A new framework for adaptive and agile honeypots

Abstract

As new technological concepts appear and evolve, cyberattack surfaces and vectors are exploited. Every Internet facing device or service is vulnerable from the untrusted external Internet. Previously standalone devices are accessible through new hardware and software attack vectors. Internet of things significantly increases the attack surface available to malware developers. Malware methods of propagation and compromise are highly automated and highly repetitious. To react to new changes in malware evolution, cybersecurity measures must evolve also. One such tool traditionally used for retrospective analysis is a honeypot. Honeypots facilitate attack interaction with scripted responses to attack command streams. Global honeynets capture large scale datasets which are useful for longitudinal analysis of malware methods. Standard honeypots are deployed for long periods and capture datasets comprising of automated and repetitive attacks. If the honeypot encounters an attack command it cannot process, then the attack terminates. A Honeypot for Automated and Repetitive Malware (HARM) can use reinforcement learning, to learn the best responses when interacting with attack sequences. The actual characteristics of malware, automation and repetition, can be exploited using embedded reinforcement learning within the honeypot. This adaptive ability allows honeypots to prolong interaction, realise attack sequences faster and conceal its functionality from dedicated honeypot detection tools and methods. The agility of HARM’s functionality can be further enhanced by periodically evaluating its performance to optimise further deployments targeting immediate threats. The cyclic method of development, deployment and optimisation improves honeypot operations and requires a new framework for adaptive and agile honeypots.