P. Barford,Y. Chen,A. Goyal,Z. Li,V. Paxson,V. Yegneswaran

DOI: https://doi.org/10.1007/978-1-4419-0140-8_5

2010-01-01

Abstract:Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one's network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing "situational awareness." We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet "events", and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer-using purely local observation-in format ion about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective Situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Wonkyu Han,Ziming Zhao,Adam Doupe,Gail-Joon Ahn

DOI: https://doi.org/10.1145/2876019.2876022

2016-01-01

Abstract:Honeynet is a collection of honeypots that are set up to attract as many attackers as possible to learn about their patterns, tactics, and behaviors. However, existing honeypots suffer from a variety of fingerprinting techniques, and the current honeynet architecture does not fully utilize features of residing honeypots due to its coarse-grained data control mechanisms. To address these challenges, we propose an SDN-based intelligent honeynet called HONEYMIX. HONEYMIx leverages the rich programmability of SDN to circumvent attackers' detection mechanisms and enables fine-grained data control for honeynet. To do this, HONEYMIX simultaneously establishes multiple connections with a set of honeypots and selects the most desirable connection to inspire attackers to remain connected. In this paper, we present the HONEYMIX architecture and a description of its core components.

Christopher Hecker,Brian Hay

DOI: https://doi.org/10.1109/hicss.2013.110

2013-01-01

Abstract:One of the challenges facing information technology (IT) security professionals is the laborious task of sifting through numerous log files in an attempt to identify malicious traffic and conduct a forensics analysis to determine an appropriate course of action. This process is complicated significantly by the volume of traffic that can be associated with a production device environment. A honeynet can provide a mechanism to identify much of the forensically interesting traffic by creating a representative system to collect traffic data. However, it is challenging to maintain an accurate representation of a dynamic system in order to consistently collect the appropriate data of interest. This research effort addresses a current challenge identified by researchers at the Honeynet Project by describing a methodology for automatically creating and dynamically updating a honeynet in order to facilitate IDS support.

Tianxiang Yu,Yang Xin,Chunyong Zhang

DOI: https://doi.org/10.3390/electronics13020361

IF: 2.9

2024-01-16

Electronics

Abstract:Honeynet and honeypot originate as network security tools to collect attack information during the network being compromised. With the development of virtualization and software defined networks, honeynet has recently achieved many breakthroughs. However, existing honeynet architectures treat network attacks as interactions with a single honeypot which is supported by multiple honeypots to make this single one more realistic and efficient. The scale and depth of existing honeynets are limited, making it hard to capture complicated attack information. Existing honeynet frameworks also have low-level simulation of protected network and lacks test metrics. To address these issues, we design and implement a novel container-based comprehensive cyber deception honeynet architecture that consists of five modules, called HoneyFactory. Just like factory producing products according to customer preferences, HoneyFactory generates honeynet using containers based on business networks under protection. In HoneyFactory architecture, we propose a novel honeynet deception model based on hmm model to evaluate deception stage. We also design other modules to make this architecture comprehensive and efficient. Experiments show that HoneyFactory performs better than existing research in communication latency and connections per second. Experiments also show that HoneyFactory can effectively evaluate deception stage and perform deep cyber deception.

engineering, electrical & electronic,computer science, information systems,physics, applied

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Xiangjun Meng,Zhifeng Zhao,Rongpeng Li,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2017.8171066

2017-01-01

Abstract:Honeynet is deployed to trap attackers and learn their behavior patterns and motivations. Conventional honeynet is implemented by dedicated hardware and software. It suffers from inflexibility, high CAPEX and OPEX. There have been several virtualized honeynet architectures to solve those problems. But they lack a standard operating environment and common architecture for dynamic scheduling and adaptive resource allocation. Software Defined Security (SDS) framework has a centralized control mechanism and intelligent decision making ability for different security functions. In this paper, we present a new intelligent honeynet architecture based on SDS framework. It implements security functions over Network Function Virtualization Infrastructure (NFVI). Under uniform and intelligent control, security functional modules can be dynamically deployed and collaborated to complete different tasks. It migrates resources according to the workloads of each honeypot and power off unused modules. Simulation results show that intelligent honeynet has a better performance in conserving resources and reducing energy consumption. The new architecture can fit the needs of future honeynet development and deployment.

Guannan Guo,Jianwei Zhuge,Mengmeng Yang,Gengqian Zhou,Yixiong Wu

DOI: https://doi.org/10.1109/IINTEC.2018.8695276

2018-01-01

Abstract:Industrial control systems (ICS) have become ubiquitous as cyber-physical systems are widely distributed in critical infrastructures. Yet as the ICS environment evolves and becomes ever more connected, an increasing number of devices are now exposed on the Internet, and the attacking surface and risk increase as well, an attacker who finds an ICS device can cause severe damage to real world easily. In this paper, we deploy high-interaction honeypots using real devices on the Internet to find who is searching the exposed ICS devices and study the discrepancies between different scanners. To gain a more accurate and bigger landscape, instead of performing our own large scale scanning world wide, we provide a survey of ICS devices on the Internet based on historical data collected from multiple data sources. By aggregating and analyzing, we are able to find an even greater number of both ICS devices and honeypots on the Internet compared with any single search engine. We hope to raise the issue of ICS security and inform work on exploring and securing ICS devices on the Internet.

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Kannan Kirishikesan,Gayakantha Jayakody,Ayesh Hallawaarachchi,Chandana Gamage

DOI: https://doi.org/10.4038/icter.v16i2.7265

2023-12-08

International Journal on Advances in ICT for Emerging Regions (ICTer)

Abstract:Industrial Control Systems (ICSs) are control systems that automate and control industrial processes. ICSs have a high-security risk since most of them are connected to the Internet for remote monitoring and controlling purposes. Compromising ICS can disrupt critical infrastructure supplies, such as water supply, power supply, transportation systems, and manufacturing systems. Programmable Logic Controllers (PLCs) are special computers used in ICSs. Many PLCs do not have built-in security systems. Many ICS application layer protocols are not designed with security in mind. Therefore, external security systems are needed to protect ICSs from cyber-attacks. Identifying the vulnerabilities, malware, and attacking patterns is useful in designing defense-in-depth security systems for ICSs. Honeypots can be used for research purposes as a way of collecting data and can also be used to protect the systems from attackers. In this paper, we present a high-interaction physics-aware ICS research honeypot that has been extended to a production honeypot using Software Defined Networking.

Luís Sousa,José Cecílio,Pedro Ferreira,Alan Oliveira

2024-04-06

Abstract:Industrial Control Systems (ICS) constitute the backbone of contemporary industrial operations, ranging from modest heating, ventilation, and air conditioning systems to expansive national power grids. Given their pivotal role in critical infrastructure, there has been a concerted effort to enhance security measures and deepen our comprehension of potential cyber threats within this domain. To address these challenges, numerous implementations of Honeypots and Honeynets intended to detect and understand attacks have been employed for ICS. This approach diverges from conventional methods by focusing on making a scalable and reconfigurable honeynet for cyber-physical systems. It will also automatically generate attacks on the honeynet to test and validate it. With the development of a scalable and reconfigurable Honeynet and automatic attack generation tools, it is also expected that the system will serve as a basis for producing datasets for training algorithms for detecting and classifying attacks in cyber-physical honeynets.

Cryptography and Security

Javier Franco,Ahmet Aris,Berk Canberk,A. Selcuk Uluagac

DOI: https://doi.org/10.48550/arXiv.2108.02287

2021-08-04

Cryptography and Security

Abstract:The Internet of Things (IoT), the Industrial Internet of Things (IIoT), and Cyber-Physical Systems (CPS) have become essential for our daily lives in contexts such as our homes, buildings, cities, health, transportation, manufacturing, infrastructure, and agriculture. However, they have become popular targets of attacks, due to their inherent limitations which create vulnerabilities. Honeypots and honeynets can prove essential to understand and defend against attacks on IoT, IIoT, and CPS environments by attracting attackers and deceiving them into thinking that they have gained access to the real systems. Honeypots and honeynets can complement other security solutions (i.e., firewalls, Intrusion Detection Systems - IDS) to form a strong defense against malicious entities. This paper provides a comprehensive survey of the research that has been carried out on honeypots and honeynets for IoT, IIoT, and CPS. It provides a taxonomy and extensive analysis of the existing honeypots and honeynets, states key design factors for the state-of-the-art honeypot/honeynet research and outlines open issues for future honeypots and honeynets for IoT, IIoT, and CPS environments.

Zain Shamsi,Daniel Zhang,Daehyun Kyoung,Alex Liu

DOI: https://doi.org/10.48550/arXiv.2206.13614

2022-06-28

Abstract:Network honeypots are often used by information security teams to measure the threat landscape in order to secure their networks. With the advancement of honeypot development, today's medium-interaction honeypots provide a way for security teams and researchers to deploy these active defense tools that require little maintenance on a variety of protocols. In this work, we deploy such honeypots on five different protocols on the public Internet and study the intent and sophistication of the attacks we observe. We then use the information gained to develop a clustering approach that identifies correlations in attacker behavior to discover IPs that are highly likely to be controlled by a single operator, illustrating the advantage of using these honeypots for data collection.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Wei Yang,Yu Yao,Tong Zhao,Yao Shan

DOI: https://doi.org/10.1109/TII.2023.3240739

IF: 12.3

2023-10-01

IEEE Transactions on Industrial Informatics

Abstract:Honeypots have proven to be an effective defense method for industrial control systems (ICSs). However, as attacker skills become more sophisticated, it becomes increasingly difficult to develop honeypots that can effectively recognize and respond to such attacks. In this article, we propose a neural network-based ICS honeypot scheme named NeuPot that improves security from two aspects: 1) honeypot interaction; and 2) cyber threats detection capability. NeuPot can respond to attacker requests depending on a specific industrial scenario without constant communication with the ICS and detect malicious traffic. To create this honeypot scheme, a new seq2seq time-series forecast model guided by Huber loss is designed to simulate the long-term changes in actual ICS physical processes. Second, a Modbus honeypot framework is created to react to changes in these ICS physical processes in their interactions with attackers and to capture various cyber threats against the ICS. Further, a novel loss function for industrial protocol-level malicious traffic detection is devised to identify known and unknown threats. According to our experiments, the proposed honeypot scheme is highly effective and outperforms state-of-the-art schemes in terms of interactivity and in detecting cyber threats.

Computer Science,Engineering

Weizhe Zhang,Bin Zhang,Ying Zhou,Hui He,Zeyu Ding

DOI: https://doi.org/10.1109/jiot.2019.2956173

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices are vulnerable against attacks because of their limited network resources and complex operating systems. Thus, a honeypot is a good method of capturing malicious requests and collecting malicious samples but is rarely used on the IoT. Accordingly, this article implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017–17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions, such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design corresponding multiport honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. The Docker in the honeynet, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet, encapsulates all these honeypots. Moreover, the honeynet control center is simultaneously designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks excluded in the VT, which proved the effectiveness of the proposed framework.

computer science, information systems,telecommunications,engineering, electrical & electronic

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.04.027

2006-01-01

Computer Science

Abstract:Honeypot is a new tool for network defence.The difficulty of designing a Honeypot lies in the success dis- guise and deception.Many Honeypots use scripts to simulate services,and put static deception into practice to protect network.But they could expose themselves easily.This paper designs and implements a low-interaction Honeypot based on the Apache server,named Honeyweb.It has four functions:http protocol detection,dynamic deception, working with other network security devices and log.It can dynamicly response to different http requests.The expri- ment indicates that depolying the Honeyweb will influence hackers' judgement,consume their resources,even stop at- tack.So Honeyweb can reach its purpose of active defence and preventing Web servers from attack.

Sakshyam Panda,Stefan Rass,Sotiris Moschoyiannis,Kaitai Liang,George Loukas,Emmanouil Panaousis

DOI: https://doi.org/10.48550/arXiv.2111.02364

2021-11-04

Abstract:The Internet of Vehicles (IoV), whereby interconnected vehicles communicate with each other and with road infrastructure on a common network, has promising socio-economic benefits but also poses new cyber-physical threats. Data on vehicular attackers can be realistically gathered through cyber threat intelligence using systems like honeypots. Admittedly, configuring honeypots introduces a trade-off between the level of honeypot-attacker interactions and any incurred overheads and costs for implementing and monitoring these honeypots. We argue that effective deception can be achieved through strategically configuring the honeypots to represent components of the IoV and engage attackers to collect cyber threat intelligence. In this paper, we present HoneyCar, a novel decision support framework for honeypot deception in IoV. HoneyCar builds upon a repository of known vulnerabilities of the autonomous and connected vehicles found in the Common Vulnerabilities and Exposure (CVE) data within the National Vulnerability Database (NVD) to compute optimal honeypot configuration strategies. By taking a game-theoretic approach, we model the adversarial interaction as a repeated imperfect-information zero-sum game in which the IoV network administrator chooses a set of vulnerabilities to offer in a honeypot and a strategic attacker chooses a vulnerability of the IoV to exploit under uncertainty. Our investigation is substantiated by examining two different versions of the game, with and without the re-configuration cost to empower the network administrator to determine optimal honeypot configurations. We evaluate HoneyCar in a realistic use case to support decision makers with determining optimal honeypot configuration strategies for strategic deployment in IoV.

Cryptography and Security,Artificial Intelligence

MA Li-bo,DUAN Hai-xin,LI Xing

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.037

2005-01-01

Abstract:Using honeypots to detect and monitor malware behaviors for network security trend analysis and early warning has become a new research direction.Honeypot deployment is the basic and all-important problem facing effectively collecting information of attackers.In this paper,research layers of honeypot deployment are firstly given and then some factors such as the interactive grade,the position,the number and the deploying model,etc.which are related to honeypot deployment are detailedly described.Especially under the condition of uniform distribution,the proper ratio of the number of honeypots to network total resources is deferred from theory and limited numbers of honeypots in IPv4 and IPv6 network are given according to the ratio.Practical low interactive honeypots data statistical analysis is performed at last to give practical evidence for honeypot deployment research.

Xiang Pan,Vinod Yegneswaran,Yan Chen,Phillip Porras,Seungwon Shin

DOI: https://doi.org/10.1145/2876019.2876023

2016-01-01

Abstract:Cyber Threat Intelligence (CTI) sharing facilitates a comprehensive understanding of adversary activity and enables enterprise networks to prioritize their cyber defense technologies. To that end, we introduce HogMap, a novel software-defined infrastructure that simplifies and incentivizes collaborative measurement and monitoring of cyber-threat activity. HogMap proposes to transform the cyber-threat monitoring landscape by integrating several novel SDN-enabled capabilities: (i) intelligent in-place filtering of malicious traffic, (ii) dynamic migration of interesting and extraordinary traffic and (iii) a software-defined marketplace where various parties can opportunistically subscribe to and publish cyber-threat intelligence services in a flexible manner. We present the architectural vision and summarize our preliminary experience in developing and operating an SDN-based HoneyGrid, which spans three enterprises and implements several of the enabling capabilities (e.g., traffic filtering, traffic forwarding and connection migration). We find that SDN technologies greatly simplify the design and deployment of such globally distributed and elastic Honey Grids.

Chongqi Guan,Heting Liu,Guohong Cao,Sencun Zhu,Thomas La Porta

DOI: https://doi.org/10.48550/arXiv.2305.06430

2023-05-10

Cryptography and Security

Abstract:As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic. To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses. HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.