Dempster-Shafer Evidence Combining for (Anti)-Honeypot Technologies

ABSTRACT Honeypots are network surveillance architectures designed to resemble easy-to-compromise computer systems. They are deployed to trap hackers in order to help security professionals capture, control, and analyze malicious Internet attacks and other hacker activities. A botnet is an army of compromised computers controlled by a bot herder and used for illicit financial gain. Botnets have become quite popular in recent Internet attacks. Since honeypots have been deployed in many defense systems, attackers constructing and maintaining botnets are forced to find ways to avoid honeypot traps. In fact, some researchers have even suggested equipping normal machines with misleading evidence so that they appear as honeypots in order to scare away rational attackers. In this paper, we address some aspects of the problem of honeypot detection by botmasters. In particular, we show that current honeypot architectures and operational limitations may allow attackers to systematically collect, combine, and analyze evidence about the true nature of the machines they compromise. We further show how a systematic evidence-combining technique such as Dempster-Shafer theory can allow botmasters to determine the true nature of compromised machines with relatively high certainty. The obtained results demonstrate inherent limitations of current honeypot designs. We also aim to draw the attention of security professionals to enhancing the discussed features of honeypots in order to prevent them from being abused by botmasters.
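Dempster's rule of combination, the evidence-combining technique the abstract refers to, as an added Python example that is not code from the paper: it combines independent mass functions over the frame {honeypot, normal} and reports belief and plausibility for the honeypot hypothesis, which is how a honeypot operator can estimate how much certainty a given set of leaked indicators would hand an observer. The three evidence sources and their mass values are constructed for illustration and are not taken from the paper.

```python
from functools import reduce
from itertools import product
from typing import Dict, FrozenSet, Iterable

# A mass function assigns belief mass to subsets of the frame of discernment.
Mass = Dict[FrozenSet[str], float]
HONEYPOT = frozenset({"honeypot"})
NORMAL = frozenset({"normal"})
THETA = HONEYPOT | NORMAL  # the whole frame: mass here means "undecided"

def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: m(A) = sum over B∩C=A of m1(B)*m2(C) / (1 - K),
    where K is the total mass landing on disjoint (conflicting) pairs."""
    joint: Dict[FrozenSet[str], float] = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            joint[a] = joint.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0 - 1e-12:
        # Fully contradictory sources: the rule is undefined, do not divide by zero.
        raise ValueError("total conflict between evidence sources")
    return {a: v / (1.0 - conflict) for a, v in joint.items()}

def combine_all(masses: Iterable[Mass]) -> Mass:
    """Fold any number of independent sources (the rule is commutative and associative)."""
    return reduce(combine, masses)

def belief(m: Mass, a: FrozenSet[str]) -> float:
    """Bel(A): mass of every focal set contained in A (lower bound on support)."""
    return sum(v for b, v in m.items() if b <= a)

def plausibility(m: Mass, a: FrozenSet[str]) -> float:
    """Pl(A): mass of every focal set compatible with A (upper bound on support)."""
    return sum(v for b, v in m.items() if b & a)

# Constructed sample evidence: three independent, individually weak observations.
EVIDENCE = [
    {HONEYPOT: 0.6, THETA: 0.4},  # leans honeypot, 40% undecided
    {HONEYPOT: 0.5, THETA: 0.5},  # another weak honeypot indicator
    {NORMAL: 0.2, THETA: 0.8},    # weak evidence pointing the other way
]

def assess(evidence: Iterable[Mass] = EVIDENCE) -> tuple:
    """Combine all evidence and return (Bel, Pl) for the honeypot hypothesis."""
    m = combine_all(evidence)
    return belief(m, HONEYPOT), plausibility(m, HONEYPOT)
```

With the constructed masses, two weak pro-honeypot sources and one weak contrary source combine to Bel(honeypot) of about 0.76 and Pl(honeypot) of about 0.95, which is the accumulation effect the abstract warns about.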
