CR NI Apr 8, 2021

Secure (S)Hell: Introducing an SSH Deception Proxy Framework

arXiv:2104.03666v1
Originality: Incremental advance
AI Analysis

This work addresses network security challenges for system administrators by providing a more flexible deception method, though it is incremental, as it builds on existing honeypot and decoy approaches.

The paper tackles the problem of attackers avoiding honeypots by proposing a framework that introduces decoy elements via an SSH proxy, enabling on-the-fly deployment without modifying the protected host system, thereby increasing attacker uncertainty and difficulty.

Deceiving an attacker in the network security domain is a well-established approach, mainly achieved through the deployment of honeypots consisting of open network ports with the sole purpose of raising an alert on a connection. With attackers becoming more careful to avoid honeypots, other decoy elements on real host systems continue to create uncertainty for attackers. This uncertainty makes an attack more difficult, as an attacker cannot be sure whether the system does contain deceptive elements or not. Consequently, each action of an attacker could lead to discovery. In this paper, a framework is proposed for placing decoy elements through an SSH proxy, allowing decoy elements to be deployed on-the-fly without the need to modify the protected host system.
