Towards a moving target defense based on stochastic games and honeypots
Di Li, Shirui Tian, Wenqiang Jin, Jiwu Peng, Mingxing Duan
Information Sciences, Volume 720, Article 122488. Publication date: 2025-07-15. Journal Article.
DOI: 10.1016/j.ins.2025.122488
https://www.sciencedirect.com/science/article/pii/S0020025525006206
Citations: 0
Abstract
Honeypots, which serve as active defense mechanisms, have historically played pivotal roles in cyberspace offensive and defensive countermeasure scenarios. However, with the advancement of honeypot recognition technologies, their effectiveness in real-world network defense has gradually diminished. In response, moving target defense (MTD) has recently solidified its position as a proactive cybersecurity strategy and a critical research frontier. MTD leverages heterogeneous, redundant deployments of service resources and randomization techniques to disrupt attack methods. However, despite their advantages, MTD systems face challenges related to high resource consumption. To address these limitations, we propose a moving target defense based on stochastic games and honeypots (GH-MTD) framework. This framework consists of four key modules: traffic detection, gaming, MTD, and honeynet. Firstly, malicious traffic is identified through a deep learning-based detection method. Secondly, a zero-sum game model is constructed to capture the decision-making dynamics between defenders and attackers in the context of moving target defense. Subsequently, a cross-scenario adaptive MTD module is designed to route different types of traffic to corresponding virtual server groups. Finally, a honeypot module is implemented to capture and analyze the specific attack behaviors of malicious actors. By integrating honeynet probes with real services and employing attack behavior analysis alongside internet protocol (IP) address redirection techniques, the GH-MTD system achieves a defense response that is both cost efficient and highly effective. Empirical evaluation reveals a 5.5-fold enhancement in attack diversion probability through benchmarking with service-oriented MTD architectures, while the capture rate surpasses that of conventional honeypots by 3.4 times. 
Particularly against real attackers, GH-MTD exhibits 5.6 times more captured packets and extends the time consumed by attackers by 1.5 times over that of standalone honeypots. In our experiments, we evaluate the architecture's performance against various attack methods, including automated scripts, manual attacks, and assaults by high-level penetration testers. The results demonstrate that the GH-MTD architecture performs exceptionally well, particularly in mitigating and countering advanced, sophisticated attacks, thereby demonstrating its effectiveness in modern network defense strategies.
About the journal:
Informatics and Computer Science Intelligent Systems Applications is an esteemed international journal that focuses on publishing original and creative research findings in the field of information sciences. We also feature a limited number of timely tutorial and surveying contributions.
Our journal aims to cater to a diverse audience, including researchers, developers, managers, strategic planners, graduate students, and anyone interested in staying up-to-date with cutting-edge research in information science, knowledge engineering, and intelligent systems. While readers are expected to share a common interest in information science, they come from varying backgrounds such as engineering, mathematics, statistics, physics, computer science, cell biology, molecular biology, management science, cognitive science, neurobiology, behavioral sciences, and biochemistry.