Adapting with Honeypot Configurations to Detect Evolving Exploits

Honeypots are decoy cyberdefense systems placed in a network to entice malicious entities into attacking in order to waste attacker resources and learn information about attack behavior or previously unknown exploits. We focus on the strategic selection of various honeypot configurations in order to adapt to an intelligent attacker amidst a dynamic environment. In order to infiltrate networks, attackers leverage various exploits on the system. However, these exploits and the value they provide dynamically change over time as more information is gathered about them. We introduce a model that addresses the combinatorial complexity of the honeypot selection problem and allow for these dynamic exploits. To solve this new problem, we map this model to a Multi-Armed Bandit (MAB) problem, which is a class of machine learning problems that maintain balance between exploration and exploitation. We show empirically that both stochastic and adversarial MAB solutions improve over static defense strategies.