Article

On Recognizing Virtual Honeypots and Countermeasures

Authors:

Wei Yu,

Steve GrahamAuthors Info & Claims

DASC '06: Proceedings of the 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing

Pages 211 - 218

https://doi.org/10.1109/DASC.2006.36

Published: 29 September 2006 Publication History

Publisher Site

Abstract

Honeypots are decoys designed to trap, delay, and gather information about attackers. We can use honeypot logs to analyze attackers' behaviors and design new defenses. A virtual honeypot can emulate multiple honeypots on one physical machine and provide great flexibility in representing one or more networks of machines. But when attackers recognize a honeypot, it becomes useless. In this paper, we address issues related to detecting and "camouflaging" virtual honeypots, in particular Honeyd, which can emulate any size of network on physical machines. We find that an attacker may remotely fingerprint Honeyd by measuring the latency of the network links emulated by Honeyd. We analyze the threat from this fingerprint attack based on the Neyman-Pearson decision theory and find that this class of attack can achieve a high detection rate and low false alarm rate. In order to counter this fingerprint attack, we make virtual honeypots behave like their surrounding networks and blend in with their surroundings. We design a camouflaged Honeyd by revising a small part of the Honeyd toolkit code and by appropriately patching the operating system. Our experiments demonstrate the effectiveness of our approach to camouflaging Honeyd.

Cited By

View all

Zhang LThing V(2021)Three decades of deception techniques in active cyber defense - Retrospect and outlookComputers and Security10.1016/j.cose.2021.102288106:COnline publication date: 1-Jul-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102288
Huang CHan JZhang XLiu J(2019)Automatic Identification of Honeypot Server Using Machine Learning TechniquesSecurity and Communication Networks10.1155/2019/26276082019Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.1155/2019/2627608
Papazis KChilamkurti N(2019)Detecting indicators of deception in emulated monitoring systemsService Oriented Computing and Applications10.1007/s11761-018-0252-213:1(17-29)Online publication date: 1-Mar-2019
https://dl.acm.org/doi/10.1007/s11761-018-0252-2
Show More Cited By

Index Terms

On Recognizing Virtual Honeypots and Countermeasures

Recommendations

Virtual honeypots: from botnet tracking to intrusion detection
Virtual honeypots and detection of telnet botnets
CECC 2018: Proceedings of the Central European Cybersecurity Conference 2018

Despite recommendations to not use telnet, there is an increasing number of telnet-based botnets and a need to analyse these attacks. We deployed a network of high interaction honeypots that simulate telnet devices. From the collected data, we created a ...
Heat-seeking honeypots: design and experience
WWW '11: Proceedings of the 20th international conference on World wide web

Many malicious activities on the Web today make use of compromised Web servers, because these servers often have high pageranks and provide free resources. Attackers are therefore constantly searching for vulnerable servers. In this work, we aim to ...

Comments

Information & Contributors

Information

Published In

DASC '06: Proceedings of the 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing

September 2006

348 pages

ISBN:0769525393

Publisher

IEEE Computer Society

United States

Publication History

Published: 29 September 2006

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Zhang LThing V(2021)Three decades of deception techniques in active cyber defense - Retrospect and outlookComputers and Security10.1016/j.cose.2021.102288106:COnline publication date: 1-Jul-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102288
Huang CHan JZhang XLiu J(2019)Automatic Identification of Honeypot Server Using Machine Learning TechniquesSecurity and Communication Networks10.1155/2019/26276082019Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.1155/2019/2627608
Papazis KChilamkurti N(2019)Detecting indicators of deception in emulated monitoring systemsService Oriented Computing and Applications10.1007/s11761-018-0252-213:1(17-29)Online publication date: 1-Mar-2019
https://dl.acm.org/doi/10.1007/s11761-018-0252-2
Vetterl AClayton RRossow CYounan Y(2018)Bitter harvestProceedings of the 12th USENIX Conference on Offensive Technologies10.5555/3307423.3307432(9-9)Online publication date: 13-Aug-2018
https://dl.acm.org/doi/10.5555/3307423.3307432
Anton SFraunholz DKrummacker DFischer CKarrenbauer MSchotten H(2018)The Dos and Don'ts of Industrial Network SimulationProceedings of the 2nd International Symposium on Computer Science and Intelligent Control10.1145/3284557.3284716(1-8)Online publication date: 21-Sep-2018
https://dl.acm.org/doi/10.1145/3284557.3284716
Çeker HZhuang JUpadhyaya SLa QSoong B(2016)Deception-Based Game Theoretical Approach to Mitigate DoS Attacks7th International Conference on Decision and Game Theory for Security - Volume 999610.1007/978-3-319-47413-7_2(18-38)Online publication date: 2-Nov-2016
https://dl.acm.org/doi/10.1007/978-3-319-47413-7_2
Crouse MProsser BFulp ECybenko GHuang D(2015)Probabilistic Performance Analysis of Moving Target and Deception Reconnaissance DefensesProceedings of the Second ACM Workshop on Moving Target Defense10.1145/2808475.2808480(21-29)Online publication date: 12-Oct-2015
https://dl.acm.org/doi/10.1145/2808475.2808480
Araujo FHamlen KBiedermann SKatzenbeisser SAhn GYung MLi N(2014)From Patches to Honey-PatchesProceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security10.1145/2660267.2660329(942-953)Online publication date: 3-Nov-2014
https://dl.acm.org/doi/10.1145/2660267.2660329
Yu WWang XChampion AXuan DLee D(2011)On detecting active worms with varying scan rateComputer Communications10.1016/j.comcom.2010.10.01434:11(1269-1282)Online publication date: 1-Jul-2011
https://dl.acm.org/doi/10.1016/j.comcom.2010.10.014

Abstract

Cited By

Index Terms

Recommendations

Virtual honeypots: from botnet tracking to intrusion detection

Virtual honeypots and detection of telnet botnets

Heat-seeking honeypots: design and experience

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Share

Share this Publication link

Share on social media

Affiliations