Adaptive and self-configurable honeypots

Abstract

Honeypot evangelists propagate the message that honeypots are particularly useful for learning from attackers. However, by looking at current honeypots, most of them are statically configured and managed, which requires a priori knowledge about attackers. In this paper we propose a high-interaction honeypot capable of learning from attackers and capable of dynamically changing its behavior using a variant of reinforcement learning. It can strategically block the execution of programs, lure the attacker by substituting programs and insult attackers with the intent of revealing the attacker's nature and ethnic background. We also investigated the fact that attackers could learn to defeat the honeypot and discovered that attacker and honeypot interests sometimes diverge.