Abstract
A honeynet is a portion of routed but otherwise unused address space that is instrumented for network traffic monitoring. It is an invaluable tool for understanding unwanted Internet traffic and malicious attacks. We formalize the problem of defending honeynets from systematic mapping (a serious threat to their viability) as a simple two-person game. The objective of the Attacker is to identify a honeynet with a minimum number of probes. The objective of the Defender is to maintain a honeynet for as long as possible before moving it to a new location within a larger address space. Using this game theoretic framework, we describe and prove optimal or near-optimal strategies for both the Attacker and the Defender. This is the first mathematically rigorous study of this increasingly important problem in honeynet defense. Our theoretical ideas provide the first formalism of the honeynet monitoring problem, illustrate the viability of network address shuffling, and inform the design of next generation honeynet defense systems.
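The following Python script is an added illustration, not code from the paper, of the two-person game the abstract sketches. It uses a deliberately simplified model chosen here (and not the authors' formalism): N routed addresses, a honeynet occupying a contiguous block of m addresses, an Attacker probing one address per move, and a Defender who relocates the block to a fresh random offset every T probes (address shuffling). The assumption that the first probe landing inside the block identifies the honeynet, and the two Attacker strategies (random probing and a sequential sweep), are modelling choices made for this example. It computes the Attacker's exact expected probe count for each strategy and cross-checks it by simulation.

```python
"""Toy model of the two-person honeynet game sketched in the abstract.

Assumed model (a simplification written for this page, not the paper's own
formalism): N routed addresses, a honeynet occupying a contiguous block of m
addresses, an Attacker who probes one address per move, and a Defender who
relocates the block to a fresh uniformly random offset every T probes.
We further assume that the first probe landing inside the block identifies
the honeynet, so the Attacker's cost is the number of probes until that hit.
"""
from fractions import Fraction
from math import comb
import random


def expected_probes_random_prober(N: int, m: int, T: int) -> Fraction:
    """Exact expected probes for an Attacker who probes distinct uniformly
    random addresses, against a Defender relocating every T probes.

    Renewal argument: let E_T be the expected probes spent inside one epoch
    (which ends at the first hit or after T probes) and q the probability the
    epoch ends with no hit. Relocation makes epochs independent, so
    E_total = E_T + q * E_total, i.e. E_total = E_T / (1 - q).
    T >= N gives a static honeynet: every address is probed at most once.
    """
    T = min(T, N)  # an epoch cannot contain more than N distinct probes

    def miss(j: int) -> Fraction:
        # P(first j distinct probes all miss) is hypergeometric
        return Fraction(comb(N - m, j), comb(N, j))

    e_epoch = sum(miss(j) for j in range(T))
    q = miss(T)
    return e_epoch / (1 - q)


def expected_probes_static_sweep(N: int, m: int) -> Fraction:
    """Exact expected probes for a sequential sweep (uniform random start,
    wrapping around) against a honeynet that never moves. With probability
    m/N the start lies inside the block (1 probe); otherwise the distance d
    to the block start is uniform over 1..N-m and the sweep needs d+1 probes.
    """
    inside = Fraction(m, N)
    outside_mean = 1 + Fraction(N - m + 1, 2)
    return inside * 1 + (1 - inside) * outside_mean


def static_sweep_bound(N: int, m: int) -> int:
    """A sweep of a static honeynet never needs more than N-m+1 probes;
    relocation every T < N-m+1 probes removes this guarantee."""
    return N - m + 1


def simulate(N, m, T, attacker="random", trials=2000, seed=0):
    """Monte Carlo cross-check of the formulas; returns mean probes until hit.
    attacker="random" draws T distinct addresses per epoch; "sequential"
    sweeps consecutive addresses (wrapping) and keeps its cursor across epochs.
    """
    rng = random.Random(seed)
    per_epoch = min(T, N)
    total = 0
    for _ in range(trials):
        cursor = rng.randrange(N)  # sweep start for the sequential Attacker
        probes, found = 0, False
        while not found:
            start = rng.randrange(N - m + 1)  # Defender relocates the block
            block = range(start, start + m)
            if attacker == "random":
                epoch = rng.sample(range(N), per_epoch)
            else:
                epoch = [(cursor + i) % N for i in range(per_epoch)]
                cursor = (cursor + per_epoch) % N
            for addr in epoch:
                probes += 1
                if addr in block:
                    found = True
                    break
        total += probes
    return total / trials


if __name__ == "__main__":
    N, m = 256, 16  # constructed parameters for the demonstration
    print(f"static sweep: mean {float(expected_probes_static_sweep(N, m)):.2f}, "
          f"worst case {static_sweep_bound(N, m)} probes")
    for T in (1, 16, 64, N):
        exact = float(expected_probes_random_prober(N, m, T))
        sim = simulate(N, m, T, "random", trials=500, seed=T)
        print(f"relocate every {T:3d} probes: random prober exact {exact:.2f}, simulated {sim:.2f}")
```

What the model shows: against a static honeynet a systematic sweep is guaranteed to land in the block within N-m+1 probes, whereas once the Defender relocates, every probe hits with probability at most m/N regardless of the Attacker's strategy, so no probe budget guarantees a hit. For a random prober the expectation moves from (N+1)/(m+1) for a static block to N/m under per-probe relocation. The Defender's choice of T, balancing how long the honeynet stays in place against the cost of moving it, is the trade-off the paper's game formalizes.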
Additional information
A preliminary version of this paper appeared in the 15th International Computing and Combinatorics Conference (COCOON’2009).
J.-Y. Cai is supported by NSF CCR-0208013 and CCR-0511679.
This work was supported in part by the National Science Foundation (NSF) grants CNS-0716460 and CNS-0831427. Any opinions, findings, conclusions or other recommendations expressed in this material are those of the authors and do not necessarily reflect the view of the NSF.
Cite this article
Cai, JY., Yegneswaran, V., Alfeld, C. et al. Honeynet games: a game theoretic approach to defending network monitors. J Comb Optim 22, 305–324 (2011). https://doi.org/10.1007/s10878-009-9285-y
DOI: https://doi.org/10.1007/s10878-009-9285-y