Lightweight On-Demand Honeypot Deployment for Cyber Deception

Acosta, Jaime C.; Basak, Anjon; Kiekintveld, Christopher; Kamhoua, Charles A.

doi:10.1007/978-3-031-06365-7_18

Cited by 4 publications

(2 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To perform fingerprinting, NMAP sends out a series of probes, analyzes the responses received, and compares them against a database of known OS characteristics. By carefully analyzing network traffic, NMAP is widely used for attempting to determine the OS running on the target device [14]. However, it is worth noting that the accuracy of NMAP's OS identification in real-world networks and on the Internet remains a topic of debate, and there is limited research available on this subject to serve as a reference [15].…”

Section: Introductionmentioning

confidence: 99%

Automated Network Incident Identification through Genetic Algorithm-Driven Feature Selection

Aksoy,

Valle,

Kar

2024

Electronics

View full text Add to dashboard Cite

The cybersecurity landscape presents daunting challenges, particularly in the face of Denial of Service (DoS) attacks such as DoS Http Unbearable Load King (HULK) attacks and DoS GoldenEye attacks. These malicious tactics are designed to disrupt critical services by overwhelming web servers with malicious requests. In contrast to DoS attacks, there exists nefarious Operating System (OS) scanning, which exploits vulnerabilities in target systems. To provide further context, it is essential to clarify that NMAP, a widely utilized tool for identifying host OSes and vulnerabilities, is not inherently malicious but a dual-use tool with legitimate applications, such as asset inventory services in company networks. Additionally, Domain Name System (DNS) botnets can be incredibly damaging as they harness numerous compromised devices to inundate a target with malicious DNS traffic. This can disrupt online services, leading to downtime, financial losses, and reputational damage. Furthermore, DNS botnets can be used for other malicious activities like data exfiltration, spreading malware, or launching other cyberattacks, making them a versatile tool for cybercriminals. As attackers continually adapt and modify specific attributes to evade detection, our paper introduces an automated detection method that requires no expert input. This innovative approach identifies the distinct characteristics of DNS botnet attacks, DoS HULK attacks, DoS GoldenEye attacks, and OS-Scanning, explicitly using the NMAP tool, even when attackers alter their tactics. By harnessing a representative dataset, our proposed method ensures robust detection of such attacks against varying attack parameters or behavioral shifts. This heightened resilience significantly raises the bar for attackers attempting to conceal their malicious activities. Significantly, our approach delivered outstanding outcomes, with a mid 95% accuracy in categorizing NMAP OS scanning and DNS botnet attacks, and 100% for DoS HULK attacks and DoS GoldenEye attacks, proficiently discerning between malevolent and harmless network packets. Our code and the dataset are made publicly available.

show abstract

Section: Introductionmentioning

confidence: 99%

Automated Network Incident Identification through Genetic Algorithm-Driven Feature Selection

Aksoy,

Valle,

Kar

2024

Electronics

View full text Add to dashboard Cite

show abstract

“…Considering the computation load and time complexities, Acosta et al [ 16 ] developed lightweight reactive honeypot principles for improving the security features of cyber deception models. In general, cyber deception is the strategy used for tricking the attackers into fake resources (honeypot).…”

Section: Introductionmentioning

confidence: 99%

Interleaved Honeypot-Framing Model with Secure MAC Policies for Wireless Sensor Networks

Rajasoundaran

Maheswar

Muthuramalingam

et al. 2022

Sensors

View full text Add to dashboard Cite

The Wireless Medium Access Control (WMAC) protocol functions by handling various data frames in order to forward them to neighbor sensor nodes. Under this circumstance, WMAC policies need secure data communication rules and intrusion detection procedures to safeguard the data from attackers. The existing secure Medium Access Control (MAC) policies provide expected and predictable practices against channel attackers. These security policies can be easily breached by any intelligent attacks or malicious actions. The proposed Wireless Interleaved Honeypot-Framing Model (WIHFM) newly implements distributed honeypot-based security mechanisms in each sensor node to act reactively against various attackers. The proposed WIHFM creates an optimal Wireless Sensor Network (WSN) channel model, Wireless Interleaved Honeypot Frames (WIHFs), secure hash-based random frame-interleaving principles, node-centric honeypot engines, and channel-covering techniques. Compared to various existing MAC security policies, the proposed model transforms unpredictable IHFs into legitimate frame sequences against channel attackers. Additionally, introducing WIHFs is a new-fangled approach for distributed WSNs. The successful development of the proposed WIHFM ensures resilient security standards and neighbor-based intrusion alert procedures for protecting MAC frames. Particularly, the proposed wireless honeypot methodology creates a novel idea of using honeypot frame traps against open wireless channel attacks. The development of a novel wireless honeypot traps deals with various challenges such as distributed honeypot management principles (node-centric honeypot, secretly interleaved-framing principles, and interleaving/de-interleaving procedures), dynamic network backbone management principles (On Demand Acyclic Connectivity model), and distributed attack isolation policies. This effort provides an effective wireless attack-trapping solution in dynamic WSNs. The simulation results show the advantage of the proposed WIHFM over the existing techniques such as Secure Zebra MAC (SZ-MAC), Blockchain-Assisted Secure-Routing Mechanism (BASR), and the Trust-Based Node Evaluation (TBNE) procedure. The experimental section confirms the proposed model attains a 10% to 14% superior performance compared to the existing techniques.

show abstract