论文信息 - Detection of Virtual Environments and Low Interaction Honeypots

Detection of Virtual Environments and Low Interaction Honeypots

This paper focuses on the detection of virtual environments and low interaction honeypots by using a feature set that is built using traditional system and network level finger printing mechanisms. Earlier work in the area has been mostly based on the system level detection. The results aim at bringing out the limitations in the current honeypot technology. This paper also describes the results concerning the robustness and generalization capabilities of kernel methods in detecting honeypots using system and network finger printing data. We use traditional support vector machines (SVM), biased support vector machine (BSVM) and leave-one-out model selection for support vector machines (looms) for model selection. We also evaluate the impact of kernel type and parameter values on the accuracy of a support vector machine (SVM) performing honeypot classification. Through a variety of comparative experiments, it is found that SVM performs the best for data sent on the same network; BSVM performs the best for data sent from a remote network.

[1] Chih-Jen Lin,et al. A comparison of methods for multiclass support vector machines , 2002, IEEE Trans. Neural Networks.

[2] Olivier Chapelle,et al. Model Selection for Support Vector Machines , 1999, NIPS.

[3] Chi-Hang Chan,et al. Using Biased Support Vector Machine to Improve Retrieval Result in Image Retrieval with Self-organizing Map , 2004, ICONIP.

[4] James P. Egan,et al. Signal detection theory and ROC analysis , 1975 .

[5] Vladimir Cherkassky,et al. Model complexity control and statistical learning theory , 2002, Natural Computing.

[6] Kevin Curran,et al. Monitoring hacker activity with a Honeynet , 2005 .

[7] A.H. Sung,et al. Network Based Detection of Virtual Environments and Low Interaction Honeypots , 2006, 2006 IEEE Information Assurance Workshop.