Xingyu Chen
ABSTRACT
Honeypot detection is a popular technology in the current cyber security, which can be used to check the disguise and protection level of deployed honeypots. To address the problem of low detection accuracy of existing honeypot detection techniques, this paper proposes a honeypot detection method based on the differences of anomalous requests’ response. The method uses the anomalous request packet construction method designed in this paper to construct anomalous request packets, and sends the constructed anomalous request packets to the identity-known devices to collect the responses. Combined with the responses analysis method designed in this paper, the responses are analyzed in terms of similarity in both content and structure dimensions, which enables the evaluation of anomalous request packets in turn, and the selection of those that can consistently trigger a differential response from the honeypots to form a probing packets set based on anomaly. A deep learning model aiming at honeypot detection is designed using the responses of the identity-known devices in response to the probing packets set based on anomaly. The model and the responses of the nodes to detect to the probing packets set based on anomaly are used to detect honeypots. Experiment shows that the method is able to detect the nodes to detect with an accuracy of 96.4%.
- Chuanlin Wang, Anning Shang. Preliminary study on the development of honeypot technology [J]. Information security and communication confidentiality, 2008(8):3.Google Scholar
- T. Holz and F. Raynal, "Detecting honeypots and other suspicious environments," Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, 2005, pp. 29-36, doi: 10.1109/IAW.2005.1495930.Google ScholarCross Ref
- Ping Wang, Lei Wu, Ryan Cunningham, and Cliff C. Zou. 2010. Honeypot detection in advanced botnet attacks. Int. J. Inf. Comput. Secur. 4, 1 (February 2010), 30–51. https://doi.org/10.1504/IJICS.2010.031858Google ScholarDigital Library
- Osama Hayatle, Amr Youssef, and Hadi Otrok. 2012. Dempster-Shafer Evidence Combining for Anti-Honeypot Technologies. Inf. Sec. J.: A Global Perspective 21, 6 (2012), 306–316. https://doi.org/10.1080/19393555.2012.738375Google ScholarDigital Library
- S. Morishita , "Detect Me If You… Oh Wait. An Internet-Wide View of Self-Revealing Honeypots," 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), 2019, pp. 134-143.Google Scholar
- Srinivasa, Shreyas “Gotta catch 'em all: a Multistage Framework for honeypot fingerprinting.” ArXiv abs/2109.10652 (2021): n. pag.Google Scholar
- S. Mukkamala, K. Yendrapalli, R. Basnet, M. K. Shankarapani and A. H. Sung, "Detection of Virtual Environments and Low Interaction Honeypots," 2007 IEEE SMC Information Assurance and Security Workshop, 2007, pp. 92-98, doi: 10.1109/IAW.2007.381919.Google ScholarCross Ref
- Papazis, K., Chilamkurti, N. Detecting indicators of deception in emulated monitoring systems. SOCA 13, 17–29 (2019). https://doi.org/10.1007/s11761-018-0252-2Google ScholarDigital Library
- Alexander Vetterl and Richard Clayton. 2018. Bitter harvest: systematically fingerprinting low- and medium-interaction honeypots at internet scale. In Proceedings of the 12th USENIX Conference on Offensive Technologies (WOOT'18). USENIX Association, USA, 9.Google Scholar
- Cheng Huang, Jiaxuan Han, Xing Zhang, Jiayong Liu, "Automatic Identification of Honeypot Server Using Machine Learning Techniques", Security and Communication Networks, vol. 2019, Article ID 2627608, 8 pages, 2019. https://doi.org/10.1155/2019/2627608Google ScholarCross Ref
- Murad Abdo Rassam and Mohd. Aizaini Maarof, "Artificial Immune Network Clustering approach for Anomaly Intrusion Detection," Journal of Advances in Information Technology, Vol. 3, No. 3, pp. 147-154, August, 2012.doi:10.4304/jait.3.3.147-154Google ScholarCross Ref
- Kavitha B., Karthikeyan S., and Sheeba Maybell P., "Emerging Intuitionistic Fuzzy Classifiers for Intrusion Detection System," Journal of Advances in Information Technology, Vol. 2, No. 2, pp. 99-108, May, 2011.doi:10.4304/jait.2.2.99-108Google ScholarCross Ref
- Omar Al-Jarrah and Ahmad Arafat, "Network Intrusion Detection System Using Neural Network Classification of Attack Behavior," Vol. 6, No. 1, pp. 1-8, February, 2015. doi:10.12720/jait.6.1.1-8Google ScholarCross Ref
- Md. Badiuzzaman Pranto, Md. Hasibul Alam Ratul, Md. Mahidur Rahman, Ishrat Jahan Diya, and Zunayeed-Bin Zahir, "Performance of Machine Learning Techniques in Anomaly Detection with Basic Feature Selection Strategy - A Network Intrusion Detection System," Journal of Advances in Information Technology, Vol. 13, No. 1, pp. 36-44, February 2022.Google Scholar
- Siphesihle P. Sithungu and Elizabeth M. Ehlers, "GAAINet: A Generative Adversarial Artificial Immune Network Model for Intrusion Detection in Industrial IoT Systems," Journal of Advances in Information Technology, Vol. 13, No. 5, pp. 456-461, October 2022.Google Scholar
- Gunay Abdiyeva-Aliyeva and Mehran Hematyar, "Statistic Approached Dynamically Detecting Security Threats and Updating a Signature-Based Intrusion Detection System's Database in NGN," Journal of Advances in Information Technology, Vol. 13, No. 5, pp. 524-529, October 2022.Google Scholar
- Fielding R, Gettys J, Mogul J, RFC2616: Hypertext Transfer Protocol–HTTP/1.1 [J]. 1999.Google ScholarDigital Library
- Weiming Li, Aifang Zhang, Jiancai Liu, Zhitang Li. Automated fuzz testing vulnerability mining methods for network protocols [J]. Journal of Computer Science ,2011,34(02):242-255.Google Scholar
- Luo C, Zhan J, Xue X, Cosine normalization: Using cosine similarity instead of dot product in neural networks [C]//International Conference on Artificial Neural Networks. Springer, Cham, 2018: 382-391.Google Scholar
- Gulati A, Holler A, Ji M, Vmware distributed resource management: Design, implementation, and lessons learned [J]. VMware Technical Journal, 2012, 1(1): 45-64.Google Scholar
- Singh U, Garg U. An ASCII value based text data encryption System [J]. International Journal of Scientific and Research Publications, 2013, 3(11): bll 2250-3153.Google Scholar
- McCann J, Deering S, Mogul J, Path MTU Discovery for IP version 6 [R]. 2017.Google ScholarDigital Library
- CHN.Faker. Which is more scientific, Chinese or American rankings? [EB/OL]. [2022-10-04]. https://www.zhihu.com/question/422508480.Google Scholar
- Iandola F N, Han S, Moskewicz M W, SqueezeNet: AlexNet-level accuracy with 50x fewer parameters and < 0.5 MB model size [J]. arXiv preprint arXiv:1602.07360, 2016.Google Scholar
- Yalta K, Ozturk S, Yetkin E. Golden Ratio and the heart: A review of divine aesthetics [J]. International journal of cardiology, 2016, 214: 107-112.Google ScholarCross Ref
- Berners-Lee T, Fielding R, Frystyk H. Hypertext transfer protocol–HTTP/1.0 [R]. 1996.Google ScholarDigital Library
- Fielding R, Gettys J, Mogul J, Hypertext transfer protocol–HTTP/1.1 [R]. 1999.Google ScholarDigital Library
- J. Iyengar, Ed, QUIC: A UDP-Based Multiplexed and Secure Transport, draft-ietf-quic-transport-27, 21 February 2020; https://datatracker.ietf.org/doc/html/draft-ietf-quic-transport-27Google Scholar
- Fielding R, Reschke J. Hypertext transfer protocol (HTTP/1.1): Semantics and content [R]. 2014.Google ScholarDigital Library
- Kalita L. Socket programming [J]. International Journal of Computer Science and Information Technologies, 2014, 5(3): 4802-4807.Google Scholar
- Pazzi Robotics. Express Honeypot [EB/OL]. 2022.1 [2022.8.31]. https://github.com/christophe77/express-honeypot.Google Scholar
- Kayos. HellPot [EB/OL]. 2022.4 [2022.8.31]. https://github.com/yunginnanet/HellPot.Google Scholar
- Markus Schmall. NodePot [EB/OL]. 2015.8 [2022.8.31]. https://github.com/schmalle/Nodepot.Google Scholar
- Leaden G, Zimmermann M, DeCusatis C, An API honeypot for DDoS and XSS analysis [C]//2017 IEEE MIT Undergraduate Research Technology Conference (URTC). IEEE, 2017: 1-4.Google Scholar
- Thandeeswaran R, Subhashini S, Jeyanthi N, Secured multi-cloud virtual infrastructure with improved performance [J]. Cybernetics and Information Technologies, 2012, 12(2): 11-22.Google ScholarDigital Library
- Brady Sullivan. Drupot [EB/OL]. 2020.6 [2022.8.31]. https://github.com/d1str0/drupot.Google Scholar
- Willem Mouton. OWA-honeypot [EB/OL]. 2019.6 [2022.8.31]. https://github.com/joda32/owa-honeypot/find/master.Google Scholar
- Karabulut B, Aydin M A, Zaim A H. An Application on Honeypot-Based Hybrid Deployment System: in the Turkish Software Industry [J]. BSEU Journal of Engineering Research and Technology, 2020, 1(1): 24-30.Google Scholar
- Wafi H, Fiade A, Hakiem N, Implementation of a modern security systems honeypot honey network on wireless networks [C]//2017 International Young Engineers Forum (YEF-ECE). IEEE, 2017: 91-96.Google Scholar
- Acosta J C, Basak A, Kiekintveld C, Lightweight On-demand Honeypot Deployment for Cyber Deception [C]//International Conference on Digital Forensics and Cyber Crime. Springer, Cham, 2022: 294-312.Google Scholar
- Candes E, Fan Y, Janson L, Panning for gold:‘model‐X'knockoffs for high dimensional controlled variable selection [J]. Journal of the Royal Statistical Society: Series B (Statistical Methodology), 2018, 80(3): 551-577.sGoogle ScholarCross Ref
Index Terms
- Honeypot Detection Method Based on Anomalous Requests Response Differences
Recommendations
Honeypot detection in advanced botnet attacks
Botnets have become one of the major attacks in the internet today due to their illicit profitable financial gain. Meanwhile, honeypots have been successfully deployed in many computer security defence systems. Since honeypots set up by security ...
Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes
This paper reports the design principles and evaluation results of a new experimental hybrid intrusion detection system (HIDS). This hybrid system combines the advantages of low false-positive rate of signature-based intrusion detection system (IDS) and ...
Detecting botnet by anomalous traffic
Botnets can cause significant security threat and huge loss to organizations, and are difficult to discover their existence. Therefore they have become one of the most severe threats on the Internet. The core component of botnets is their command and ...
Comments