Abstract
A honeynet is a portion of routed but otherwise unused address space that is instrumented for network traffic monitoring. It is an invaluable tool for understanding unwanted Internet traffic and malicious attacks. We formalize the problem of defending honeynets from systematic mapping (a serious threat to their viability) as a simple two-person game. The objective of the Attacker is to identify a honeynet with a minimum number of probes. The objective of the Defender is to maintain a honeynet for as long as possible before moving it to a new location within a larger address space. Using this game theoretic framework, we describe and prove optimal or near-optimal strategies for both Attacker and Defender. This is the first mathematically rigorous study of this increasingly important problem on honeynet defense. Our theoretical ideas provide the first formalism of the honeynet monitoring problem, illustrate the viability of network address shuffling, and inform the design of next generation honeynet defense.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bethencourt, J., Franklin, J., Vernon, M.: Mapping Internet Sensors with Probe Response Packets. In: Proceedings of USENIX Security Symposium (2005)
Cai, J.-Y., Yegneswaran, V., Alfeld, C., Barford, P.: Honeygames: A Game Theoretic Approach to Defending Network Monitors. In: University of Wisconsin, Technical Report #1577 (2006)
Cooke, E., Bailey, M., Mao, M., Watson, D., Jahanian, F., McPherson, D.: Toward Understanding Distributed Blackhole Placement. In: Proceedings of CCS Workshop on Rapid Malcode (WORM 2004) (October 2004)
German Honeynet Project. Tracking Botnets (2005), http://www.honeynet.org/papers/bots
Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of Internet Background Radiation. In: Proceedings of the ACM SIGCOMM Internet Measurement Conference (2004)
Provos, N.: A virtual honeypot framework. In: Proceedings of USENIX Security Symposium (2004)
Rajab, M.A., Monrose, F., Terzis, A.: Fast and evasive attacks: Highlighting the challenges ahead. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 206–225. Springer, Heidelberg (2006)
Shinoda, Y., Ikai, K., Itoh, M.: Vulnerabilities of Passive Internet Threat Monitors. In: Proceedings of USENIX Security Symposium (2005)
Staniford, S., Paxson, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: Proceedings of the 11th USENIX Security Symposium (2002)
Ullrich, J.: Dshield (2005), http://www.dshield.org
Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A., Voelker, G., Savage, S.: Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm. In: Proceedings of ACM SOSP 2005, Brighton, UK (October 2005)
Yegneswaran, V., Alfeld, C., Barford, P., Cai, J.-Y.: Camouflaging Honeynets. In: Proceedings of IEEE Global Internet Symposium (2007)
Yegneswaran, V., Barford, P., Plonka, D.: On the Design and Use of Internet Sinks for Network Abuse Monitoring. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 146–165. Springer, Heidelberg (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cai, JY., Yegneswaran, V., Alfeld, C., Barford, P. (2009). An Attacker-Defender Game for Honeynets. In: Ngo, H.Q. (eds) Computing and Combinatorics. COCOON 2009. Lecture Notes in Computer Science, vol 5609. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02882-3_2
Download citation
DOI: https://doi.org/10.1007/978-3-642-02882-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02881-6
Online ISBN: 978-3-642-02882-3
eBook Packages: Computer ScienceComputer Science (R0)