Self-Adaptive Honeypots Coercing and Assessing Attacker Behaviour

Information security communities are always talking about ”attackers” or “blackhats”, but in reality very little is known about their skills. The idea of studying attacker behaviors was pioneered in the early nineties. In the last decade the number of attacks has increased exponentially and honeypots were introduced in order to gather information about attackers and to develop early-warning systems. Honeypots come in different flavors with respect to their interaction potential. A honeypot can be very restrictive, but this implies only a few interactions. However, if a honeypot is very tolerant, attackers can quickly achieve their goal. Choosing the best trade-off between attacker freedom and honeypot restrictions is challenging. In this dissertation, we address the issue of self-adaptive honeypots that can change their behavior and lure attackers into revealing as much information as possible about themselves. Rather than being allowed simply to carry out attacks, attackers are challenged by strategic interference from adaptive honeypots. The observation of the attackers’ reactions is particularly interesting and, using derived measurable criteria, the attacker’s skills and capabilities can be assessed by the honeypot operator. Attackers enter sequences of inputs on a compromised system which is generic enough to characterize most attacker behaviors. Based on these principles, we formally model the interactions of attackers with a compromised system. The key idea is to leverage game-theoretic concepts to define the configuration and reciprocal actions of high-interaction honeypots. We have also leveraged machine learning techniques for this task and have developed a honeypot that uses a variant of reinforcement learning in order to arrive at the best behavior when facing attackers. The honeypot is capable of adopting behavioral strategies that vary from blocking commands or returning erroneous messages, right up to insults that aim to irritate the intruder and serve as a reverse Turing Test distinguishing human attackers from machines. Our experimental results show that behavioral strategies are dependent on contextual parameters and can serve as advanced building blocks for intelligent honeypots. The knowledge obtained can be used either by the adaptive honeypots themselves or to reconfigure low-interaction honeypots. te l-0 06 27 98 1, v er si on 1 30 S ep 2 01 1