133 research outputs found

    A Framework for the Design of IoT/IIoT/CPS Honeypots

    Get PDF

    To What Extent Are Honeypots and Honeynets Autonomic Computing Systems?

    Full text link
    Cyber threats, such as advanced persistent threats (APTs), ransomware, and zero-day exploits, are rapidly evolving and demand improved security measures. Honeypots and honeynets, as deceptive systems, offer valuable insights into attacker behavior, helping researchers and practitioners develop innovative defense strategies and enhance detection mechanisms. However, their deployment involves significant maintenance and overhead expenses. At the same time, the complexity of modern computing has prompted the rise of autonomic computing, aiming for systems that can operate without human intervention. Recent honeypot and honeynet research claims to incorporate autonomic computing principles, often using terms like adaptive, dynamic, intelligent, and learning. This study investigates such claims by measuring the extent to which autonomic principles principles are expressed in honeypot and honeynet literature. The findings reveal that autonomic computing keywords are present in the literature sample, suggesting an evolution from self-adaptation to autonomic computing implementations. Yet, despite these findings, the analysis also shows low frequencies of self-configuration, self-healing, and self-protection keywords. Interestingly, self-optimization appeared prominently in the literature. While this study presents a foundation for the convergence of autonomic computing and deceptive systems, future research could explore technical implementations in sample articles and test them for autonomic behavior. Additionally, investigations into the design and implementation of individual autonomic computing principles in honeypots and determining the necessary ratio of these principles for a system to exhibit autonomic behavior could provide valuable insights for both researchers and practitioners.Comment: 18 pages, 3 figures, 5 table

    An Empirical Analysis of Cyber Deception Systems

    Get PDF

    HoneyProxy Implementation in Cloud Environment with Docker HoneyFarm

    Get PDF
    Pilveteenustel põhinev infotehnoloogia süsteemide taristu on saamas tavapäraseks nii idufirmades, keskmise suurusega ettevõtetes kui ka suurtes korporatsioonides, toetades agiilsemat tarkvara arendust ning lihtsustades andmekeskuste haldamist, kontrollimist ja administreerimist. See kiirelt arenev tehnoloogiavaldkond tõstatas palju turvalisusega seotud küsimusi seoses pilves hoitavate teenuste ligipääsetavuse kontrollimisega ning sellega, kas pakutud lahenduste jõudlus ning viiteaeg (latentsus) jäävad aktsepteeritavatesse piiridesse. Käesolev teadustöö tutvustab honeypot peibutusmehhanismi pilves revolutsioonilisel viisil, mis rakendab HoneyProxy lahendust honeynet lüüsina pöördproksile, mis kontrollib sissetulevaid ja väljaminevaid päringuid back-end teenustesse. Vastav HoneyProxy on ühendatud HoneyFarm lahendusega, mida käitatakse samal masinal (pilveserveril). Iga honeypot jookseb eraldi Docker’i konteineris ning omab unikaalset IP-d, mistõttu on võimalik igat ründesessiooni isoleerida ühte konteinerisse võimalusega vahetada erinevate konteineritüüpide vahel, ajades ründaja segadusse honeypot’i kasutust paljastamata. See kaitsemehhanism suudab tuvastada ja logida ründaja tegevusi, mis võivad omakorda paljastada uusi ründetehnikaid ning isegi “nullpäeva” (zero-day) haavatavusi. Käesoleva töö fookus on tutvustada raamistikku HoneyProxy implementeerimiseks pilveteenustel Docker’i konteinereid kasutades.Cloud hosting services is a common trend nowadays for small startups, medium sized business and even for large big cooperations, that is helping the agility and scaling of resources and spare the overhead of controlling, managing and administrating the data-centers. The fast growing technology raised security questions of how to control the access to the services hosted on the cloud, and whether the performance and the latency of the solutions offered to address these questions are within the bearable limits. This research is introducing the honeypots to the cloud in a revolutionary way that exposes and applies what is called a HoneyProxy to work as a honeynet gateway for a reverse proxy that is controlling the incoming and outgoing flow to the back-end services. This HoneyProxy is connected to a HoneyFarm that is hosted on the same machine (cloud server) each honeypot is serviced in a docker container dedicated for every unique IP, so that each attack session can be isolated within one container with the ability to switch between different types of containers that can fool the attacker without suspecting the existence of a honeypot. This defending mechanism can detect and log attackers behavior which can reveal new attack techniques and even zero day exploits. The contribution of this work is introducing the framework to implement the HoneyProxy on the cloud services using Docker containers

    Enlightening the Darknets: Augmenting Darknet Visibility with Active Probes

    Get PDF
    Darknets collect unsolicited traffic reaching unused address spaces. They provide insights into malicious activities, such as the rise of botnets and DDoS attacks. However, darknets provide a shallow view, as traffic is never responded. Here we quantify how their visibility increases by responding to traffic with interactive responders with increasing levels of interaction. We consider four deployments: Darknets, simple, vertical bound to specific ports, and, a honeypot that responds to all protocols on any port. We contrast these alternatives by analyzing the traffic attracted by each deployment and characterizing how traffic changes throughout the responder lifecycle on the darknet. We show that the deployment of responders increases the value of darknet data by revealing patterns that would otherwise be unobservable. We measure Side-Scan phenomena where once a host starts responding, it attracts traffic to other ports and neighboring addresses. uncovers attacks that darknets and would not observe, e.g. large-scale activity on non-standard ports. And we observe how quickly senders can identify and attack new responders. The “enlightened” part of a darknet brings several benefits and offers opportunities to increase the visibility of sender patterns. This information gain is worth taking advantage of, and we, therefore, recommend that organizations consider this option
    corecore