Using reinforcement learning to conceal honeypot functionality

Seamus Dowling; Michael Schukat; Enda Barrett

doi:10.1007/978-3-030-10997-4_21

Using reinforcement learning to conceal honeypot functionality

Seamus Dowling
, Michael Schukat
, Enda Barrett

Computer Science

Galway-Mayo Institute of Technology

Research output: Chapter in Book or Conference Publication/Proceeding › Conference Publication › peer-review

25 Citations (Scopus)

Abstract

Automated malware employ honeypot detecting mechanisms within its code. Once honeypot functionality has been exposed, malware such as botnets will cease the attempted compromise. Subsequent malware variants employ similar techniques to evade detection by known honeypots. This reduces the potential size of a captured dataset and subsequent analysis. This paper presents findings on the deployment of a honeypot using reinforcement learning, to conceal functionality. The adaptive honeypot learns the best responses to overcome initial detection attempts by implementing a reward function with the goal of maximising attacker command transitions. The paper demonstrates that the honeypot quickly identifies the best response to overcome initial detection and subsequently increases attack command transitions. It also examines the structure of a captured botnet and charts the learning evolution of the honeypot for repetitive automated malware. Finally it suggests changes to an existing taxonomy governing honeypot development, based on the learning evolution of the adaptive honeypot. Code related to this paper is available at: https://github.com/sosdow/RLHPot.

Original language	English
Title of host publication	Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings
Editors	Ulf Brefeld, Alice Marascu, Fabio Pinelli, Edward Curry, Brian MacNamee, Neil Hurley, Elizabeth Daly, Michele Berlingerio
Publisher	Springer-Verlag
Pages	341-355
Number of pages	15
ISBN (Print)	9783030109967
DOIs	https://doi.org/10.1007/978-3-030-10997-4_21
Publication status	Published - 2019
Event	European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML-PKDD 2018 - Dublin, Ireland Duration: 10 Sep 2018 → 14 Sep 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11053 LNAI
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML-PKDD 2018
Country/Territory	Ireland
City	Dublin
Period	10/09/18 → 14/09/18

Keywords

Adaptive
Honeypot
Reinforcement learning

Access to Document

10.1007/978-3-030-10997-4_21

Cite this

Dowling, S., Schukat, M., & Barrett, E. (2019). Using reinforcement learning to conceal honeypot functionality. In U. Brefeld, A. Marascu, F. Pinelli, E. Curry, B. MacNamee, N. Hurley, E. Daly, & M. Berlingerio (Eds.), Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings (pp. 341-355). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11053 LNAI). Springer-Verlag. https://doi.org/10.1007/978-3-030-10997-4_21

Dowling, Seamus ; Schukat, Michael ; Barrett, Enda. / Using reinforcement learning to conceal honeypot functionality. Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings. editor / Ulf Brefeld ; Alice Marascu ; Fabio Pinelli ; Edward Curry ; Brian MacNamee ; Neil Hurley ; Elizabeth Daly ; Michele Berlingerio. Springer-Verlag, 2019. pp. 341-355 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{83cf25f930e2485cbd77ad17f502a620,

title = "Using reinforcement learning to conceal honeypot functionality",

abstract = "Automated malware employ honeypot detecting mechanisms within its code. Once honeypot functionality has been exposed, malware such as botnets will cease the attempted compromise. Subsequent malware variants employ similar techniques to evade detection by known honeypots. This reduces the potential size of a captured dataset and subsequent analysis. This paper presents findings on the deployment of a honeypot using reinforcement learning, to conceal functionality. The adaptive honeypot learns the best responses to overcome initial detection attempts by implementing a reward function with the goal of maximising attacker command transitions. The paper demonstrates that the honeypot quickly identifies the best response to overcome initial detection and subsequently increases attack command transitions. It also examines the structure of a captured botnet and charts the learning evolution of the honeypot for repetitive automated malware. Finally it suggests changes to an existing taxonomy governing honeypot development, based on the learning evolution of the adaptive honeypot. Code related to this paper is available at: https://github.com/sosdow/RLHPot.",

keywords = "Adaptive, Honeypot, Reinforcement learning",

author = "Seamus Dowling and Michael Schukat and Enda Barrett",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Switzerland AG.; European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML-PKDD 2018 ; Conference date: 10-09-2018 Through 14-09-2018",

year = "2019",

doi = "10.1007/978-3-030-10997-4\_21",

language = "English",

isbn = "9783030109967",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer-Verlag",

pages = "341--355",

editor = "Ulf Brefeld and Alice Marascu and Fabio Pinelli and Edward Curry and Brian MacNamee and Neil Hurley and Elizabeth Daly and Michele Berlingerio",

booktitle = "Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings",

}

Dowling, S, Schukat, M & Barrett, E 2019, Using reinforcement learning to conceal honeypot functionality. in U Brefeld, A Marascu, F Pinelli, E Curry, B MacNamee, N Hurley, E Daly & M Berlingerio (eds), Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11053 LNAI, Springer-Verlag, pp. 341-355, European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML-PKDD 2018, Dublin, Ireland, 10/09/18. https://doi.org/10.1007/978-3-030-10997-4_21

Using reinforcement learning to conceal honeypot functionality. / Dowling, Seamus; Schukat, Michael ; Barrett, Enda.
Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings. ed. / Ulf Brefeld; Alice Marascu; Fabio Pinelli; Edward Curry; Brian MacNamee; Neil Hurley; Elizabeth Daly; Michele Berlingerio. Springer-Verlag, 2019. p. 341-355 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11053 LNAI).

Research output: Chapter in Book or Conference Publication/Proceeding › Conference Publication › peer-review

TY - GEN

T1 - Using reinforcement learning to conceal honeypot functionality

AU - Dowling, Seamus

AU - Schukat, Michael

AU - Barrett, Enda

PY - 2019

Y1 - 2019

N2 - Automated malware employ honeypot detecting mechanisms within its code. Once honeypot functionality has been exposed, malware such as botnets will cease the attempted compromise. Subsequent malware variants employ similar techniques to evade detection by known honeypots. This reduces the potential size of a captured dataset and subsequent analysis. This paper presents findings on the deployment of a honeypot using reinforcement learning, to conceal functionality. The adaptive honeypot learns the best responses to overcome initial detection attempts by implementing a reward function with the goal of maximising attacker command transitions. The paper demonstrates that the honeypot quickly identifies the best response to overcome initial detection and subsequently increases attack command transitions. It also examines the structure of a captured botnet and charts the learning evolution of the honeypot for repetitive automated malware. Finally it suggests changes to an existing taxonomy governing honeypot development, based on the learning evolution of the adaptive honeypot. Code related to this paper is available at: https://github.com/sosdow/RLHPot.

AB - Automated malware employ honeypot detecting mechanisms within its code. Once honeypot functionality has been exposed, malware such as botnets will cease the attempted compromise. Subsequent malware variants employ similar techniques to evade detection by known honeypots. This reduces the potential size of a captured dataset and subsequent analysis. This paper presents findings on the deployment of a honeypot using reinforcement learning, to conceal functionality. The adaptive honeypot learns the best responses to overcome initial detection attempts by implementing a reward function with the goal of maximising attacker command transitions. The paper demonstrates that the honeypot quickly identifies the best response to overcome initial detection and subsequently increases attack command transitions. It also examines the structure of a captured botnet and charts the learning evolution of the honeypot for repetitive automated malware. Finally it suggests changes to an existing taxonomy governing honeypot development, based on the learning evolution of the adaptive honeypot. Code related to this paper is available at: https://github.com/sosdow/RLHPot.

KW - Adaptive

KW - Honeypot

KW - Reinforcement learning

UR - https://www.scopus.com/pages/publications/85061155797

U2 - 10.1007/978-3-030-10997-4_21

DO - 10.1007/978-3-030-10997-4_21

M3 - Conference Publication

AN - SCOPUS:85061155797

SN - 9783030109967

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 341

EP - 355

BT - Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings

A2 - Brefeld, Ulf

A2 - Marascu, Alice

A2 - Pinelli, Fabio

A2 - Curry, Edward

A2 - MacNamee, Brian

A2 - Hurley, Neil

A2 - Daly, Elizabeth

A2 - Berlingerio, Michele

PB - Springer-Verlag

T2 - European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML-PKDD 2018

Y2 - 10 September 2018 through 14 September 2018

ER -

Dowling S, Schukat M , Barrett E. Using reinforcement learning to conceal honeypot functionality. In Brefeld U, Marascu A, Pinelli F, Curry E, MacNamee B, Hurley N, Daly E, Berlingerio M, editors, Machine Learning and Knowledge Discovery in Databases - European Conference, ECML PKDD 2018, Proceedings. Springer-Verlag. 2019. p. 341-355. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-10997-4_21

Using reinforcement learning to conceal honeypot functionality

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this