Using Reinforcement Learning to Conceal Honeypot Functionality

Automated malware employs honeypot-detection mechanisms within its code. Once honeypot functionality has been exposed, malware such as botnets will cease the attempted compromise. Subsequent malware variants employ similar techniques to evade detection by known honeypots. This reduces the potential size of a captured dataset and the scope of subsequent analysis. This paper presents findings on the deployment of a honeypot that uses reinforcement learning to conceal its functionality. The adaptive honeypot learns the best responses to overcome initial detection attempts by implementing a reward function whose goal is to maximise attacker command transitions. The paper demonstrates that the honeypot quickly identifies the best response to overcome initial detection and subsequently increases attacker command transitions. It also examines the structure of a captured botnet and charts the learning evolution of the honeypot for repetitive automated malware. Finally, it suggests changes to an existing taxonomy governing honeypot development, based on the learning evolution of the adaptive honeypot. Code related to this paper is available at: https://github.com/sosdow/RLHPot.
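To make the abstract's mechanism concrete, the following is an added toy illustration (not the paper's RLHPot code and not its actual state, action or reward design) of a tabular Q-learning honeypot that learns which response to give at each attacker command. Everything in it is an assumption for illustration: the scripted bot, its four-command sequence, the three hypothetical response types, the rule that the bot aborts at its "probe" step unless it sees a substituted, genuine-looking reply, and a reward of one point per attacker command transition.

```python
"""Toy Q-learning honeypot (added example; constructed scenario, not RLHPot)."""
import random

# Constructed attacker model (assumption): an automated bot issues this fixed
# command sequence and, at "probe", aborts if the reply exposes honeypot artefacts.
ATTACK_SCRIPT = ["login", "probe", "download", "execute"]
# Hypothetical response types the honeypot can choose between.
ACTIONS = ["allow", "block", "substitute"]


def bot_continues(command, action):
    """Does the scripted bot issue its next command after this response?"""
    if action == "block":
        return False
    if command == "probe":
        # Only a substituted, genuine-looking reply survives the detection check.
        return action == "substitute"
    return True


def step(state_idx, action):
    """Environment transition: reward is +1 per attacker command transition (assumption)."""
    command = ATTACK_SCRIPT[state_idx]
    last = state_idx == len(ATTACK_SCRIPT) - 1
    if last or not bot_continues(command, action):
        return None, 0.0  # episode ends; no further transition observed
    return state_idx + 1, 1.0


def train(episodes=500, alpha=0.5, gamma=0.9, epsilon=0.2, seed=0):
    """Tabular Q-learning with epsilon-greedy exploration.

    Returns the Q table and a per-episode history of observed transitions,
    which charts the honeypot's learning evolution.
    """
    rng = random.Random(seed)
    q = {cmd: {a: 0.0 for a in ACTIONS} for cmd in ATTACK_SCRIPT}
    history = []
    for _ in range(episodes):
        s, transitions = 0, 0
        while s is not None:
            cmd = ATTACK_SCRIPT[s]
            if rng.random() < epsilon:
                a = rng.choice(ACTIONS)
            else:
                a = max(ACTIONS, key=lambda x: q[cmd][x])  # ties go to the first action
            s_next, r = step(s, a)
            future = 0.0 if s_next is None else max(q[ATTACK_SCRIPT[s_next]].values())
            q[cmd][a] += alpha * (r + gamma * future - q[cmd][a])
            transitions += int(r)
            s = s_next
        history.append(transitions)
    return q, history


def greedy_policy(q):
    """Best response per attacker command according to the learned Q table."""
    return {cmd: max(ACTIONS, key=lambda a: q[cmd][a]) for cmd in ATTACK_SCRIPT}


def count_transitions(policy):
    """Run one episode with a fixed policy and count attacker command transitions."""
    s, total = 0, 0
    while s is not None:
        s, r = step(s, policy[ATTACK_SCRIPT[s]])
        total += int(r)
    return total


if __name__ == "__main__":
    q, history = train()
    policy = greedy_policy(q)
    print("learned policy:", policy)
    print("transitions under learned policy:", count_transitions(policy))
    print("transitions in first/last 20 episodes:", history[:20], history[-20:])
```

Because "block" and a revealing "allow" at the probe step both end the episode with no further transitions, their Q values never rise above zero, while "substitute" at the probe step accumulates the discounted value of the commands that follow it; the learned greedy policy therefore keeps the bot issuing commands through the whole script. The `history` list is what one would plot to see the learning curve described in the abstract.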
