Delivering Honeypots as a Service

Abstract

The effect of honeypots in slowing down attacks and collecting their signatures is well-known. Despite their known effectiveness, these technologies have remained underutilized, especially by small and medium-sized enterprises, because internal hosting and configuration of honeypots requires extensive expertise and infrastructure, which is unjustifiably expensive especially for small or medium-sized enterprises. In this paper, we propose a novel security approach that enables a security service provider to offer honeypot-as-a-service (HaaS) to customer enterprises. The HaaS service is offered by a plug-and-play gateway and incorporates a network of moving high-interaction honeypots into unused address space of client enterprises. These honeypots are configured tailored to the mission and type of services offered by the customer enterprise to blend in the surrounding network for maximum believability while looking vulnerable enough to engage potential attackers. As a contribution, we formulate and solve the problem of strategic configuration planning of a group of honeypots for a given input network. We also provide the necessary infrastructure and mechanisms for realizing the model and offering it to client enterprises without affecting their regular operations. Using experimental and analytical modeling, we evaluate our approach and show its robustness against honeypot mapping attacks, and its effectiveness in slowing down large-scale cyber intrusion attacks on enterprise networks.