Intrusion research frequently collects data on attack techniques currently employed and their potential symptoms. This includes deploying honeypots, logging events from existing devices, employing a red team for a sample attack campaign, or simulating system activity. However, these observational studies do not clearly discern the cause-and-efect relationships between the design of the environment and the data recorded. Neglecting such relationships increases the chance of drawing biased conclusions due to unconsidered factors, such as spurious correlations between features and errors in measurement or classification. In this paper, we present the theory and empirical data on methods that aim to discover such causal relationships eficiently. Our adaptive design (AD) is inspired by the clinical trial community: a variant of a randomized control trial (RCT) to measure how a particular “treatment” afects a population. To contrast our method with observational studies and RCT, we run the first controlled and adaptive honeypot deployment study, identifying the causal relationship between an ssh vulnerability and the rate of server exploitation. We demonstrate that our AD method decreases the total time needed to run the deployment by at least 33%, while still confidently stating the impact of our change in the environment. Compared to an analogous honeypot study with a control group, our AD requests 17% fewer honeypots while collecting 19% more attack recordings than an analogous honeypot study with a control group.
CEUR ceur-ws.org
Automated cyber intrusion attacks continuously scan and probe internet-connected systems [
Intrusion datasets can be acquired from third party vendors or compiled by recording logs
from existing, simulated, or newly deployed research infrastructure [
© 2023 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
Security “a study comparing honeypots with and without a vulnerability” “our Ubuntu honeypots with our host-based sensors”
“a honeypot” “starting more honeypots with specific characteristics”
“attacker technique for exploit”
“corruption” or “the presence or insertion of a vulnerability”
“corrupted”
attacks implemented against the given systems and how to observe the attacks in the given
environment. However, even in large volumes, observational data has a high potential for bias
due to uncontrolled characteristics, including possible spurious correlations between variables
and outcomes or measurement error [
To limit potential erroneous conclusions by both statistical models and researchers, we
explore intrusion data collection with a control group: a collection of systems studied that
are not altered to compare with identical systems that have been altered. Our usage of control
groups in an experimental study draws inspiration from clinical research, one of the oldest
ifelds conducting control-based studies [
Unlike clinical trials with human patients, intrusion research aims to increase the occurrence of events of interest (i.e., intrusions or exploits). See Table 1 for some of the terminology from healthcare mapped to security as it is used to define our work. To demonstrate our intrusionfocused interventional methods, we use a honeypot, a common tool for recording intrusion data. A honeypot is an intentionally vulnerable system with covert monitoring that is used to both entice and observe attackers without their knowing [20, pg.7].
Traditional honeypot deployments - or “vanilla” deployments as we will call them in this paper - expose a large number of identical vulnerable systems for a particular (extended) length of time to collect intrusion data [21, 22, 23, 24, 25][20, pg.20-21]. While suficiently large and long-lived vanilla deployments all but guarantee observations and can summarize the general state of automated threats, they carry several risks and costs that could be unacceptable. If a meaningful quantity of identical honeypots were left online, it would provide an opportunity for adversaries to identify the presence of the employed monitoring tools. This can hinder observations (i.e., bias the data) and render the tools useless (i.e., when adversaries stop acting after detecting active monitoring or debugging tools). Additionally, large scale deployments cost time and money, which absorbs budget, and can hinder or preclude timely observations.
In this paper, we present the first control-based deployment method for honeypots to optimize resource allocation and limit honeypot exposure. Our method is used in an exemplary study to determine the impact of an ssh vulnerability on cloud servers across the United States. When compared to the vanilla deployment method with the same setup, we find that AD can determine the impact of the vulnerability in 33% of the total trial duration, while limiting the likelihood of error. and requesting 17% fewer honeypots overall. With a control group, our AD collects 19% more attack recordings than the RCT trial.
Our contributions in this work are as follows: • The first adaptive method for a control study in security, optimizing resource allocation and duration of the study based on the events seen in prior stages and error tolerance. • The first interventional study using honeypots, demonstrating the efectiveness of our adaptive method and how it helps attribution of environment changes during data collection.
Although we showcase our method with honeypot deployments, it can be used for other control studies in security applications. For example, one could study the impact of a new spam email training on the rate of spam emails being opened, or on the removal of local file inclusion access on the exploitation rate of a web application hosting other vulnerabilities. Our AD strategy uses a new interpretation of clinical trial methodologies, encouraging infections rather than preventing them mid-trial. Additionally, our study ran using automated scripts, presenting the first fully-automated experimental study. This automation and cheaper application setting enables future inventors of new clinical trial methodologies a new venue to showcase their improvements, rather than run an expensive trial with patients.
This paper is structured as follows. Section 2 reviews control studies in security and provides a brief background on the healthcare-based methods that inspired this work. We then introduce our new AD method in Section 3 while contrasting it with the vanilla and RCT methods. In Section 4, we implement our method against the vanilla and RCT methods in a exemplary honeypot deployment. We conclude and consider how the method might not behave the same in other settings in Sections 5.
An experimental study starts from a hypothesis on how a change or treatment will alter an aspect of a given environment [26]. The hypothesis is then tested, in the simplest form, by observing a control group that is unchanged and comparing it with another (ideally identical) group that is then changed. An RCT provides one of the strongest evidence on an intervention’s impact due to its random allocation of participants to treatment arms (there might be multiple treatments available) or control arm (standard care or a placebo) [27, 28]. This process removes potential bias of unaccounted factors in the environment. Participants are then observed and their outcomes recorded.
Part of the rigor of RCTs is that all aspects of the trial conduct and (interim) analysis must be documented prior to the execution of the study. This prospective approach avoids the introduction of bias from investigators and statisticians mid-trial. An important part of this planning process is the sample size calculation. Using estimates and prior knowledge of interventions, trialists (those conducting the trial) can estimate the required number of participants that must be recruited in order to detect a significant diference in outcomes between the groups [ 29]. After approximating the needs and impacts of the study, the execution of the study should be justified.
For medicine, developing the justification to go from drug discovery to licensing can take an average of over 10 years [30]; recent advances in trial methodology have been able to improve the eficiency of trials in order to reduce this time [ 31]. The conduct and methodology of a clinical trial are highly regulated because of the direct involvement of patients [28]. However, this is not often a barrier to research in cyber security.
Security has several advantages in running experimental studies. Digital infrastructure is cheap with the advancement of cloud technologies [32]. Our honeypot study could have cost up to $2,000USD with 600 participants, compared to the millions of USD required in drug testing [33]. Digital resources can also be exactly copied as many times as needed, whereas biological studies must make strong assumptions about the similarity between patients. Security experimental studies can be quicker to complete if they consider the attacks that occur at a higher frequency and pace of development than a biological infection or disease.
In this section, we review previous experimental studies in security settings that consider or run control groups. We finish this section by briefly highlighting the other techniques developed to improve the classic experimental design that have spawned from the constrained medical setting.
Our work is not the first to apply clinical methodology within security; prior works focus on the
interaction of security and users of digital systems. For example, Simoiu et al. [
Few experimental studies have been published without humans in cyber security. Bošnjak
et al. [
These studies indicate a major challenge in security experimental studies: the need for humaninterpretable interventions. Recording data in medical settings is relatively straightforward, e.g., heartbeats per minute or body temperature indicating there is a fever. Understanding how these indicate a particular disease is also fairly intuitive. But translating host-based logs to indications of unwanted activity in a system is immensely dificult, let alone stating the type of unwanted activity. Thus, mapping “symptoms” from sensor logs can be dificult unless we control our human-level interventions.
Randomization limits the impact of unknown external factors in influencing a participant’s
chance of receiving a treatment, we therefore expect the baseline characteristics of participants
to be similar between studied groups. If there is a concern about some baseline characteristics
that may be prognostic, then we can stratify randomization based on these variables without
loss of statistical strength [
Traditional RCTs are known for their rigor and complete pre-specification of procedure. A
common adaptation to an RCT is the inclusion of stopping rules for eficacy, safety, or futility [
Contemporary approaches to running RCTs aim to make the process of evaluating an intervention faster and more eficient [ 31]. As mentioned, we implement one such method, adaptive design (AD). The principle of AD is that it permits certain aspects of a study to be modified intermittently based on available evidence.
Interim data used to inform stopping decisions can also be used to inform an updated sample
size calculation, or even to update randomization allocation proportions [19]. A well-known
example of this is the REMAP-CAP study, which has many treatments available across multiple
domains for treating community acquired pneumonia, including severe COVID-19, in intensive
care unit settings [
In this section, we define our methods for interventional data collection in security applications. This setting typically studies adversarial efects, i.e., encouraging intrusions as data are collected. We call the change or treatment (e.g., a drug or surgical procedure) made to a population a corruption1. We shall now enumerate the key terms to document prior to executing a study as we define our AD method.
The population considered in the experiment is assumed to be a device or contained system that is or is not corrupted. Deploying a copy of these devices or systems is the same as recruiting a patient into a study. The goal of the study is to achieve a set of objectives, evident from observing a particular event of interest. One can identify an event of interest through the recorded logs on the population; these events should be clear evidence that the corruption caused some change in system behavior. For example, if the corruption is a new login website and we are interested in its efect on attempted SQL injections, then events of interest should be a record of when an SQL injection occurs.
The objectives of our methods are always two fold:
2. Maximize the recording of events of interest.
Returning to the SQL injection example, if we wanted to collect a diverse range of attacks rather than automated repeated uses of the same attack, the events of interest could be only recorded if not seen prior.
Before recording events and running the study, it is crucial to accurately define endpoints to anticipate possible errors or miscalculations. Similar to clinical trials, we recommend setting an endpoint bounding the trial resources by the given budget. We also recommend stopping the trial early if the adaptive design tries to deploy a group that is too small. If this occurs in the early stages of the trial, it can indicate the rates of allocation have converged to nothing conclusive. This should be followed with a manual review by human experts. While it might seem inconsequential, it is good practice to list obvious endpoints. This might include recording an unexpected exploit technique or an overwhelming number of exploits that break data collection infrastructure. All of these details must be defined prior to the study execution to maintain the robustness of the trial.
In this section, we review each method for comparison to our AD before using them in a honeypot study (Section 4). The pseudo code for the traditional observational study (vanilla), RCT, and our AD are presented in Methods 1, 2, and 3, respectively. See Appendix A for the definitions of the functions. The highlighting indicates the similar lines between the algorithms. Notably, the RCT and AD trials are split into stages with early stopping - shown as the loops on line 2 in both Methods 2 and 3, highlighted in pink. Each stage deploys some proportion of control and corrupted systems, waits for the stage duration, saves the logs, cleans up the deployment and reviews the logs from the stage to see if an endpoint condition has been reached. The diference between the standard RCT and our AD is what occurs during the interim update. 1We chose corruption to remove the benevolent intentions frequently afiliated with “treatment” from healthcare settings. A reminder that the translations for other clinical trial terms can be found in Table 1. Method 1 Vanilla Observational Study Input: Budget , Trial Duration (in hours) Ensure: , > 0 1: = GetNumToDeploy(, ) 2: /* Start Trial */ 3: Deploy(control = 0, corrupted = ) 4: Wait() 5: = SaveLogs() 6: CleanUp()
Input: Budget , alpha , beta , Number of Stages ,
Stage duration (hours), proportions of interesting events happening in control 1, proportions of interesting events happening in corrupted 2 Ensure: , , > 0 ; 0.0 < , < 1.0 1: 1, 2 = PowerAnalysis( 1, 2, , ) 2: for = 0; < ; +=1 do 3: /* Start Stage of Trial: 1 == 2 */ 4: Deploy(control = 1, corrupted = 2) 5: Wait() 6: = SaveLogs() 7: CleanUp() 8: total+ = 1 + 2 9: if isEarlyStop(, , total) then 10: = 11: end if 12: end for
The vanilla deployment (Method 1) takes a given budget and the maximum trial duration2 to determine the maximum number of devices that can be observed within this study - noted as GetNumToDeploy( , ) on line 1. Then altered devices are then deployed for observation during the “trial”; no control devices are present.
In contrast, the RCT (Method 2) and AD (Method 3) account for the risk of error into
selecting how many devices to study using power analysis3. We pass four parameters into
the power analysis equation from HECT [
total number total of devices needed to deploy in each stage. We equally split this value for RCT and the initial stage of AD. After the first stage of AD, we use the updated rates from the prior stage to weight the split of total, adapting the allocation of resources mid-trial.
Based on the responses seen in the previous stage within an AD trial, trialists can use interim analysis to make pre-defined changes that will not invalidate or weaken the power of a study. Our AD updates the next population counts for control and corrupted. To not risk weakening the power of our study, we apply this update indirectly between stages through the assumed rates of incidence ( 1 and 2).
From the logs we have a complete view into the events of interest for the study. Our AD
method assumes that each participant will have at most one event of interest before terminating
the system, removing it from the trial. In the case of honeypots, this would be to protect the
honeypot from becoming a launchpad or providing free resources to attackers. To calculate the
likelihood of an event of interest occurring, i.e., the rate of incidence within a group, we use a
Kaplan-Meier (KM) Function, a popular approach for survival analysis within healthcare
applications[
During a stage, the KM function is updates the likelihood upon every event of interest recorded. At = 0 , all participants are at risk and () = 1 . The remaining time steps update following this: where is the current number of participants at risk and +1 is the number of participants that have seen events of interest since . The diference ( − +1 ) is not always one. If we know exactly when all participants see an event of interest, the KM function is calculated when an infection is recorded. In trials without this ability, a time interval must be set to check with the participants (e.g., every hour or half-hour) to collect data and see if an event has been recorded.
We demonstrate the capabilities of our AD for intrusion data collection in a sample study using
honeypots. Our method can be applied in other intrusion data collections, but we chose one
to illustrate its specific capabilities. In this study we analyze the risk of an ssh vulnerability
within misconfigured cloud servers. This scenario is based on the BETH dataset used as a pilot
study for our trials [
This study includes Methods 1, 2, and 3 in separate trials, each attempting to collect evidence of the corruption’s impact. Our budget restricts each trial to a maximum of 200 honeypots (approximately $650USD) over 12 hours. As recommended in Section 3, this threshold is noted as the first of our early stopping criteria. Based on the pilot study, we assume an initial rate of incidence in the control to be 0.01 and in the corrupted to be 0.4. We ensure the study only considers strong evidence by limiting the chance of error4, setting = 0.05 and = 0.10 . The remaining details for our honeypot studies are summarized in our Study Synopsis (Section 4.1). We then review the results of the study in Section 4.2.
Following the guidance issued for clinical trials [
Endpoints : (a) The maximum number of honeypots that can be recruited into the study is 200.
(b) The total number of honeypots allocated in the corruption group is below 10 (indicating
the event of interest is not recorded frequently enough to study in this duration) (c) The
number of honeypots allocated is identical to the last stage of the AD trial, indicating
strong evidence has been collected regarding the current rates of incidence.
Study Population : Cloud-based honeypots monitored with a kernel-level sensor recording all
create, clone, and kill system calls. Each honeypot runs with 1 vCPU, 32GB memory, and
Ubuntu 20.04. There are no additional programs or fake activity and no active connection
between honeypots. They are all hosted by the same large-scale cloud provider within
the U.S. that instantiates identical servers with unique, randomly assigned IP addresses
upon request. The IP address ranges are based on the requested region; our study only
considers four regions within the U.S.: east-1, east-2, west-1, and west-2.
Study Corruption and Control : The corruption is an ssh vulnerability that accepts any
password for four fake user accounts mimicking IT support accounts on industrial
infrastructure: user, administrator, serv, and support. This corruption is an exaggerated
version of a common misconfiguration seen in cloud servers [
Event of Interest : We record an event when a user login is seen in one of the four user accounts. Because we never login or generate fake calls to login, any user login seen is considered malicious.
Measuring Corruption Efect : This study assumes a binary state model to describe each honeypot as whether an intrusion has or has not occurred. The state of the honeypot is 4It is generally accepted in healthcare settings to set = 0.05 and power = 80% (meaning = 0.2 ). We assume a power of 90% ( = 10% ) because we know there is a large diference between the control and the corrupted. determined by real-time monitoring of the logs to deal with ethical issues that may arise from purposefully exposing compute to adversaries. An exploit is assumed to not have occurred until this event is seen.
To prevent providing free resources to the attacker or opportunities to launch further attacks, we terminate the instances upon recording an event of interest. Although this limits the data we acquire from the study, it satisfies our objectives in recording events of interest. This can be re-evaluated in alternative studies based on new objectives.
Each honeypot functions independently with no communication between the honeypots in the same trial. Their logs are aggregated on a central queuing system within their region (for their trial) and downloaded before termination. Because we use kernel-level sensors, our implementation can be easily extended for other objectives and vulnerabilities.
The total number of honeypots deployed and attacks recorded is shown in Table 2. As expected, the AD trial deployed the fewest honeypots overall while recording more attacks than RCT. The AD trial recorded around 36% of the total attacks seen in the vanilla trial, which saw the highest number of intrusions. This is because the vanilla trial did not deploy any control honeypots, which had a small rate of incidence. However, by not including a control group, it does not account for potential bias in the corruption implementation, preventing it from confidently identifying the causal relationship of the corruption’s efect. Even so, the data collected could still be used with the rigorous documentation stating the assumptions made in the study. This (a) RCT by Region (b) RCT by Stage enables other researchers to review it independently and determine if the study’s findings are relevant for their environments.
From the trials with a control group, it is clear that the corruption causes an increase in exploitation rate. As can be seen in the trial summary in Table 3, more control honeypots were exploited than expected in the AD trial, causing a disparity between our initial assumption ( 1 = 1%) and the results from the first stage (marginalized 1 = 15%). This caused our AD method to reallocate resources, requesting more honeypots to accommodate for error in the initial assumptions without triggering an endpoint or requiring the study to be reevaluated. After the second stage of the AD trial concluded with no exploits in the control group, the control arm was dropped, confirming that the corruption led to more infections.
We could have ended the AD trial after the first stage (saving 66% of the trial’s budget) if Endpoint (b) included the control group in the group size minimum. This was not done because of the second objective to collect intrusion data. Even with the larger request in stage two, the AD trial requested fewer honeypots than both the vanilla trial and the RCT. The stages within the trial also limited the time a honeypot was online, preventing adversaries for extended time to develop a signature for our trap.
Although there was an exponential rate of exploit across the trials, we noticed signs of instability in the four-hour stages, where some regions were observed to have diferent exploitation rates. This was especially apparent by comparing their respective survival curves by the regions and stages within the RCT trial, shown in Figure 1a and Figure 1b. Around 60-120 minutes into the stage, the rate of infection in the regions diverges as though us-west-1 was hit first, then us-east-2, us-west-2, and us-east-1, respectively. From the IP addresses of the hosts, there is no obvious indication of sequential IP scanning. This instability is another result of this study so future work can note the impact of smaller time windows. Because this was unanticipated at the start of this study and not a prior listed early stopping criterion, future work will include it to provide an opportunity for the trialists to discuss whether the trial should continue.
Our work is the first to apply an adaptive experimental study in intrusion data collection and discuss the benefits of collecting counterfactual information with a control group. We provide general details on running an experimental study with necessary factors to document prior to conducting the study. Our AD method extends this by optimizing resource allocation based on events seen at every stage, ensuring the statistical confidence through power analysis based on updated exploitation likelihoods with the assumption that an event only occurs once per participant. Because the interventional data collected contains true relations between features known through experimentation, future statistical models trained with this data are given higher confidence in learning general trends. This method is especially applicable for security studies seeking to identify causal relations between a corruption and automated attacks in the wild.
We then implemented our method in a honeypot study, confirming that the corruption (an ssh vulnerability) increased the infection rate of misconfigured cloud servers. This study also found that while recording more intrusions in observational studies (i.e., in the vanilla trial), the presence of the control group (as in RCT and AD) enables us to identify the corruption efect. Our AD shows it is capable of confirming corruption efect than RCT, requiring only 33% of the total trial duration to conclude corruption efect and using 17% fewer honeypots to see 19% more attacks. Prior to conducting the study, we knew the corruption would increase infection rate because attackers were provided more options for password entry, including the control’s “password” for the same user accounts. Had the diference due to the corruption been less apparent (e.g., in altering multiple points of entry or limiting sequences of vulnerability exploits), our study would have taken more time and resources to collect evidence.
Future work should consider implementing multiple vulnerabilities to study the interaction
of corruptions. For example, one could add vulnerable applications within the honeypots to
either study the scanning and exploit of multiple existing programs or tracing the sequence of
exploits from the ssh vulnerability to a vulnerable application. This would require introducing
a new methodology that can simultaneously consider multiple treatment arms, such as
REMAPCAP [
Thanks to our reviewers and colleagues for their feedback. We also thank the AI for Cyber Defence leads and causal colleagues at The Alan Turing Institute, whose interest in our work was great encouragement. Finally, thank you to the CAMLIS organizers for running a fantastic conference this year, providing a platform for many researchers to provide excited and honest feedback on our work. [17] C. van Werkhoven, S. Harbarth, M. Bonten, Adaptive designs in clinical trials in critically ill patients: principles, advantages and pitfalls, Intensive Care Medicine 45 (2019) 678–682. [18] N. Stallard, L. Hampson, N. Benda, W. Brannath, T. Burnett, T. Friede, P. K. Kimani, F. Koenig, J. Krisam, P. Mozgunov, et al., Eficient adaptive designs for clinical trials of interventions for covid-19, Statistics in Biopharmaceutical Research 12 (2020) 483–497. [19] P. Pallmann, A. W. Bedding, B. Choodari-Oskooei, M. Dimairo, L. Flight, L. V. Hampson, J. Holmes, A. P. Mander, L. Odondi, M. R. Sydes, et al., Adaptive designs in clinical trials: why use them, and how to run and report them, BMC medicine 16 (2018) 1–15. [20] N. Provos, T. Holz, Virtual honeypots: from botnet tracking to intrusion detection, Pearson
Education, 2007. [21] V. Nicomette, M. Kaâniche, E. Alata, M. Herrb, Set-up and deployment of a high-interaction honeypot: experiment and lessons learned, Journal in computer virology 7 (2011) 143–157. [22] E. Alata, V. Nicomette, M. Kaâniche, M. Dacier, M. Herrb, Lessons learned from the deployment of a high-interaction honeypot, in: 2006 Sixth European Dependable Computing Conference, IEEE, 2006, pp. 39–46. [23] S. K. Brew, E. Ahene, Threat landscape across multiple cloud service providers using honeypots as an attack source, in: Frontiers in Cyber Security: 5th International Conference, FCS 2022, Kumasi, Ghana, December 13–15, 2022, Proceedings, Springer, 2022, pp. 163–179. [24] S. Machmeier, Honeypot implementation in a cloud environment, arXiv preprint arXiv:2301.00710 (2023). [25] C. Kelly, N. Pitropakis, A. Mylonas, S. McKeown, W. J. Buchanan, A comparative analysis of honeypots on diferent cloud platforms, Sensors 21 (2021) 2433. [26] S. Peisert, M. Bishop, How to design computer security experiments, in: L. Futcher, R. Dodge (Eds.), Fifth World Conference on Information Security Education, Springer US, New York, NY, 2007, pp. 141–148. [27] O. for Health Improvement, Disparities, Randomised controlled trial: comparative studies, GOV.UK (2021). URL: https://www.gov.uk/guidance/ randomised-controlled-trial-comparative-studies. [28] E. Hariton, J. J. Locascio, Randomised controlled trials—the gold standard for efectiveness research, BJOG: an international journal of obstetrics and gynaecology 125 (2018) 1716. [29] K. Gupta, J. Attri, A. Singh, H. Kaur, G. Kaur, et al., Basic concepts for sample size calculation: critical step for any clinical trials!, Saudi journal of anaesthesia 10 (2016) 328. [30] G. A. Van Norman, Drugs, devices, and the fda: Part 1: An overview of approval processes for drugs, JACC: Basic to Translational Science 1 (2016) 170–179. URL: https://www.sciencedirect.com/science/article/pii/S2452302X1600036X. doi:https://doi. org/10.1016/j.jacbts.2016.03.002. [31] J. Wason, Improving the eficiency of clinical trials with adaptive designs, Research Design Service Blog (2019). URL: https://www.rdsblog.org.uk/ improving-the-efficiency-of-clinical-trials-with-adaptive-designs. [32] B. Franklin, The digital forecast: 40-plus cloud computing stats and trends to know in 2023, Google Cloud (2023). URL: https://cloud.google.com/blog/transform/ top-cloud-computing-trends-facts-statistics-2023. [33] L. Martin, M. Hutchens, C. Hawkins, A. Radnov, How much do clinical trails cost?, Nature
Deploy(control= 1, corrupted= 2): Given the number of devices to observe in each group of the study ( 1 control devices and 2 corrupted devices), deploy them and record logs from all devices in a centralized location.
Wait( ): Wait the length of time specified by .
L = SaveLogs(): Fetch logs and return them to be stored in variable
CleanUp(): Shut down devices and clean up any infrastructure not kept at the end of the trial or stage.
GetNumToDeploy( , ): Given budget and the maximum trial duration , it returns the maximum number of devices that can be observed within this study.
isEarlyStop(L): Given the logs collected from the last stage, determine if the pre-specified early stopping conditions have been met and the trial must immediately terminate.
PowerAnalysis( 1, 2, , ): See Section A.1
SurvivalAnalysis(L): See Section A.2
We denote the trial as robust when it follows a strict calculation of the sample size to be deployed
accounts for type I and type II error in the data. For this paper, we follow the equation from
HECT [
The inverse (1 − ) is known as the power of the study. In this study,6 we assume a power of 90% ( = 10% ) because we know there is a large diference between the control and the corrupted.
In the medical adaptive design, the KM-provided likelihoods would directly form the new 1 and 2. This would encourage the model to decrease the number of death events seen within the trial, which would make sense in a healthcare setting. However, we wish to increase the number of death events seen so we invert the likelihoods from the KM, which we call the risk rates (RRs). The RRs are marginalised and passed to Equation 2 to get our new . Unlike the RCT allocation of honeypots (equally splitting between control and corrupted), AD uses the RRs to weight the allocation so regions and corruption assignment with higher RR are given more honeypots in the following stage. This is repeated at every interim analysis for the duration of the trial.
We assume in our AD study that each participant will have at most one event of interest before
terminating the system, protecting it from becoming a launchpad or providing free resources
to attackers. The events of interest are parsed out and passed to a survival function which
calculates the likelihood of surviving, i.e., for a system to not see the event of interest. We chose
to use a Kaplan-Meier (KM) Function, a popular approach for survival analysis [
6Generally accepted in clinical studies as = 80%
which means = 20% . +1 is the current number of participants at risk +1 is the number of participants that have seen events of interest since If we have full information on when all participants within the study see an event of interest, the KM function is calculated when an infection is recorded. In clinical trials without full information on their patients, a time interval is set to check in with the patient (e.g. every month or year) to collect data and see if they are alive.