Gotta catch 'em all: a Multistage Framework for honeypot fingerprinting

Srinivasa, Shreyas; Pedersen, Jens Myrup; Vasilomanolakis, Emmanouil

doi:10.48550/arxiv.2109.10652

Cited by 1 publication

(2 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In another work by Srinivasa et al, a framework for fingerprinting different honeypots is proposed. The utilized techniques include so-called probe-based fingerprinting (such as port-scans or banner-checks), and metascan-based fingerprinting (e.g., using data from the Shodan API) [22].…”

Section: Honeypot Fingerprintingmentioning

confidence: 99%

See 1 more Smart Citation

Honeysweeper: Towards Stealthy Honeytoken Fingerprinting Techniques

et al. 2022

View full text Add to dashboard Cite

The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deceptionbased defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

show abstract

Section: Honeypot Fingerprintingmentioning

confidence: 99%

“…As the name implies, interaction refers to how much capabilities are offered to the adversary. The process of discovering the existence of a honeypot in a system is known as honeypot fingerprinting [26,22]. The drawback of many honeypots is that their emulation of systems/protocols exposes some artifacts that attackers can detect.…”

Section: Introductionmentioning

confidence: 99%