Towards improving the security of low-interaction honeypots: insights from a comparative analysis

The recent increase in the number of security attacks by cyber-criminals on small businesses meant that security remained a concern for such organizations. In many such cases, detecting the attackers remained a challenge. A common tool to augment existing attack detection mechanisms within networks involves the use of honeypot systems. A fundamental feature of low-interaction honeypots is to be able to lure intruders, but the effectiveness of such systems has nevertheless been affected by various constraints. To be able to secure honeypots systems, it is important to firstly determine its requirements, before taking appropriate actions to ensure that the identified requirements have been achieved. This paper critically examines how existing low-interaction honeypot systems abide to major requirements before recommending how their security could be improved

Design requirements for generating deceptive content to protect document repositories

For nearly 30 years, fake digital documents have been used to identify external intruders and malicious insider threats. Unfortunately, while fake files hold potential to assist in data theft detection, there is little evidence of their application outside of niche organisations and academic institutions. The barrier to wider adoption appears to be the difficulty in constructing deceptive content. The current generation of solutions principally: (1) use unrealistic random data; (2) output heavily formatted or specialised content, that is difficult to apply to other environments; (3) require users to manually build the content, which is not scalable, or (4) employ an existing production file, which creates a protection paradox. This paper introduces a set of requirements for generating automated fake file content: (1) enticing, (2) realistic, (3) minimise disruption, (4) adaptive, (5) scalable protective coverage, (6) minimise sensitive artefacts and copyright infringement, and (7) contain no distinguishable characteristics. These requirements have been drawn from literature on natural science, magical performances, human deceit, military operations, intrusion detection and previous fake file solutions. These requirements guide the design of an automated fake file content construction system, providing an opportunity for the next generation of solutions to find greater commercial application and widespread adoption

Towards a set of metrics to guide the generation of fake computer file systems

Fake file systems are used in the field of cyber deception to bait intruders and fool forensic investigators. File system researchers also frequently generate their own synthetic document repositories, due to data privacy and copyright concerns associated with experimenting on real-world corpora. For both these fields, realism is critical. Unfortunately, after creating a set of files and folders, there are no current testing standards that can be applied to validate their authenticity, or conversely, reliably automate their detection. This paper reviews the previous 30 years of file system surveys on real world corpora, to identify a set of discrete measures for generating synthetic file systems. Statistical distributions, such as size, age and lifetime of files, common file types, compression and duplication ratios, directory distribution and depth (and its relationship with numbers of files and sub-directories) were identified and the respective merits discussed. Additionally, this paper highlights notable absences in these surveys, which could be beneficial, such as analysing, on mass, the text content distribution, file naming habits, and comparing file access times against traditional working hours

Dempster-Shafer Evidence Combining for (Anti)-Honeypot Technologies

Honeypots are network surveillance architectures designed to resemble easy-to-compromise computer systems. They are deployed to trap hackers in order to help security professionals capture, control, and analyze malicious Internet attacks and other activities of hackers. A botnet is an army of compromised computers controlled by a bot herder and used for illicit financial gain. Botnets have become quite popular in recent Internet attacks. Since honeypots have been deployed in many defense systems, attackers constructing and maintaining botnets are forced to find ways to avoid honeypot traps. In fact, some researchers have even suggested equipping normal machines by misleading evidence so that they appear as honeypots in order to scare away rational attackers. In this paper, we address some aspects related to the problem of honeypot detection by botmasters. In particular, we show that current honeypot architectures and operation limitations may allow attackers to systematically collect, combine, and analyze evidence about the true nature of the machines they compromise. In particular, we show how a systematic technique for evidence combining such as Dempster-Shafer theory can allow botmasters to determine the true nature of compromised machines with a relatively high certainty. The obtained results demonstrate inherent limitations of current honeypot designs. We also aim to draw the attention of security professionals to work on enhancing the discussed features of honeypots in order to prevent them from being abused by botmasters

Three Decades of Deception Techniques in Active Cyber Defense -- Retrospect and Outlook

Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a two-dimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element.Comment: 19 page

ANALYTICAL MODELS FOR THE INTERACTION BETWEEN BOTMASTERS AND HONEYPOTS

Honeypots are traps designed to resemble easy-to-compromise computer systems in order to tempt attackers to invade them. When attackers target a honeypot, all their actions, tools and techniques are recorded and analyzed in order to help security professionals in their conflict against the attackers and the botmasters. However, botmasters might be able to detect honeypots. In particular, they can command compromised machines to perform illicit actions in which the targeted victims work as sensors that measure the machine's willingness to perform these actions. If honeypots were designed to completely ignore these commands, then they can be easily detected by botmasters. On the other hand, full participation by honeypots in such activities has its associated costs and may lead to legal liabilities. This raises the need for finding the optimal response strategy needed by honeypots in order to prolong their stay within botnets without exposing them to liability. In this work, we show that current honeypot architectures and operation limitations may allow botmasters to uncover honeypots in their botnet. In particular, we show how botmasters can systematically collect, combine and analyze evidence about the true nature of the machines they compromise using Dempster-Shafer theory. To determine the currently available optimal response for honeypots, we provide a Bayesian game theoretic framework that models the interaction between honeypots and botmasters as a non-zero-sum noncooperative game with uncertainty. However, the solution of the game shows that botmasters always have the upper hand in the conflict with honeypots since botmasters can update their belief about the true nature of the opponents and consequently act optimally based on the new belief value. This motivated us to investigate a better strategy that enables honeypots to maximize their outcome by optimally responding to the probes of the botmasters. In particular, we provide a Markov Decision Processes model that helps security professionals to determine the optimal strategy that enables the honeypots to prolong their stay in the botnets while minimizing the cost of possible legal liability. Throughout this thesis, we also provide different scenarios that illustrate and support our proposed analysis and solutions

A Methodology For Intelligent Honeypot Deployment And Active Engagement Of Attackers

Thesis (Ph.D.) University of Alaska Fairbanks, 2012The internet has brought about tremendous changes in the way we see the world, allowing us to communicate at the speed of light, and dramatically changing the face of business forever. Organizations are able to share their business strategies and sensitive or proprietary information across the globe in order to create a sense of cohesiveness. This ability to share information across the vastness of the internet also allows attackers to exploit these different avenues to steal intellectual property or gather information vital to the national security of an entire nation. As technology advances to include more devices accessing an organization's network and as more business is handled via the internet, attackers' opportunities increase daily. Honeypots were created in response to this cyber warfare. Honeypots provide a technique to gather information about attackers performing reconnaissance on a network or device without the voluminous logs obtained by the majority of intrusion detection systems. This research effort provides a methodology to dynamically generate context-appropriate honeynets. Administrators are able to modify the system to conform to the target environment and gather the information passively or through increasing degrees of active scanning. The information obtained during the process of scanning the environment aids the administrator in creating a network topology and understanding the flux of devices in the network. This research continues the effort to defend an organization's networks against the onslaught of attackers

Emulation of Industrial Control Field Device Protocols

It has been shown that thousands of industrial control devices are exposed to the Internet, however, the extent and nature of attacks on such devices remains unknown. The first step to understanding security problems that face modern supervisory control and data acquisition (SCADA) and industrial controls networks is to understand the various attacks launched on Internet-connected field devices. This thesis describes the design and implementation of an industrial control emulator on a Gumstix single-board computer as a solution. This emulator acts as a decoy field device, or honeypot, intended to be probed and attacked via an Internet connection. Evaluation techniques are developed to assess the accuracy of the emulation implemented on the Gumstix and are compared against the implementation on a standard PC and the emulation target, a Koyo DirectLogic 405 programmable logic controller. The results show that both the Gumstix and PC emulator platforms are very accurate to the workloads presented. This suggests that a honeypot implemented on a Gumstix emulator and a standard PC are both suitable for applications in SCADA attack-landscape research