Primer -- A Tool for Testing Honeypot Measures of Effectiveness
Authors:
Jason M. Pittman,
Kyle Hoffpauir,
Nathan Markle
Abstract:
Honeypots are a deceptive technology used to capture malicious activity. The technology is useful for studying attacker behavior, tools, and techniques but can be difficult to implement and maintain. Historically, a lack of measures of effectiveness prevented researchers from assessing honeypot implementations. The consequence being ineffective implementations leading to poor performance, flawed i…
▽ More
Honeypots are a deceptive technology used to capture malicious activity. The technology is useful for studying attacker behavior, tools, and techniques but can be difficult to implement and maintain. Historically, a lack of measures of effectiveness prevented researchers from assessing honeypot implementations. The consequence being ineffective implementations leading to poor performance, flawed imitation of legitimate services, and premature discovery by attackers. Previously, we developed a taxonomy for measures of effectiveness in dynamic honeypot implementations. The measures quantify a dynamic honeypot's effectiveness in fingerprinting its environment, capturing valid data from adversaries, deceiving adversaries, and intelligently monitoring itself and its surroundings. As a step towards developing automated effectiveness testing, this work introduces a tool for priming a target honeypot for evaluation. We outline the design of the tool and provide results in the form of quantitative calibration data.
△ Less
Submitted 1 November, 2020;
originally announced November 2020.
A Taxonomy for Dynamic Honeypot Measures of Effectiveness
Authors:
Jason M. Pittman,
Kyle Hoffpauir,
Nathan Markle,
Cameron Meadows
Abstract:
Honeypots are computing systems used to capture unauthorized, often malicious, activity. While honeypots can take on a variety of forms, researchers agree the technology is useful for studying adversary behavior, tools, and techniques. Unfortunately, researchers also agree honeypots are difficult to implement and maintain. A lack of measures of effectiveness compounds the implementation issues spe…
▽ More
Honeypots are computing systems used to capture unauthorized, often malicious, activity. While honeypots can take on a variety of forms, researchers agree the technology is useful for studying adversary behavior, tools, and techniques. Unfortunately, researchers also agree honeypots are difficult to implement and maintain. A lack of measures of effectiveness compounds the implementation issues specifically. In other words, existing research does not provide a set of measures to determine if a honeypot is effective in its implementation. This is problematic because an ineffective implementation may lead to poor performance, inadequate emulation of legitimate services, or even premature discovery by an adversary. Accordingly, we have developed a taxonomy for measures of effectiveness in dynamic honeypot implementations. Our aim is for these measures to be used to quantify a dynamic honeypot's effectiveness in fingerprinting its environment, capturing valid data from adversaries, deceiving adversaries, and intelligently monitoring itself and its surroundings.
△ Less
Submitted 26 May, 2020;
originally announced May 2020.
