This framework aims to simulate a highly controllable attack or decoy for the security analysis of a network. In this paper, the Xen-based virtual machine solution is proposed to build the virtual honeynet. A virtual honeynet deploys a honeynet on a physical machine based on virtual machine technology with the advantages of low cost as well as convenient management, and maintenance features. The virtual honeynet system includes dynamic resource allocation, data control, data capture, data presentation, and analysis. It is lightweight but has high performance, which is verified with extensive experiments.

Yue Shi,Yingying Zhang

DOI: https://doi.org/10.1145/3617184.3618056

2023-09-22

Abstract:Honeypot is an active security defense technology that uses false information to lure attackers into attacking and record their behavior. Traditional honeypots are usually static, and inherent features and services can accelerate attackers' recognition of honeypots, causing them to lose value. We designs a dynamic honeypot based on machine learning, which can adapt to dynamic and constantly changing network environments while improving the authenticity of the honeypot. It automatically generates configuration files, simulates the characteristics and behavior of devices in the network. The method proposed is to achieve active monitoring and defense of network attacks by actively scanning Nmap and obtaining network device information through P0f, and combining feature clustering methods to classify devices and generate honeypot configuration files, active monitoring and defense of network attacks can be achieved. The results shows that this methods can effectively enhance the attack capture ability and camouflage ability of honeypots.

Computer Science

Zain Shamsi,Daniel Zhang,Daehyun Kyoung,Alex Liu

DOI: https://doi.org/10.48550/arXiv.2206.13614

2022-06-28

Abstract:Network honeypots are often used by information security teams to measure the threat landscape in order to secure their networks. With the advancement of honeypot development, today's medium-interaction honeypots provide a way for security teams and researchers to deploy these active defense tools that require little maintenance on a variety of protocols. In this work, we deploy such honeypots on five different protocols on the public Internet and study the intent and sophistication of the attacks we observe. We then use the information gained to develop a clustering approach that identifies correlations in attacker behavior to discover IPs that are highly likely to be controlled by a single operator, illustrating the advantage of using these honeypots for data collection.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Upendra Bartwal,Subhasis Mukhopadhyay,Rohit Negi,Sandeep Shukla

DOI: https://doi.org/10.1109/DSC54232.2022.9888808

2022-01-14

Abstract:Cyber Security is a critical topic for organizations with IT/OT networks as they are always susceptible to attack, whether insider or outsider. Since the cyber landscape is an ever-evolving scenario, one must keep upgrading its security systems to enhance the security of the infrastructure. Tools like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Threat Intelligence Platform (TIP), Information Technology Service Management (ITSM), along with other defensive techniques like Intrusion Detection System (IDS), Intrusion Protection System (IPS), and many others enhance the cyber security posture of the infrastructure. However, the proposed protection mechanisms have their limitations, they are insufficient to ensure security, and the attacker penetrates the network. Deception technology, along with Honeypots, provides a false sense of vulnerability in the target systems to the attackers. The attacker deceived reveals threat intel about their modus operandi. We have developed a Security Orchestration, Automation, and Response (SOAR) Engine that dynamically deploys custom honeypots inside the internal network infrastructure based on the attacker's behavior. The architecture is robust enough to support multiple VLANs connected to the system and used for orchestration. The presence of botnet traffic and DDOS attacks on the honeypots in the network is detected, along with a malware collection system. After being exposed to live traffic for four days, our engine dynamically orchestrated the honeypots 40 times, detected 7823 attacks, 965 DDOS attack packets, and three malicious samples. While our experiments with static honeypots show an average attacker engagement time of 102 seconds per instance, our SOAR Engine-based dynamic honeypots engage attackers on average 3148 seconds.

Cryptography and Security,Machine Learning

Jianxun Tang,Mingsong Chen,Haoyu Chen,Shenqi Zhao,Yu Huang

DOI: https://doi.org/10.1186/s13677-022-00379-2

2023-01-01

Journal of Cloud Computing Advances Systems and Applications

Abstract:Honeypot is an active defense mechanism, which attracts attackers to interact with virtual resources in the honeypot mainly by simulating real working scenarios and deploying decoy targets, so as to prevent real resources from being damaged and collect attackers' attack processes and analyze potential system vulnerabilities to proactively respond to similar attacks. Because of the existing honeypot system has defects such as the inability to deploy specific honeypots to induce attacks based on complex attacks, the inability to select the best honeypot for dynamic response based on honeypot deployment and maintenance costs during attack interactions, and insufficient ability to identify variants of known attack methods. Although hybrid honeypots can solve some of these problems by deploying low-interaction honeypots and high-interaction honeypots, they cannot really be applied to real production scenarios because of their slow TCP connection switching speed and inability to efficiently identify encrypted malicious traffic. In this paper, we propose a new dynamic security defense system based on the combination of TCP_REPAIR-based dynamic honeypot selection architecture and a deep learning-based intelligent firewall. The system accurately distributes encrypted or non-encrypted attack traffic and its variants through the intelligent firewall. The normal traffic is sent to the actual system, and the marked malicious traffic dynamically selects honeypots to respond according to the attack process.The experimental result indicated that the system can select honeypots for targeted responses according to the actual network situation quickly and dynamically and covertly, effectively improving the utilization rate of honeypot clusters as well as the ability to decoy.

Yanbin Sun,Zhihong Tian,Mohan Li,Shen Su,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/tii.2020.3044576

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:In softwarized industrial networking, honeypot identification is very important for both the attacker and the defender. Existing honeypot identification relies on simple features of honeypot. There exist two challenges: The simple feature is easily simulated, which causes inaccurate results, whereas the advanced feature relies on high interactions, which lead to security risks. To cope with these challenges, in this article, we propose a secure fuzzy testing approach for honeypot identification inspired by vulnerability mining. It utilizes error handling to distinguish honeypots and real devices. Specifically, we adopt a novel identification architecture with two steps. First, a multiobject fuzzy testing is proposed. It adopts mutation rules and security rules to generate effective and secure probe packets. Then, these probe packets are used for scanning and identification. Experiments show that the fuzzy testing is effective and corresponding probe packet can acquire more features than other packets. These features are helpful for honeypot identification.

Christopher Hecker,Brian Hay

DOI: https://doi.org/10.1109/hicss.2013.110

2013-01-01

Abstract:One of the challenges facing information technology (IT) security professionals is the laborious task of sifting through numerous log files in an attempt to identify malicious traffic and conduct a forensics analysis to determine an appropriate course of action. This process is complicated significantly by the volume of traffic that can be associated with a production device environment. A honeynet can provide a mechanism to identify much of the forensically interesting traffic by creating a representative system to collect traffic data. However, it is challenging to maintain an accurate representation of a dynamic system in order to consistently collect the appropriate data of interest. This research effort addresses a current challenge identified by researchers at the Honeynet Project by describing a methodology for automatically creating and dynamically updating a honeynet in order to facilitate IDS support.

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.1007/978-3-030-32430-8_13

2019-11-07

Abstract:A honeynet is a promising active cyber defense mechanism. It reveals the fundamental Indicators of Compromise (IoCs) by luring attackers to conduct adversarial behaviors in a controlled and monitored environment. The active interaction at the honeynet brings a high reward but also introduces high implementation costs and risks of adversarial honeynet exploitation. In this work, we apply infinite-horizon Semi-Markov Decision Process (SMDP) to characterize a stochastic transition and sojourn time of attackers in the honeynet and quantify the reward-risk trade-off. In particular, we design adaptive long-term engagement policies shown to be risk-averse, cost-effective, and time-efficient. Numerical results have demonstrated that our adaptive engagement policies can quickly attract attackers to the target honeypot and engage them for a sufficiently long period to obtain worthy threat information. Meanwhile, the penetration probability is kept at a low level. The results show that the expected utility is robust against attackers of a large range of persistence and intelligence. Finally, we apply reinforcement learning to the SMDP to solve the curse of modeling. Under a prudent choice of the learning rate and exploration policy, we achieve a quick and robust convergence of the optimal policy and value.

Cryptography and Security,Artificial Intelligence,Computer Science and Game Theory,Machine Learning

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.04.027

2006-01-01

Computer Science

Abstract:Honeypot is a new tool for network defence.The difficulty of designing a Honeypot lies in the success dis- guise and deception.Many Honeypots use scripts to simulate services,and put static deception into practice to protect network.But they could expose themselves easily.This paper designs and implements a low-interaction Honeypot based on the Apache server,named Honeyweb.It has four functions:http protocol detection,dynamic deception, working with other network security devices and log.It can dynamicly response to different http requests.The expri- ment indicates that depolying the Honeyweb will influence hackers' judgement,consume their resources,even stop at- tack.So Honeyweb can reach its purpose of active defence and preventing Web servers from attack.

Chongqi Guan,Heting Liu,Guohong Cao,Sencun Zhu,Thomas La Porta

DOI: https://doi.org/10.48550/arXiv.2305.06430

2023-05-10

Cryptography and Security

Abstract:As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic. To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses. HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.

Thorsten Holz,Xinhui Han,Chengyu Song,Wei Zou

2012-01-01

Abstract:WMN has been a field of active research in the recent years. Lot of research has focused various routing mechanism but very little effort has been made towards attack detection or intrusion detection. In this paper, we propose an attack detection approach for wireless mesh network using Honeypot technique. A Honeypot is a security resource whose value lies in being probed, attacked or compromised. A honeypot is designed to interact with attackers to collect attack techniques and behaviors. A collection of such Honeypots laid to effectively trap the attacker is called a Honeynet. In our paper, we propose a honeynet, that is able to trap the attackers by analyzing their attacking techniques and thereby sending the logs to a centralized repository to analyze those logs so as to better understand the technique used for attacking.