A game theoretic investigation for high interaction honeypots

Honeypots are traps designed to resemble easy-to-compromise computer systems in order to deceive botmasters. Such security traps help security professionals collect valuable information about botmasters' techniques and true identities. Depending on the complexity of the services a honeypot provides, botmasters might be able to detect these traps by performing a series of tests. In particular, to detect honeypots, botmasters can command compromised machines to perform specific actions, such as targeting sensor machines that the botmasters control. If honeypots are designed to ignore these commands completely, botmasters can easily detect them. On the other hand, full participation by honeypots in such activities has its associated costs and may lead to legal liabilities. This raises the need to find the optimal response strategy for the honeypot, one that prolongs its stay within the botnet without incurring liability. In this paper, we address the problem of honeypot detection by botmasters. In particular, we present a Bayesian game theoretic framework that models the interaction between honeypots and botmasters as a non-zero-sum noncooperative game with uncertainty. The game solution illustrates the optimal response available to both players. Simulations are conducted to show the botmasters' behavior update and the possible interactions between the game players. The obtained results can be utilized by security professionals to determine their best response to this kind of probe by botmasters.
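The trade-off the abstract describes can be made concrete with a small belief-update sketch. This is an added illustration, not the paper's game or its payoffs: it assumes a real bot executes a test command with probability `p_real`, a honeypot with probability `p_honeypot`, and a liability `cost` per executed command, and every name and number in it is constructed for the example.

```python
import math

def update_belief(prior, executed, p_honeypot, p_real):
    """Posterior P(honeypot) after one test command is executed or ignored."""
    like_h = p_honeypot if executed else 1.0 - p_honeypot
    like_r = p_real if executed else 1.0 - p_real
    evidence = prior * like_h + (1.0 - prior) * like_r
    if evidence == 0.0:
        raise ValueError("observation impossible under both bot types")
    return prior * like_h / evidence

def drift_per_probe(p_honeypot, p_real):
    """Expected log-odds gain per probe when the bot really is a honeypot.
    This is KL(Bernoulli(p_honeypot) || Bernoulli(p_real))."""
    if not 0.0 < p_real < 1.0:
        raise ValueError("p_real must lie strictly between 0 and 1")
    drift = 0.0
    for ph, pr in ((p_honeypot, p_real), (1.0 - p_honeypot, 1.0 - p_real)):
        if ph > 0.0:  # a zero-probability outcome contributes nothing
            drift += ph * math.log(ph / pr)
    return drift

def expected_probes_to_detection(prior, threshold, p_honeypot, p_real):
    """Approximate probes needed before the belief crosses the threshold."""
    def logit(x):
        return math.log(x / (1.0 - x))
    drift = drift_per_probe(p_honeypot, p_real)
    if drift < 1e-12:  # responses indistinguishable from a real bot
        return math.inf
    return (logit(threshold) - logit(prior)) / drift

def tradeoff(prior, threshold, p_real, cost, candidates):
    """(response probability, expected liability per probe, probes survived)."""
    return [(p, p * cost,
             expected_probes_to_detection(prior, threshold, p, p_real))
            for p in candidates]

if __name__ == "__main__":
    # Constructed parameters: 10% prior, 90% detection threshold, unit cost.
    for p, liability, probes in tradeoff(0.1, 0.9, 0.9, 1.0,
                                         [0.0, 0.25, 0.5, 0.75, 0.9]):
        print(f"p={p:.2f} liability={liability:.2f} probes={probes:.1f}")
```

Under these assumptions, a honeypot that ignores every command is expected to be flagged after about two probes, while one that mimics a real bot's execution rate is never distinguished but carries the highest expected liability.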
