Despoina Ntolka, "Exploring honeypot fingerprintability for stealthy attack detection", Diploma Work, School of Electrical and Computer Engineering, Technical University of Crete, Chania, Greece, 2023
https://doi.org/10.26233/heallink.tuc.98376
As the field of cyber security continues to evolve due to escalating security attacks, honeypots are becoming increasingly important. Honeypots are strategic deception systems that emulate real services in order to attract cyber attackers. Apart from capturing malicious users, they also study their behavior and reveal their tactics. As a result, cyber experts are informed about the latest attack methodologies and strategies employed by adversaries. However, every innovative defense strategy comes with challenges. One major concern is the ability of attackers to distinguish honeypots from real systems by detecting differences in their behavior and responses. This research focuses on the issue of fingerprintability, and particularly examines weaknesses in low- and medium-interaction honeypots. We choose low- and medium-interaction honeypots because they are more vulnerable to being compromised than high-interaction ones due to their limited simulation depth. We initially install these honeypots in controlled environments and carefully analyze their behavior, considering factors such as ports, banners, and headers. Then we compare them to machines across the World Wide Web with the goal of detecting relevant honeypots. The results of these comparisons are concerning, as they reveal existing vulnerabilities among honeypots. As we move further, these findings become more crucial. With this research we try to help cybersecurity efforts that aim to fix these weaknesses and ensure that honeypots remain reliable defensive tools, even as attackers improve their device discovery skills.