• ETRI Journal
• /
• v.42 no.6
• /
• pp.965-975
• /
• 2020

This paper proposes a new framework for the development and deployment of honeypots for evolving malware threats. As new technological concepts appear and evolve, attack surfaces are exploited. Internet of things significantly increases the attack surface available to malware developers. Previously independent devices are becoming accessible through new hardware and software attack vectors, and the existing taxonomies governing the development and deployment of honeypots are inadequate for evolving malicious programs and their variants. Malware-propagation and compromise methods are highly automated and repetitious. These automated and repetitive characteristics can be exploited by using embedded reinforcement learning within a honeypot. A honeypot for automated and repetitive malware (HARM) can be adaptive so that the best responses may be learnt during its interaction with attack sequences. HARM deployments can be agile through periodic policy evaluation to optimize redeployment. The necessary enhancements for adaptive, agile honeypots require a new development and deployment framework.

• ETRI Journal
• /
• v.38 no.6
• /
• pp.1145-1152
• /
• 2016

Because the nodes in a wireless sensor network (WSN) are mobile and the network is highly dynamic, monitoring every node at all times is impractical. As a result, an intruder can attack the network easily, thus impairing the system. Hence, detecting anomalies in the network is very essential for handling efficient and safe communication. To overcome these issues, in this paper, we propose a rule-based anomaly detection technique using roaming honeypots. Initially, the honeypots are deployed in such a way that all nodes in the network are covered by at least one honeypot. Honeypots check every new connection by letting the centralized administrator collect the information regarding the new connection by slowing down the communication with the new node. Certain predefined rules are applied on the new node to make a decision regarding the anomality of the node. When the timer value of each honeypot expires, other sensor nodes are appointed as honeypots. Owing to this honeypot rotation, the intruder will not be able to track a honeypot to impair the network. Simulation results show that this technique can efficiently handle the anomaly detection in a WSN.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.5
• /
• pp.15-24
• /
• 2006

Many computer security systems use the signatures of well-known attacks to respond to hackers. For these systems, it is very important to get the accurate signatures of new attacks as soon as possible. For this reason, honeypots and honeypot farms have been actively researched. However, they can only collect a small amount of information because hackers have a strong tendency to directly attack servers of which IP addresses are allocated. In this paper, we propose an unused ports-based decoy system to redirect hackers toward honeypots. This system opens unused ports to lure hackers. All interactions with the unused ports are considered as suspect, because the ports aren't those for real service. Accordingly, every request sent to the unused ports is redirected to a honeypot. Consequently, this system enables honeypots to collect information about hackers attacking real servers other than themselves.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.5 no.4
• /
• pp.406-411
• /
• 2010

A honeynet is a closely monitored computing resource that we want to be probed, attacked or compromised. More precisely, a honeypot is "an information system resource whose value lies in unauthorized or illicit use of that resource The value of honeynet is weighed by the information that can be obtained from it. but It's very difficult to deploy Honeynet in Real World, So I focused on Virtual Honeynet. The strength of virtual honeynet is scalability and ease of maintenance. It is inexpensive to deploy and accessible to almost everyone. Compared with physical honeypots, this approach is more lightweight. Instead of deploying a physical computer system that acts as a honeypot, we can also deploy one physical computer that hosts several virtual machines that act as honeypots.

• International Journal of Computer Science & Network Security
• /
• v.21 no.1
• /
• pp.162-173
• /
• 2021

The Honeypot is the mechanism that is made to learn more about the attackers like knowing about the method and pattern of attack and is also used to obtain very useful info about all intrusive activities. Honeypots usually categorized according to the interaction's level as (high, medium, low) interaction. The main purpose which is used as honey production and honey research. This paper includes a detailed study of two honeypot tools. The different honey pot findings are put in in this paper to illustrate how honey is working in a real environment and even how it reacts when undesirable interest obtain in this network, and these tools are used to improve the concept of security, protection and confidentiality within or outside the organization to avoid attacks, vulnerabilities and breaches.

• Proceedings of the Korean Information Science Society Conference
• /
• 2003.04a
• /
• pp.347-349
• /
• 2003

최근들어 인터넷의 보급이 급속도로 확산되면서 인터넷을 통한 개인 정보의 불법적인 침해 사고도 많이 발생하고 있다. 갈수록 다양해지는 공격 방법에 대비하기 위하여 공격 정보를 수집할 필요성이 생기게 되었는데 그에 따라 등장한 것이 Honeypot이라는 개념이다. Honeypot은 고의로 공격자에 의해 공격을 당함으로써 공격 정보를 수집하는 네트웍 자원을 말한다. Honeypot을 구현할 때에는 그것이 다른 정상적인 자원을 공격하는 데에 사용되지 않도록 해야 하는데. 기존의 방법들에서는 확실한 제한이 이루어지지 않았다. 따라서 본 논문에서는 패킷의 방향 재설정을 통하여 Honeypot 오용을 확실히 제한하고, 더 많은 공격 정보를 수집할 수 있는 방법을 제안하였다.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.7 no.2
• /
• pp.279-285
• /
• 2012

Most national critical key infrastructure, such like electricity, nuclear power plant, and petroleum is run on SCADA (Supervisory Control And Data Acquisition) system as the closed network type. These systems have treated the open protocols like TCP/IP, and the commercial operating system, which due to gradually increasing dependence on IT(Information Technology) is a trend. Recently, concerns have been raised about the possibility of these facilities being attacked by cyber terrorists, hacking, or viruses. In this paper, the method to minimize threats and vulnerabilities is proposed, with the virtual honeynet system architecture and the attack detection algorithm, which can detect the unknown attack patterns of Zero-Day Attack are reviewed.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.9
• /
• pp.4512-4526
• /
• 2018

The Internet of Things (IoT) has become an emerging industry that is broadly used in many fields from industrial and agricultural manufacturing to home automation and hospitality industry. Because of the sheer number of connected devices transmitting valuable data, the IoT infrastructures have become a main target for cyber-criminals. One of the key challenges in protecting IoT devices is the lack of security measures by design. Although there are many hardware and software based security solutions (firewalls, honeypots, IPDS, anti-virus etc.) for information systems, most of these solutions cannot be applied to IoT devices because of the fact that IoT devices have limited computing resources (CPU, RAM,). In this paper, we propose a honeypot system called HoneyThing for modem/router devices (i.e. a kind of IoT device). HoneyThing emulates TR-069 protocol which is prevalent protocol used to remotely manage customer-premises equipment (CPE) devices, e.g. modems, routers. Honeything also serves an embedded web server simulating a few actual, critical vulnerabilities associated with the implementation of TR-069 protocol. To show effectiveness of the HoneyThing in capturing real world attacks, we have deployed it in the Internet. The obtained results are highly promising and facilitate to reveal network attacks targeting to CPE devices.

• ETRI Journal
• /
• v.41 no.5
• /
• pp.585-598
• /
• 2019

A cyber-physical system (CPS) is a new mechanism controlled or monitored by computer algorithms that intertwine physical and software components. Advanced persistent threats (APTs) represent stealthy, powerful, and well-funded attacks against CPSs; they integrate physical processes and have recently become an active research area. Existing offensive and defensive processes for APTs in CPSs are usually modeled by incomplete information game theory. However, honeypots, which are effective security vulnerability defense mechanisms, have not been widely adopted or modeled for defense against APT attacks in CPSs. In this study, a honeypot game-theoretical model considering both low- and high-interaction modes is used to investigate the offensive and defensive interactions, so that defensive strategies against APTs can be optimized. In this model, human analysis and honeypot allocation costs are introduced as limited resources. We prove the existence of Bayesian Nash equilibrium strategies and obtain the optimal defensive strategy under limited resources. Finally, numerical simulations demonstrate that the proposed method is effective in obtaining the optimal defensive effect.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.5
• /
• pp.117-130
• /
• 2007

A honeypot is a security resource whose value lies in being attack. It collects data regarding the attack strategies and tools of hackers. However, the honeypot is normally located at a single point, and the possibility is small that a hacker will attack it. Unused ports-based decoy systems which gather data about hackers activities have been developed to complement honeypots. However, the systems have some problems to be deployed in actual environment. In this paper, we propose an agent-based system which enhances shortcomings of the unused ports-based decoy systems. It makes honeypot gather more information regarding hacker activities and protects clients from attacks. Moreover, the proposed system can increase the chance of tracking hackers activities without wasting additional IP addresses and computer hardwares.