Locally-Hosted Fidelity-Adaptive Honeypots with Connection-Preserving Capabilities | IEEE Conference Publication | IEEE Xplore

Abstract:

The attack lifecycle starts with the intelligence gathering stage. Network scanning tools are commonly used during this stage to enumerate devices and their services. These tools may be used in various ways depending on the adversary's motivations. The trade-off is between stealth and potential information gain. Some tools may simply identify live hosts, while others may fully connect to remote devices and interact with their services. Traditionally, the choice of honeypot deployment locations and their fidelity are mostly static, and they rely on an abundance of resources for hosting and redirection. This is inefficient and, especially in resource-constrained environments, not suitable. Technologies that enable efficient and adaptive honeypots are critical. This paper describes the multi-fidelity honeypot system (mfhoney) that runs on a local device. The system is capable of suspending and switching to different honeypot processes, on the fly, while carrying over their active network connections. An evaluation of mfhoney on a constrained virtual machine indicates that the switchover behavior is seamless and delays are negligible: the behavior and reporting of the Nmap scanning tool, as well as legitimate client applications, do not change when interacting with mfhoney.
Date of Conference: 28 November 2022 - 02 December 2022
Date Added to IEEE Xplore: 24 January 2023
Conference Location: Rockville, MD, USA

I. Introduction

Defenders typically introduce additional artifacts, called honeypots, in the network to lure attackers away from legitimate assets and to understand their techniques and motivations. Honeypots can range in fidelity from low-interaction, such as a simple listener, to high-interaction, such as a full webserver. The choice of fidelity is largely influenced by available resources. For this reason, previous works have looked at how to strategically place these honeypots to maximize their utility [1]. However, it is infeasible to calculate every move an attacker may take, because there may be multiple attackers or changes in intentions.
