A Markov Decision Process Model for High Interaction Honeypots

Abstract. Honeypots, which are traps designed to resemble easy-to-compromise computer systems, have become essential tools for security professionals and researchers because of their significant contribution to disclosing the underworld of cybercrime. However, recent years have witnessed the development of several anti-honeypot technologies. Botmasters can exploit the fact that honeypots must not participate in illegal actions by commanding a compromised machine to act maliciously against specific targets, which are used as sensors to measure whether those commands were executed. A machine that does not allow such attacks to execute is more likely to be a honeypot. Consequently, honeypot operators need to choose the response that best balances the risk of being disclosed against the liability of participating in illicit actions. In this paper, we consider the optimal response strategy for honeypot operators. In particular, we model the interaction between botmasters and honeypots as a Markov Decision Process (MDP) and then determine the optimal policy for a honeypot responding to a botmaster's commands. The model is then extended to a Partially Observable Markov Decision Process (POMDP), which allows honeypot operators to capture their uncertainty about how the botmaster currently assesses the honeypot. The analysis of our model confirms that exploiting the legal liability of honeypots gives botmasters the upper hand in their conflict with honeypots. Despite this deficiency in current honeypot designs, our model can help honeypot operators determine the optimal strategy for responding to botmasters' commands. We also provide simulation results that show the honeypots' optimal response strategies and their expected rewards under different attack scenarios.
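The following is an added illustration of the kind of MDP the abstract describes; it is not the paper's model or code. The states (how the botmaster currently regards the honeypot), the two honeypot actions (comply with a malicious command or refuse it), the transition probabilities and the reward values are all constructed assumptions chosen to make the trade-off visible: complying earns full intelligence but costs liability, refusing is safe but erodes the botmaster's trust, and a disclosed honeypot earns nothing further. Value iteration then yields the optimal policy per state.

```python
"""Toy honeypot-response MDP solved by value iteration (constructed example)."""
from typing import Dict, Tuple

State = str
Action = str

# Assumed states: the botmaster's current assessment of the honeypot.
STATES: Tuple[State, ...] = ("trusted", "suspicious", "disclosed")
ACTIONS: Tuple[Action, ...] = ("comply", "refuse")
TERMINAL: State = "disclosed"  # absorbing: botmaster abandons the honeypot


def build_model(r_intel: float = 1.0, c_liability: float = 0.6,
                r_partial: float = 0.5):
    """Return (rewards, transitions) for the constructed model.

    r_intel      intelligence gained when the command is executed
    c_liability  legal/ethical cost of executing a malicious command
    r_partial    intelligence gained from merely observing a refused command
    All values and probabilities are illustrative assumptions.
    """
    rewards: Dict[Action, float] = {
        "comply": r_intel - c_liability,
        "refuse": r_partial,
    }
    transitions: Dict[Tuple[State, Action], Dict[State, float]] = {
        ("trusted", "comply"): {"trusted": 0.95, "suspicious": 0.05},
        ("trusted", "refuse"): {"trusted": 0.30, "suspicious": 0.70},
        ("suspicious", "comply"): {"trusted": 0.60, "suspicious": 0.40},
        ("suspicious", "refuse"): {"suspicious": 0.20, "disclosed": 0.80},
    }
    # Sanity check a practitioner should always run on a hand-built model.
    for key, dist in transitions.items():
        total = sum(dist.values())
        if abs(total - 1.0) > 1e-12:
            raise ValueError(f"transition {key} sums to {total}, not 1")
    return rewards, transitions


def q_value(s: State, a: Action, values: Dict[State, float],
            rewards, transitions, gamma: float) -> float:
    """One-step lookahead: immediate reward plus discounted expected value."""
    expected = sum(p * values[s2] for s2, p in transitions[(s, a)].items())
    return rewards[a] + gamma * expected


def solve(r_intel: float = 1.0, c_liability: float = 0.6,
          r_partial: float = 0.5, gamma: float = 0.9,
          tol: float = 1e-10, max_iter: int = 100_000):
    """Value iteration; returns (state values, greedy policy)."""
    rewards, transitions = build_model(r_intel, c_liability, r_partial)
    values: Dict[State, float] = {s: 0.0 for s in STATES}
    for _ in range(max_iter):
        delta = 0.0
        for s in STATES:
            if s == TERMINAL:
                continue  # no further reward once disclosed
            best = max(q_value(s, a, values, rewards, transitions, gamma)
                       for a in ACTIONS)
            delta = max(delta, abs(best - values[s]))
            values[s] = best
        if delta < tol:
            break
    policy: Dict[State, Action] = {
        s: max(ACTIONS,
               key=lambda a: q_value(s, a, values, rewards, transitions, gamma))
        for s in STATES if s != TERMINAL
    }
    return values, policy


if __name__ == "__main__":
    for c in (0.0, 0.6, 100.0):
        v, pi = solve(c_liability=c)
        print(f"liability cost {c:>6}: policy={pi}, "
              f"V(trusted)={v['trusted']:.3f}, V(suspicious)={v['suspicious']:.3f}")
```

With the default parameters the optimal policy is to refuse while still trusted (spending accumulated trust to avoid liability) and to comply once suspected (rebuilding trust rather than risking disclosure); raising the liability cost far enough makes refusing optimal everywhere, and setting it to zero makes complying optimal everywhere. The POMDP extension mentioned in the abstract would replace the known state with a belief distribution over these same states.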
