A Taxonomy for Dynamic Honeypot Measures of Effectiveness

TL;DR

This paper introduces a taxonomy of effectiveness measures for dynamic honeypots to improve their implementation, evaluation, and ability to deceive adversaries and accurately capture malicious activity.

Contribution

The paper presents a novel taxonomy for assessing the effectiveness of dynamic honeypots, addressing a gap in measurement methods for honeypot performance and deception capabilities.

Findings

Provides a structured taxonomy for honeypot effectiveness measures

Facilitates better evaluation and comparison of honeypot implementations

Aims to improve honeypot design and deployment strategies

Abstract

Honeypots are computing systems used to capture unauthorized, often malicious, activity. While honeypots can take on a variety of forms, researchers agree the technology is useful for studying adversary behavior, tools, and techniques. Unfortunately, researchers also agree honeypots are difficult to implement and maintain. A lack of measures of effectiveness compounds the implementation issues specifically. In other words, existing research does not provide a set of measures to determine if a honeypot is effective in its implementation. This is problematic because an ineffective implementation may lead to poor performance, inadequate emulation of legitimate services, or even premature discovery by an adversary. Accordingly, we have developed a taxonomy for measures of effectiveness in dynamic honeypot implementations. Our aim is for these measures to be used to quantify a dynamic honeypot's effectiveness in fingerprinting its environment, capturing valid data from adversaries, deceiving adversaries, and intelligently monitoring itself and its surroundings.