Honeyfile Camouflage: Hiding Fake Files in Plain Sight
Roelien C. Timmer, David Liebowitz, Surya Nepal, Salil S. Kanhere

TL;DR
This paper introduces two new metrics for camouflaging honeyfile names using semantic vector space analysis, so that honeyfiles blend in with real files and honeypots become more effective.
Contribution
It proposes novel cosine distance-based metrics for filename camouflage, validated through evaluation on a large software repository dataset.
Findings
Both metrics perform well in camouflaging honeyfiles.
Clustering with mixture fitting slightly outperforms simple averaging.
The methods improve honeyfile stealth in real-world datasets.
Abstract
Honeyfiles are a particularly useful type of honeypot: fake files deployed to detect and infer information from malicious behaviour. This paper considers the challenge of naming honeyfiles so they are camouflaged when placed amongst real files in a file system. Based on cosine distances in semantic vector spaces, we develop two metrics for filename camouflage: one based on simple averaging and one on clustering with mixture fitting. We evaluate and compare the metrics, showing that both perform well on a publicly available GitHub software repository dataset.
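A sketch of the simple-averaging idea from the abstract, as an added example that is not the authors' code: candidate honeyfile names are ranked by their mean cosine distance to the real filenames in a directory. The token and character-trigram embedding is a stand-in assumption for the paper's semantic vector space, the scoring formula is one reading of "simple averaging", the function names are hypothetical, and the filenames are constructed. The clustering and mixture-fitting metric is not shown.

```python
import math
import re
from collections import Counter

def embed(name):
    """Stand-in embedding (assumption): word tokens plus character trigrams."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    feats = Counter(tokens)
    for tok in tokens:
        padded = f"^{tok}$"  # mark token boundaries so prefixes/suffixes differ
        feats.update(padded[i:i + 3] for i in range(len(padded) - 2))
    return feats

def cosine_distance(a, b):
    """1 - cosine similarity of two sparse count vectors."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    if norm_a == 0 or norm_b == 0:
        return 1.0  # a name with no features is treated as maximally distant
    return 1.0 - dot / (norm_a * norm_b)

def camouflage_score(candidate, real_names):
    """Mean cosine distance to the real filenames; lower means better camouflage."""
    if not real_names:
        raise ValueError("need at least one real filename to compare against")
    cand_vec = embed(candidate)
    total = sum(cosine_distance(cand_vec, embed(r)) for r in real_names)
    return total / len(real_names)

def rank_candidates(candidates, real_names):
    """Order candidate honeyfile names from best to worst camouflaged."""
    return sorted(candidates, key=lambda c: camouflage_score(c, real_names))

# Constructed sample: real files in a small Python project directory.
REAL = ["test_utils.py", "test_parser.py", "parser.py", "utils.py", "setup.py"]
# Constructed candidate honeyfile names.
CANDIDATES = ["passwords.xlsx", "config.py", "test_config.py"]

if __name__ == "__main__":
    for name in rank_candidates(CANDIDATES, REAL):
        print(f"{camouflage_score(name, REAL):.3f}  {name}")
```

A name chosen only for its lure value, such as the constructed `passwords.xlsx`, scores as the worst camouflaged in this directory, which shows the trade-off between enticement and blending in that a naming metric has to expose.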
