SpringerLink
Log in

Lightweight On-Demand Honeypot Deployment for Cyber Deception

  • Conference paper
  • First Online:
Digital Forensics and Cyber Crime (ICDF2C 2021)

Included in the following conference series:

  • 1156 Accesses

Abstract

Honeypots that are capable of deceiving attackers are an effective tool because they not only help protect networks and devices, but also because they collect information that can lead to the understanding of an attacker’s strategy and intent. Several trade-offs must be considered when employing honeypots. Systems and services in a honeypot must be relevant and attractive to an adversary and the computing and manpower costs must fit within the function and budget constraints of the system.

It is infeasible to instigate a single, static configuration to accommodate every type of system or target every possible adversary. The work we describe in this paper demonstrates a novel approach, introducing new capabilities to the Cyber Deception Experimentation System (CDES) to realize selective and on-demand honeypot instantiation. This allows honeypot resources to be introduced dynamically in response to detected adversarial actions. These honeypots consist of kernel namespaces and virtual machines that are invoked from an “at-rest” state. We provide a case study and analyze the performance of CDES when placed inline on a network. We also use CDES to start and subsequently redirect traffic to different honeynets dynamically. We show that these mechanisms can be used to swap with no noticeable delay. Additionally, we show that Nmap host-specific scans can be thwarted during a real scan, so that probes are sent to a honey node instead of to the legitimate node.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
EUR 29.95
Price includes VAT (Germany)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
EUR 71.68
Price includes VAT (Germany)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
EUR 90.94
Price includes VAT (Germany)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free ship** worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Acosta, J.C., Basak, A., Kiekintveld, C., Leslie, N., Kamhoua, C.: Cybersecurity deception experimentation system. In: 2020 IEEE Secure Development (SecDev), pp. 34–40. IEEE (2020)

    Google Scholar 

  2. Basak, A., Kamhoua, C., Venkatesan, S., Gutierrez, M., Anwar, A.H., Kiekintveld, C.: Identifying stealthy attackers in a game theoretic framework using deception. In: Alpcan, T., Vorobeychik, Y., Baras, J.S., Dán, G. (eds.) GameSec 2019. LNCS, vol. 11836, pp. 21–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32430-8_2

    Chapter  Google Scholar 

  3. dmpayton: Django Admin Honeypot. https://github.com/dmpayton/django-admin-honeypot. Accessed 20 Mar 2021

  4. huuck: ADBHoney. https://github.com/huuck/ADBHoney. Accessed 20 Mar 2021

  5. Jicha, A., Patton, M., Chen, H.: SCADA honeypots: an in-depth analysis of Conpot. In: 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pp. 196–198. IEEE (2016)

    Google Scholar 

  6. KeyFocus: KFSensor. http://www.keyfocus.net/kfsensor/features/. Accessed 20 Mar 2021

  7. Sandia National Laboratories: HADES. https://www.osti.gov/servlets/purl/1525940. Accessed 29 Mar 2021

  8. Lyon, G.F.: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure. Com LLC, US (2008)

    Google Scholar 

  9. Nazario, J.: Awesome-Honeypots. https://github.com/paralax/awesome-honeypots. Accessed 20 Mar 2021

  10. Provos, N.: Honeyd-a virtual honeypot daemon. In: 10th DFN-CERT Workshop, Hamburg, Germany, vol. 2, p. 4 (2003)

    Google Scholar 

  11. Razmjoo, A.: OWASP Honeypot. https://github.com/OWASP/Python-Honeypot/wiki. Accessed 20 Mar 2021

  12. Cymmetria Research: Struts Honeypot. https://github.com/Cymmetria/StrutsHoneypot. Accessed 20 Mar 2021

  13. schmalle: Nodepot. https://github.com/schmalle/Nodepot. Accessed 20 Mar 2021

  14. Spitzner, L.: The honeynet project: trap** the hackers. IEEE Secur. Priv. 1(2), 15–23 (2003)

    Article  Google Scholar 

  15. Stahn, M.: pypacker. https://gitlab.com/mike01/pypacker. Accessed 20 Mar 2021

  16. travisbgreen: AMT Honeypot. https://github.com/travisbgreen/intel_amt_honeypot. Accessed 20 Mar 2021

  17. TrendMicro: GasPot. https://github.com/sjhilt/GasPot. Accessed 20 Mar 2021

  18. Yadav, T., Rao, A.M.: Technical aspects of cyber kill chain. In: Abawajy, J.H., Mukherjea, S., Thampi, S.M., Ruiz-Martínez, A. (eds.) SSCC 2015. CCIS, vol. 536, pp. 438–452. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22915-7_40

    Chapter  Google Scholar 

Download references

Acknowledgment

This research was sponsored by the U.S. Army Combat Capabilities Development Command Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Army Combat Capabilities Development Command Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes not withstanding any copyright notation here on.

Author information

Authors and Affiliations

  1. DEVCOM Army Research Laboratory, Adelphi, USA

    Jaime C. Acosta & Charles Kamhoua

  2. Department of Computer Science, University of Texas at El Paso, El Paso, USA

    Anjon Basak & Christopher Kiekintveld

Authors
  1. Jaime C. Acosta
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Anjon Basak
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Christopher Kiekintveld
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Charles Kamhoua
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jaime C. Acosta .

Editor information

Editors and Affiliations

  1. School of Computer Science, University College Dublin, Dublin, Ireland

    Pavel Gladyshev

  2. State University of New York, University at Albany, Albany, NY, USA

    Sanjay Goel

  3. DFIR Science, Champaign, IL, USA

    Joshua James

  4. Missouri University, Rolla, MO, USA

    George Markowsky

  5. Rochester Institute of Technology, Rochester, NY, USA

    Daryl Johnson

Rights and permissions

Reprints and permissions

Copyright information

© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Acosta, J.C., Basak, A., Kiekintveld, C., Kamhoua, C. (2022). Lightweight On-Demand Honeypot Deployment for Cyber Deception. In: Gladyshev, P., Goel, S., James, J., Markowsky, G., Johnson, D. (eds) Digital Forensics and Cyber Crime. ICDF2C 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 441. Springer, Cham. https://doi.org/10.1007/978-3-031-06365-7_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-06365-7_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-06364-0

  • Online ISBN: 978-3-031-06365-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation