CR | May 26, 2020

A Taxonomy for Dynamic Honeypot Measures of Effectiveness

arXiv:2005.12969v1 | 7 citations
AI Analysis

This work provides a structured approach for researchers and practitioners in cybersecurity to evaluate and improve dynamic honeypot implementations, though it is incremental as it builds on existing honeypot technology.

The paper addresses the lack of measures for determining whether a dynamic honeypot implementation is effective, a gap that can lead to poor performance or premature discovery by adversaries. It develops a taxonomy of such measures to quantify effectiveness in fingerprinting, data capture, deception, and monitoring.

Honeypots are computing systems used to capture unauthorized, often malicious, activity. While honeypots can take on a variety of forms, researchers agree the technology is useful for studying adversary behavior, tools, and techniques. Unfortunately, researchers also agree honeypots are difficult to implement and maintain. A lack of measures of effectiveness compounds the implementation issues specifically. In other words, existing research does not provide a set of measures to determine if a honeypot is effective in its implementation. This is problematic because an ineffective implementation may lead to poor performance, inadequate emulation of legitimate services, or even premature discovery by an adversary. Accordingly, we have developed a taxonomy for measures of effectiveness in dynamic honeypot implementations. Our aim is for these measures to be used to quantify a dynamic honeypot's effectiveness in fingerprinting its environment, capturing valid data from adversaries, deceiving adversaries, and intelligently monitoring itself and its surroundings.
