IJCNIS Vol. 4, No. 10, 8 Sep. 2012
Cover page and Table of Contents: PDF (size: 298KB)
Full Text (PDF, 298KB), PP.63-75
Views: 0 Downloads: 0
Honeypots, Alarm system, Computer hacking, Computer crime, Computer security
This paper presents a survey on recent advances in honeypot research from a review of 80+ papers on honeypots and related topics mostly published after year 2005. This paper summarizes 60 papers that had significant contribution to the field. In reviewing the literature, it became apparent that the research can be broken down into five major areas: new types of honeypots to cope with emergent new security threats, utilizing honeypot output data to improve the accuracy in threat detections, configuring honeypots to reduce the cost of maintaining honeypots as well as to improve the accuracy in threat detections, counteracting honeypot detections by attackers, and legal and ethical issues in using honeypots. Our literature reviews indicate that the advances in the first four areas reflect the recent changes in our networking environments, such as those in user demography and the ways those diverse users use new applications. Our literature reviews on legal and ethical issues in using honeypots reveals that there has not been widely accepted agreement on the legal and ethical issues about honeypots, which must be an important agenda in future honeypot research.
Matthew L. Bringer, Christopher A. Chelmecki, Hiroshi Fujinoki, "A Survey: Recent Advances and Future Trends in Honeypot Research", International Journal of Computer Network and Information Security(IJCNIS), vol.4, no.10, pp.63-75, 2012. DOI:10.5815/ijcnis.2012.10.07
[1]Michael Bailey, Evan Cooke, Farnam Jahanian, Yunjing Xu, and Manish Karir, "A Survey of Botnet Technology and Defenses," Proceedings of the Cybersecurity Applications & Technology Conference for Homeland Security, March 2009, pp. 299-304.
[2]Thorsten Holz, "Learning More about Attack Patterns with Honeypots," Proceedings of Sicherheit 2006, February 2006, pp. 30-41.
[3]Christian Seifert, Ian Welch, and Peter Komisarczuk, "Taxonomy of Honeypots," CS Technical Report TR-06-12, School of Mathematics, Statistics and Computer Science, Victoria University of Wellington, New Zealand. Available: http://www.mcs.vuw.ac.nz/comp/Publications/CS-TR-06-12 .abs.html (last accessed: August 17, 2012).
[4]Xinwen Fu, Wei Yu, Dan Cheng, Xuejun Tan, Kevin Streff, and Steve Graham, "On Recognizing Virtual Honeypots and Countermeasures," Proceedings of the IEEE International Symposium on Dependable, Autonomic and Secure Computing, September 2006, pp. 211-218.
[5]Phillip Porras and Vitaly Shmatikov, "Large-Scale Collection and Sanitization of Network Security Data: Risks and Challenges," Proceedings of the Workshop on New Security Paradigms, September 2006, pp. 57-64.
[6]Yu Adachi and Yoshihiro Oyama, "Malware Analysis System using Process-Level Virtualization," Proceedings of IEEE Symposium on Computers and Communications, July 2009, pp. 550-556.
[7]Ion Alberdi, Éric Philippe, Owezarski Vincent, and Nicomette M. Kaâniche, "Shark: Spy Honeypot with Advanced Redirection Kit," Proceedings of the IEEE Workshop on Monitoring, Attack Detection and Mitigation, November 2007. Available: http://spiderman-2.laas.fr/ METROSEC/monam.pdf (last accessed: August 17, 2012).
[8]Yaser Alosefer and Omer Rana, "Honeyware - Web-based Low Interaction Client Honeypot," Proceedings of the International Conference on Software Testing, Verification, and Validation Workshops, April 2010, pp. 410-417.
[9]K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. D. Keromytis "Detecting Targeted Attacks Using Shadow Honeypots," Proceedings of the Conference on USENIX Security Symposium, August 2005, pp. 9-23.
[10]Michael D. Bailey, Evan Cooke, Farnam Jahanian, Niels Provos, Karl Rosaen, and David Watson, "Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic," Proceedings of the ACM SIGCOMM Conference on Internet Measurement, October 2005, pp. 239-252.
[11]Vinu V. Das, "Honeypot Scheme for Distributed Denial-of-Service," Proceedings of the 2009 International Conference on Advanced Computer Control, January 2009, pp. 497-501.
[12]Abdallah Ghourabi, Tarek Abbes, and Adel Bouhoula, "Honeypot Router for Routing Protocols Protection," Proceedings of the International Conference on Risks and Security of Internet and Systems, October 2009, pp. 127-130.
[13]Xuxian Jiang and Xinyuan Wang, "Out-of-the-Box Monitoring of VM-Based High-Interaction Honeypots," Proceedings of the International Conference on Recent Advances in Intrusion Detection, September 2007, pp. 198-218.
[14]Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Moss, Rami Melhem, and Taieb Znati, "Roaming Honeypots for Mitigating Service-Level Denial-of-Service Attacks," Proceedings of the International Conference on Distributed Computing Systems, March 2004, pp. 328–337.
[15]Christian Kreibichi and Jon Crowcroft, "Honeycomb – Creating Intrusion Detection Signatures Using Honeypots," ACM SIGCOMM Computer Communication Review, vol. 34, no. 1, January 2004, pp. 51-56.
[16]Tobias Lauinger, Veikko Pankakoski, Davide Balzarotti, and Engin Kirda, "Honeybot, Your Man in the Middle for Automated Social Engineering," Proceedings of USENIX Symposium on Networked Systems Design and Implementation, April 2010. Available: http://portal.acm. org/citation.cfm?id=1855697.
[17]Shujun Li and Roland Schmitz, "A Novel Anti-Phishing Framework Based on Honeypots," Proceedings of eCrime Researchers Summit, October 2009, pp. 1-13.
[18]Jose Nazario, "PhoneyC: A Virtual Client Honeypot," Proceedings of USENIX Workshop on Large-Scale and Emergent Threats, April 2009, pp. 1-8.
[19]Georgios Portokalidis, Asia Slowinska, and Herbert Bos, "Argos: an Emulator for Fingerprinting Zero-Day Attacks," ACM SIGOPS Operating Systems Review, vol. 40, no. 4, October 2006, pp. 15-27.
[20]Anoosha Prathapani, Lakshmi Santhanam, and Dharma P Agrawal, "Intelligent Honeypot Agent for Blackhole Attack Detection in Wireless Mesh Networks," Proceedings of IEEE International Conference on Mobile Adhoc and Sensor Systems, October 2009, pp. 753-758.
[21]Bill McCarty, "Anti-Honeypot Technology," IEEE Security & Privacy, vol. 2, no. 1, January 2004, pp. 76-79.
[22]Neil C. Rowe, E. John Custy, Binh T. Duong, "Defending Cyberspace with Fake Honeypots," Journal of Computers, vol. 2, no. 2, April 2007, pp. 25-36.
[23]Steve Webb, James Caverlee, and Calton Pu, "Social Honeypots: Making Friends with a Spammer Near You," Proceedings of the Conference on Email and Anti-Spam, August 2008. Available: http://citeseerx.ist.psu.edu/ viewdoc/summary?doi=10.1.1.150.588 (last accessed: August 17, 2012).
[24]Jianwei Zhuge, Thorsten Holz, Xinhui Han, and Wei Zou, "Collecting Autonomous Spreading Malware using High-Interaction Honeypots," Proceedings of the International Conference on Information and Communications Security, December 2007, pp. 438-451.
[25]Lin Chen, Zhitang Li, Cuixia Gao, and Lan Liu, "Dynamic Forensics based on Intrusion Tolerance," Proceedings of IEEE International Symposium on Parallel and Distributed Processing with Applications, August 2009, pp. 469-473.
[26]Evan Cooke, Farnam Jahanian, and Danny McPherson, "The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets," Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, July 2005, pp. 39-44.
[27]Ram Dantu, Joao W. Cangussu, and Sudeep Patwardhan, "Fast Worm Containment Using Feedback Control," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, April-June 2007, pp. 119-136.
[28]Kevin D. Fairbanks, Ying H. Xia, and Henry L. Owen III, "A Method for Historical Ext3 Inode to Filename Translation on Honeypots," Proceedings of the IEEE International Computer Software and Applications Conference, July 2009, pp. 392-397.
[29]Jérôme Francois, Radu State, and Olivier Festor, "Activity Monitoring for Large Honeypots and Network Telescopes," International Journal on Advances in Systems and Measurements, vol. 1, no. 1, 2008, pp. 1-13.
[30]Cristine Hoepers, Nandamudi L. Vijaykumar, and Antonio Montes, "HIDEF: a data Exchange Format for Information Collected in Honeypots and Honeynets," INFOCOMP Journal of Computer Science, vol. 7, no. 1, March 2008, pp. 87-96.
[31]Sven Krasser, Gregory Conti, Julian Grizzard, Jeff Gribschaw, and Henry Owen, "Real-Time and Forensics Network Data Analysis using Animated and Coordinated Visualization," Proceedings of IEEE International Conference on Systems, Man and Cybernetics Information Assurance Workshop, August 2005, pp. 42-49.
[32]Mohssen M. Z. E. Mohammed, H. Anthony Chan, Neco Ventura, Mohsim Hashim, Izzeldin Amin, and Eihab Bashier, "Detection of Zero-Day Polymorphic Worms Using Principal Component Analysis," Proceedings of International Conference on Networking and Services, March 2007, pp. 277-281.
[33]Julia Narvaez, Chiraag Aval, Barbara Endicott-Popovsky, Christian Seifert, Ashish Malviya, and Doug Nordwall, "Assessment of Virtualization as a Sensor Technique," Proceedings of the IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, May 2010, pp. 61-65.
[34]James Newsome, Brad Karp, and Dawn Song, "Polygraph: Automatically Generating Signatures for Polymorphic Worms," Proceedings of IEEE Symposium on Security and Privacy, May 2005, pp. 226-241.
[35]Frederic Raynal, Yann Berthier, Philippe Biondi, and Danielle Kaminsky "Honeypot Forensics Part I: Analyzing the Network," IEEE Security and Privacy, vol. 2, no. 4, July 2004, pp. 72-78.
[36]Frederic Raynal, Yann Berthier, Philippe Biondi, and Danielle Kaminsky "Honeypot Forensics Part II: Analyzing the Compromised Host," IEEE Security and Privacy, vol. 2, no. 5, September 2004, pp. 77-80.
[37]Ming-Yang Su, "Internet Worms Identification through Serial Episodes Mining," Proceedings of the International Conference on Electrical Engineering /Electronics Computer Telecommunications and Information, May 2010, pp. 132-136.
[38]Heikki Mannila, Hannu Toivonen, and A. Inkeri Verkamo, "Discovery of Frequent Episodes in Event Sequences," Data Mining and Knowledge Discovery, vol. 1, no. 3, 1997, pp. 259-289.
[39]Yong Tang and Shigang Chen, "Defending against Internet Worms: a Signature-based Approach," Proceedings of IEEE INFOCOM, vol. 2, March 2005, pp. 1384-1394.
[40]Oliver Thonnard and Marc Dadier, "A Framework for Attack Pattern's Discovery in Honeynet Data," Digital Investigation, vol. 5, no. 1, September 2008, pp. 128-139.
[41]Aarjav J. Trivedi, Paul Q. Judge, and Sven Krasser, "Analyzing Network and Content Characteristics of Spim using Honeypots," Proceedings of the USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet, June 18, 2007, pp.1-9.
[42]Gérard Wagener, Alexandre Dulaunoy, and Thomas Engel, "Towards an Estimation of the Accuracy of TCP Reassembly in Network Forensics," Proceedings of the International Conference on Future Generation Communication and Networking, vol. 2, December 2008, pp. 273-278.
[43]Vinod Yegneswaran, Paul Barford, and Vern Paxon, "Using Honeynets for Internet Situational Awareness," Proceedings of the ACM/USENIX Workshop on Hot Topics in Networks, November 2005, pp. 240-243.
[44]Narisa Zhao and Xianfeng Zhang, "The Worm Propagation Model and Control Strategy Based on Distributed Honeynet," Proceedings of the International Conference on Computer Science and Software Engineering, vol. 3, December 2008, pp. 868-871.
[45]Jérémy Briffaut, Jean-François Lalande, and Christian Toinard, "Security and Results of a Large-Scale High-Interaction Honeypot," Journal of Computers Special Issue on Security and High Performance Computer Systems, vol. 4, no. 5, May 2009, pp. 395-404.
[46]Thomas E. Carroll and Daniel Grosu, "A Game Theoretic Investigation of Deception in Network Security," Proceedings of the International Conference on Computer Communications and Networks, September 2009, pp. 1-6.
[47]Haifeng Wang and Qingkui Chen, "Design of Cooperative Deployment in Distributed Honeynet System," Proceedings of the International Conference on Computer Supported Cooperative Work in Design, April 2010, pp. 711–716.
[48]Thomas M. Chen and John Buford, "Design Considerations for a Honeypot for SQL Injection Attacks," Proceedings of IEEE Local Computer Networks, October 2009, pp. 915-921.
[49]Christopher Hecker, Kara L. Nance, and Brian Hay, "Dynamic Honeypot Construction," Proceedings of the Colloquium for Information Systems Security Education, June 2006, pp. 95-102.
[50]Jan Kohlrausch, "Experiences with the NoAH Honeynet Testbed to Detect new Internet Worms," Proceedings of the International Conference on IT Security Incident Management and IT Forensics, September 2009, pp. 13-26.
[51]Lance Spitzner, "Honeypots: Catching the Insider Threat," Proceedings of the Computer Security Applications Conference, December 2003, pp. 170-179.
[52]Maximillian Dornseif, Thorsten Holz, and Christian N. Klein, "NoSEBrEaK - Attacking Honeynets," Proceedings of IEEE International Conference on Systems, Man and Cybernetics Information Assurance Workshop, June 2004, pp. 123-129.
[53]Thorsten Holz and Frederic Raynal, "Detecting Honeypots and Other Suspicious Environments," Proceedings of IEEE International Conference on Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 29-36.
[54]S. Mukkamala, K. Yendrapalli, R. Basnet, M. K. Shankarapani, and A. H. Sung, "Detection of Virtual Environments and Low Interaction Honeypots," Proceedings of IEEE International Conference on Systems, Man and Cybernetics Information Assurance Workshop, June 2007, pp. 92-98.
[55]Roberto Perdisci, David Dagon, Wenke Lee, Prahlad Fogla, and Monirul Sharif, "Misleading Worm Signature Generators Using Deliberate Noise Injection," Proceedings of IEEE Symposium on Security and Privacy, May 2006, pp. 15-31.
[56]Ping Wang, Sherri Sparks, and Cliff C. Zou, "An Advanced Hybrid Peer-to-Peer Botnet," IEEE Transaction on Dependable and Secure Computing, vol. 7, no. 2, April-June 2010, pp. 113-127.
[57]Vinod Yegneswaran, Chris Alfred, Paul Barford, and Jin-Yi Cai, "Camouflaging Honeynets," Proceedings of IEEE Global Internet Symposium, May 2007, pp. 49-54.
[58]Cliff C. Zou and Ryan Cunningham, "Honeypot-Aware Advanced Botnet Construction and Maintenance," Proceedings of the International Conference on Dependable Systems and Networks, June 2006, pp. 199-208.
[59]Bradley S. Rubin and Donald Cheung, "Computer Security Education and Research: Handle with Care," IEEE Security & Privacy, vol. 4, no. 6, November-December 2006, pp. 56-59.
[60]Brian Scottberg, William Yurcik, and David Doss, "Internet Honeypots: Protection or Entrapment?," Proceedings of International Symposium on Technology and Society, August 2002, pp. 387-391.