Journal Neurocomputers, No. 3, 2020
Article in issue:
Anticlassification algorithm for targeted computer attack detection in web-oriented honeypot
Type of article: scientific article
DOI: 10.18127/j19998554-202003-01
UDC: 004.492.3
Authors:

A.S. Vishnevsky – Post-graduate Student, Information Security Department, Faculty of Informatics and Control Systems, Bauman Moscow State Technical University

E-mail: andrey.s.vishnevsky@gmail.com

P.G. Klyucharev – Ph.D. (Tech.), Associate Professor, Information Security Department, Faculty of Informatics and Control Systems, Bauman Moscow State Technical University

E-mail: pk.iu8@yandex.ru

Abstract:

The purpose of the article is to develop a honeypot behavior algorithm that disguises the honeypot as a real information resource and determines whether an adversary is attacking a specific person, an organization or a larger community. Honeypots are information resources designed to collect information about computer attacks. To avoid honeypots, adversaries probe information resources before attacking, using various methods including behavioral approaches and interaction with the targeted websites. Therefore, modern honeypots simulate the behavior of real information resources in order to hold the attacker's attention as long as possible and to monitor the techniques and tools of the invader.

In the proposed approach we simulate the behavior of an adversary who collects data using open source intelligence techniques. The simulated adversary interacts with our prototype of a web-oriented honeypot, which recognizes the target of the attack. The model includes the most essential features of a real attacker: various types of possible targets, an iterative approach to gathering open source data, and awareness of the existence of honeypots.

The proposed honeypot prototype generates webpages with fictional contacts as decoys. These decoys are changed by the honeypot during the attack. The honeypot behaves according to the designed anticlassification algorithm, which changes the classification of the decoys that the attacker arrives at from right to wrong. The proposed anticlassification algorithm includes two stages. In the first stage the honeypot creates decoys to attract the attacker. In the second stage the deception system leads the adversary to new decoys similar to the first decoy contacted. The goal of the second stage is to recognize which features characterize the target of the attacker, that is, to check whether they belong to a specific community, a defined organization or a country.

The change in decoy classification is shown by simulating the behavior of the attacker and of the honeypot. Models of the adversary and of the honeypot based on the anticlassification algorithm are implemented in the Python programming language. The mathematical models of the adversary, which imitate the open source intelligence approach to gathering information about the victims, use neural networks, a support vector machine, the k-nearest neighbors model or logistic regression to decide whether to start an attack.

The main conclusion is that the proposed honeypot can lead an attacker who uses open source intelligence techniques to decoys that were not of interest at the beginning of the attack. This approach is useful for protecting against attackers who use automation and machine learning for gathering information about victims and for target selection.
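As an added illustration (not the authors' code), the two-stage anticlassification idea from the abstract as a toy simulation: stage one exposes a pool of decoys and records the first one a simulated OSINT attacker contacts; stage two generates new decoys that keep one feature of that decoy and change the rest, so the feature whose preservation alone still attracts the attacker is reported as characterizing the target. The feature names, the sample values and the single-feature attacker model are assumptions.

```python
# Toy simulation of the two-stage anticlassification idea from the abstract.
# Constructed illustration, not the authors' implementation: the feature names,
# the sample values and the single-feature attacker model are assumptions.

FEATURES = ("organization", "country", "community")

# Values the honeypot can substitute into a decoy (constructed sample data).
ALTERNATIVES = {
    "organization": ["Acme Bank", "Globex Ltd", "Initech"],
    "country": ["RU", "DE", "BR"],
    "community": ["fintech", "academia", "healthcare"],
}

# Initial decoy pool published by the honeypot (constructed sample data).
SAMPLE_POOL = [
    {"organization": "Acme Bank", "country": "RU", "community": "fintech"},
    {"organization": "Initech", "country": "DE", "community": "academia"},
    {"organization": "Globex Ltd", "country": "BR", "community": "healthcare"},
]

def simulated_attacker(target_feature, target_value):
    """Simulated OSINT attacker: contacts a decoy only when the one feature it
    selects targets by has the value it is looking for (assumed attacker model)."""
    return lambda decoy: decoy[target_feature] == target_value

def stage_one(decoy_pool, attacker):
    """Stage 1: expose the pool and return the first decoy the attacker contacts,
    or None if nothing attracted it (no targeted attack observed)."""
    return next((d for d in decoy_pool if attacker(d)), None)

def probe_decoy(contacted, keep_feature):
    """Build a new decoy that keeps one feature of the contacted decoy and
    changes every other feature to a different value."""
    return {f: contacted[f] if f == keep_feature
            else next(v for v in ALTERNATIVES[f] if v != contacted[f])
            for f in FEATURES}

def stage_two(contacted, attacker):
    """Stage 2: lead the attacker onto decoys similar to the contacted one, one
    preserved feature at a time; features whose preservation alone still
    attracts the attacker are reported as characterizing the target."""
    return [f for f in FEATURES if attacker(probe_decoy(contacted, f))]

def detect_target(decoy_pool, attacker):
    """Run both stages; returns None when the attacker never engaged."""
    contacted = stage_one(decoy_pool, attacker)
    return None if contacted is None else stage_two(contacted, attacker)
```

Running `detect_target(SAMPLE_POOL, simulated_attacker("country", "DE"))` reports `["country"]`: the attacker kept following decoys that preserved the country while organization and community changed.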

Pages: 5-17
For citation

Vishnevsky A.S., Klyucharev P.G. Anticlassification algorithm for targeted computer attack detection in web-oriented honeypot. Neurocomputers. 2020. V. 22. № 3. P. 5–17. DOI: 10.18127/j19998554-202003-01

Date of receipt: 17 March 2020