Do You Really Need to Disguise Normal Servers as Honeypots?

Suhyeon Lee, Kwangsoo Cho, and Seungjoo Kim
Cyber Operations Command, Republic of Korea
School of Cybersecurity, Korea University
Email: {orion-alpha, cks4386, skim71}@korea.ac.kr
Abstract—A honeypot, which is a kind of deception strategy, has been widely used for at least 20 years to mitigate cyber threats. Decision-makers have believed that honeypot strategies are intuitive and effective, since honeypots have successfully protected systems from Denial-of-Service (DoS) attacks to Advanced Persistent Threats (APT) in real-world cases. Nonetheless, there is a lack of research on the appropriate level of honeypot technique application to choose in real-world operations. In this paper, we examine and contrast three attack-defense games with respect to honeypot detection techniques. In particular, we design and contrast two stages of honeypot technology one by one, starting with a game without deception. We demonstrate that the return for a defender using honeypots is higher than for a defender without them, although the defender may not always benefit financially from using more honeypot deception strategies. In particular, disguising regular servers as honeypots does not provide defenders with a better reward. Furthermore, we take into consideration that fake honeypots can make maintaining normal nodes more costly. Our research offers a theoretical foundation for the real-world operator's decision on honeypot deception tactics and the required number of honeypot nodes.
Index Terms—cybersecurity, game theory, honeypot, signaling game
I. INTRODUCTION
Cyber attacks are becoming more threatening as a consequence of the proliferation of digital technologies such as cloud computing and the Internet of Things (IoT). Defenders create strategies to counterattack. Accordingly, attackers are persistent in developing new methods. A honeypot is one technology that enables cybersecurity agents to trap attackers and collect threat intelligence. This intelligence ultimately enables them to learn and strengthen safeguards against future threats. However, simply establishing a large number of honeypots is not a viable option, and installing and operating honeypots requires a strategic approach.
Cybersecurity can utilize game theory to analyze the most effective techniques [1], [2]. Game theory has applications in all social science disciplines, as well as logic, systems science, and computer science. Originally, it addressed zero-sum games, in which each player's earnings or losses are exactly balanced by those of the other players. In a game-theoretic examination, honeypot technology can be described as a signaling game in which the defender indicates whether a specific node is honeypot or normal. These models were the subject of a significant investigation in [3]. Perfect Bayesian Equilibrium (PBE) was investigated using a signaling game with symmetric payoffs. They derived 10 equilibria in which every node sends the same honeypot or normal signal.
La et al. [4] analyzed honeypot defense strategies in the Internet of Things (IoT). In their model, an attacker sends a signal and the defender chooses the defense strategy according to the signal. Li et al. [5] analyzed signaling games with anti-honeypot techniques in industrial systems. Diamantoulakis et al. [6] studied the optimal honeypot ratio by analyzing the strategy of switching nodes to honeypots in an environment where no new nodes are added. Nevertheless, systems must retain their normal nodes to maintain service quality. From this perspective, we focus on the number of honeypot nodes rather than the number of defensive nodes. Shortridge [7] claimed that making defenders' environment resemble an analyst's sandbox can be a good strategy from a practical perspective. We found her reasoning to be really compelling. This study concentrates on how the payoffs of defenders vary as honeypot nodes and fake honeypot nodes are gradually added.
Our contributions are as follows:
• We show that profits do not always increase even if the number of defense techniques increases in the honeypot game. This research applies zero to three honeypot deception actions to attacker-defender games. In the presence of additional cost in the normal node deception, we conclude that deception techniques for normal nodes are practically ineffective in choosing the best strategy.
• We demonstrate that an increase in the number of honeypot nodes does not always increase the payoff of the defender. The defender's payoff continues to increase up to a certain point, but continues to decrease beyond the maximum point. Furthermore, we confirm that the payoff can be dramatically reduced assuming that the honeypot cost is dynamic.
The paper is organized as follows. In Section II, we give an overview of the background of the honeypot deception and the signaling game. In Section III, we describe a scenario and models of honeypot deception games. In Section IV, we analyze the equilibria of the signaling games of honeypot deception. In Section V, we find optimal honeypot distributions based on the analysis. Finally, we examine the dynamic payoff in the honeypot deception game. In Section VI, we show cases of signaling games with a fixed cost and a dynamic cost of honeypot nodes. In Section VIII, conclusions are presented.
arXiv:2210.17399v1 [cs.CR] 31 Oct 2022
II. BACKGROUND
In this section, we provide an overview of honeypot deception strategies and of the signaling game in game theory.
A. Honeypot Deception
Honeypot technology is a methodology for avoiding attacks or analyzing attacks by attracting attackers. Honeypot techniques can be used to defend against not only low-level attacks but also high-level attacks related to industrial control systems [4], [5], [8], DoS [9], and APT [10]. Fig. 1 illustrates the basic elements of honeypot options. Conceptually, in a honeypot strategy, honeypots should look like a normal system to attackers. In Fig. 1, the second server, 'honeypot', is such a concept. Since attackers try to avoid honeypot systems, attempts have emerged to disguise a normal node as a honeypot node. This is called normal-as-honeypot, which is the fourth server in Fig. 1.
From the attacker's point of view, attackers need anti-honeypot techniques. Conversely, the defender's technique to prevent attackers' investigation is termed an anti-introspection technique [11], [12]. It is the crux of the honeypot strategy that attackers and defenders deceive and avoid each other persistently. Depending on the strategic situation, it may also be useful to be clearly seen as a honeypot node. For example, if it is determined that a defender disguises a normal server as a honeypot, the attacker targets a server that has features like a honeypot. It is the first server in Fig. 1.
Fig. 1. Honeypot Deception Game
B. Signaling Game
A signaling game is a two-player incomplete information game. A sender and a receiver participate in the game. The sender has private information. The sender is selected, with a certain probability, as one of the types provided by the game model. Then the sender selects a signal type and sends the signal (or message) to the receiver. The receiver observes the signal and selects an action. Finally, their payoffs are decided. The equilibrium in a signaling game is the Perfect Bayesian Equilibrium (PBE), a refined concept of the Bayesian Nash Equilibrium (BNE). In a Bayesian game based on incomplete information, players have types and beliefs. Types are decided by a special player called 'nature' for convenience. Beliefs are one player's probability distribution over another player's signal and type. In a PBE, at least, each player's strategy should be a best response given the beliefs. At the same time, each player's strategy should be a best response to the updated belief. For off-equilibrium paths, the beliefs can be arbitrary. However, some arbitrary beliefs can be irrational, so a PBE which relies on such beliefs can be eliminated with advanced refinement rules [13].
III. HONEYPOT DECEPTION GAME MODEL
In this section, we describe the scenario and models of
the honeypot deception game. Table I shows the notation
associated with the game models. Table II describes the
payoffs of attackers and defenders.
A. The attacker-defender honeypot game scenario
The attacker-defender honeypot game scenario fundamentally consists of outside attackers invading a defender's network, as illustrated in Fig. 1. The attacker finds a node in the defender's network and decides whether to attack it or leave without attacking it. The defender's network consists of two types of nodes: a normal node and a honeypot node. When the attacker attacks a normal node, they benefit from achieving the desired goal, and the defender receives damage. When the attacker attacks a honeypot node, the attack method is exposed,
TABLE I
LIST OF NOTATIONS
Notation   Description
H          A node is honeypot
N          A node is normal
h          Signal that the node is honeypot
n          Signal that the node is normal
A          Attack the node
L          Leave the node without attack
P_h        Probability that nature selects a node as honeypot
1 - P_h    Probability that nature selects a node as normal
p          Probability that the node observed as normal to the attacker is actually honeypot
1 - p      Probability that the node observed as normal to the attacker is actually normal
q          Probability that the node observed as honeypot to the attacker is actually honeypot
1 - q      Probability that the node observed as honeypot to the attacker is actually normal
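
As an added illustration (not code from the paper), the sketch below applies Bayes' rule to the Table I notation: it derives the attacker's beliefs p and q from the prior P_h and a defender signaling policy, then chooses A or L after each signal. The signaling probabilities and the payoff numbers are constructed assumptions, since the paper's payoff values do not appear in this text.

```python
# Added illustration: attacker beliefs p and q (Table I notation) via Bayes' rule.
# Signaling probabilities and payoff numbers are constructed assumptions,
# not values taken from the paper.
from fractions import Fraction as F

def beliefs(P_h, sig_n_given_H, sig_n_given_N):
    """Return (p, q) = (P(H | signal n), P(H | signal h)).

    A belief is None when its signal is never sent (off-equilibrium path),
    where Bayes' rule does not constrain it.
    """
    P_n = 1 - P_h                                   # prior that a node is normal
    mass_n = P_h * sig_n_given_H + P_n * sig_n_given_N
    mass_h = P_h * (1 - sig_n_given_H) + P_n * (1 - sig_n_given_N)
    p = P_h * sig_n_given_H / mass_n if mass_n else None
    q = P_h * (1 - sig_n_given_H) / mass_h if mass_h else None
    return p, q

def best_response(belief_H, gain_normal, loss_honeypot):
    """Attacker's action after a signal: 'A' (attack) or 'L' (leave).

    Assumed payoffs: attacking a normal node yields gain_normal, attacking a
    honeypot costs loss_honeypot, leaving yields 0. Ties go to 'L'.
    """
    expected = (1 - belief_H) * gain_normal - belief_H * loss_honeypot
    return "A" if expected > 0 else "L"

def analyse(P_h, sig_n_given_H, sig_n_given_N, gain_normal, loss_honeypot):
    """Beliefs plus the attacker's best response to each signal that is sent."""
    p, q = beliefs(P_h, sig_n_given_H, sig_n_given_N)
    out = {"p": p, "q": q}
    for signal, b in (("n", p), ("h", q)):
        out[signal] = None if b is None else best_response(b, gain_normal, loss_honeypot)
    return out

if __name__ == "__main__":
    # Constructed scenarios: 20% honeypots, gain 10, loss 15.
    scenarios = {
        "honeypots look normal, normal nodes honest": (F(1), F(1)),
        "every node signals honeypot (normal-as-honeypot)": (F(0), F(0)),
        "half of the normal nodes disguised as honeypots": (F(1), F(1, 2)),
    }
    for name, (sH, sN) in scenarios.items():
        print(name, analyse(F(1, 5), sH, sN, 10, 15))
```

In the third constructed scenario q evaluates to 0: if only normal nodes ever send the honeypot signal, that signal tells the attacker the node is certainly normal.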