151 research outputs found
To What Extent Are Honeypots and Honeynets Autonomic Computing Systems?
Cyber threats, such as advanced persistent threats (APTs), ransomware, and
zero-day exploits, are rapidly evolving and demand improved security measures.
Honeypots and honeynets, as deceptive systems, offer valuable insights into
attacker behavior, helping researchers and practitioners develop innovative
defense strategies and enhance detection mechanisms. However, their deployment
involves significant maintenance and overhead expenses. At the same time, the
complexity of modern computing has prompted the rise of autonomic computing,
aiming for systems that can operate without human intervention. Recent honeypot
and honeynet research claims to incorporate autonomic computing principles,
often using terms like adaptive, dynamic, intelligent, and learning. This study
investigates such claims by measuring the extent to which autonomic principles
principles are expressed in honeypot and honeynet literature. The findings
reveal that autonomic computing keywords are present in the literature sample,
suggesting an evolution from self-adaptation to autonomic computing
implementations. Yet, despite these findings, the analysis also shows low
frequencies of self-configuration, self-healing, and self-protection keywords.
Interestingly, self-optimization appeared prominently in the literature. While
this study presents a foundation for the convergence of autonomic computing and
deceptive systems, future research could explore technical implementations in
sample articles and test them for autonomic behavior. Additionally,
investigations into the design and implementation of individual autonomic
computing principles in honeypots and determining the necessary ratio of these
principles for a system to exhibit autonomic behavior could provide valuable
insights for both researchers and practitioners.Comment: 18 pages, 3 figures, 5 table
Wide spectrum attribution: Using deception for attribution intelligence in cyber attacks
Modern cyber attacks have evolved considerably. The skill level required to conduct
a cyber attack is low. Computing power is cheap, targets are diverse and plentiful.
Point-and-click crimeware kits are widely circulated in the underground economy, while
source code for sophisticated malware such as Stuxnet is available for all to download
and repurpose. Despite decades of research into defensive techniques, such as firewalls,
intrusion detection systems, anti-virus, code auditing, etc, the quantity of successful
cyber attacks continues to increase, as does the number of vulnerabilities identified.
Measures to identify perpetrators, known as attribution, have existed for as long as there
have been cyber attacks. The most actively researched technical attribution techniques
involve the marking and logging of network packets. These techniques are performed
by network devices along the packet journey, which most often requires modification of
existing router hardware and/or software, or the inclusion of additional devices. These
modifications require wide-scale infrastructure changes that are not only complex and
costly, but invoke legal, ethical and governance issues. The usefulness of these techniques
is also often questioned, as attack actors use multiple stepping stones, often innocent
systems that have been compromised, to mask the true source. As such, this thesis
identifies that no publicly known previous work has been deployed on a wide-scale basis
in the Internet infrastructure.
This research investigates the use of an often overlooked tool for attribution: cyber de-
ception. The main contribution of this work is a significant advancement in the field of
deception and honeypots as technical attribution techniques. Specifically, the design and
implementation of two novel honeypot approaches; i) Deception Inside Credential Engine
(DICE), that uses policy and honeytokens to identify adversaries returning from different
origins and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive
honeynet framework that uses actor-dependent triggers to modify the honeynet envi-
ronment, to engage the adversary, increasing the quantity and diversity of interactions.
The two approaches are based on a systematic review of the technical attribution litera-
ture that was used to derive a set of requirements for honeypots as technical attribution
techniques. Both approaches lead the way for further research in this field
EVHS - Elastic Virtual Honeypot System for SDNFV-Based Networks
The SDNFV-based network has leveraged the advantages of software-defined networking (SDN) and network-function virtualization (NFV) to become the most prominent network architecture. However, with the advancement of the SDNFV-based network, more attack types have emerged. This research focuses on one of the methods (use of the honeypot system) of preventing these attacks on the SDNFV-based network. We introduce an SDNFV-based elastic virtual honeypot system (EVHS), which not only resolves problems of other current honeypot systems but also employs a new approach to efficiently manage and control honeypots. It uses a network-intrusion-detection system (NIDS) at the border of the network to detect attacks, leverages the advantages of SDN and NFV to flexibly generate honeypots, and connects attackers to these honeypots by using a moving-target defense mechanism. Furthermore, we optimize the system to efficiently reuse the available honeypots after the attacks are handled. Experimental results validate that the proposed system is a flexible and efficient approach to manage and provide virtual honeypots in the SDNFV-based network; the system can also resolve the problems encountered by current honeypot systems
Dynamic Honeypot Configuration for Programmable Logic Controller Emulation
Attacks on industrial control systems and critical infrastructure are on the rise. Important systems and devices like programmable logic controllers are at risk due to outdated technology and ad hoc security measures. To mitigate the threat, honeypots are deployed to gather data on malicious intrusions and exploitation techniques. While virtual honeypots mitigate the unreasonable cost of hardware-replicated honeypots, these systems often suffer from a lack of authenticity due to proprietary hardware and network protocols. In addition, virtual honeynets utilizing a proxy to a live device suffer from performance bottlenecks and limited scalability. This research develops an enhanced, application layer emulator capable of alleviating honeynet scalability and honeypot inauthenticity limitations. The proposed emulator combines protocol-agnostic replay with dynamic updating via a proxy. The result is a software tool which can be readily integrated into existing honeypot frameworks for improved performance. The proposed emulator is evaluated on traffic reduction on the back-end proxy device, application layer task accuracy, and byte-level traffic accuracy. Experiments show the emulator is able to successfully reduce the load on the proxy device by up to 98% for some protocols. The emulator also provides equal or greater accuracy over a design which does not use a proxy. At the byte level, traffic variation is statistically equivalent while task success rates increase by 14% to 90% depending on the protocol. Finally, of the proposed proxy synchronization algorithms, templock and its minimal variant are found to provide the best overall performance
Recommended from our members
Reactive Security for SDN/NFV-enabled Industrial Networks leveraging Service Function Chaining
The innovative application of 5G core technologies, namely Software Defined Networking (SDN) and Network Function Virtualization (NFV), can help reduce capital and operational expenditures in industrial networks. Nevertheless, SDN expands the attack surface of the communication infrastructure, thus necessitating the introduction of additional security mechanisms. These major changes could not leave the industrial environment unaffected, with smart industrial deployments gradually becoming a reality; a trend that is often referred to as the 4th industrial revolution or Industry 4.0. A wind park is a good example of an industrial application relying on a network with strict performance, security, and reliability requirements, and was chosen as a representative example of industrial systems. This work highlights the benefit of leveraging the flexibility of SDN/NFV-enabled networks to deploy enhanced, reactive security mechanisms for the protection of the industrial network, via the use of Service Function Chaining. Moreover, the implementation of a proof-of-concept reactive security framework for an industrial-grade wind park network is presented, along with a performance evaluation of the proposed approach. The framework is equipped with SDN and Supervisory Control and Data Acquisition (SCADA) honeypots, modelled on and deployable to the wind park, allowing continuous monitoring of the industrial network and detailed analysis of potential attacks, thus isolating attackers and enabling the assessment of their level of sophistication. Moreover, the applicability of the proposed solutions is assessed in the context of the specific industrial application, based on the analysis of the network characteristics and requirements of an actual, operating wind park
A Survey of Network Requirements for Enabling Effective Cyber Deception
In the evolving landscape of cybersecurity, the utilization of cyber
deception has gained prominence as a proactive defense strategy against
sophisticated attacks. This paper presents a comprehensive survey that
investigates the crucial network requirements essential for the successful
implementation of effective cyber deception techniques. With a focus on diverse
network architectures and topologies, we delve into the intricate relationship
between network characteristics and the deployment of deception mechanisms.
This survey provides an in-depth analysis of prevailing cyber deception
frameworks, highlighting their strengths and limitations in meeting the
requirements for optimal efficacy. By synthesizing insights from both
theoretical and practical perspectives, we contribute to a comprehensive
understanding of the network prerequisites crucial for enabling robust and
adaptable cyber deception strategies
Securing Distributed Computer Systems Using an Advanced Sophisticated Hybrid Honeypot Technology
Computer system security is the fastest developing segment in information technology. The conventional approach to system security is mostly aimed at protecting the system, while current trends are focusing on more aggressive forms of protection against potential attackers and intruders. One of the forms of protection is also the application of advanced technology based on the principle of baits - honeypots. Honeypots are specialized devices aimed at slowing down or diverting the attention of attackers from the critical system resources to allow future examination of the methods and tools used by the attackers. Currently, most honeypots are being configured and managed statically. This paper deals with the design of a sophisticated hybrid honeypot and its properties having in mind enhancing computer system security. The architecture of a sophisticated hybrid honeypot is represented by a single device capable of adapting to a constantly changing environment by using active and passive scanning techniques, which mitigate the disadvantages of low-interaction and high-interaction honeypots. The low-interaction honeypot serves as a proxy for multiple IP addresses and filters out traffic beyond concern, while the high-interaction honeypot provides an optimum level of interaction. The proposed architecture employing the prototype of a hybrid honeypot featuring autonomous operation should represent a security mechanism minimizing the disadvantages of intrusion detection systems and can be used as a solution to increase the security of a distributed computer system rapidly, both autonomously and in real-time
Classifying resilience approaches for protecting smart grids against cyber threats
Smart grids (SG) draw the attention of cyber attackers due to their vulnerabilities, which are caused by the usage of heterogeneous communication technologies and their distributed nature. While preventing or detecting cyber attacks is a well-studied field of research, making SG more resilient against such threats is a challenging task. This paper provides a classification of the proposed cyber resilience methods against cyber attacks for SG. This classification includes a set of studies that propose cyber-resilient approaches to protect SG and related cyber-physical systems against unforeseen anomalies or deliberate attacks. Each study is briefly analyzed and is associated with the proper cyber resilience technique which is given by the National Institute of Standards and Technology in the Special Publication 800-160. These techniques are also linked to the different states of the typical resilience curve. Consequently, this paper highlights the most critical challenges for achieving cyber resilience, reveals significant cyber resilience aspects that have not been sufficiently considered yet and, finally, proposes scientific areas that should be further researched in order to enhance the cyber resilience of SG.Open Access funding provided thanks to the CRUE-CSIC agreement with Springer Nature. Funding for open access charge: Universidad de Málaga / CBUA
- …