LEARNING CYBERATTACK PATTERNS WITH ACTIVE HONEYPOTS

Download
Author
Chong, Wai Hoe
Koh, Chong Khai Roger
Date
2018-09Advisor
Rowe, Neil C.
Second Reader
Fulp, John D.
Metadata
Show full item recordAbstract
Honeypots can detect new attacks and vulnerabilities like zero-day exploits, based on an attacker’s behavior. Existing honeypots, however, are typically passive in nature and poor at detecting new and complex attacks like those carried out by state-sponsored actors. Deception is a commonly used tactic in conventional military operations, but it is rarely used in cyberspace. In this thesis, we implemented “active honeypots,” which incorporate deception into honeypot responses. In five phases of testing, we incorporated deception techniques such as fake files, defensive camouflage, delays, and false excuses into a Web honeypot built with SNARE and TANNER software, and an SSH honeypot built with Cowrie software.
Our experiments sought to investigate how cyberattackers respond to the deception techniques. Our results showed that most attackers performed only vulnerability scanning and fingerprinting of our honeypots. Some appeared to be performing horizontal scanning, accessing both honeypots in the same phase. We found that the attackers were primarily non-interactive and did not respond to customized deception. We also observed that attackers who established a non-interactive session might be unable to exit the session without external intervention. Thus, we can delay to penalize these attackers. We also discovered that some attackers used unusual means of transferring files to the SSH server, and we recommend exploring how deception can be used against such techniques.
Rights
Copyright is reserved by the copyright owner.Copyright is reserved by the copyright owner.
Related items
Showing items related by title, author, creator and subject.
-
Testing deceptive honeypots
Yahyaoui, Aymen (Monterey, California: Naval Postgraduate School, 2014-09);Deception can be a useful defensive technique against cyber attacks. It has the advantage of unexpectedness to attackers and offers a variety of tactics. Honeypots are a good tool for deception. They act as decoy computers ... -
Deception in defense of computer systems from cyber-attack
Rowe, Neil C. (Monterey, California. Naval Postgraduate School, 2007);While computer systems can be quite susceptible to deception by attackers, deception by defenders has increasingly been investigated in recent years. Military history has classic examples of defensive deceptions, but not ... -
Fake Honeypots: A Defensive Tactic for Cyberspace
Rowe, Neil C.; Duong, Binh T.; Custy, E. John (Monterey, California. Naval Postgraduate School, 2006-06);Cyber-attackers are becoming more aware of honeypots. They generally want to avoid honeypots since it is hard to spread attacks from them, attacks are thoroughly monitored on them, and some honeypots contain planted false ...