INTRODUCTION

Honeypots are traps disguised as information resources, which capture the details of computer attacks aimed at them. The collected data is added to signature bases of antiviruses, blacklists of firewalls and serve as reliable evidences in computer forensics. All trapped files, links, ip-addresses and other artifacts are clearly malicious software fragments, because authorized users do not interact with honeypots.

Modern honeypots emulate a wide range of vulnerable programs from web-applications and database management systems to VoIP-services, Internet-of-Things firmware and industrial information systems. Honeypots have started emulating not only server-side software but client-side applications: web-browsers and plugins for them, office

The reported study was funded by RFBR according to the research project № 16-29-09517

In 2012 Bringer M.L., Chelmecki C., and Fujinoki H. published the research in the field of honeypots aimed at the invention of new types of honeypots, improvement of their creation and configuration, optimization of output data processing methods, and modernization of traps camouflage [ 1 ].

The history of honeypots’ evolution from 1997 to 2016 is described by Nawrocki M. et al. in the survey [ 2 ]. Their review summarizes that modern honeypots can emulate vulnerabilities in files transfer services: SMB, FTP, TFTP [ 24 ]; remote access services: SSH [ 21 ], Telnet; email protocols: SMTP, POP3, IMAP; database management systems: Elasticsearch, MSSQL, MySQL [ 20 ]; wireless protocols: IEEE 802.11 (WiFi), Bluetooth; entire workstations with operating systems: Microsoft Windows XP, Windows 7, Linux, Android [ 22 ]; web-applications: Apache, php-BB, php-MyAdmin, webservers [ 23 ]; instant messaging services: IRC; applications for voice communications: VoIP [ 19 ], emulate DNS vulnerabilities, IoT devices [ 18 ] and Supervisory Control and Data Acquisition (SCADA) systems [ 22 ].

However, the current situation of the game-theoretic models realizations in honeypots is not detailed enough [ 26 ]. We managed to find only one recent review of a game theory application in honeypots that deserves attention. It was published in 2016. Sangeetha R., Mohana M. have provided a survey on game-theoretic approaches in honeypot enabled networks for the Internet of Things (IoT) [ 3 ]. They have summarized risks of IoT infrastructures and classified honeypots related to defense against attacks on IoT.

In our view, many of the articles about realizations of game-theoretic models in deception systems were not mentioned in surveys. Our paper is intended to fill this gap.

III.

Researchers have proposed the game-theoretic approach to make the behaviour of honeypots more like an operation of the real computer. Table I. summarizes the articles in this category. The table reflects the most essential features of proposed gamemodels: definitions of players and list of available actions.

In 2009, Wagener G. et al. has built and implemented a high interactive honeypot disguised as a SSH-server [4]. Honeypot behaviour was determined by a game-theoretic model and machine learning. In the restrictions of this model, the attacker can input various commands into SSH-shell. The honeypot can execute the entered commands or replace the application which has to execute the command. The honeypot payoff is defined as a number of new unknown dangerous objects, in particular, the number of malicious files, which were uploaded by the attacker. In this model, the honeypot chooses actions with probability which is defined by a predictor of a potential payoff. The predictor is learned using a set of previous decisions of the honeypot.

In 2012, Hayatle O., Otrok H., and Youssef A. proposed a game-theoretic model of interaction between an attacker and client honeypot [ 5 ]. In this model, the attacker has a botnet, i.e. a set of infected machines managed by him. The attacker doesn’t know if his current target is a trap or a real host. In the restrictions of the proposed game, the attacker, to not expose his intentions, can probe the target in three ways: commands the bot to attack the sensor machine, commands the bot to attack the real target, chooses not to perform any activity. In the case of successful probing, the intruder attacks his target or otherwise retreats. The intruder can attack without preliminary probing of the infected machine. The honeypot has only two available actions: to allow the attack or to deny it. Optimal strategies were theoretically established for the attacker and the defender.

In 2016, Mohammadi A. et al. suggested the honeypot which is composed of fake avatars in social networks could distinguish hacked profiles [6]. The signal games and Nash equilibrium were used to develop the strategy of the honeypot.

In 2016, Kiekintveld C., Lisy V., and Pibil R created a game-theoretic approach to compute selection strategy of nodes in computer network which are the most optimal to be replaced by honeypots [ 7 ].

In 2017, Shi L. et al. put forward the idea of a mimicry honeypot system [ 8 ]. In this model, the defense has at its disposal real services, honeypots and pseudo honeypots (real services disguised as honeypots). The goal of the defense is to distinguish the attacker from a legitimate user. The proposed game model was realized as vulnerable FTP-server and validated by simulation.

In 2017, Du Miao et al. tried to find out novel ways of preventing DDoS attacks which were targeted at social networks [ 9 ]. The difference with the previous works is the ability to see a new type of attackers as rational and adapting to the strategy of the defender. They offered a new pseudo honeypot game model based on a Bayesian game and showed how to find Bayesian Nash equilibrium in the restrictions of the proposed model. It was shown empirically that computed optimal strategies make the defense more effective.

In 2017, Ziad Ismail et al. formulated a game-theoretic model for intrusion detection in computer networks [ 10 ]. In the restrictions of this model, the resources of the defense are limited. The goal of the defender is to optimize the allocation of intrusion detection systems (IDS) in the network. Additionally, interdependencies between equipment vulnerabilities were taken to improve the quality of gametheoretic analysis. The proposed model was tested in a real world scenario.

In 2016, Hayreddin Ceker et al. proposed a game-theoretic model of interaction between the defender and the attacker [ 11 ]. The goal of the defender is to optimize the network configuration for DoS attack prevention. In this model the defender can camouflage honeypots as real services and vice versa. The proposed model is based on signaling game with incomplete information. The existence of perfect Bayesian equilibrium was proved and used for finding optimal strategies. It is expected that the proposed deception strategy could be used to develop high quality and cheap security solutions for preventing DoS-attacks.

In 2017, Wang K. et al. formulated the interaction between Advanced Metering Infrastructure (AMI) network and the intruder as a game-theoretic model [ 12 ]. The defender’s challenge is to embed honeypots to an AMI network for DDoS attack detection. To explore the optimal strategies of the defender and the attacker Bayesian Nash Equilibriums were used. The proposed game-theoretic model was validated empirically in the smart grid and its efficiency was proved.

In 2017, Nguyen T., Wellman M. P., Singh S. have explored the problem of allocating detection resources (detectors) in a computer network to deter botnet attacks [ 13 ]. In our opinion, honeypots could be used as detectors in the implementation of this model. In the proposed game-theoretic model, the attacker eavesdrops on network traffic and tries to send the stolen data outside the defender’s network. The defender allocates limited detectors to protect the most valuable resources of the network. The goal of the defender is to randomize the placement of the detectors so that the locations of them become unpredictable to the intruder. The Players: real service, honeypot Real service, honeypot and pseudo service and pseudo honeypot service, honeypot can provide service or not. legitimate users and attackers [ 9 ] Legitimate user and the attacker can provide access or not

Honeypots are designed to attract intruders and collect information about attacks. The game theory provides methods which can be used to make traps more interactive and therefore indistinguishable from real resources than traditional algorithm of computing optimal game strategies was offered with some heuristics for approximately solving the game when the number of nodes in the network is large. Given game model was evaluated via synthetic and real-world network topologies. honeypots. Consequently, the area of adaptive honeypots is relative to game theory topic as a point of novel game models realization in the future. From the viewpoint of applying gametheoretic approaches, in our opinion, are next articles about adaptive honeypots.

In 2017, Fernandez G., Nieto A., and Lopez J. have formulated a concept of malware-driven honeypots and developed a mechanism for the dynamic reconfiguration of honeypots [ 14 ]. The goal of the proposed honeypot management system is to create trap environments so the whole malicious activity could be captured. To fulfill malware requirements the management system uses recent Indicators of Compromise (IOS) from malware intelligence services such as Malware Information Sharing Platform (MISP) and Virus Total Intelligence (VTI). It is the first published approach of using malware intelligence platforms for the dynamic deployment of honeypots. In our opinion, malware writers choose required features of a victim machine environment to infect as many computers as they can and to be undetected as long as possible. So, fulfilling the requirements of malware in traps can be described in the future as a competitive game between the defender and the attacker.

In 2017, Pauna A. and Bica I. presented a changing behavior honeypot system that overlaps with some of the disadvantages in the existing deception systems [ 15 ]. The offered honeypot system is made by using Python and it emulates a SSH (Secure Shell) server. The proposed system interacts with attackers and uses means of reinforcement learning algorithms. In our opinion, reinforcement learning of honeypots can be used to make traps capable of dynamically changing their behavior. This task is naturally related to strategic decision making using game-theoretic approaches.

In 2014, Pauna A., Patriciu V.V. have created an autonomous honeypot system capable of learning and adapting its behaviour by interacting with the attackers [ 16 ]. The designed case adaptive SSH honeypot is based on an existing medium interaction honeypot (Kippo) and implements Case Based Reasoning and Belief-Desire-Intention agents. Case Base Reasoning system is a system which solves tasks by making decisions used for similar tasks. The Belief-DesireIntention agent model has a view of the world (Beliefs), a number of goals (Desires) and possible actions (Intentions). The actions are planned using the accumulated experience. The practical experiments have shown that the number of captured payload s is relatively similar to the ones obtained by the standard Kippo honeypot. As in the previous work, game theory approaches can be used to improve the intellectuality of traps.

In 2017, Orzel M.J. and Grzegorz K. proposed few schemes of web-attack detection [ 17 ]. For this purpose features from web-server log files were used. The collection of events was gathered from real web-site logs and helped to find unwanted web crawlers’ traces. In our opinion, the considered features from web server log files could be used for building web-based server side honeypot system. Because there was no article about implementing the game theory to web-based honeypots, we mentions this article as a paper containing features to be collected by novel server-side traps.

For the last decades honeypots have evolved to networks of sensors which emulate various types of devices and applications. Honeypot configurations are increasingly based on game-theoretic models. The game-theoretic approach is used for honeypot preparation before an attack and for trap behavior adaptation during an attack. However, most publications about realization of game-theoretic models in honeypots are purely theoretical. Only a few practices are related to implementation of game-theoretic models to honeypots disguised as FTP and SSH servers.

Most effectiveness is expected from implementation of the game-theoretic approach to high interaction honeypots and to social networks, but this carries the risk of additional opportunities given to the attackers. These risks are discussed in the articles related to legal and ethical issues of using honeypots [ 25 ].

The combination of the game theory and machine learning has, in our view, the greatest potential for a honeypot to develop. The honeypot experience enriched during the attacks, by our estimates, will allow honeypot strategies to adapt so the traps will be indistinguishable from real services.