A honeypot is a tool or system used to record, redirect, and even lure hackers into penetrating and exploiting a system. As technology develops, hackers increasingly detect the existence of honeypots with various other software and tools, so honeypots need a way to learn how hackers behave. The idea proposed here is to combine honeypots with reinforcement learning (RL) algorithms so that they become adaptive honeypots. This study examines the concept by comparing two Q-learning-based RL algorithms, DQN and DDQN, to determine which is more optimal. The results showed that the DDQN algorithm is more optimal in choosing actions than the DQN algorithm, because using a double Q-value helps determine the action more accurately. Based on the results, the DDQN honeypot also consumed less memory than the DQN honeypot. The learning-rate curve and the command processing of the DDQN algorithm suggest it as an alternative algorithm to combine with honeypots, since its learning rate can make honeypots faster in a dynamic environment.
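The abstract's central claim is that a double Q-value chooses actions "more accurately". The reason is the overestimation bias of a single max-based estimator: DQN bootstraps from max_a Q_target(s', a), so the same noisy estimate both selects and values the action, while DDQN selects with the online network and reads the value from the target network. The following example, added here and not taken from the paper, makes that bias measurable on a toy honeypot decision: every action is constructed to have true value 0, so any positive mean target is pure bias. The action names, noise level and trial count are assumptions for illustration.

```python
"""Added example (not from the paper above): why a double estimator picks actions
more accurately than a single max-based estimator.

DQN bootstraps from max_a Q_target(s', a); DDQN selects the action with the online
network and evaluates it with the target network. The two are compared on a toy
honeypot decision where every action truly has value 0, so any positive estimate
is overestimation bias. All values are constructed; no real honeypot data is used.
"""
import random

# Constructed action set for an adaptive honeypot deciding how to treat a command.
ACTIONS = ("allow", "delay", "substitute", "block")


def noisy_estimates(rng, n_actions, noise):
    # One network's estimate of Q(s', a) for every action: true value 0 plus noise.
    return [rng.gauss(0.0, noise) for _ in range(n_actions)]


def dqn_target(target_q):
    # DQN: max over a single estimator (selection and evaluation share the noise).
    return max(target_q)


def ddqn_target(online_q, target_q):
    # DDQN: argmax taken with the online estimator, value read from the
    # (here independent) target estimator, so the noise cannot pick itself.
    best = max(range(len(online_q)), key=online_q.__getitem__)
    return target_q[best]


def average_bias(trials=4000, noise=1.0, seed=7):
    """Return (mean DQN target, mean DDQN target) over independent trials.
    Because every true Q-value is 0, each mean is the estimator's bias."""
    rng = random.Random(seed)
    dqn_sum = ddqn_sum = 0.0
    for _ in range(trials):
        online_q = noisy_estimates(rng, len(ACTIONS), noise)
        target_q = noisy_estimates(rng, len(ACTIONS), noise)
        dqn_sum += dqn_target(target_q)
        ddqn_sum += ddqn_target(online_q, target_q)
    return dqn_sum / trials, ddqn_sum / trials


if __name__ == "__main__":
    dqn_bias, ddqn_bias = average_bias()
    print(f"DQN bias: {dqn_bias:+.3f}   DDQN bias: {ddqn_bias:+.3f}")
```

With four actions and unit-variance noise the DQN target averages about +1.0 above the true value, while the DDQN target averages close to 0. In a real DDQN the target network is a lagged copy of the online network rather than an independent estimator, so the two are correlated and the bias is reduced rather than removed; the example uses independent noise to show the mechanism in its cleanest form.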
Leveraging high-performance software-defined networks (SDNs) to manage industrial Internet of Things (IIoT) devices has become a promising trend; the SDN is expected to be the next-generation unified and virtualized network platform, providing unprecedented automation, flexibility, and efficiency. As the core of business applications and sensitive data storage, the SDN is vulnerable to distributed denial-of-service (DDoS) attacks in IIoT environments, where numerous requests are sent to the SDN to interrupt its services. In traditional defense systems, honeypots have shown great promise in resisting DDoS attacks. In this paper, we reveal a new attack that can identify honeypots and thereby invalidate their protection. In addition, we analyze the optimal strategies of attackers, so that they can find the best time to carry out attacks. To protect the SDN from such anti-honeypot attacks, we propose a pseudo-honeypot game (PHG) strategy with a theoretical performance guarantee. We prove several groups of Bayesian-Nash equilibria in the PHG strategy. Moreover, we show that these strategies can achieve the optimal equilibrium between legitimate users and attackers. The proposed honeypot strategies provide dynamic protection for the SDN; hence, malicious attacks under our strategies can be effectively controlled. Finally, we evaluate our proposals on a testbed, and experimental results show that they can effectively resist DDoS attacks with lower energy consumption than existing methods.
The integration of artificial intelligence (AI) into Security Orchestration, Automation, and Response (SOAR) promises a revolution in cyber-security operations. Adopting AI-supported SOAR technology can help organizations improve their resilience against cyber attacks. Some studies propose SOAR engines that can deploy purpose-built honeypots and identify attacks, while others integrate artificial intelligence to improve situational awareness and the response to security threats. Using AI/ML technology in cyber security can increase the effectiveness of SOC analysts in detecting, preventing, and responding to security attacks through better threat detection, automation of routine tasks, faster and more accurate data analysis, improved response to attacks, and a reduced workload. The detection capabilities of the SOAR engine include HTTP IDS, botnet, and DDoS detection, using machine-learning models trained on various kinds of data. The SOAR engine is also equipped with other threat-detection capabilities, such as behavioural analysis, log analysis, malware analysis, and threat-intelligence analysis. A SOAR system equipped with a learning engine based on artificial neural networks is able to analyse data in real time and detect threats quickly. Thus, the use of AI technology and real-time analysis helps reduce the workload of security professionals and improves efficiency in facing cyber attacks.
The Honeypot for the Internet of Things (HIoTPOT) keeps a secret eye on IoT devices and analyses the various recent threats that endanger them. This paper presents the implementation of a research honeypot used to learn the recent tactics and techniques the black-hat community uses to attack IoT devices. Because IoT devices are open and easy to access, intruders are highly attracted to them. Recently, Telnet-based attacks on IoT devices have become very common as a way to gain easy access and then attack other devices. To reduce such threats it is necessary to know the intruder in detail; the aim of this research work is therefore to implement a novel secret-eye server, HIoTPOT, which makes the IoT environment safer and more secure.
To proactively defend computer systems against cyber-attacks, a honeypot system, purposely designed to be prone to attacks, is commonly used to detect attacks and to discover new vulnerabilities, exploits or malware before they do real damage to real systems. Its usefulness lies in being able to operate without being identified as a trap by adversaries; otherwise, its value is significantly reduced. A honeypot is commonly classified by the degree of interaction it provides to the attacker: low-, medium- and high-interaction honeypots. However, these systems have shortcomings of their own. First, low- and medium-interaction honeypots can be easily detected because of the limited, simulated functions of the system they present. Second, the use of real systems in high-interaction honeypots carries a high risk of the honeypot itself being compromised, because its functions are unrestricted. To address these problems, we developed Asgard, an adaptive self-guarded honeypot, which leverages reinforcement learning to learn and record the attacker's tools and behaviour while protecting itself from being deeply compromised. In this paper, we compare Asgard and its variant Midgard with two conventional SSH honeypots: Cowrie and a real Linux system. The goal of the paper is (1) to demonstrate the effectiveness of an adaptive honeypot that can learn to compromise between collecting attack data and keeping the honeypot safe, and (2) to show the benefit of coupling the environment state and the action in the reinforcement-learning reward function so that the honeypot learns its objectives effectively. The experimental results show that Asgard could collect higher-quality attacker data than Cowrie while evading detection, and could also protect the system for as long as possible by blocking or substituting malicious programs and some other commands, which is the major problem of the high-interaction honeypot.
Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the past years, several researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot: if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field by providing a holistic framework that includes state-of-the-art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present several interesting side findings, such as the identification of around 355,000 non-honeypot systems that represent potentially misconfigured or unpatched vulnerable servers (e.g., SSH servers with default password configurations and vulnerable versions). We ethically disclosed our findings to network administrators regarding the default configurations, and to the honeypot developers regarding the implementation gaps that make honeypot fingerprinting possible. Last, we discuss countermeasures against honeypot fingerprinting techniques.
Automated attacks allow adversaries to exploit vulnerabilities in enterprise IT systems at short notice. To identify such attacks as well as new cybersecurity threats, defenders use honeypot systems; these monitored decoy resources mimic legitimate devices to entice adversaries. The domain of enterprise IT honeypots has been an active area of development and research, especially in the open-source community. In this work, we survey open-source honeypots, honeypot frameworks, and tools that help to develop or discover honeypot deployments. In contrast to existing surveys, our work provides a detailed discussion of the honeypots' system architecture, software architecture, and cloud-native deployment options. In addition, we cover the most recent academic research in honeypot detection and evasion techniques, and discuss how these advances impact current open-source honeypots. This work helps the reader to make an educated choice when selecting a honeypot for deployment or further development.
The Internet of Things (IoT), the Industrial Internet of Things (IIoT), and Cyber-Physical Systems (CPS) have become essential for our daily lives in contexts such as our homes, buildings, cities, health, transportation, manufacturing, infrastructure, and agriculture. However, they have become popular targets of attacks, because their inherent limitations create vulnerabilities. Honeypots and honeynets can prove essential to understanding and defending against attacks on IoT, IIoT, and CPS environments by attracting attackers and deceiving them into thinking that they have gained access to the real systems. Honeypots and honeynets can complement other security solutions (e.g., firewalls and intrusion detection systems, IDS) to form a strong defense against malicious entities. This paper provides a comprehensive survey of the research that has been carried out on honeypots and honeynets for IoT, IIoT, and CPS. It provides a taxonomy and an extensive analysis of the existing honeypots and honeynets, states key design factors for state-of-the-art honeypot/honeynet research, and outlines open issues for future honeypots and honeynets for IoT, IIoT, and CPS environments.
The widespread use of programmable logic controllers (PLCs) in critical infrastructures has given rise to escalating cybersecurity concerns regarding PLC attacks. As a proactive defense mechanism, PLC honeypots emulate genuine controllers to engage adversaries so that their attack tactics and techniques can be observed. As part of the arms race between offense and defense, multiple PLC honeypot identification tools have been developed. However, many existing tools cannot recognize high-fidelity honeypots, since they rely on identifying common network services and fingerprints. In this paper, we propose an innovative and practical honeypot identification framework called HoneyJudge, which goes beyond state-of-the-art (SOTA) network-fingerprint-based identification tools such as Nmap and the PLCScan tool. HoneyJudge tests the suspected target's special memory content and features. Specifically, HoneyJudge models the internal memory of a PLC in three categories, system-level, user-level and process-level, and from them extracts six representative memory features. All characteristics are acquired through automated network request messages. We then design a weighted voting algorithm that combines the test results over the different memory features to reach the final conclusion. We validate the effectiveness of HoneyJudge in comparison with several SOTA honeypot identification tools, and the results indicate that memory-related issues have not been well addressed in existing PLC honeypots and still need substantial research effort.
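Two of the abstracts above turn several independent probes into a single honeypot label: the Internet-wide fingerprinting study uses a rigid multi-step approach so that one suggestive signal (a default SSH password, say) does not by itself label a real server a honeypot, and HoneyJudge combines per-feature memory tests with a weighted vote. The example below is added here to show both aggregation schemes side by side; it is not code from either paper. The probe names, their grouping into system/user/process memory categories, the verdict encoding, the weights and the threshold are all constructed assumptions, and the probes themselves are represented only by their outcomes.

```python
"""Added example (not code from either paper): two ways to turn several
fingerprint probes into a honeypot label without trusting any single probe.

* multi_step_label(): a sequential gate in the spirit of the Internet-wide
  study. A host is labelled a honeypot only if every stage confirms it, and
  the first stage that does not confirm stops the pipeline (cheap probes first).
* weighted_vote(): a HoneyJudge-style weighted vote over per-feature memory
  tests, each answering +1 (consistent with a real controller), -1 (inconsistent
  with one) or 0 (inconclusive).

Probe names, categories, weights and verdicts below are constructed for
illustration; the real probes are network requests that are not modelled here.
"""
from dataclasses import dataclass

REAL, HONEYPOT, UNKNOWN = 1, -1, 0   # assumed verdict encoding for one probe


@dataclass(frozen=True)
class Probe:
    name: str
    category: str      # assumed grouping: "network", "system", "user" or "process"
    verdict: int       # REAL, HONEYPOT or UNKNOWN
    weight: float = 1.0


def multi_step_label(stages):
    """Sequential gate. Returns ("honeypot", n) only when all n stages report
    HONEYPOT; otherwise ("not-confirmed", i) where i is the first stage that
    failed to confirm. A REAL or UNKNOWN outcome at any stage is enough to stop."""
    for i, stage in enumerate(stages):
        if stage.verdict != HONEYPOT:
            return ("not-confirmed", i)
    return ("honeypot", len(stages))


def weighted_vote(probes, threshold=0.0):
    """Weighted vote normalised to [-1, 1]; negative means more honeypot-like.
    Inconclusive probes contribute neither to the score nor to the normaliser,
    so an unanswerable test cannot drag the result toward either side."""
    decided = [p for p in probes if p.verdict != UNKNOWN]
    total = sum(p.weight for p in decided)
    if total == 0:
        return ("inconclusive", 0.0)
    score = sum(p.weight * p.verdict for p in decided) / total
    return ("honeypot" if score < threshold else "real", score)


# Constructed SSH pipeline: a deployment that behaves like a honeypot at every stage.
SAMPLE_SSH_HONEYPOT = [
    Probe("banner matches a known honeypot default", "network", HONEYPOT),
    Probe("login accepts arbitrary credentials", "network", HONEYPOT),
    Probe("shell returns canned command output", "network", HONEYPOT),
]

# Constructed SSH pipeline: a real but misconfigured server. It shares the first
# two signals, yet its shell behaves like a real system, so it is not labelled.
SAMPLE_SSH_MISCONFIGURED = [
    Probe("banner matches a known honeypot default", "network", HONEYPOT),
    Probe("login accepts arbitrary credentials", "network", HONEYPOT),
    Probe("shell returns canned command output", "network", REAL),
]

# Constructed memory-feature results for a high-fidelity PLC honeypot: it passes
# the identity check but fails tests that need real, changing controller memory.
SAMPLE_MEMORY_PROBES = [
    Probe("system-area identity block", "system", REAL, 1.0),
    Probe("system-area clock advances", "system", HONEYPOT, 1.5),
    Probe("user-area write/readback", "user", HONEYPOT, 2.0),
    Probe("user-area block size bound", "user", UNKNOWN, 1.0),
    Probe("process-area I/O image changes", "process", HONEYPOT, 2.0),
    Probe("process-area timer resolution", "process", REAL, 0.5),
]

if __name__ == "__main__":
    print(multi_step_label(SAMPLE_SSH_HONEYPOT))
    print(multi_step_label(SAMPLE_SSH_MISCONFIGURED))
    print(weighted_vote(SAMPLE_MEMORY_PROBES))
```

The two schemes trade off differently: the sequential gate never labels a host on partial evidence, which is what keeps the default-password servers out of the honeypot count, while the weighted vote tolerates one or two features a high-fidelity honeypot gets right as long as the heavier memory-consistency tests fail. Where real probes are plugged in, the weights should come from how often each feature distinguishes known honeypots from known controllers, not from intuition.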