Abstract
The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions have emerged to address the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique, called network context cross-checking (NC3), which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that attackers may leverage to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework that defends against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with low performance overhead.
Acknowledgments
This work was supported in part by the Office of Naval Research grants N00014-16-1-3214, N00014-18-2893, and N00014-20-1-2407.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Liu, S. et al. (2022). Consistency is All I Ask: Attacks and Countermeasures on the Network Context of Distributed Honeypots. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_11
DOI: https://doi.org/10.1007/978-3-031-09484-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09483-5
Online ISBN: 978-3-031-09484-2
eBook Packages: Computer Science (R0)