New framework for adaptive and agile honeypots

  • Dowling, Seamus (Mayo Campus, Galway Mayo Institute of Technology) ;
  • Schukat, Michael (Discipline of IT, College of Engineering and Informatics, National University of Ireland Galway) ;
  • Barrett, Enda (Discipline of IT, College of Engineering and Informatics, National University of Ireland Galway)
  • Received : 2019.03.29
  • Accepted : 2020.03.24
  • Published : 2020.12.14

Abstract

This paper proposes a new framework for the development and deployment of honeypots for evolving malware threats. As new technological concepts appear and evolve, their attack surfaces are exploited. The Internet of Things significantly increases the attack surface available to malware developers: previously independent devices are becoming accessible through new hardware and software attack vectors, and the existing taxonomies governing the development and deployment of honeypots are inadequate for evolving malicious programs and their variants. Malware propagation and compromise methods are highly automated and repetitive. These automated and repetitive characteristics can be exploited by embedding reinforcement learning within a honeypot. A honeypot for automated and repetitive malware (HARM) can be adaptive, so that the best responses are learnt during its interaction with attack sequences, and HARM deployments can be agile through periodic policy evaluation to optimize redeployment. The necessary enhancements for adaptive, agile honeypots require a new development and deployment framework.
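The two ideas in the abstract, a honeypot that learns its responses to a repetitive attack sequence, and periodic evaluation of the learnt policy to decide when a redeployment is needed, can be illustrated with a small tabular Q-learning simulation. The code below is an added example written for this page; it is not the authors' implementation and does not reproduce any real malware. The command steps, the honeypot action set, the scripted bot models, the reward values and the redeployment threshold are all constructed assumptions chosen only to make the learning dynamics visible.

```python
"""Toy adaptive honeypot: Q-learning over responses to a scripted bot.

Added illustration, not code from the paper. Every name, reward and bot
behaviour below is a constructed assumption.
"""
import random

# Constructed model of an automated bot's session: the kind of command it
# sends at each step. Real bots are scripted and repetitive, which is what
# lets a tabular learner converge quickly.
ATTACK_SEQUENCE = ["login", "recon", "download", "execute", "report"]

# Constructed honeypot responses: let the command through, refuse it,
# answer with fabricated output, or stall.
ACTIONS = ["allow", "block", "substitute", "delay"]


def scripted_bot(step: str, action: str) -> bool:
    """Constructed bot model: True if the bot keeps going after this response."""
    if action == "block":
        return False                       # refused commands end the session
    if step == "execute" and action == "delay":
        return False                       # bot times out waiting for its payload
    return True


def scripted_bot_variant(step: str, action: str) -> bool:
    """Constructed later variant: also gives up when served a substituted
    download, i.e. it checks what it received."""
    if step == "download" and action == "substitute":
        return False
    return scripted_bot(step, action)


def reward_for(step: str, action: str, continued: bool) -> float:
    """Constructed reward: +1 per step the bot keeps talking (more data
    captured), +2 extra for capturing the payload request with fake output,
    -1 when the session is lost."""
    if not continued:
        return -1.0
    return 3.0 if (step == "download" and action == "substitute") else 1.0


def new_q_table() -> dict:
    return {step: {a: 0.0 for a in ACTIONS} for step in ATTACK_SEQUENCE}


def greedy_action(q: dict, step: str) -> str:
    # max() keeps the first action on ties, so untrained states default to "allow"
    return max(ACTIONS, key=lambda a: q[step][a])


def run_episode(q, bot, rng, epsilon=0.0, alpha=0.5, gamma=0.9, learn=False):
    """Play one bot session against the honeypot; update Q if learn=True."""
    total = 0.0
    for i, step in enumerate(ATTACK_SEQUENCE):
        explore = learn and rng.random() < epsilon
        action = rng.choice(ACTIONS) if explore else greedy_action(q, step)
        continued = bot(step, action)
        r = reward_for(step, action, continued)
        total += r
        if learn:
            has_next = continued and i + 1 < len(ATTACK_SEQUENCE)
            future = max(q[ATTACK_SEQUENCE[i + 1]].values()) if has_next else 0.0
            q[step][action] += alpha * (r + gamma * future - q[step][action])
        if not continued:
            break
    return total


def train(bot, episodes=1000, seed=7) -> dict:
    """Adaptive phase: learn responses by interacting with the bot."""
    q, rng = new_q_table(), random.Random(seed)
    for _ in range(episodes):
        run_episode(q, bot, rng, epsilon=0.2, learn=True)
    return q


def evaluate_policy(q, bot, episodes=20) -> float:
    """Periodic policy evaluation: mean reward of the greedy policy."""
    rng = random.Random(0)
    return sum(run_episode(q, bot, rng) for _ in range(episodes)) / episodes


def needs_redeploy(score: float, baseline: float, tolerance: float = 0.8) -> bool:
    """Agile phase: flag redeployment when the policy has decayed relative to
    the score it achieved when last deployed (constructed 20% tolerance)."""
    return score < tolerance * baseline


if __name__ == "__main__":
    q = train(scripted_bot)
    base = evaluate_policy(q, scripted_bot)
    print({s: greedy_action(q, s) for s in ATTACK_SEQUENCE}, "baseline", base)
    drift = evaluate_policy(q, scripted_bot_variant)      # same policy, new variant
    print("variant score", drift, "redeploy?", needs_redeploy(drift, base))
```

Against the original bot the learner settles on serving fabricated output at the download step, which keeps the bot talking and captures its payload request; when the same policy is evaluated against the variant the score collapses and the redeployment check fires, which is the trigger a HARM deployment would use to retrain and roll out a new policy.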
