Dynamic Hybrid Honeypot System Based Transparent Traffic Redirection Mechanism

  • Wenjun FanEmail author
  • Zhihui Du
  • David Fernández
  • Xinning Hui
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)


Honeypots are a type of security tools aimed to capture malicious activity. Related to their data capture function, two main factors are important: scalability and fidelity. A hybrid honeypot is a special honeypot system consisting of frontends and backends that can achieve a good balance between scalability and fidelity, as the frontends can monitor large-scale IP address spaces and the backends can provide fully functional systems to guarantee fidelity. The traffic redirection function is used to bridge the frontends and the backends, allowing to redirect the interesting traffic from the frontends to the backends. In this paper, a dynamic hybrid honeypot system based transparent traffic redirection mechanism is proposed in order to address the identical-fingerprint problem. The experimental results show that this mechanism can keep the traffic redirection stealthy and effective.


Traffic redirection Connection handoff Hybrid honeypot Dynamic honeypot 



This research is supported in part by National Natural Science Foundation of China (No. 61440057, 61272087, 61363019 and 61073008), Beijing Natural Science Foundation (No. 4082016 and 4122039), the Sci-Tech Interdisciplinary Innovation and Cooperation Team Program of the Chinese Academy of Sciences, the Specialized Research Fund for State Key Laboratories. It is also partially funded by the Spanish MICINN (project RECLAMO, Virtual and Collaborative Honeynets based on Trust Management and Autonomous Systems applied to Intrusion Management, with codes TIN2011-28287-C02-01 and TIN2011-28287-C02-02) and the European Commission (FEDER/ERDF).


  1. 1.
    Spitzner, L.: The Value of Honeypots, Part One: Definitions and Values of Honeypots, 10 October 2001.
  2. 2.
    Bailey, M., Cooke, E., Watson, D., Jahanian, F., Provos, N.: A hybrid honeypot architecture for scalable network monitoring. Technical Report CSE-TR-499-04, U. Michigan, October 2004Google Scholar
  3. 3.
    Berthier, R., Cukier, M.: Honeybrid: a hybrid honeypot architecture. In: USENIX Security Symposium (2008)Google Scholar
  4. 4.
    Jiang, X., Xu, D.: Collapsar: a VM-based architecture for network attack detention center. In: Proceedings of the USENIX Security Symposium, August 2004Google Scholar
  5. 5.
    Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A.C., Voelker, G.M., Savage, S.: Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In: Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (SOSP 2005), pp. 148–162, New York. ACM Press (2005)Google Scholar
  6. 6.
    Chesneau, B.: tproxy 0.5.4 (2011).
  7. 7.
    Aston, P., Fitzgerald, C.: The Grinder (2013).
  8. 8.
    Lin, Y.-D., Shih, T.-B., Yu-Sung, W., Lai, Y.-C.: Secure and transparent network traffic replay, redirect, and relay in a dynamic malware analysis environment. Secur. Comm. Netw. 7(3), 626–640 (2013)CrossRefGoogle Scholar
  9. 9.
    Lengyel, T.K., Neumann, J., Maresca, S., Kiayias, A.: Towards hybrid honeynets via virtual machine introspection and cloning. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 164–177. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  10. 10.
    Hung, M.-H., Tsail, C.-L.: Intrusive behavior analysis based on dynamic honeynet and multidimensional hidden markov model. J. C.C.I.T. 40(1), 29–42 (2011)Google Scholar
  11. 11.
    Hecker, C., Hay, B.: Automated honeynet deployment for dynamic network environment. In: 46th Hawaii International Conference on System Sciences (HICSS), pp. 4880–4889, 7–10 January 2013Google Scholar
  12. 12.
    Fan, W., Fernández, D., Du, Z.: Adaptive and flexible virtual honeynet. In: Proceedings of International Conference on Mobile, Secure and Programmable Networking (MSPN), pp. 1–17, Paris, France, 15-17 June 2015Google Scholar
  13. 13.
    Provos, N.: A virtual honeypot framework. In: Proceedings of the 13th Conference on USENIX Security Symposium (SSYM 2004), vol. 13 (2004)Google Scholar
  14. 14.
    Fernández, D., Cordero, A., Somavilla, J., Rodriguez, J., Corchero, A., Tarrafeta, L., Galan, F.: Distributed virtual scenarios over multi-host Linux environments. In: 5th International DMTF Academic Alliance Workshop on Systems and Virtualization Management (SVM), pp.1–8, 24 October 2011Google Scholar
  15. 15.
    Fan, W., Fernández, D., Villagra, V.: Technology independent honeynet description language. In: Proceedings of 3rd International Conference on Model-Driven Engineering and Software Development (MODELSWARD), pp. 303–311, Angers, Loire Valley, France, 9-11 February 2015Google Scholar
  16. 16.
    Welte, H., Ayuso, P.N.: The “libnetfilter_queue” project (2014).

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Wenjun Fan
    • 1
    Email author
  • Zhihui Du
    • 2
  • David Fernández
    • 1
  • Xinning Hui
    • 2
  1. 1.Departamento de Ingenierisía de Sistemas Telemáticos, ETSI TelecomunicaciónUniversidad Politécnica de MadridMadridSpain
  2. 2.Tsinghua National Laboratory for Information Science and Technology, Department of Computer Science and TechnologyTsinghua UniversityBeijingChina

Personalised recommendations