=Paper=
{{Paper
|id=Vol-2081/paper29
|storemode=property
|title=A Survey of Game-Theoretic Approaches to Modeling Honeypots
|pdfUrl=https://ceur-ws.org/Vol-2081/paper29.pdf
|volume=Vol-2081
|authors=Andrey Vishnevsky,Petr Klyucharev
}}
==A Survey of Game-Theoretic Approaches to Modeling Honeypots==
Andrey Vishnevsky, Petr Klyucharev
Information Security Department, Bauman Moscow State Technical University, Moscow, Russia
andreyryu@yandex.ru, pk.iu8@yandex.ru

Abstract — Honeypots are fake information resources that authorized users never connect to and that remain under the permanent control of information security specialists. Honeypots are widely used traps for hackers which gather the features of attacks. The collected features are then accumulated in anti-virus databases, serve as evidence in cyber forensics or serve as reference samples in machine learning systems. The quality of security tools depends on the ability to gather representative information about actual cyber-attacks. During the past twenty years, honeypots have evolved from standalone tools emulating one or two network services to systems of many highly interactive traps. Modern honeypots emulate a large range of services, from FTP and SSH to VoIP and industrial systems. They can monitor web attacks, client-side exploitation, targeted attacks in corporate networks and intruder activity. The weakest point occurs when hackers are aware of traps and avoid honeypots by comparing them with real systems. To solve this problem, researchers introduced game-theoretic models that adapt the behavior of honeypots so that they remain undetected by hackers. In addition, they embed machine-learning techniques to improve the performance of honeypots when only a few stages of a hacker attack are executed. This paper is a review of the game-theoretic models on which adaptive honeypots function.

Keywords — survey, review, honeypots, machine learning, game theory, deception games, intrusion detection, information security.

The reported study was funded by RFBR according to the research project № 16-29-09517.

===I. INTRODUCTION===
Honeypots are traps disguised as information resources which capture the details of computer attacks aimed at them. The collected data are added to antivirus signature bases and firewall blacklists and serve as reliable evidence in computer forensics. All trapped files, links, IP addresses and other artifacts are clearly fragments of malicious software, because authorized users do not interact with honeypots.

Modern honeypots emulate a wide range of vulnerable programs, from web applications and database management systems to VoIP services, Internet-of-Things firmware and industrial information systems. Honeypots have started emulating not only server-side software but also client-side applications: web browsers and their plugins, office software and even entire operating systems.

In the recent scientific literature, the mechanics of honeypots and the mathematical models determining the behavior of traps have been described.

The main issues of the deception mechanism have been attracting attackers into traps, revealing their intentions and collecting as much evidence as possible. On the other side, attackers pursue their own methods and targets when interacting with the honeypot system. Accounting for this in the design of the system helps to achieve increased interaction and adaptation.

The rest of this paper is organized as follows. Section II summarizes the literature that focuses on honeypot reviews. Section III summarizes the articles that describe recent implementations of game-theoretic models in deception systems. Section IV describes self-adaptive honeypots whose mechanics, in our opinion, can be improved by using game theory. Section V is the conclusion of this survey, followed by the list of references. Each work is referenced by its list of authors.

===II. OTHER HONEYPOT REVIEWS===
There are a number of different types of honeypots with various technical options. Such deceptive technologies are widely discussed in the scientific literature.

In 2012, Bringer M.L., Chelmecki C., and Fujinoki H. published research in the field of honeypots aimed at the invention of new types of honeypots, improvement of their creation and configuration, optimization of output data processing methods, and modernization of trap camouflage [1].

The history of the evolution of honeypots from 1997 to 2016 is described by Nawrocki M. et al. in the survey [2]. Their review summarizes that modern honeypots can emulate vulnerabilities in file transfer services: SMB, FTP, TFTP [24]; remote access services: SSH [21], Telnet; email protocols: SMTP, POP3, IMAP; database management systems: Elasticsearch, MSSQL, MySQL [20]; wireless protocols: IEEE 802.11 (WiFi), Bluetooth; entire workstations with operating systems: Microsoft Windows XP, Windows 7, Linux, Android [22]; web applications: Apache, phpBB, phpMyAdmin, web servers [23]; instant messaging services: IRC; applications for voice communications: VoIP [19]; DNS vulnerabilities; IoT devices [18]; and Supervisory Control and Data Acquisition (SCADA) systems [22].

However, the current state of realizations of game-theoretic models in honeypots is not described in enough detail [26]. We managed to find only one recent review of game theory applications in honeypots that deserves attention; it was published in 2016. Sangeetha R. and Mohana M. provided a survey on game-theoretic approaches in honeypot-enabled networks for the Internet of Things (IoT) [3]. They summarized the risks of IoT infrastructures and classified honeypots related to defense against attacks on IoT.

In our view, many of the articles about realizations of game-theoretic models in deception systems have not been mentioned in surveys. Our paper is intended to fill this gap.

===III. GAME-THEORETIC MODELS===
Researchers have proposed the game-theoretic approach to make the behaviour of honeypots more like the operation of a real computer. Table I summarizes the articles in this category. The table reflects the most essential features of the proposed game models: the definitions of the players and the list of available actions.

In 2009, Wagener G. et al. built and implemented a high-interaction honeypot disguised as an SSH server [4]. Honeypot behaviour was determined by a game-theoretic model and machine learning. Within this model, the attacker can input various commands into the SSH shell. The honeypot can execute the entered command or replace the application which has to execute it. The honeypot payoff is defined as the number of new, unknown dangerous objects, in particular the number of malicious files uploaded by the attacker. In this model, the honeypot chooses actions with a probability defined by a predictor of the potential payoff. The predictor is learned from the set of previous decisions of the honeypot.

In 2012, Hayatle O., Otrok H., and Youssef A. proposed a game-theoretic model of the interaction between an attacker and a client honeypot [5]. In this model, the attacker has a botnet, i.e. a set of infected machines managed by him. The attacker does not know whether his current target is a trap or a real host. Within the proposed game, the attacker, in order not to expose his intentions, can probe the target in three ways: command the bot to attack the sensor machine, command the bot to attack the real target, or choose not to perform any activity. If probing succeeds, the intruder attacks his target; otherwise he retreats. The intruder can also attack without preliminary probing of the infected machine. The honeypot has only two available actions: to allow the attack or to deny it. Optimal strategies were theoretically established for the attacker and the defender.

In 2016, Mohammadi A. et al. suggested that a honeypot composed of fake avatars in social networks could distinguish hacked profiles [6]. Signaling games and Nash equilibrium were used to develop the strategy of the honeypot.

In 2016, Kiekintveld C., Lisy V., and Pibil R. created a game-theoretic approach to compute a selection strategy for the nodes of a computer network which it is optimal to replace by honeypots [7].

In 2017, Shi L. et al. put forward the idea of a mimicry honeypot system [8]. In this model, the defense has at its disposal real services, honeypots and pseudo-honeypots (real services disguised as honeypots). The goal of the defense is to distinguish the attacker from a legitimate user. The proposed game model was realized as a vulnerable FTP server and validated by simulation.

In 2017, Du Miao et al. sought novel ways of preventing DDoS attacks targeted at social networks [9]. The difference from the previous works is that attackers of a new type are seen as rational and adapting to the strategy of the defender. They offered a new pseudo-honeypot game model based on a Bayesian game and showed how to find the Bayesian Nash equilibrium within the proposed model. It was shown empirically that the computed optimal strategies make the defense more effective.

In 2017, Ziad Ismail et al. formulated a game-theoretic model for intrusion detection in computer networks [10]. Within this model, the resources of the defense are limited. The goal of the defender is to optimize the allocation of intrusion detection systems (IDS) in the network. Additionally, interdependencies between equipment vulnerabilities were taken into account to improve the quality of the game-theoretic analysis. The proposed model was tested in a real-world scenario.

In 2016, Hayreddin Ceker et al. proposed a game-theoretic model of the interaction between the defender and the attacker [11]. The goal of the defender is to optimize the network configuration for DoS attack prevention. In this model the defender can camouflage honeypots as real services and vice versa. The proposed model is based on a signaling game with incomplete information. The existence of a perfect Bayesian equilibrium was proved and used for finding optimal strategies. It is expected that the proposed deception strategy could be used to develop high-quality and cheap security solutions for preventing DoS attacks.

In 2017, Wang K. et al. formulated the interaction between an Advanced Metering Infrastructure (AMI) network and the intruder as a game-theoretic model [12]. The defender's challenge is to embed honeypots in an AMI network for DDoS attack detection. Bayesian Nash equilibria were used to explore the optimal strategies of the defender and the attacker. The proposed game-theoretic model was validated empirically in the smart grid and its efficiency was proved.

In 2017, Nguyen T., Wellman M. P., and Singh S. explored the problem of allocating detection resources (detectors) in a computer network to deter botnet attacks [13]. In our opinion, honeypots could be used as the detectors in an implementation of this model. In the proposed game-theoretic model, the attacker eavesdrops on network traffic and tries to send the stolen data outside the defender's network. The defender allocates a limited number of detectors to protect the most valuable resources of the network. The goal of the defender is to randomize the placement of the detectors so that their locations become unpredictable to the intruder. An algorithm for computing optimal game strategies was offered, with some heuristics for approximately solving the game when the number of nodes in the network is large. The game model was evaluated on synthetic and real-world network topologies.

TABLE I. DECEPTION GAME MODELS
{|
! Players !! Actions
|-
| The attacker and a high-interaction honeypot [4] || The attacker can enter commands into SSH. The honeypot can execute or spoof the entered command with a probability defined by reinforcement learning.
|-
| An attacker and a client honeypot [5] || The attacker can scan the trap, attack other computers from the infected trap, or idle. The client honeypot can permit or block the attack.
|-
| A fake avatar in a social network, an attacker and a legitimate user [6] || The attacker and the user can send benign or infected messages. The fake avatar can raise the alarm or idle.
|-
| An attacker and a honeynet composed of real computers and honeypots [7] || The defender places honeypots in the computer network and sets their importance level. The attacker chooses a target in the network on the basis of resource importance.
|-
| A server, a legitimate user and an attacker [8] || The server can respond to the user as a real service, as a honeypot or as a pseudo-honeypot. The attacker can attack or abandon the attack.
|-
| A real service, a honeypot service and a pseudo-honeypot service, legitimate users and attackers [9] || The real service, the honeypot and the pseudo-honeypot can provide service or not. The legitimate user and the attacker can access or not.
|-
| An attacker and a defender [10] || The attacker can attack any node in the network. The defender can distribute monitoring resources over network nodes in order to detect attacks.
|-
| An attacker and a defender [11] || The defender can deploy honeypots, disguise normal systems as honeypots and honeypots as normal systems. The attacker can successfully compromise normal systems, but not honeypots.
|-
| Real communications, a honeypot service, an anti-honeypot service, legitimate visitors and attackers [12] || The real communications, the honeypot service and the anti-honeypot service can provide service or not. The legitimate visitors and the attackers can access or not.
|-
| An attacker and a defender [13] || The defender can deploy a limited number of detection resources in the network. The attacker can compromise a limited number of nodes in the network.
|}

===IV. RELATED WORK===
Honeypots are designed to attract intruders and collect information about attacks. Game theory provides methods which can be used to make traps more interactive and therefore less distinguishable from real resources than traditional honeypots. Consequently, the area of adaptive honeypots is related to game theory as a point where novel game models may be realized in the future. From the viewpoint of applying game-theoretic approaches, the following articles about adaptive honeypots are, in our opinion, relevant.

In 2017, Fernandez G., Nieto A., and Lopez J. formulated a concept of malware-driven honeypots and developed a mechanism for the dynamic reconfiguration of honeypots [14]. The goal of the proposed honeypot management system is to create trap environments in which the whole malicious activity can be captured. To fulfill the requirements of malware, the management system uses recent Indicators of Compromise (IoC) from malware intelligence services such as the Malware Information Sharing Platform (MISP) and VirusTotal Intelligence (VTI). It is the first published approach to using malware intelligence platforms for the dynamic deployment of honeypots. In our opinion, malware writers choose the required features of a victim machine environment so as to infect as many computers as they can and to remain undetected as long as possible. So, fulfilling the requirements of malware in traps could in the future be described as a competitive game between the defender and the attacker.

In 2017, Pauna A. and Bica I. presented a honeypot system with changing behavior that overcomes some of the disadvantages of existing deception systems [15]. The offered honeypot system is written in Python and emulates an SSH (Secure Shell) server. The proposed system interacts with attackers and uses reinforcement learning algorithms. In our opinion, reinforcement learning of honeypots can be used to make traps capable of dynamically changing their behavior. This task is naturally related to strategic decision making using game-theoretic approaches.

In 2014, Pauna A. and Patriciu V.V. created an autonomous honeypot system capable of learning and adapting its behaviour by interacting with attackers [16]. The designed case-adaptive SSH honeypot is based on an existing medium-interaction honeypot (Kippo) and implements Case-Based Reasoning and Belief-Desire-Intention agents. A Case-Based Reasoning system solves tasks by making the decisions used for similar tasks. The Belief-Desire-Intention agent model has a view of the world (Beliefs), a number of goals (Desires) and possible actions (Intentions). The actions are planned using the accumulated experience. Practical experiments showed that the number of captured payloads is relatively similar to that obtained by the standard Kippo honeypot. As in the previous work, game-theoretic approaches can be used to improve the intelligence of the traps.

In 2017, Orzel M.J. and Grzegorz K. proposed several schemes of web attack detection [17]. For this purpose, features from web server log files were used. The collection of events was gathered from real web site logs and helped to find the traces of unwanted web crawlers. In our opinion, the considered features from web server log files could be used for building a web-based server-side honeypot system. Because there was no article about applying game theory to web-based honeypots, we mention this article as a paper containing features to be collected by novel server-side traps.

===V. CONCLUSION===
Over the last decades honeypots have evolved into networks of sensors which emulate various types of devices and applications. Honeypot configurations are increasingly based on game-theoretic models. The game-theoretic approach is used for honeypot preparation before an attack and for trap behavior adaptation during an attack. However, most publications about the realization of game-theoretic models in honeypots are purely theoretical. Only a few practical works relate to the implementation of game-theoretic models in honeypots disguised as FTP and SSH servers.

The greatest effectiveness is expected from applying the game-theoretic approach to high-interaction honeypots and to social networks, but this carries the risk of giving additional opportunities to attackers. These risks are discussed in the articles on the legal and ethical issues of using honeypots [25].

The combination of game theory and machine learning has, in our view, the greatest potential for the development of honeypots. The honeypot experience enriched during attacks will, by our estimates, allow honeypot strategies to adapt so that traps become indistinguishable from real services.

===REFERENCES===
[1] Bringer M.L., Chelmecki C., Fujinoki H. A survey: Recent advances and future trends in honeypot research. 2012. V. 4. N 09. DOI: 10.5815/ijcnis.2012.10.07.
[2] Nawrocki M., Wahlisch M., Schmidt T., Keil C., Schonfelder J. A survey on honeypot software and data analysis. 2016.
[3] Sangeetha R., Mohana M. A Survey on Game Theory against Attack in Honeypot Enabled Networks for IoT. 2016. DOI: 10.17148/IJARCCE.2016.51051.
[4] Wagener G., State R., Engel T., Dulaunoy A. Adaptive and self-configurable honeypots. Integrated Network Management. 2011. P. 345-352. DOI: 10.1109/INM.2011.5990710.
[5] Hayatle O., Otrok H., Youssef A. A game theoretic investigation for high interaction honeypots. Proceedings of the 2012 IEEE International Conference on Communications (ICC), Ottawa, Canada. 2012. P. 6662-6667. DOI: 10.1109/ICC.2012.6364760.
[6] Mohammadi A., Manshaei M. H., Moghaddam M. M., Zhu Q. A Game-Theoretic Analysis of Deception over Social Networks Using Fake Avatars. Proceedings of the Decision and Game Theory for Security - 7th International Conference, GameSec 2016. 2016. V. 9996. P. 382-394. DOI: 10.1007/978-3-319-47413-7_22.
[7] Kiekintveld C., Lisy V., Pibil R. Game-Theoretic Foundations for the Strategic Use of Honeypots in Network Security. In: Jajodia S., Shakarian P., Subrahmanian V., Swarup V., Wang C. (Eds.) Cyber Warfare. Advances in Information Security. V. 56. P. 81-101. 2015. DOI: 10.1007/978-3-319-14039-1_5.
[8] Shi L., Zhao J., Jiang L., Xing W., Gong J., Liu X. Game theoretic simulation on the mimicry honeypot. Wuhan University Journal of Natural Sciences. 2016. V. 21. P. 69–74. DOI: 10.1007/s11859-016-1140-2.
[9] Du M., Li Y., Lu Q., Wang K. Bayesian Game Based Pseudo Honeypot Model in Social Networks. 2017. DOI: 10.1007/978-3-319-68542-7_6.
[10] Ismail Z., Kiennert C., Leneutre J., Chen L. A Game Theoretical Model for Optimal Distribution of Network Security Resources. 2017. DOI: 10.1007/978-3-319-68711-7_13.
[11] Ceker H., Shambhu J., Quang U., Soong D. Deception-Based Game Theoretical Approach to Mitigate DoS Attacks. 2016. DOI: 10.1007/978-3-319-47413-7_2.
[12] Wang K., Du M., Maharjan S., Sun Y. Strategic Honeypot Game Model for Distributed Denial of Service Attacks in the Smart Grid. IEEE Transactions on Smart Grid. V. 8. N 5. P. 2474-2482. 2017. DOI: 10.1109/TSG.2017.2670144.
[13] Nguyen T., Wellman M. P., Singh S. A Stackelberg Game Model for Botnet Data Exfiltration. In: Decision and Game Theory for Security - 8th International Conference, GameSec 2017, Proceedings. 2017. V. 10575. P. 151-170. Springer Verlag. DOI: 10.1007/978-3-319-68711-7_9.
[14] Fernandez G., Nieto A., Lopez J. Modeling Malware-driven Honeypots. 14th International Conference On Trust, Privacy & Security In Digital Business (TrustBus 2017). 2017. V. 10442. P. 130-144. DOI: 10.1007/978-3-319-64483-7_9.
[15] Pauna A., Bica I. RASSH - Reinforced adaptive SSH honeypot. 2014 10th International Conference on Communications (COMM). Bucharest. 2014. P. 1-6. DOI: 10.1109/ICComm.2014.6866707.
[16] Pauna A., Patriciu V.V. CASSHH – Case Adaptive SSH Honeypot. In: Recent Trends in Computer Networks and Distributed Systems Security. SNDS 2014. Communications in Computer and Information Science, Springer, Berlin, Heidelberg. 2014. V. 420. DOI: 10.1007/978-3-642-54525-2_29.
[17] Orzel M.J., Grzegorz K. Detection of Security Incidents in a Context of Unwelcome or Dangerous Activity of Web Robots. 2017. P. 215-225. DOI: 10.1007/978-3-319-43982-2_19.
[18] Dowling S., Schukat M., Melvin H. A ZigBee honeypot to assess IoT cyberattack behaviour. 2017. P. 1-6. DOI: 10.1109/ISSC.2017.7983603.
[19] Jordao R., Vargas S., Kleinschmidt H. Capture and Analysis of Malicious Traffic in VoIP Environments Using a Low Interaction Honeypot. IEEE Latin America Transactions. 2015. V. 13. N. 3. P. 777-783. DOI: 10.1109/TLA.2015.7069104.
[20] Djanali S., Arunanto F., Pratomo B. A., Studiawan H., Nugraha S. G. SQL injection detection and prevention system with raspberry Pi honeypot cluster for trapping attacker. 2014 International Symposium on Technology Management and Emerging Technologies. Bandung. 2014. P. 163-166. DOI: 10.1109/ISTMET.2014.6936499.
[21] Koniaris I., Papadimitriou G., Nicopolitidis P. Analysis and visualization of SSH attacks using honeypots. Eurocon 2013. Zagreb. 2013. P. 65-72. DOI: 10.1109/EUROCON.2013.6624967.
[22] Jicha A., Patton M., Chen H. SCADA honeypots: An in-depth analysis of Conpot. 2016 IEEE Conference on Intelligence and Security Informatics (ISI). Tucson, AZ. 2016. P. 196-198. DOI: 10.1109/ISI.2016.7745468.
[23] Rahmatullah D. K., Nasution S. M., Azmi F. Implementation of low interaction web server honeypot using cubieboard. 2016 International Conference on Control, Electronics, Renewable Energy and Communications (ICCEREC). Bandung. 2016. P. 127-131. DOI: 10.1109/ICCEREC.2016.7814970.
[24] Perevozchikov V. A., Shaymardanov T. A., Chugunkov I. V. New techniques of malware detection using FTP Honeypot systems. 2017 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus). St. Petersburg. 2017. P. 204-207. DOI: 10.1109/EIConRus.2017.7910529.
[25] Sokol P. Legal issues of honeynet's generations. Proceedings of the 2014 6th International Conference on Electronics, Computers and Artificial Intelligence (ECAI). Bucharest. 2014. P. 63-69. DOI: 10.1109/ECAI.2014.7090212.
[26] Shmatova E. The Choice of Strategy for the Spurious Information System on the Basis of the Game Theory Model. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2015. N 5 (13). P. 36-40. DOI: 10.21681/2311-3456-2015-5-36-40.
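As an added illustration of the adaptive SSH honeypots discussed in Section III ([4]) and Section IV ([15]), where the trap decides between executing an attacker's command and substituting the program, with the decision probability derived from a learned payoff predictor, the following Python example simulates that mechanism on constructed attacker sessions. It is written for this page and is not code from any of the cited papers; the two actions, the coarse command classes, the softmax decision rule and the payoff table (captured files per decision) are all assumptions of the example.

```python
import math
import random
from collections import defaultdict

# Hypothetical action set of the trap for each attacker command
# (an assumption of this example, not the action set of [4] or [15]).
ACTIONS = ("execute", "substitute")

# Constructed toy model of how a session reacts to the trap's decision:
# (command class, action) -> number of new malicious files the trap captures.
# The numbers are invented for illustration only.
CONSTRUCTED_PAYOFF = {
    ("recon", "execute"): 0.0,
    ("recon", "substitute"): 0.0,
    ("download", "execute"): 1.0,      # the dropper really lands on disk
    ("download", "substitute"): 0.0,   # fake tool: nothing is captured
    ("run", "execute"): 0.0,           # payload runs, nothing new captured
    ("run", "substitute"): 0.5,        # fake run: the attacker often retries
}

def classify(command: str) -> str:
    """Map a raw shell command line to a coarse command class (assumed taxonomy)."""
    first = command.strip().split()[0] if command.strip() else ""
    if first in ("wget", "curl", "scp", "ftp"):
        return "download"
    if first.startswith("./") or first in ("sh", "bash", "perl", "python"):
        return "run"
    return "recon"

class PayoffPredictor:
    """Running mean of observed payoff per (class, action). The trap picks an
    action with softmax probability over the predicted payoffs, which mirrors
    'a probability defined by a predictor of the potential payoff'."""

    def __init__(self, temperature: float = 0.25, seed: int = 1):
        self.sum = defaultdict(float)
        self.count = defaultdict(int)
        self.temperature = temperature
        self.rng = random.Random(seed)

    def estimate(self, cls: str, action: str) -> float:
        n = self.count[(cls, action)]
        return self.sum[(cls, action)] / n if n else 0.0

    def probabilities(self, cls: str) -> dict:
        # An untried action gets a bonus so that each one is sampled at least once.
        scores = [self.estimate(cls, a) + (1.0 if self.count[(cls, a)] == 0 else 0.0)
                  for a in ACTIONS]
        weights = [math.exp(s / self.temperature) for s in scores]
        total = sum(weights)
        return {a: w / total for a, w in zip(ACTIONS, weights)}

    def choose(self, cls: str) -> str:
        probs = self.probabilities(cls)
        r = self.rng.random()
        acc = 0.0
        for a in ACTIONS:
            acc += probs[a]
            if r < acc:
                return a
        return ACTIONS[-1]

    def learn(self, cls: str, action: str, payoff: float) -> None:
        self.sum[(cls, action)] += payoff
        self.count[(cls, action)] += 1

def simulate(predictor: PayoffPredictor, sessions: int, commands) -> float:
    """Replay constructed sessions through the trap; returns total files captured."""
    captured = 0.0
    for _ in range(sessions):
        for cmd in commands:
            cls = classify(cmd)
            action = predictor.choose(cls)
            payoff = CONSTRUCTED_PAYOFF[(cls, action)]
            predictor.learn(cls, action, payoff)
            captured += payoff
    return captured

# Constructed attacker session, typical of what SSH traps record.
SESSION = ["uname -a", "wget http://example.invalid/x", "chmod +x x", "./x"]

def train(sessions: int = 200) -> PayoffPredictor:
    """Train the predictor on repeated constructed sessions and return it."""
    p = PayoffPredictor()
    simulate(p, sessions, SESSION)
    return p
```

After training, the trap executes downloads (that is how files are captured) but substitutes the payload launch, because the constructed payoff table rewards that; in a real deployment the payoff would come from the trap's own capture log, and the temperature controls how much exploration remains once the estimates have settled.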
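The signaling game with incomplete information of [11] in Section III, and the pseudo-honeypot Bayesian games of [8] and [9], can be worked through numerically. The following Python example is added here and is not taken from those papers; its payoff constants and its two-signal, two-type structure are assumptions. The defender chooses how often a host of each type is made to look "real", the attacker updates its belief by Bayes' rule and attacks only when its expected payoff is positive, and the defender's best signaling rule against that best response is found by grid search.

```python
from itertools import product

# Constructed payoff parameters (assumptions of this example, not the
# numbers used in [8], [9] or [11]).
V_REAL = 10.0    # attacker's gain / defender's loss when a real host is compromised
C_TRAP = 30.0    # attacker's loss when it attacks a honeypot and is exposed
G_INTEL = 4.0    # defender's gain (captured intelligence) per attack on a honeypot
D_CAMO = 1.0     # defender's cost of camouflaging a host as the other type

def posterior_real(prior_real, p_sig_real_if_real, p_sig_real_if_trap, signal):
    """Bayes update of the attacker's belief that a host is real, given the
    observed signal ('real' or 'trap') and the defender's signaling rule."""
    like_real = p_sig_real_if_real if signal == "real" else 1.0 - p_sig_real_if_real
    like_trap = p_sig_real_if_trap if signal == "real" else 1.0 - p_sig_real_if_trap
    joint_real = prior_real * like_real
    joint_trap = (1.0 - prior_real) * like_trap
    if joint_real + joint_trap == 0.0:
        return None   # this signal is never sent: belief is off the equilibrium path
    return joint_real / (joint_real + joint_trap)

def attacker_best_response(belief_real):
    """Attack iff the expected payoff belief*V_REAL - (1-belief)*C_TRAP is positive."""
    if belief_real is None:
        return "retreat"
    expected = belief_real * V_REAL - (1.0 - belief_real) * C_TRAP
    return "attack" if expected > 0 else "retreat"

def defender_payoff(prior_real, s_real, s_trap):
    """Expected defender payoff when the attacker best-responds to the rule
    (s_real, s_trap) = P(signal 'real' | real host), P(signal 'real' | honeypot)."""
    total = 0.0
    for signal in ("real", "trap"):
        belief = posterior_real(prior_real, s_real, s_trap, signal)
        action = attacker_best_response(belief)
        # probability mass of each (type, signal) pair
        p_real_sig = prior_real * (s_real if signal == "real" else 1.0 - s_real)
        p_trap_sig = (1.0 - prior_real) * (s_trap if signal == "real" else 1.0 - s_trap)
        # camouflage is paid for honeypots shown as real and real hosts shown as traps
        cost = D_CAMO * (p_trap_sig if signal == "real" else p_real_sig)
        if action == "attack":
            total += -V_REAL * p_real_sig + G_INTEL * p_trap_sig
        total -= cost
    return total

def best_signaling_rule(prior_real, grid=21):
    """Grid search over mixed signaling rules for the defender's optimum."""
    steps = [i / (grid - 1) for i in range(grid)]
    best = max(product(steps, steps), key=lambda st: defender_payoff(prior_real, *st))
    return best, defender_payoff(prior_real, *best)
```

With these constants and a 50% prior, honest signaling (real hosts look real, honeypots look like honeypots) lets the attacker hit every real host, while camouflaging just over a third of the honeypots as real pushes the attacker's belief below its attack threshold and the only remaining cost is the camouflage itself. The grid search makes that trade-off explicit; an exact perfect Bayesian equilibrium, as proved in [11], would replace the grid with the closed-form threshold.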
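For the placement games of [7] and [13] in Section III, where the defender randomizes which nodes become honeypots or carry detectors so that the attacker cannot predict them, the following Python example, added here as a simplified model rather than the algorithms of those papers, computes the defender's minimax marginal coverage by water-filling, compares it with always protecting the most valuable nodes, and draws concrete placements that respect those marginals. The node importance values and the zero-sum payoff (the attacker gains a node's value only if it is unprotected) are assumptions of the example.

```python
import random

# Constructed importance values for a small network segment (an assumption
# of this example; the models in [7] and [13] carry richer structure).
NODE_VALUES = {"db": 10.0, "web": 6.0, "mail": 4.0, "printer": 1.0}

def coverage_probabilities(values, k, iters=200):
    """Marginal probability x_j that node j is protected by one of the k
    honeypots/detectors, minimising the attacker's best expected gain
    max_j v_j * (1 - x_j). Water-filling: x_j = max(0, 1 - lam / v_j) with the
    water level lam found by bisection so that the x_j sum to k."""
    names = list(values)
    if k >= len(names):
        return {n: 1.0 for n in names}
    if k <= 0:
        return {n: 0.0 for n in names}

    def total(lam):
        return sum(max(0.0, 1.0 - lam / values[n]) if values[n] > 0 else 0.0
                   for n in names)

    lo, hi = 0.0, max(values.values())
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if total(mid) > k:
            lo = mid
        else:
            hi = mid
    lam = (lo + hi) / 2.0
    return {n: (max(0.0, 1.0 - lam / values[n]) if values[n] > 0 else 0.0)
            for n in names}

def attacker_best_gain(values, coverage):
    """Expected gain of an attacker who knows the marginals and picks the best node."""
    return max(values[n] * (1.0 - coverage[n]) for n in values)

def deterministic_top_k(values, k):
    """Baseline: always protect the k most valuable nodes (fully predictable)."""
    ranked = sorted(values, key=values.get, reverse=True)
    return {n: (1.0 if n in ranked[:k] else 0.0) for n in values}

def sample_placement(coverage, rng):
    """Draw one concrete placement (a set of exactly k nodes) whose per-node
    frequencies equal the marginals, using systematic (comb) sampling: one
    uniform offset u, then pointers u, u+1, ..., u+k-1 over the cumulative sums."""
    names = list(coverage)
    k = round(sum(coverage.values()))
    u = rng.random()
    chosen, cum_before, j = [], 0.0, 0
    for i in range(k):
        target = u + i
        while j < len(names) - 1 and cum_before + coverage[names[j]] <= target:
            cum_before += coverage[names[j]]
            j += 1
        chosen.append(names[j])
    return set(chosen)
```

With one honeypot available, the deterministic rule protects only the database and leaves the attacker a sure gain of 6 by targeting the web node, whereas the randomized marginals equalize the attacker's expected gain on the three valuable nodes at about 3.87. Each `sample_placement` call yields the actual placement for one deployment period; because a node's marginal never exceeds 1, the comb never selects the same node twice.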