dc.description.abstract | Due to the increase in information security incidents in recent years, defense measures have been developed in full swing. The honeypot is one of the most common defense mechanisms: it diverts the attacker's attention and collects information about the attacker. In addition to the various types of commercial honeypots, open-source honeypots are also an option for users. Honeypots with more interaction are harder for an attacker to identify, but resource usage grows with the level of interaction, and this cost affects users' willingness to deploy high interaction honeypots. How to reduce the cost of high interaction honeypots is therefore an important issue.
This paper proposes a new hybrid honeypot deployment called Transformation And Natural Semblance Honeypots (TransPot), which reduces the memory consumed by the high interaction honeypot by decreasing its deployment time. The framework uses two types of interactive honeypots: a Low Interaction Honeypot and a High Interaction Honeypot. Since the Low Interaction Honeypot requires fewer resources, it is primarily used during system idle time, and the High Interaction Honeypot is deployed only when necessary, minimizing the overall average resource usage of the system.
In addition, the framework uses and compares multiple traffic classification models based on machine learning algorithms to classify the traffic received by the honeypots. Based on the results of the traffic classification model, two transformation modes are proposed: Dynamic Switch and Predict Switch. The former aims to minimize the deployment time of the High Interaction Honeypot, while the latter predicts which honeypot to run in the subsequent time period by using a Moving Average to calculate the trend of traffic changes. By making predictions in advance, the delay or connection interruption caused by honeypot transitions is reduced, thus decreasing the likelihood of attackers identifying the honeypots. Deployed in a Kubernetes environment, the framework not only reduces the resource consumption of honeypot deployment itself but also decreases the dependence on the environment, increasing portability and enabling easy replacement of the honeypot framework.
Experimental results demonstrate that this architecture effectively reduces the size of honeypot deployments. Low Interaction Honeypot deployment can reduce memory usage by approximately 57.59%, while High Interaction Honeypot deployment can reduce memory usage by approximately 36.37%. The binary classification models built using various machine learning methods achieve a maximum accuracy of 100%, confirming their effectiveness in distinguishing traffic generated by common scanning tools. Furthermore, the introduced Dynamic Switch mechanism can save unnecessary deployment time of the High Interaction Honeypot based on the network's traffic conditions and parameter adjustments. In the proposed Predict Switch mechanism, the TEMA and CMA Moving Average lines are shown to identify potential traffic growth trends. This paper demonstrates the feasibility of deploying hybrid honeypots in a microservices environment, making the most efficient use of memory, and presents relevant transformation methods and strategies | en_US |
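The Predict Switch idea described in the abstract, as an added example (not the thesis's own code): per-interval honeypot connection counts are smoothed with the two moving averages the abstract names, TEMA and CMA, and the framework decides which honeypot to run in the next interval. The crossover rule (TEMA above CMA means traffic is growing, so pre-deploy the High Interaction Honeypot), the period of 3 and the sample counts are assumptions made for the example.

```python
"""Predict Switch style trend detection over honeypot traffic counts.

Added example; not code from the TransPot thesis. The switch rule
(TEMA > CMA => growing traffic => run the High Interaction Honeypot)
is an assumption for illustration, as are the sample counts below.
"""


def ema(values, period):
    """Exponential moving average, seeded with the first sample."""
    alpha = 2.0 / (period + 1)
    out, prev = [], None
    for v in values:
        prev = v if prev is None else alpha * v + (1 - alpha) * prev
        out.append(prev)
    return out


def tema(values, period):
    """Triple exponential moving average: 3*EMA1 - 3*EMA2 + EMA3.
    It lags far less than a plain EMA, so a rise shows up quickly."""
    e1 = ema(values, period)
    e2 = ema(e1, period)
    e3 = ema(e2, period)
    return [3 * a - 3 * b + c for a, b, c in zip(e1, e2, e3)]


def cma(values):
    """Cumulative moving average: the running mean of all samples so far,
    used as the long-term baseline of the honeypot's traffic."""
    out, total = [], 0.0
    for i, v in enumerate(values, 1):
        total += v
        out.append(total / i)
    return out


def predict_switch(counts, period=3):
    """Return, per interval, which honeypot to run in the NEXT interval:
    'high' while TEMA is above the CMA baseline (growth trend), else 'low'."""
    fast, base = tema(counts, period), cma(counts)
    return ["high" if f > b else "low" for f, b in zip(fast, base)]


# Constructed sample: new connections per interval seen by the low
# interaction honeypot; quiet baseline followed by a scan-like ramp.
SAMPLE_COUNTS = [2, 2, 2, 2, 2, 2, 10, 20, 30, 40]


def first_switch_interval(counts, period=3):
    """Index of the first interval whose prediction is 'high' (None if never)."""
    decisions = predict_switch(counts, period)
    return decisions.index("high") if "high" in decisions else None
```

On the sample, the first six quiet intervals keep the Low Interaction Honeypot, and the ramp starting at interval 6 flips the prediction to the High Interaction Honeypot before the peak arrives.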