Towards Building a Scalable and Believable Hybrid Honeypot Framework






A honeypot is an effective tool for learning new attack vectors and strategies from attackers or malware, and it has been adopted and deployed in production systems. Meanwhile, the distributed hybrid honeypot system has emerged as a new trend that achieves better scalability by improving the deployment, management, and security of honeypot systems. In practice, attackers are always well motivated to detect whether the victim machine is a honeypot. A lack of real network activity, the absence of believable user activity, and network context inconsistency during exploitation are the main indicators that reveal a honeypot to attackers. In response to these challenges, this dissertation explores how to construct distributed hybrid honeypot systems that improve both scalability and believability.

In the first work, we develop a hybrid webshell honeypot framework called HoneyBog to monitor and analyze webshell-based command injection. It intercepts malicious injected commands at the front-end honeypot and redirects them to a high-fidelity back-end honeypot for execution. HoneyBog gains two advantages from this client-server honeypot architecture. First, since the webshell-injected commands are transferred from the compromised web server to a remote constrained execution environment, we prevent the attacker from launching further attacks inside the protected network. Second, it facilitates centralized management of high-fidelity honeypots for remote honeypot service providers. Moreover, we increase the system fidelity of HoneyBog by synchronizing the website files between the front-end and back-end honeypots.

In the second work, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique, network context cross-checking (NC3), which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that attackers may leverage to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework that defends against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine.

In the third work, we design an emulation-based system called UBER to enhance malware analysis sandboxes. The core idea is to generate realistic system artifacts based on automatically derived user profile models. We solve two major challenges. First, we generate authentic system artifacts continuously to emulate real-user behavior. Second, we integrate the generated artifacts stealthily to hide any trace of the emulation.

In the fourth work, we propose HoneyMustard, a real-time application-level user behavior emulation framework that enhances the fidelity of the honeypot. HoneyMustard leverages computer vision techniques to emulate GUI-based user activities in the honeypot via a remote desktop connection, achieving both the believable and the stealthy design goals. The emulated user activities are generated from user operations collected from real user activity or from application user manuals, which ensures that attackers observe logical and believable activity at the application level. Since attackers can only observe a remote desktop connection during the emulation, HoneyMustard can conceal the emulator as a normal service and achieve real-time emulation without being detected.
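The client-server split described for HoneyBog (capture at the exposed front-end, execute in a constrained remote back-end, and keep the website files in sync) can be modelled in a few dozen lines. The following is an added illustration written for this page, not HoneyBog's own code: the class and function names (`FrontEndHoneypot`, `BackEndHoneypot`, `sync_site_files`) are hypothetical, the "back-end" is a toy emulated shell over an in-memory file tree rather than a real high-interaction host, and the website files and attacker address are constructed sample data. The point it demonstrates is that attacker input never executes on the front-end, and that the back-end answers from a mirror of the same files so the attacker sees a consistent site.

```python
"""Toy model of a hybrid webshell honeypot with front-end redirection and file sync.

Hypothetical names and constructed data; not HoneyBog's implementation.
"""
from __future__ import annotations

import hashlib
import json
import shlex
from dataclasses import dataclass, field


@dataclass
class BackEndHoneypot:
    """Remote, constrained side: holds the mirrored site files and runs commands.

    Here a small emulated shell stands in for a real high-interaction host so the
    example runs offline; nothing is passed to the host operating system.
    """
    site_files: dict[str, str] = field(default_factory=dict)
    log: list[dict] = field(default_factory=list)

    def execute(self, request: dict) -> str:
        """Record one redirected request and return the emulated command output."""
        self.log.append(request)
        try:
            argv = shlex.split(request["cmd"])
        except ValueError:
            return "sh: syntax error\n"
        if not argv:
            return ""
        handler = self._handlers().get(argv[0])
        if handler is None:
            return f"sh: {argv[0]}: command not found\n"
        return handler(argv[1:])

    def _handlers(self):
        # Each emulated command reads only the mirrored site files.
        return {
            "ls": lambda args: "\n".join(sorted(self.site_files)) + "\n",
            "cat": lambda args: "".join(
                self.site_files[p] if p in self.site_files
                else f"cat: {p}: No such file or directory\n"
                for p in args
            ),
            "whoami": lambda args: "www-data\n",
        }


@dataclass
class FrontEndHoneypot:
    """Exposed web-server side: captures the injected command and forwards it."""
    backend: BackEndHoneypot
    site_files: dict[str, str]
    captured: list[str] = field(default_factory=list)

    def handle_request(self, params: dict[str, str], client_ip: str) -> str:
        """Emulate a webshell endpoint (e.g. ?cmd=...) without executing locally."""
        cmd = params.get("cmd", "")
        self.captured.append(cmd)
        # Serialize as it would cross the wire to the remote back-end.
        wire = json.dumps({"cmd": cmd, "src": client_ip})
        return self.backend.execute(json.loads(wire))


def site_digest(files: dict[str, str]) -> dict[str, str]:
    """Map each path to a SHA-256 of its content for cheap change detection."""
    return {p: hashlib.sha256(body.encode()).hexdigest() for p, body in files.items()}


def sync_site_files(front: FrontEndHoneypot) -> list[str]:
    """Mirror front-end site files onto the back-end; return the paths touched."""
    back = front.backend.site_files
    back_digest = site_digest(back)
    touched = []
    for path, digest in site_digest(front.site_files).items():
        if back_digest.get(path) != digest:
            back[path] = front.site_files[path]
            touched.append(path)
    for path in list(back):  # drop files that no longer exist on the front-end
        if path not in front.site_files:
            del back[path]
            touched.append(path)
    return sorted(touched)


def demo() -> dict:
    """Constructed scenario: sync the site, then redirect three injected commands."""
    front_site = {"index.php": "<?php echo 'hi'; ?>\n", "config.php": "<?php $db='prod'; ?>\n"}
    backend = BackEndHoneypot()
    front = FrontEndHoneypot(backend=backend, site_files=dict(front_site))
    attacker = "198.51.100.7"  # constructed sample address
    first_sync = sync_site_files(front)
    resync = sync_site_files(front)  # nothing changed, so nothing to copy
    return {
        "synced": first_sync,
        "resync": resync,
        "ls": front.handle_request({"cmd": "ls"}, attacker),
        "cat": front.handle_request({"cmd": "cat config.php"}, attacker),
        "unknown": front.handle_request({"cmd": "uname -a"}, attacker),
        "captured": list(front.captured),
        "backend_src": backend.log[-1]["src"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the front-end only appends to `captured` and forwards, every command the attacker sends is logged on both sides with its source address, while the output they receive is computed from the synchronized mirror, which is what keeps the two halves consistent from the attacker's point of view.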



Command Injection, Honeypot Detection, Hybrid Distributed Honeypot, Network Context Inconsistency, System Artifacts, User Behavior Emulation