Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

Wenjun Fan; Zhihui Du; David Fernandez; Victor A. Villagra

doi:10.1109/JSYST.2017.2762161

Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

Wenjun Fan, Zhihui Du, David Fernandez, Victor A. Villagra

Research output: Contribution to journal › Article › peer-review

63 Citations (Scopus)

Abstract

A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots - the decoy and the captor - are captured and presented, together with two abstract organizational forms - independent and cooperative - where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends.

Original language	English
Article number	8098608
Pages (from-to)	3906-3919
Number of pages	14
Journal	IEEE Systems Journal
Volume	12
Issue number	4
DOIs	https://doi.org/10.1109/JSYST.2017.2762161
Publication status	Published - Dec 2018
Externally published	Yes

Keywords

Computer security
honeypots
intrusion detection
network security
virtualization

Access to Document

10.1109/JSYST.2017.2762161

Cite this

@article{61d38c9aa3d34050b9c8cfc2b8c1c132,

title = "Enabling an Anatomic View to Investigate Honeypot Systems: A Survey",

abstract = "A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots - the decoy and the captor - are captured and presented, together with two abstract organizational forms - independent and cooperative - where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends.",

keywords = "Computer security, honeypots, intrusion detection, network security, virtualization",

author = "Wenjun Fan and Zhihui Du and David Fernandez and Villagra, {Victor A.}",

note = "Funding Information: 91 10.1109/JSYST.2017.2762161 0b00006485fdf2de Active orig-research F T F F F F F Publish 4 IEEE 1932-8184 {\textcopyright} 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information. A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor—are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends. 0 0000-0002-7363-9695 Fan, W. Wenjun Fan Wenjun Wenjun Fan Fan School of Computing, University of Kent, Canterbury, U.K. Author W.Fan@kent.ac.uk 0 0000-0002-8435-1611 Du, Z. Zhihui Du Zhihui Zhihui Du Du Tsinghua National Laboratory for Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing, China Author duzh@tsinghua.edu.cn 0 Fernandez, D. David Fernandez David David Fernandez Fernández Department of Telematics Engineering, Universidad Politécnica de Madrid, Madrid, Spain Author david@dit.upm.es 0 Villagra, V.A. Victor A. Villagra Victor A. Víctor A. Villagra Villagrá Department of Telematics Engineering, Universidad Politécnica de Madrid, Madrid, Spain Author villagra@dit.upm.es 2018 Dec. 2017 11 5 2018 11 21 1131262 08098608.pdf 1-14 8098608 Taxonomy Security Couplings Fans Terminology Monitoring Research and development Computer security honeypots intrusion detection network security virtualization National Key Research and Development Program of China 2016YFB1000602 2017YFB0701501 MOE Research Center for Online Education Foundation 2016ZD302 National Natural Science Foundation of China 10.13039/501100001809 61440057 61363019 Publisher Copyright: {\textcopyright} 2007-2012 IEEE.",

year = "2018",

month = dec,

doi = "10.1109/JSYST.2017.2762161",

language = "English",

volume = "12",

pages = "3906--3919",

journal = "IEEE Systems Journal",

issn = "1932-8184",

publisher = "IEEE",

number = "4",

}

TY - JOUR

T1 - Enabling an Anatomic View to Investigate Honeypot Systems

T2 - A Survey

AU - Fan, Wenjun

AU - Du, Zhihui

AU - Fernandez, David

AU - Villagra, Victor A.

N1 - Funding Information: 91 10.1109/JSYST.2017.2762161 0b00006485fdf2de Active orig-research F T F F F F F Publish 4 IEEE 1932-8184 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information. A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor—are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends. 0 0000-0002-7363-9695 Fan, W. Wenjun Fan Wenjun Wenjun Fan Fan School of Computing, University of Kent, Canterbury, U.K. Author W.Fan@kent.ac.uk 0 0000-0002-8435-1611 Du, Z. Zhihui Du Zhihui Zhihui Du Du Tsinghua National Laboratory for Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing, China Author duzh@tsinghua.edu.cn 0 Fernandez, D. David Fernandez David David Fernandez Fernández Department of Telematics Engineering, Universidad Politécnica de Madrid, Madrid, Spain Author david@dit.upm.es 0 Villagra, V.A. Victor A. Villagra Victor A. Víctor A. Villagra Villagrá Department of Telematics Engineering, Universidad Politécnica de Madrid, Madrid, Spain Author villagra@dit.upm.es 2018 Dec. 2017 11 5 2018 11 21 1131262 08098608.pdf 1-14 8098608 Taxonomy Security Couplings Fans Terminology Monitoring Research and development Computer security honeypots intrusion detection network security virtualization National Key Research and Development Program of China 2016YFB1000602 2017YFB0701501 MOE Research Center for Online Education Foundation 2016ZD302 National Natural Science Foundation of China 10.13039/501100001809 61440057 61363019 Publisher Copyright: © 2007-2012 IEEE.

PY - 2018/12

Y1 - 2018/12

N2 - A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots - the decoy and the captor - are captured and presented, together with two abstract organizational forms - independent and cooperative - where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends.

AB - A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots - the decoy and the captor - are captured and presented, together with two abstract organizational forms - independent and cooperative - where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends.

KW - Computer security

KW - honeypots

KW - intrusion detection

KW - network security

KW - virtualization

UR - http://www.scopus.com/inward/record.url?scp=85033663805&partnerID=8YFLogxK

U2 - 10.1109/JSYST.2017.2762161

DO - 10.1109/JSYST.2017.2762161

M3 - Article

AN - SCOPUS:85033663805

SN - 1932-8184

VL - 12

SP - 3906

EP - 3919

JO - IEEE Systems Journal

JF - IEEE Systems Journal

IS - 4

M1 - 8098608

ER -

Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

Abstract

Keywords

Access to Document

Other files and links

Cite this