Horus: a Sojourn-Centric Dynamic Honeypot

Kyle Hoffpauir, Nathan Markle, Dr. Jason Pittman, Department of Computer Science, High Point University, 1 N University Pkwy, High Point, NC 27268

Honeypots are a deceptive technology used to trap and capture malicious computing activity. The technology allows researchers and practitioners to study attacker behavior, tools, and techniques so that new defenses can be constructed for computing systems. Existing research reveals a rich history of over three decades in which honeypot technology has evolved from single computers exposed to the internet to advanced machine learning algorithms running against virtualized computing systems. One common thread throughout the literature is how the usefulness of a honeypot is defined, in part, by its ability to fool attackers long enough for meaningful data to be collected. In simple terms, a honeypot is more effective the better it entices an attacker to continue interacting with it. Previously, we identified this concept of sojourn time as a critical honeypot feature, capable of asserting effectiveness when measured. Further, we observed a problem insofar as existing dynamic honeypots are not constructed with features explicitly designed to maximize the duration of interaction. Accordingly, the purpose of this work is to describe the theoretical framework for a dynamic honeypot architecture designed to amplify sojourn time. Employing a grounded theory methodology, we first extracted artifacts relevant to sojourn time from existing literature. These artifacts were coded into a progressive literature search and analysis loop until best practices emerged. Based on those best practices, we devised a feature to load attackers into a honeypot infrastructure which dynamically expands laterally. The lateral expansion is induced when the attacker attempts to locate another system on the same network and results in additional honeypots spawning into position for the attacker to pivot into. The effect is intended to function similarly to a fun-house full of mirrors, trapping attackers in a hall of illusions and thus increasing sojourn time.

Additional Abstract Information

Presenters: Kyle Hoffpauir, Nathan Markle

Institution: High Point University

Type: Poster

Subject: Computer Science

Status: Approved

Time and Location

Session: Poster 5
Date/Time: Tue 12:30pm-1:30pm
Session Number: 4001