Jun 09, 2018
Game Theoretic Model of Strategic Honeypot Allocation in Computer Networks
Radek Píbil1, Viliam Lisý1, Christopher Kiekintveld2, Branislav Bošanský1, and Michal Pěchouček1
1 Agent Technology Center, Department of Computer Science and Engineering, Faculty of Electrical Engineering, Czech Technical University in Prague, Czech Republic
2 University of Texas, El Paso, Texas, United States of America
Abstract A honeypot is a decoy computer system used in network security to waste the time and resources of attackers and to analyze their behaviors. While there has been significant research on how to design honeypot systems, less is known about how to use honeypots strategically in network defense. We develop game-theoretic models that provide insight into how honeypots can be used to maximal effect to deceive and delay potential attackers. Our model generalizes previous work on deception games for honeypots by introducing differential values for network services and honeypot systems. We also introduce an extension that allows attackers to systematically probe multiple systems on a network to determine which ones are likely to be real systems (and not honeypots) before launching an attack. We provide linear programs for solving instances of these games, and analyze the properties of optimal solutions, leading to faster calculations. We present an empirical study of the models to better understand strategic issues related to honeypots.
We increasingly depend on information technology and computer networks to deliver vital information and services. Protecting these systems and the information they contain is a growing priority, even as they become more attractive targets for criminal activity. Cybercriminals are highly motivated and devote large efforts to launching sophisticated attacks, requiring network administrators to adopt increasingly sophisticated countermeasures to protect their networks. Honeypots are one of these countermeasures and provide a unique set of benefits for network defense. Falling costs for deploying honeypots and improved virtualization technologies are likely to lead to increased use of honeypots, including systems with many honeypots on a single network.
A honeypot is a computer system placed on a network explicitly in order to attract the attention of an attacker. It does not store any valuable data and it thoroughly logs everything that happens in the system. Honeypots help to increase the security of computer systems in two ways: (1) The presence of honeypots wastes the attacker's time and resources. The effort an attacker spends to compromise the honeypot and learn that it does not contain any useful information directly takes away time and resources that could be used to compromise valuable machines. (2) Moreover, once the attacker compromises a honeypot, the network administrator can analyze all of the attacker's actions in great detail, and use the information obtained to better protect the network. For example, specific security holes used in an attack can be patched, and new attack signatures added to antivirus and intrusion detection systems. Attacks on honeypots can also serve as an early warning system for administrators, providing more time to react to attacks in progress.
For these reasons, network administrators using honeypots try to maximize the probability that the attacker attacks a honeypot and not a real service. However, with the increasing use of this technology, attackers have started to consider the existence of honeypots during their attacks and take steps to avoid attacking them. For example, once they gain access to a system, they can use a multitude of methods to probe the system and rule out the possibility that they are in a honeypot before they continue with their attack (e.g., ). To be effective against more sophisticated attackers, honeypots must be sufficiently disguised that they are not obvious (i.e., they cannot simply present the most vulnerable possible target). These considerations lead us to consider honeypots from an adversarial perspective, where network administrators reason about the strategies of the attackers and vice versa.
Game theory is a formal framework developed to analyze interactions between multiple decision makers. In this paper, we present two novel game-theoretic models of adding honeypots to a network and the subsequent target selection by the attacker. The first model combines a resource allocation game and a deception game, and is designed to answer basic questions about how many honeypots a defender should use, and how they should be configured. In particular, we consider the possibility that honeypots can be configured to look like real targets of varying importance, offering new ways to deceive an attacker. The second model extends the first one to add the capability for an attacker to strategically probe targets before launching an attack to determine whether they are likely to be honeypots or real machines. Both models are formulated as zero-sum extensive-form imperfect-information games, and we provide linear programs for computing the optimal strategies of the players (i.e., the network administrator and the attacker) in both cases.
We solve the linear programs using a state-of-the-art optimization toolkit (CPLEX ). This provides greater scalability than previous models [3,4] that were solved using Gambit, allowing us to analyze the models in greater detail. These previous models found simple uniform randomization strategies to be optimal for honeypot placement. However, our models show that richer and more complex strategies are necessary when we generalize the assumptions to include non-uniform machine values and sophisticated attackers with probing capabilities. Our experimental results show that the game-theoretic strategies are significantly better at reducing the expected harm of the attacks, and that they allow using a larger number of honeypots more efficiently than two heuristic approaches. We also test our strategies against simple heuristic attackers, in addition to optimal ones. Based on the analysis of the optimal game-theoretic strategies, we provide recommendations to network administrators applying honeypots in their networks.
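To make the point about non-uniform machine values concrete, the following is an added illustration (not the paper's model or its linear program): a defender owns real machines with known importance values and adds honeypots that can display any of those values; an attacker who sees only the displayed values cannot tell honeypots from real machines and best-responds. The assumption that the attacker knows the real value multiset is a simplification chosen to keep the example small.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations_with_replacement, product

# Constructed example, not from the paper. Values are positive integers
# (importance of each real machine); honeypots display one of those values.


def expected_harm(real, disguises):
    """Loss when the attacker best-responds to a fixed honeypot configuration.

    Machines showing the same value are indistinguishable, so an attacker who
    targets value class a picks one of them at random: it hits a real machine
    with probability (#real with a) / (#shown with a) and gains a in that
    case, 0 on a honeypot. The attacker picks the class maximising that.
    """
    real_count = Counter(real)
    shown_count = Counter(real) + Counter(disguises)
    return max(Fraction(real_count[a] * a, shown_count[a]) for a in shown_count)


def best_allocation(real, h):
    """Exhaustive minimax over pure disguise choices for h honeypots."""
    options = sorted(set(real))
    return min((expected_harm(real, d), d)
               for d in combinations_with_replacement(options, h))


def uniform_random_harm(real, h):
    """Expected loss when each honeypot independently shows a uniformly random value
    (the simple randomisation earlier models found optimal for identical machines)."""
    options = sorted(set(real))
    draws = list(product(options, repeat=h))
    return sum(expected_harm(real, d) for d in draws) / len(draws)


if __name__ == "__main__":
    network = [10, 5, 1]  # constructed: one critical, one medium, one minor machine
    for h in (1, 2):
        harm, disguise = best_allocation(network, h)
        print(f"h={h}: best disguise {disguise} -> harm {harm}; "
              f"uniform random -> harm {uniform_random_harm(network, h)}")
```

With one honeypot the search disguises it as the most valuable machine (harm 5), while uniform random disguising leaves an expected harm of 25/3.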
The next section explains the relation of the presented research to previous work. In Section 3, we introduce the basic model without probing, analyze its properties, and present the solution LP. In Section 4, we introduce the possibility of probing. The experimental evaluation of both models is presented in Section 5 and we conclude the paper in Section 6.
2 Related Work
Many software packages for creating honeypots and analyzing attackers' behavior are available through the honeynet project website3. This paper does not focus on the technical aspects of creating honeypots, so we do not review this line of research here. An extensive introduction to the practices and technological challenges of applying honeypots is available in . We focus our review on more closely related work that applies game theory to honeypots.
2.1 Honeypots and Game Theory
There are relatively few papers that explore the use of game theory for honeypots. The existing work can be divided into two categories. One models the interaction within a honeypot during an ongoing attack. The other models the situation before the actual attack, when the attacker selects a target.
In the first category, game theory is used to optimize the information learned about the attackers' strategies by modeling the progress of the attack. In the work  the authors give the defender the possibility to block an action or let it be executed, while the attacker can either retry, continue, or stop the attack. In  the defender models the attack as a movement on a graph and tries to make some of the nodes more desirable for the attacker using multi-agent learning.
The approach presented in this paper belongs to the second category, in which game theory is used to optimize the probability that the attacker will attack a honeypot and not a real system. In , the authors model situations similar to the ones we model in this paper. However, their model is simpler and results in simple, uniform strategies. They analyze the problem of allocating the real servers and honeypots to the space of IP addresses. However, the attacker cannot distinguish between individual servers and honeypots, so the only meaningful strategy the attacker can use is to attack a random server. Only if the defender gives the attacker some hint based on the addresses of the servers, e.g., by assigning the honeypots to the lowest IP addresses, can a rational attacker deviate from a random strategy. Therefore, a rational defender also allocates addresses randomly. In reality, however, not all computers in the network are identical to the attacker. In our model, we consider the importance of the computers, which makes the optimal strategies non-trivial and much harder to compute.
In the second part of  as well as in , the authors give the attacker the option of probing the servers before the attack. The results of the probes indicate whether the server is real or a honeypot, but they assume that the result is fully determined by the defender. This implies that the probe results are only useful if the defender voluntarily discloses some information to the attacker. A rational defender uses uniformly random probe results and the attacker ignores them. A more realistic assumption is that the defender can successfully deceive the attacker only with a certain probability; otherwise, the probe will identify the real nature of the server. In this paper, we consider this generalization, and it results in non-trivial strategies for both players.
2.2 Related Game Theoretic Models
The game theoretic models presented in this pa