Visible to the public Biblio

Filters: Keyword is honeypot  [Clear All Filters]
Liu, Songsong, Feng, Pengbin, Sun, Kun.  2021.  HoneyBog: A Hybrid Webshell Honeypot Framework against Command Injection. 2021 IEEE Conference on Communications and Network Security (CNS). :218—226.
Web server is an appealing target for attackers since it may be exploited to gain access to an organization’s internal network. After compromising a web server, the attacker can construct a webshell to maintain a long-term and stealthy access for further attacks. Among all webshell-based attacks, command injection is a powerful attack that can be launched to steal sensitive data from the web server or compromising other computers in the network. To monitor and analyze webshell-based command injection, we develop a hybrid webshell honeypot framework called HoneyBog, which intercepts and redirects malicious injected commands from the front-end honeypot to the high-fidelity back-end honeypot for execution. HoneyBog can achieve two advantages by using the client-server honeypot architecture. First, since the webshell-based injected commands are transferred from the compromised web server to a remote constrained execution environment, we can prevent the attacker from launching further attacks in the protected network. Second, it facilitates the centralized management of high-fidelity honeypots for remote honeypot service providers. Moreover, we increase the system fidelity of HoneyBog by synchronizing the website files between the front-end and back-end honeypots. We implement a prototype of HoneyBog using PHP and the Apache web server. Our experiments on 260 PHP webshells show that HoneyBog can effectively intercept and redirect injected commands with a low performance overhead.
Chin, Kota, Omote, Kazumasa.  2021.  Analysis of Attack Activities for Honeypots Installation in Ethereum Network. 2021 IEEE International Conference on Blockchain (Blockchain). :440–447.
In recent years, blockchain-based cryptocurren-cies have attracted much attention. Attacks targeting cryptocurrencies and related services directly profit an attacker if successful. Related studies have reported attacks targeting configuration-vulnerable nodes in Ethereum using a method called honeypots to observe malicious user attacks. They have analyzed 380 million observed requests and showed that attacks had to that point taken at least 4193 Ether. However, long-term observations using honeypots are difficult because the cost of maintaining honeypots is high. In this study, we analyze the behavior of malicious users using our honeypot system. More precisely, we clarify the pre-investigation that a malicious user performs before attacks. We show that the cost of maintaining a honeypot can be reduced. For example, honeypots need to belong in Ethereum's P2P network but not to the mainnet. Further, if they belong to the testnet, the cost of storage space can be reduced.
Javid, Farshad, Lighvan, Mina Zolfy.  2021.  Honeypots Vulnerabilities to Backdoor Attack. 2021 International Conference on Information Security and Cryptology (ISCTURKEY). :161–166.
Honeypots are widely used to increase the security of systems and networks, but they only observe the activities that are done against them. A honeypot will not be able to detect an exploit in another system unless it interacts directly with it. In addition to the weakness caused by the normal behavior of honeypots, our research shows that honeypots may succumb to back door attacks. To prove this claim, a backdoor attack is performed on the popular Honeypot system. Experimental results show that the Kfsensor Honeypot is bypassed using a backdoor attack, and network protection is disabled even with the Honeypot enabled.
Obaidat, Muath, Brown, Joseph, Alnusair, Awny.  2021.  Blind Attack Flaws in Adaptive Honeypot Strategies. 2021 IEEE World AI IoT Congress (AIIoT). :0491–0496.
Adaptive honeypots are being widely proposed as a more powerful alternative to the traditional honeypot model. Just as with typical honeypots, however, one of the most important concerns of an adaptive honeypot is environment deception in order to make sure an adversary cannot fingerprint the honeypot. The threat of fingerprinting hints at a greater underlying concern, however; this being that honeypots are only effective because an adversary does not know that the environment on which they are operating is a honeypot. What has not been widely discussed in the context of adaptive honeypots is that they actually have an inherently increased level of susceptibility to this threat. Honeypots not only bear increased risks when an adversary knows they are a honeypot rather than a native system, but they are only effective as adaptable entities if one does not know that the honeypot environment they are operating on is adaptive as wekk. Thus, if adaptive honeypots become commonplace - or, instead, if attackers even have an inkling that an adaptive honeypot may exist on any given network, a new attack which could develop is a “blind confusion attack”; a form of connection which simply makes an assumption all environments are adaptive honeypots, and instead of attempting to perform a malicious strike on a given entity, opts to perform non-malicious behavior in specified and/or random patterns to confuse an adaptive network's learning.
Yamamoto, Moeka, Kakei, Shohei, Saito, Shoichi.  2021.  FirmPot: A Framework for Intelligent-Interaction Honeypots Using Firmware of IoT Devices. 2021 Ninth International Symposium on Computing and Networking Workshops (CANDARW). :405–411.
IoT honeypots that mimic the behavior of IoT devices for threat analysis are becoming increasingly important. Existing honeypot systems use devices with a specific version of firmware installed to monitor cyber attacks. However, honeypots frequently receive requests targeting devices and firmware that are different from themselves. When honeypots return an error response to such a request, the attack is terminated, and the monitoring fails.To solve this problem, we introduce FirmPot, a framework that automatically generates intelligent-interaction honeypots using firmware. This framework has a firmware emulator optimized for honeypot generation and learns the behavior of embedded applications by using machine learning. The generated honeypots continue to interact with attackers by a mechanism that returns the best from the emulated responses to the attack request instead of an error response.We experimented on embedded web applications of wireless routers based on the open-source OpenWrt. As a result, our framework generated honeypots that mimicked the embedded web applications of eight vendors and ten different CPU architectures. Furthermore, our approach to the interaction improved the session length with attackers compared to existing ones.
You, Jianzhou, Lv, Shichao, Sun, Yue, Wen, Hui, Sun, Limin.  2021.  HoneyVP: A Cost-Effective Hybrid Honeypot Architecture for Industrial Control Systems. ICC 2021 - IEEE International Conference on Communications. :1–6.
As a decoy for hackers, honeypots have been proved to be a very valuable tool for collecting real data. However, due to closed source and vendor-specific firmware, there are significant limitations in cost for researchers to design an easy-to-use and high-interaction honeypot for industrial control systems (ICSs). To solve this problem, it’s necessary to find a cost-effective solution. In this paper, we propose a novel honeypot architecture termed HoneyVP to support a semi-virtual and semi-physical honeypot design and implementation to enable high cost performance. Specially, we first analyze cyber-attacks on ICS devices in view of different interaction levels. Then, in order to deal with these attacks, our HoneyVP architecture clearly defines three basic independent and cooperative components, namely, the virtual component, the physical component, and the coordinator. Finally, a local-remote cooperative ICS honeypot system is implemented to validate its feasibility and effectiveness. Our experimental results show the advantages of using the proposed architecture compared with the previous honeypot solutions. HoneyVP provides a cost-effective solution for ICS security researchers, making ICS honeypots more attractive and making it possible to capture physical interactions.
Sethi, Tanmay, Mathew, Rejo.  2021.  A Study on Advancement in Honeypot based Network Security Model. 2021 Third International Conference on Intelligent Communication Technologies and Virtual Mobile Networks (ICICV). :94–97.
Throughout the years, honeypots have been very useful in tracking down attackers and preventing different types of cyber attacks on a very large scale. It's been almost 3 decades since the discover of honeypots and still more than 80% of the companies rely on this system because of intrusion detection features and low false positive rate. But with time, the attackers tend to start discovering loopholes in the system. Hence it is very important to be up to date with the technology when it comes to protecting a computing device from the emerging cyber attacks. Timely advancements in the security model provided by the honeypots helps in a more efficient use of the resource and also leads to better innovations in that field. The following paper reviews different methods of honeypot network and also gives an insight about the problems that those techniques can face along with their solution. Further it also gives the detail about the most preferred solution among all of the listed techniques in the paper.
Saputro, Elang Dwi, Purwanto, Yudha, Ruriawan, Muhammad Faris.  2021.  Medium Interaction Honeypot Infrastructure on The Internet of Things. 2020 IEEE International Conference on Internet of Things and Intelligence System (IoTaIS). :98–102.
New technologies from day to day are submitted with many vulnerabilities that can make data exploitation. Nowadays, IoT is a target for Cybercrime attacks as it is one of the popular platforms in the century. This research address the IoT security problem by carried a medium-interaction honeypot. Honeypot is one of the solutions that can be done because it is a system feed for the introduction of attacks and fraudulent devices. This research has created a medium interaction honeypot using Cowrie, which is used to maintain the Internet of Things device from malware attacks or even attack patterns and collect information about the attacker's machine. From the result analysis, the honeypot can record all trials and attack activities, with CPU loads averagely below 6,3%.
Başer, Melike, Güven, Ebu Yusuf, Aydın, Muhammed Ali.  2021.  SSH and Telnet Protocols Attack Analysis Using Honeypot Technique: Analysis of SSH AND ℡NET Honeypot. 2021 6th International Conference on Computer Science and Engineering (UBMK). :806–811.
Generally, the defense measures taken against new cyber-attack methods are insufficient for cybersecurity risk management. Contrary to classical attack methods, the existence of undiscovered attack types called’ zero-day attacks’ can invalidate the actions taken. It is possible with honeypot systems to implement new security measures by recording the attacker’s behavior. The purpose of the honeypot is to learn about the methods and tools used by the attacker or malicious activity. In particular, it allows us to discover zero-day attack types and develop new defense methods for them. Attackers have made protocols such as SSH (Secure Shell) and Telnet, which are widely used for remote access to devices, primary targets. In this study, SSHTelnet honeypot was established using Cowrie software. Attackers attempted to connect, and attackers record their activity after providing access. These collected attacker log records and files uploaded to the system are published on Github to other researchers1. We shared the observations and analysis results of attacks on SSH and Telnet protocols with honeypot.
Limouchi, Elnaz, Mahgoub, Imad.  2021.  Reinforcement Learning-assisted Threshold Optimization for Dynamic Honeypot Adaptation to Enhance IoBT Networks Security. 2021 IEEE Symposium Series on Computational Intelligence (SSCI). :1–7.
Internet of Battlefield Things (IoBT) is the application of Internet of Things (IoT) to a battlefield environment. IoBT networks operate in difficult conditions due to high mobility and unpredictable nature of battle fields and securing them is a challenge. There is increasing interest to use deception techniques to enhance the security of IoBT networks. A honeypot is a system installed on a network as a trap to attract the attention of an attacker and it does not store any valuable data. In this work, we introduce IoBT dual sensor gateways. We propose a Reinforcement Learning (RL)-assisted scheme, in which the IoBT dual sensor gateways intelligently switch between honeypot and real function based on a threshold. The optimal threshold is determined using reinforcement learning approach that adapts to nodes reputation. To focus on the impact of the mobile and uncertain behavior of IoBT networks on the proposed scheme, we consider the nodes as moving vehicles. We statistically analyze the results of our RL-based scheme obtained using ns-3 network simulation, and optimize value of the threshold.
Adarsh, S, Jain, Kurunandan.  2021.  Capturing Attacker Identity with Biteback Honeypot. 2021 International Conference on System, Computation, Automation and Networking (ICSCAN). :1–7.
Cyber attacks are increasing at a rapid pace targeting financial institutions and the corporate sector, especially during pandemics such as COVID-19. Honeypots are implemented in data centers and servers, to capture these types of attacks and malicious activities. In this work, an experimental prototype is created simulating the attacker and victim environments and the results are consolidated. Attacker information is extracted using the Meterpreter framework and uses reverse TCP for capturing the data. Normal honeypots does not capture an attacker and his identity. Information such as user ID, Internet Protocol(IP) address, proxy servers, incoming and outgoing traffic, webcam snapshot, Media Access Control(MAC) address, operating system architecture, and router information of the attacker such as ARP cache can be extracted by this honeypot with "biteback" feature.
Ba\c ser, Melike, Güven, Ebu Yusuf, Aydın, Muhammed Ali.  2021.  SSH and Telnet Protocols Attack Analysis Using Honeypot Technique : *Analysis of SSH AND ℡NET Honeypot. 2021 6th International Conference on Computer Science and Engineering (UBMK). :806–811.
Generally, the defense measures taken against new cyber-attack methods are insufficient for cybersecurity risk management. Contrary to classical attack methods, the existence of undiscovered attack types called' zero-day attacks' can invalidate the actions taken. It is possible with honeypot systems to implement new security measures by recording the attacker's behavior. The purpose of the honeypot is to learn about the methods and tools used by the attacker or malicious activity. In particular, it allows us to discover zero-day attack types and develop new defense methods for them. Attackers have made protocols such as SSH (Secure Shell) and Telnet, which are widely used for remote access to devices, primary targets. In this study, SSHTelnet honeypot was established using Cowrie software. Attackers attempted to connect, and attackers record their activity after providing access. These collected attacker log records and files uploaded to the system are published on Github to other researchers1. We shared the observations and analysis results of attacks on SSH and Telnet protocols with honeypot.
Chamotra, Saurabh, Barbhuiya, Ferdous Ahmed.  2020.  Analysis and Modelling of Multi-Stage Attacks. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). :1268–1275.
Honeypots are the information system resources used for capturing and analysis of cyber attacks. Highinteraction Honeypots are capable of capturing attacks in their totality and hence are an ideal choice for capturing multi-stage cyber attacks. The term multi-stage attack is an abstraction that refers to a class of cyber attacks consisting of multiple attack stages. These attack stages are executed either by malicious codes, scripts or sometimes even inbuilt system tools. In the work presented in this paper we have proposed a framework for capturing, analysis and modelling of multi-stage cyber attacks. The objective of our work is to devise an effective mechanism for the classification of multi-stage cyber attacks. The proposed framework comprise of a network of high interaction honeypots augmented with an attack analysis engine. The analysis engine performs rule based labeling of captured honeypot data. The labeling engine labels the attack data as generic events. These events are further fused to generate attack graphs. The hence generated attack graphs are used to characterize and later classify the multi-stage cyber attacks.
Banday, M. T., Sheikh, S. A..  2020.  Improving Security Control of Text-Based CAPTCHA Challenges using Honeypot and Timestamping. 2020 Fourth International Conference on Computing Methodologies and Communication (ICCMC). :704—708.

The resistance to attacks aimed to break CAPTCHA challenges and the effectiveness, efficiency and satisfaction of human users in solving them called usability are the two major concerns while designing CAPTCHA schemes. User-friendliness, universality, and accessibility are related dimensions of usability, which must also be addressed adequately. With recent advances in segmentation and optical character recognition techniques, complex distortions, degradations and transformations are added to text-based CAPTCHA challenges resulting in their reduced usability. The extent of these deformations can be decreased if some additional security mechanism is incorporated in such challenges. This paper proposes an additional security mechanism that can add an extra layer of protection to any text-based CAPTCHA challenge, making it more challenging for bots and scripts that might be used to attack websites and web applications. It proposes the use of hidden text-boxes for user entry of CAPTCHA string which serves as honeypots for bots and automated scripts. The honeypot technique is used to trick bots and automated scripts into filling up input fields which legitimate human users cannot fill in. The paper reports implementation of honeypot technique and results of tests carried out over three months during which form submissions were logged for analysis. The results demonstrated great effectiveness of honeypots technique to improve security control and usability of text-based CAPTCHA challenges.

Wang, B., Dou, Y., Sang, Y., Zhang, Y., Huang, J..  2020.  IoTCMal: Towards A Hybrid IoT Honeypot for Capturing and Analyzing Malware. ICC 2020 - 2020 IEEE International Conference on Communications (ICC). :1—7.

Nowadays, the emerging Internet-of-Things (IoT) emphasize the need for the security of network-connected devices. Additionally, there are two types of services in IoT devices that are easily exploited by attackers, weak authentication services (e.g., SSH/Telnet) and exploited services using command injection. Based on this observation, we propose IoTCMal, a hybrid IoT honeypot framework for capturing more comprehensive malicious samples aiming at IoT devices. The key novelty of IoTC-MAL is three-fold: (i) it provides a high-interactive component with common vulnerable service in real IoT device by utilizing traffic forwarding technique; (ii) it also contains a low-interactive component with Telnet/SSH service by running in virtual environment. (iii) Distinct from traditional low-interactive IoT honeypots[1], which only analyze family categories of malicious samples, IoTCMal primarily focuses on homology analysis of malicious samples. We deployed IoTCMal on 36 VPS1 instances distributed in 13 cities of 6 countries. By analyzing the malware binaries captured from IoTCMal, we discover 8 malware families controlled by at least 11 groups of attackers, which mainly launched DDoS attacks and digital currency mining. Among them, about 60% of the captured malicious samples ran in ARM or MIPs architectures, which are widely used in IoT devices.

Lingenfelter, B., Vakilinia, I., Sengupta, S..  2020.  Analyzing Variation Among IoT Botnets Using Medium Interaction Honeypots. 2020 10th Annual Computing and Communication Workshop and Conference (CCWC). :0761—0767.

Through analysis of sessions in which files were created and downloaded on three Cowrie SSH/Telnet honeypots, we find that IoT botnets are by far the most common source of malware on connected systems with weak credentials. We detail our honeypot configuration and describe a simple method for listing near-identical malicious login sessions using edit distance. A large number of IoT botnets attack our honeypots, but the malicious sessions which download botnet software to the honeypot are almost all nearly identical to one of two common attack patterns. It is apparent that the Mirai worm is still the dominant botnet software, but has been expanded and modified by other hackers. We also find that the same loader devices deploy several different botnet malware strains to the honeypot over the course of a 40 day period, suggesting multiple botnet deployments from the same source. We conclude that Mirai continues to be adapted but can be effectively tracked using medium interaction honeypots such as Cowrie.

Jeong, J. H., Choi, S. G..  2020.  Hybrid System to Minimize Damage by Zero-Day Attack based on NIDPS and HoneyPot. 2020 International Conference on Information and Communication Technology Convergence (ICTC). :1650—1652.

This paper presents hybrid system to minimize damage by zero-day attack. Proposed system consists of signature-based NIDPS, honeypot and temporary queue. When proposed system receives packet from external network, packet which is known for attack packet is dropped by signature-based NIDPS. Passed packets are redirected to honeypot, because proposed system assumes that all packets which pass NIDPS have possibility of zero-day attack. Redirected packet is stored in temporary queue and if the packet has possibility of zero-day attack, honeypot extracts signature of the packet. Proposed system creates rule that match rule format of NIDPS based on extracted signatures and updates the rule. After the rule update is completed, temporary queue sends stored packet to NIDPS then packet with risk of attack can be dropped. Proposed system can reduce time to create and apply rule which can respond to unknown attack packets. Also, it can drop packets that have risk of zero-day attack in real time.

Ceron, J. M., Scholten, C., Pras, A., Santanna, J..  2020.  MikroTik Devices Landscape, Realistic Honeypots, and Automated Attack Classification. NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium. :1—9.

In 2018, several malware campaigns targeted and succeed to infect millions of low-cost routers (malwares e.g., VPN-Filter, Navidade, and SonarDNS). These routers were used, then, for all sort of cybercrimes: from DDoS attacks to ransomware. MikroTik routers are a peculiar example of low-cost routers. These routers are used to provide both last mile access to home users and are used in core network infrastructure. Half of the core routers used in one of the biggest Internet exchanges in the world are MikroTik devices. The problem is that vulnerable firmwares (RouterOS) used in homeusers houses are also used in core networks. In this paper, we are the first to quantify the problem that infecting MikroTik devices would pose to the Internet. Based on more than 4 TB of data, we reveal more than 4 million MikroTik devices in the world. Then, we propose an easy-to-deploy MikroTik honeypot and collect more than 17 millions packets, in 45 days, from sensors deployed in Australia, Brazil, China, India, Netherlands, and the United States. Finally, we use the collected data from our honeypots to automatically classify and assess attacks tailored to MikroTik devices. All our source-codes and analysis are publicly available. We believe that our honeypots and our findings in this paper foster security improvements in MikroTik devices worldwide.

Pashaei, A., Akbari, M. E., Lighvan, M. Z., Teymorzade, H. Ali.  2020.  Improving the IDS Performance through Early Detection Approach in Local Area Networks Using Industrial Control Systems of Honeypot. 2020 IEEE International Conference on Environment and Electrical Engineering and 2020 IEEE Industrial and Commercial Power Systems Europe (EEEIC / I CPS Europe). :1—5.

The security of Industrial Control system (ICS) of cybersecurity networks ensures that control equipment fails and that regular procedures are available at its control facilities and internal industrial network. For this reason, it is essential to improve the security of industrial control facility networks continuously. Since network security is threatening, industrial installations are irreparable and perhaps environmentally hazardous. In this study, the industrialized Early Intrusion Detection System (EIDS) was used to modify the Intrusion Detection System (IDS) method. The industrial EIDS was implemented using routers, IDS Snort, Industrial honeypot, and Iptables MikroTik. EIDS successfully simulated and implemented instructions written in IDS, Iptables router, and Honeypots. Accordingly, the attacker's information was displayed on the monitoring page, which had been designed for the ICS. The EIDS provides cybersecurity and industrial network systems against vulnerabilities and alerts industrial network security heads in the shortest possible time.

Nursetyo, Arif, Ignatius Moses Setiadi, De Rosal, Rachmawanto, Eko Hari, Sari, Christy Atika.  2019.  Website and Network Security Techniques against Brute Force Attacks using Honeypot. 2019 Fourth International Conference on Informatics and Computing (ICIC). :1—6.
The development of the internet and the web makes human activities more practical, comfortable, and inexpensive. So that the use of the internet and websites is increasing in various ways. Public networks make the security of websites vulnerable to attack. This research proposes a Honeypot for server security against attackers who want to steal data by carrying out a brute force attack. In this research, Honeypot is integrated on the server to protect the server by creating a shadow server. This server is responsible for tricking the attacker into not being able to enter the original server. Brute force attacks tested using Medusa tools. With the application of Honeypot on the server, it is proven that the server can be secured from the attacker. Even the log of activities carried out by the attacker in the shadow server is stored in the Kippo log activities.
Rahman, Md. Mahmudur, Roy, Shanto, Yousuf, Mohammad Abu.  2019.  DDoS Mitigation and Intrusion Prevention in Content Delivery Networks using Distributed Virtual Honeypots. 2019 1st International Conference on Advances in Science, Engineering and Robotics Technology (ICASERT). :1–6.

Content Delivery Networks(CDN) is a standout amongst the most encouraging innovations that upgrade performance for its clients' websites by diverting web demands from browsers to topographically dispersed CDN surrogate nodes. However, due to the variable nature of CDN, it suffers from various security and resource allocation issues. The most common attack which is used to bring down a whole network as well as CDN without even finding a loophole in the security is DDoS. In this proposal, we proposed a distributed virtual honeypot model for diminishing DDoS attacks and prevent intrusion in securing CDN. Honeypots are specially utilized to imitate the primary server with the goal that the attack is alleviated to the fake rather than the main server. Our proposed layer based model utilizes honeypot to be more effective reducing the cost of the system as well as maintaining the smooth delivery in geographically dispersed servers without performance degradation.

Luo, Xupeng, Yan, Qiao, Wang, Mingde, Huang, Wenyao.  2019.  Using MTD and SDN-based Honeypots to Defend DDoS Attacks in IoT. 2019 Computing, Communications and IoT Applications (ComComAp). :392–395.
With the rapid development of Internet of Things (IoT), distributed denial of service (DDoS) attacks become the important security threat of the IoT. Characteristics of IoT, such as large quantities and simple function, which have easily caused the IoT devices or servers to be attacked and be turned into botnets for launching DDoS attacks. In this paper, we use software-defined networking (SDN) to develop moving target defense (MTD) architecture that increases uncertainty because of ever changing attack surface. In addition, we deploy SDN-based honeypots to mimic IoT devices, luring attackers and malwares. Finally, experimental results show that combination of MTD and SDN-based honeypots can effectively hide network asset from scanner and defend against DDoS attacks in IoT.
Surnin, Oleg, Hussain, Fatima, Hussain, Rasheed, Ostrovskaya, Svetlana, Polovinkin, Andrey, Lee, JooYoung, Fernando, Xavier.  2019.  Probabilistic Estimation of Honeypot Detection in Internet of Things Environment. 2019 International Conference on Computing, Networking and Communications (ICNC). :191–196.
With the emergence of the Internet of Things (IoT) and the increasing number of resource-constrained interconnected smart devices, there is a noticeable increase in the number of cyber security crimes. In the face of the possible attacks on IoT networks such as network intrusion, denial of service, spoofing and so on, there is a need to develop efficient methods to locate vulnerabilities and mitigate attacks in IoT networks. Without loss of generality, we consider only intrusion-related threats to IoT. A honeypot is a system used to understand the potential dynamic threats and act as a proactive measure to detect any intrusion into the network. It is used as a trap for intruders to control unauthorized access to the network by analyzing malicious traffic. However, a sophisticated attacker can detect the presence of a honeypot and abort the intrusion mission. Therefore it is essential for honeypots to be undetectable. In this paper, we study and analyze possible techniques for SSH and telnet honeypot detection. Moreover, we propose a new methodology for probabilistic estimation of honeypot detection and an automated software implemented this methodology.
Vishwakarma, Ruchi, Jain, Ankit Kumar.  2019.  A Honeypot with Machine Learning based Detection Framework for defending IoT based Botnet DDoS Attacks. 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI). :1019–1024.

With the tremendous growth of IoT botnet DDoS attacks in recent years, IoT security has now become one of the most concerned topics in the field of network security. A lot of security approaches have been proposed in the area, but they still lack in terms of dealing with newer emerging variants of IoT malware, known as Zero-Day Attacks. In this paper, we present a honeypot-based approach which uses machine learning techniques for malware detection. The IoT honeypot generated data is used as a dataset for the effective and dynamic training of a machine learning model. The approach can be taken as a productive outset towards combatting Zero-Day DDoS Attacks which now has emerged as an open challenge in defending IoT against DDoS Attacks.

Park, Byungju, Dang, Sa Pham, Noh, Sichul, Yi, Junmin, Park, Minho.  2019.  Dynamic Virtual Network Honeypot. 2019 International Conference on Information and Communication Technology Convergence (ICTC). :375–377.
A honeypot system is used to trapping hackers, track and analyze new hacking methods. However, it does not only take time for construction and deployment but also costs for maintenance because these systems are always online even when there is no attack. Since the main purpose of honeypot systems is to collect more and more attack trafc if possible, the limitation of system capacity is also a major problem. In this paper, we propose Dynamic Virtual Network Honeypot (DVNH) which leverages emerging technologies, Network Function Virtualization and Software-Defined Networking. DVNH redirects the attack to the honeypot system thereby protects the targeted system. Our experiments show that DVNH enables efficient resource usage and dynamic provision of the Honeypot system.