
Consistency is All I Ask: Attacks and Countermeasures on the Network Context of Distributed Honeypots

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13358)

Abstract

The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions have emerged to address the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems are vulnerable to one class of anti-honeypot technique, network context cross-checking (NC3), in which the attacker compares the network context observed before breaking into a targeted system with the context observed from inside it afterwards and looks for inconsistencies. We perform a systematic study of NC3 and identify nine types of network context artifacts that attackers may leverage to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework that defends against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the results show that HoneyPortal effectively defeats NC3 attacks with low performance overhead.
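The cross-check the abstract describes, as an added example that is not code from the paper or from HoneyPortal: the attacker records network-context artifacts during external reconnaissance, collects the matching artifacts from a shell on the compromised host, and flags the target when too many of them disagree. The five artifacts used here (owned IP, initial TTL versus path length, RTT symmetry, service banner, and ARP neighbourhood), the parsers for `traceroute` and `ip neigh` output, the tolerances and the suspicion threshold are assumptions chosen for this illustration; they are not the paper's nine artifacts. Both the "outside" and "inside" views are constructed sample data, one for a remote honeypot reached through a tunnel and one for a genuine local host. A defender can run the same function against a redirected honeypot to confirm that the projected host still looks consistent from both sides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustrative NC3 cross-check, not the paper's code. The artifact set,
# the parsers, the tolerances and the threshold are assumptions for this example.
TTL_HOP_TOLERANCE = 1          # allowed |expected - observed| TTL delta
RTT_ASYMMETRY_TOLERANCE = 0.5  # allowed relative RTT difference, out vs. in
SUSPICION_THRESHOLD = 2        # inconsistent artifacts before calling "honeypot"


@dataclass
class Finding:
    artifact: str
    consistent: bool
    detail: str


def parse_traceroute(text: str) -> Tuple[int, float]:
    """(hop count, RTT in ms of the final hop) parsed from traceroute(1) output."""
    hops = re.findall(r"^\s*(\d+)\s+\S+ \(\S+\)\s+([\d.]+) ms", text, re.M)
    if not hops:
        raise ValueError("no hops parsed from traceroute output")
    return len(hops), float(hops[-1][1])


def parse_ip_neigh(text: str, gateway: str) -> int:
    """Count resolved neighbours other than the gateway in `ip neigh show` output."""
    count = 0
    for line in text.splitlines():
        m = re.match(r"^(\S+) dev \S+ lladdr \S+ (\w+)$", line.strip())
        if m and m.group(1) != gateway and m.group(2) in ("REACHABLE", "STALE", "DELAY"):
            count += 1
    return count


def cross_check(outside: Dict, inside: Dict) -> List[Finding]:
    """Compare what the scan showed (outside) with what the shell shows (inside)."""
    hops, rtt_in = parse_traceroute(inside["traceroute"])
    rtt_out = outside["rtt_ms"]
    # 1. Address: the host should own the scanned IP or sit behind NAT that does.
    owns_ip = outside["target_ip"] in (inside["iface_ip"], inside.get("nat_public_ip"))
    # 2. TTL: initial TTL minus path length should equal what the scan saw; a tunnel
    #    to a remote honeypot adds hops the scan never showed.
    expected_ttl = inside["default_ttl"] - hops
    ttl_ok = abs(expected_ttl - outside["ttl_seen"]) <= TTL_HOP_TOLERANCE
    # 3. RTT: the return path should be about as long as the forward path.
    asymmetry = abs(rtt_out - rtt_in) / max(rtt_out, rtt_in)
    # 4. Banner: the version on the wire should match the binary on the box.
    banner_ok = inside["ssh_version"] in outside["ssh_banner"]
    # 5. Neighbourhood: a host on a populated subnet resolves more than its gateway.
    neighbours = parse_ip_neigh(inside["ip_neigh"], inside["gateway"])
    return [
        Finding("ip", owns_ip, f"scanned {outside['target_ip']}, iface {inside['iface_ip']}"),
        Finding("ttl", ttl_ok, f"expected ~{expected_ttl}, scan saw {outside['ttl_seen']}"),
        Finding("rtt", asymmetry <= RTT_ASYMMETRY_TOLERANCE, f"out {rtt_out} ms, in {rtt_in} ms"),
        Finding("banner", banner_ok, f"wire {outside['ssh_banner']!r}"),
        Finding("neighbors", neighbours >= 1, f"{neighbours} non-gateway neighbours"),
    ]


def honeypot_suspected(findings: List[Finding]) -> bool:
    return sum(not f.consistent for f in findings) >= SUSPICION_THRESHOLD


# Constructed sample views (not captured from any real system).
_BANNER = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"
OUTSIDE_HONEYPOT = {"target_ip": "203.0.113.10", "ttl_seen": 51, "rtt_ms": 42.0, "ssh_banner": _BANNER}
INSIDE_HONEYPOT = {
    "iface_ip": "10.20.30.40", "nat_public_ip": "203.0.113.10", "gateway": "10.20.30.1",
    "default_ttl": 64, "ssh_version": "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "traceroute": """traceroute to 192.0.2.50 (192.0.2.50), 30 hops max, 60 byte packets
 1  10.20.30.1 (10.20.30.1)  0.412 ms
 2  172.16.0.1 (172.16.0.1)  38.901 ms
 3  100.64.5.9 (100.64.5.9)  95.020 ms
 4  192.0.2.50 (192.0.2.50)  120.113 ms
""",
    "ip_neigh": "10.20.30.1 dev eth0 lladdr 00:50:56:a1:b2:c3 REACHABLE\n",
}
OUTSIDE_GENUINE = {"target_ip": "198.51.100.7", "ttl_seen": 60, "rtt_ms": 40.0, "ssh_banner": _BANNER}
INSIDE_GENUINE = {
    "iface_ip": "198.51.100.7", "gateway": "198.51.100.1",
    "default_ttl": 64, "ssh_version": "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "traceroute": """traceroute to 192.0.2.50 (192.0.2.50), 30 hops max, 60 byte packets
 1  198.51.100.1 (198.51.100.1)  0.388 ms
 2  203.0.113.1 (203.0.113.1)  9.210 ms
 3  100.64.2.2 (100.64.2.2)  33.115 ms
 4  192.0.2.50 (192.0.2.50)  44.207 ms
""",
    "ip_neigh": "198.51.100.1 dev eth0 lladdr 00:50:56:11:22:33 REACHABLE\n"
                "198.51.100.12 dev eth0 lladdr 00:50:56:44:55:66 STALE\n"
                "198.51.100.23 dev eth0 lladdr 00:50:56:77:88:99 REACHABLE\n",
}

if __name__ == "__main__":
    for label, out, ins in (("honeypot", OUTSIDE_HONEYPOT, INSIDE_HONEYPOT),
                            ("genuine", OUTSIDE_GENUINE, INSIDE_GENUINE)):
        findings = cross_check(out, ins)
        print(label, "SUSPECTED" if honeypot_suspected(findings) else "consistent")
        for f in findings:
            print(f"  {f.artifact:9} {'ok ' if f.consistent else 'BAD'} {f.detail}")
```

On the constructed honeypot view the address and banner checks pass (the redirection preserves the public IP and the service), but the TTL, RTT and neighbourhood artifacts disagree with the scan, which is exactly the kind of inconsistency a stealthy redirection such as HoneyPortal has to hide; the genuine host passes all five. Each check uses a tolerance rather than exact equality because asymmetric routing and ARP cache expiry produce small disagreements on real hosts too, so a single mismatch should not by itself condemn a target.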



Acknowledgments

This work was supported in part by the Office of Naval Research grants N00014-16-1-3214, N00014-18-2893, and N00014-20-1-2407.

Corresponding author: Songsong Liu


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Liu, S. et al. (2022). Consistency is All I Ask: Attacks and Countermeasures on the Network Context of Distributed Honeypots. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_11


  • DOI: https://doi.org/10.1007/978-3-031-09484-2_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09483-5

  • Online ISBN: 978-3-031-09484-2

  • eBook Packages: Computer Science (R0)
