Jiao Ma,Kun Chai,Yao Xiao,Tian Lan,Wei Huang

DOI: https://doi.org/10.1109/icm.2011.287

2011-09-01

Abstract:In order to solve the problems that IDSs and firewalls cannot efficiently detect new SQL injection and too much time is wasted when the security personnel reads log files to analyze attacks, we proposed and implemented a high-interaction web honeypot system for SQL injection analysis. By (i)modifying PHP extension for MySQL to intercept database requests and (ii)adopting exception based and signature based detection techniques, the system can generate the corresponding attack graphs to solve problems above. For illustration, SQL injection attack examples are utilized to show the performance of the honeypot system. The results show that the honeypot system can intercept all database requests and increase the efficiency of SQL injection analysis with the attack graphs. This system provides an efficient and timely detection on the new SQL injection and helps security personnel quickly analyzing the new SQL injection with the attack graph.

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.04.027

2006-01-01

Computer Science

Abstract:Honeypot is a new tool for network defence.The difficulty of designing a Honeypot lies in the success dis- guise and deception.Many Honeypots use scripts to simulate services,and put static deception into practice to protect network.But they could expose themselves easily.This paper designs and implements a low-interaction Honeypot based on the Apache server,named Honeyweb.It has four functions:http protocol detection,dynamic deception, working with other network security devices and log.It can dynamicly response to different http requests.The expri- ment indicates that depolying the Honeyweb will influence hackers' judgement,consume their resources,even stop at- tack.So Honeyweb can reach its purpose of active defence and preventing Web servers from attack.

Yue Shi,Yingying Zhang

DOI: https://doi.org/10.1145/3617184.3618056

2023-09-22

Abstract:Honeypot is an active security defense technology that uses false information to lure attackers into attacking and record their behavior. Traditional honeypots are usually static, and inherent features and services can accelerate attackers' recognition of honeypots, causing them to lose value. We designs a dynamic honeypot based on machine learning, which can adapt to dynamic and constantly changing network environments while improving the authenticity of the honeypot. It automatically generates configuration files, simulates the characteristics and behavior of devices in the network. The method proposed is to achieve active monitoring and defense of network attacks by actively scanning Nmap and obtaining network device information through P0f, and combining feature clustering methods to classify devices and generate honeypot configuration files, active monitoring and defense of network attacks can be achieved. The results shows that this methods can effectively enhance the attack capture ability and camouflage ability of honeypots.

Computer Science

Hou Xinrui,Cheng Zhen,Zhou Yajin,Li Jinku

2020-01-01

Abstract:The invention discloses a system and method for detecting Ethereum digital currency stealing attacks. The method comprises the steps: deploying an Ethereum honeypot, inducing a network attacker to quickly find a honeypot host, transmitting a detection request, and capturing a malicious request from the attacker; storing the malicious request from the attacker in a database; and analyzing the attack data, associating the malicious request, detecting an attack behavior, identifying an attack method used by an attacker, tracking the attacker, and generating a detection result. According to the method, the malicious request sent by the attacker is attracted and captured, and the attack technique used by the attacker is further recognized, and weak points of an existing system are effectively found, so that the Ethereum system is better protected.

Hakan T. Otal,M. Abdullah Canbaz

2024-09-15

Abstract:The rapid evolution of cyber threats necessitates innovative solutions for detecting and analyzing malicious activity. Honeypots, which are decoy systems designed to lure and interact with attackers, have emerged as a critical component in cybersecurity. In this paper, we present a novel approach to creating realistic and interactive honeypot systems using Large Language Models (LLMs). By fine-tuning a pre-trained open-source language model on a diverse dataset of attacker-generated commands and responses, we developed a honeypot capable of sophisticated engagement with attackers. Our methodology involved several key steps: data collection and processing, prompt engineering, model selection, and supervised fine-tuning to optimize the model's performance. Evaluation through similarity metrics and live deployment demonstrated that our approach effectively generates accurate and informative responses. The results highlight the potential of LLMs to revolutionize honeypot technology, providing cybersecurity professionals with a powerful tool to detect and analyze malicious activity, thereby enhancing overall security infrastructure.

Cryptography and Security,Artificial Intelligence,Computation and Language,Machine Learning,Networking and Internet Architecture

SHEN Ming,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.05.043

2011-01-01

Abstract:Honeypot technology is employed to trap attacks,thus to collect the attack information and protect the real host.The core value of the honeypot lies in being detected,attacked and threatened,with this,the people could analyze the attack,know its attack purpose,means and strategies,and finally learn in-depth information protection methods.In the application of honeypot technology,the most important point is the misleading of the attackers.This paper analyzes the identifiable points of the honeypot and virtual machine systems through several specific characteristics of the system hardware and the network.Then it proposes some solutions to the identification with experimental statistics.It is hoped that the information security industry could attach the importance to and promote the development of honeypot technology.

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Simon B. Weber,Marc Feger,Michael Pilgermann

DOI: https://doi.org/10.1109/access.2024.3472460

IF: 3.9

2024-10-12

IEEE Access

Abstract:The research area of honeypots is gaining new momentum, driven by advancements in large language models (LLMs). The chat-based applications of generative pretrained transformer (GPT) models seem ideal for the use as honeypot backends, especially in request-response protocols like Secure Shell (SSH). By leveraging LLMs, many challenges associated with traditional honeypots – such as high development costs, ease of exposure, and breakout risks – appear to be solved. While early studies have primarily focused on the potential of these models, our research investigates the current limitations of GPT-3.5 by analyzing three datasets of varying complexity. We conducted an expert annotation of over 1,400 request-response pairs, encompassing 230 different base commands. Our findings reveal that while GPT-3.5 struggles to maintain context, incorporating session context into response generation improves the quality of SSH responses. Additionally, we explored whether distinguishing between convincing and non-convincing responses is a metrics issue. We propose a paraphrase-mining approach to address this challenge, which achieved a macro F1 score of 77.85% using cosine distance in our evaluation. This method has the potential to reduce annotation efforts, converge LLM-based honeypot performance evaluation, and facilitate comparisons between new and previous approaches in future research.

computer science, information systems,telecommunications,engineering, electrical & electronic

Thorsten Holz,Xinhui Han,Chengyu Song,Wei Zou

2012-01-01

Abstract:WMN has been a field of active research in the recent years. Lot of research has focused various routing mechanism but very little effort has been made towards attack detection or intrusion detection. In this paper, we propose an attack detection approach for wireless mesh network using Honeypot technique. A Honeypot is a security resource whose value lies in being probed, attacked or compromised. A honeypot is designed to interact with attackers to collect attack techniques and behaviors. A collection of such Honeypots laid to effectively trap the attacker is called a Honeynet. In our paper, we propose a honeynet, that is able to trap the attackers by analyzing their attacking techniques and thereby sending the logs to a centralized repository to analyze those logs so as to better understand the technique used for attacking.

Ahmed Abdou,Ryan Sheatsley,Yohan Beugin,Tyler Shipp,Patrick McDaniel

DOI: https://doi.org/10.1109/MILCOM52596.2021.9652947

2022-02-21

Abstract:Machine Learning is becoming a pivotal aspect of many systems today, offering newfound performance on classification and prediction tasks, but this rapid integration also comes with new unforeseen vulnerabilities. To harden these systems the ever-growing field of Adversarial Machine Learning has proposed new attack and defense mechanisms. However, a great asymmetry exists as these defensive methods can only provide security to certain models and lack scalability, computational efficiency, and practicality due to overly restrictive constraints. Moreover, newly introduced attacks can easily bypass defensive strategies by making subtle alterations. In this paper, we study an alternate approach inspired by honeypots to detect adversaries. Our approach yields learned models with an embedded watermark. When an adversary initiates an interaction with our model, attacks are encouraged to add this predetermined watermark stimulating detection of adversarial examples. We show that HoneyModels can reveal 69.5% of adversaries attempting to attack a Neural Network while preserving the original functionality of the model. HoneyModels offer an alternate direction to secure Machine Learning that slightly affects the accuracy while encouraging the creation of watermarked adversarial samples detectable by the HoneyModel but indistinguishable from others for the adversary.

Cryptography and Security,Artificial Intelligence

Muris Sladić,Veronica Valeros,Carlos Catania,Sebastian Garcia

DOI: https://doi.org/10.1109/EuroSPW61312.2024.00054

2024-09-23

Abstract:Honeypots are essential tools in cybersecurity for early detection, threat intelligence gathering, and analysis of attacker's behavior. However, most of them lack the required realism to engage and fool human attackers long-term. Being easy to distinguish honeypots strongly hinders their effectiveness. This can happen because they are too deterministic, lack adaptability, or lack deepness. This work introduces shelLM, a dynamic and realistic software honeypot based on Large Language Models that generates Linux-like shell output. We designed and implemented shelLM using cloud-based LLMs. We evaluated if shelLM can generate output as expected from a real Linux shell. The evaluation was done by asking cybersecurity researchers to use the honeypot and give feedback if each answer from the honeypot was the expected one from a Linux shell. Results indicate that shelLM can create credible and dynamic answers capable of addressing the limitations of current honeypots. ShelLM reached a TNR of 0.90, convincing humans it was consistent with a real Linux shell. The source code and prompts for replicating the experiments have been publicly available.

Cryptography and Security,Artificial Intelligence,Computation and Language

Xy He,Ky Lam,Sl Chung,Ch Chi,Jg Sun

DOI: https://doi.org/10.1007/978-3-540-30483-8_18

2004-01-01

Abstract:Security becomes increasingly important. However, existing security tools, almost all defensive, have many vulnerabilities which are hard to overcome because of the lack of information about hackers techniques or powerful tools to distinguish malicious traffic from the huge volume of production traffic. Although honeypots mainly aim at collecting information about hackers' behaviors, they axe not very effective in that honeypot implementers tend to block or limit hackers' outbound connections to avoid harming non-honeypot systems, thus making honeypots easy to be fingerprinted. Additionally, the main concern is that if hackers were allowed outbound connections, they may attack the actual servers thus the honeypot could become a facilitator of the hacking crime. In this paper we present a new method to real-time emulate intrusion victims in a honeyfarm. When hackers request outbound connections, they are redirected to the intrusion victims which emulate the real targets. This method provides hackers with a less suspicious environment and reduces the risk of harming; other systems.

Yan Zhang,Chong Di,Zhuoran Han,Yichen Li,Shenghong Li

DOI: https://doi.org/10.1109/dsc.2017.52

2017-01-01

Abstract:The honeypot is a kind of proactive defense technology against malicious attacks in the field of information security. Successful and timely detection of network attacks highly depends on efficient honeypot deployment. This paper proposes an adaptive honeypot deployment algorithm based on learning automata (LA) called LA-AHD for improving the network security. The whole network suffers from external attacks in an attack-defense scenario based on a mathematical model. The proposed algorithm considers the entirety of candidate nodes in the network as a LA and models each candidate node as an action of the LA. Through the interactions with attacks and the evolutions of the LA, a certain number of honeypots can be adaptively deployed at the proper place in the network. The computational experiments verify the effectiveness and efficiency of the proposed LA-AHD algorithm. The results show the algorithm can improve the speed of selecting the honeypots and increase the honeypot capture rate substantially.

Stefan Machmeier

2024-07-17

Abstract:In this age of digitalization, Internet services face more attacks than ever. An attacker's objective is to exploit systems and use them for malicious purposes. Such efforts are rising as vulnerable systems can be discovered and compromised through Internet-wide scanning. One known methodology besides traditional security leverages is to learn from those who attack it. A honeypot helps to collect information about an attacker by pretending to be a vulnerable target. Thus, how honeypots can contribute to a more secure infrastructure makes an interesting topic of research. This thesis will present a honeypot solution to investigate malicious activities in heiCLOUD and show that attacks have increased significantly. To detect attackers in restricted network zones at Heidelberg University, a new concept to discover leaks in the firewall will be created. Furthermore, to consider an attacker's point of view, a method for detecting honeypots at the transport level will be introduced. Lastly, a customized OpenSSH server that works as an intermediary instance will be presented to mitigate these efforts.

Cryptography and Security

CHEN Ji-jun,ZHANG Xin-xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.07.042

2007-01-01

Abstract:The methods and techniques to detect and compromise Honeypot are deployed more and more widely. To improve Honeypot system,this paper proposes build the Honeypot based on Xen virtual machine technology to make Honeypot more effective in performance,more difficult to detect and easier to manage and use.

Wei Yang,Yu Yao,Tong Zhao,Yao Shan

DOI: https://doi.org/10.1109/TII.2023.3240739

IF: 12.3

2023-10-01

IEEE Transactions on Industrial Informatics

Abstract:Honeypots have proven to be an effective defense method for industrial control systems (ICSs). However, as attacker skills become more sophisticated, it becomes increasingly difficult to develop honeypots that can effectively recognize and respond to such attacks. In this article, we propose a neural network-based ICS honeypot scheme named NeuPot that improves security from two aspects: 1) honeypot interaction; and 2) cyber threats detection capability. NeuPot can respond to attacker requests depending on a specific industrial scenario without constant communication with the ICS and detect malicious traffic. To create this honeypot scheme, a new seq2seq time-series forecast model guided by Huber loss is designed to simulate the long-term changes in actual ICS physical processes. Second, a Modbus honeypot framework is created to react to changes in these ICS physical processes in their interactions with attackers and to capture various cyber threats against the ICS. Further, a novel loss function for industrial protocol-level malicious traffic detection is devised to identify known and unknown threats. According to our experiments, the proposed honeypot scheme is highly effective and outperforms state-of-the-art schemes in terms of interactivity and in detecting cyber threats.

Computer Science,Engineering

Chongqi Guan,Heting Liu,Guohong Cao,Sencun Zhu,Thomas La Porta

DOI: https://doi.org/10.48550/arXiv.2305.06430

2023-05-10

Cryptography and Security

Abstract:As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic. To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses. HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.

Weizhe Zhang,Bin Zhang,Ying Zhou,Hui He,Zeyu Ding

DOI: https://doi.org/10.1109/jiot.2019.2956173

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices are vulnerable against attacks because of their limited network resources and complex operating systems. Thus, a honeypot is a good method of capturing malicious requests and collecting malicious samples but is rarely used on the IoT. Accordingly, this article implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017–17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions, such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design corresponding multiport honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. The Docker in the honeynet, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet, encapsulates all these honeypots. Moreover, the honeynet control center is simultaneously designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks excluded in the VT, which proved the effectiveness of the proposed framework.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ziyang Wang,Jianzhou You,Haining Wang,Tianwei Yuan,Shichao Lv,Yang Wang,Limin Sun

2024-06-04

Abstract:Honeypots, as a strategic cyber-deception mechanism designed to emulate authentic interactions and bait unauthorized entities, continue to struggle with balancing flexibility, interaction depth, and deceptive capability despite their evolution over decades. Often they also lack the capability of proactively adapting to an attacker's evolving tactics, which restricts the depth of engagement and subsequent information gathering. Under this context, the emergent capabilities of large language models, in tandem with pioneering prompt-based engineering techniques, offer a transformative shift in the design and deployment of honeypot technologies. In this paper, we introduce HoneyGPT, a pioneering honeypot architecture based on ChatGPT, heralding a new era of intelligent honeypot solutions characterized by their cost-effectiveness, high adaptability, and enhanced interactivity, coupled with a predisposition for proactive attacker engagement. Furthermore, we present a structured prompt engineering framework that augments long-term interaction memory and robust security analytics. This framework, integrating thought of chain tactics attuned to honeypot contexts, enhances interactivity and deception, deepens security analytics, and ensures sustained engagement. The evaluation of HoneyGPT includes two parts: a baseline comparison based on a collected dataset and a field evaluation in real scenarios for four weeks. The baseline comparison demonstrates HoneyGPT's remarkable ability to strike a balance among flexibility, interaction depth, and deceptive capability. The field evaluation further validates HoneyGPT's efficacy, showing its marked superiority in enticing attackers into more profound interactive engagements and capturing a wider array of novel attack vectors in comparison to existing honeypot technologies.

Cryptography and Security,Artificial Intelligence,Emerging Technologies,Software Engineering