An Adaptive IoT SSH Honeypot Strategy Based on Game Theory Opponent Modeling

doi:10.3969/j.issn.1671-1122.2023.11.005

Abstract

Abstract:

The proliferation of IoT devices has led to an increasing number of attacks against the Internet of things, it’s urgent for cybersecurity personnel to use proactive defense techniques to turn reactive defense into proactive defense. The introduction of SSH (secure shell) honeypot technology allows defenders to capture learn attackers’ interaction informationacting strategy, which is of great significance for IoT security. However, traditional honeypots are easily identified and exploited by attackers because of their fixed characteristics or behavioral patterns. From the perspective of game theory, this paper established an interaction model between honeypots and attackers, and we calculated the best response strategy of the defender by useing SAC (soft actor-critic) algorithm. Simulation results show that adaptive honeypot by combining reinforcement learning and game theory can quickly find the optimal interaction strategy in a variety of scenarios, and the reinforcement learning method added to the policy network is better than the traditional reinforcement learning method based on the value network alone.

Key words: Internet of things, deception defense, honeypot, reinforcement learning, game theory

CLC Number:

TP309

SONG Lihua, ZHANG Jinwei, ZHANG Shaoyong. An Adaptive IoT SSH Honeypot Strategy Based on Game Theory Opponent Modeling[J]. Netinfo Security, 2023, 23(11): 38-47.

Figures/Tables 12

References 21

[1]	SPITZNER L. Honeypots: Tracking Hackers[M]. Boston: Addison Wesley, 2003.
[2]	LOGANADEN V, MARK D. Baushke. Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits[EB/OL]. (2017-12-01)[2023-05-30]. https://rfc-editor.org/rfc/rfc8270.txt.
[3]	METONGNON L, SADRE R. Prevalence of IoT Protocols in Telescope and Honeypot Measurements[EB/OL]. (2019-04-04)[2023-05-30]. https://dl.acm.org/doi/pdf/10.1145/3229598.3229604.
[4]	KRAWETZ N. Anti-Honeypot Technology[J]. IEEE Security & Privacy, 2004, 2(1): 76-79.
[5]	PAWLICK J, COLBERT E, ZHU Quanyan. A Game-Theoretic Taxonomy and Survey of Defensive Deception for Cybersecurity and Privacy[J]. ACM Computing Surveys (CSUR), 2019, 52(4): 1-28.
[6]	JIANG Yangyang, SONG Lihua, XING Changyou, et al. Belief Driven Attack and Defense Policy Optimization Mechanism in Honeypot Game[J]. Computer Science, 2022, 49(9): 333-339. doi: 10.11896/jsjkx.220400011
	姜洋洋, 宋丽华, 邢长友, 等. 蜜罐博弈中信念驱动的攻防策略优化机制[J]. 计算机科学, 2022, 49(9): 333-339. doi: 10.11896/jsjkx.220400011
[7]	KROER C, SANDHOLM T. Limited Lookahead in Imperfect-Information Games[EB/OL]. (2020-03-19)[2023-05-30]. https://arxiv.org/abs/1902.06335.
[8]	WAGENER G, STATE R, ENGEL T, et al. Adaptive and Self-Configurable Honeypots[C]// IEEE. 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops. New York: IEEE, 2011: 345-352.
[9]	HAYATLE O, OTROK H, YOUSSEF A. A Game Theoretic Investigation for High Interaction Honeypots[C]// IEEE. 2012 IEEE International Conference on Communications (ICC). New York: IEEE, 2012: 6662-6667.
[10]	PAWLICK J, COLBERT E, ZHU Quanyan. Modeling and Analysis of Leaky Deception Using Signaling Games with Evidence[J]. IEEE Transactions on Information Forensics and Security, 2018, 14(7): 1871-1886. doi: 10.1109/TIFS.10206 URL
[11]	WANG Juan, YANG Hongyuan, FAN Chengyang. A SDN Dynamic Honeypot with Multi-Phase Attack Response[J]. Netinfo Security, 2021, 21(1): 27-40.
	王鹃, 杨泓远, 樊成阳. 一种基于多阶段攻击响应的SDN动态蜜罐[J]. 信息网络安全, 2021, 21(1): 27-40.
[12]	PANDA S, RASS S, MOSCHOYIANNIS S, et al. HoneyCar: A Framework to Configure Honeypot Vulnerabilities on the Internet of Vehicles[J]. IEEE Access, 2022(10): 104671-104685.
[13]	WAGENER G, STATE R, DULAUNOY A, et al. Heliza: Talking Dirty to the Attackers[J]. Journal in Computer Virology, 2011(7): 221-232.
[14]	PAUNA A, BICA I. RASSH-Reinforced Adaptive SSH Honeypot[C]// IEEE. 2014 10th International Conference on Communications (COMM). New York: IEEE, 2014: 1-6.
[15]	PAUNA A, IACOB A, BICA I. A Self-Adaptive SSH Honeypot Driven by Q-Learning[C]// IEEE. International Conference on Communications. New York: IEEE, 2018: 417-422.
[16]	PAUNA A, BICA I, POP F, et al. On the Rewards of Self-Adaptive IoT Honeypots[J]. Annals of Telecommunications, 2019(74): 501-515.
[17]	TOUCH S, COLIN J N. A Comparison of an Adaptive Self-Guarded Honeypot with Conventional Honeypots[EB/OL]. (2022-05-19)[2023-05-30]. https://doi.org/10.3390/app12105224.
[18]	LOPEZ Y J S, FAGETTE A. Increasing Attacker Engagement on SSH Honeypots Using Semantic Embeddings of Cyber-Attack Patterns and Deep Reinforcement Learning[C]// IEEE. 2022 IEEE Symposium Series on Computational Intelligence (SSCI). New York: IEEE, 2022: 389-395.
[19]	SUTTON R S. On the Significance of Markov Decision Processes[C]// Springer. Artificial Neural Networks-ICANN’97: 7th International Conference Lausanne. Berlin: Springer, 1997: 273-282.
[20]	HAARNOJA T, ZHOU A, HARTIKAINEN K, et al. Soft Actor-Critic Algorithms and Applications[EB/OL]. (2018-12-13)[2023-05-30]. https://arxiv.org/abs/1812.05905.
[21]	HESSEL M, MODAYIL J, HASSELT H V, et al. Rainbow: Combining Improvements in Deep Reinforcement Learning[EB/OL]. (2017-10-06)[2023-05-30]. https://arxiv.org/abs/1710.02298.

符号	含义
${{\mu }_{1}}$	攻击者以先验概率${{\mu }_{1}}$认为所攻击的系统是蜜罐，与防御者部署的蜜罐数量有关
${{\mu }_{i}}$	在每轮博弈开始时，攻击者以${{\mu }_{i}}$的概率认为访问的系统是蜜罐，$i$表示当前博弈轮次
${{l}_{h}}$	当攻击者访问的系统是蜜罐时，执行high动作，被蜜罐捕获后所造成的损失
${{l}_{l}}$	当攻击者访问的系统是蜜罐时，执行low动作，被蜜罐捕获后所造成的损失
${{r}_{t}}$	当攻击者访问的系统是蜜罐时，执行test，蜜罐选择block时，攻击者所得到的收益
${{r}_{h}}$	当攻击者访问的系统是物联网生产系统时，攻击者执行high 动作成功时所得到的收益
${{r}_{l}}$	当攻击者访问的系统是物联网生产系统时，攻击者执行low 动作成功时所得到的收益
${{c}_{t}}$	攻击者选择test动作所需要的攻击成本
${{c}_{h}}$	攻击者选择high动作所需要的攻击成本
${{c}_{l}}$	攻击者选择low动作所需要的攻击成本
${{p}_{t}}$	攻击者以概率${{p}_{t}}$选择执行test动作
${{p}_{h}}$	攻击者以概率${{p}_{h}}$选择执行high动作
${{p}_{l}}$	攻击者以概率${{p}_{l}}$选择执行low动作
${{o}_{t}}$	当攻击者选择test动作时，蜜罐系统执行allow动作需要付出的成本
${{o}_{h}}$	当攻击者选择high动作时，蜜罐系统执行allow动作需要付出的成本
${{o}_{l}}$	当攻击者选择low动作时，蜜罐系统执行allow动作需要付出的成本
${{q}_{t}}$	真实物联网生产系统允许执行命令的概率，本文为0.9
${{U}_{a}}$	攻击者的期望收益
${{U}_{d}}$	防御方的期望收益

动作	high	low	test
allow	${{l}_{h}}-{{o}_{h}}$	${{l}_{l}}-{{o}_{l}}$	$-{{o}_{t}}$
block	${{l}_{h}}$	${{l}_{l}}$	${{r}_{t}}$

${{r}_{h}}=6$	${{o}_{h}}=3$	${{c}_{h}}=3$	${{l}_{h}}=3$	${{d}_{h}}=6$
${{r}_{l}}=3$	${{o}_{l}}=2$	${{c}_{l}}=1$	${{l}_{l}}=1$	${{d}_{l}}=3$
${{r}_{t}}=2$	${{o}_{t}}=1$	${{c}_{t}}=0.5$	—	—

信念值	策略	平均值	信念值	策略	平均值
0.1	GAME	6.77	0.3	GAME	3.11
	Rainbow	5.93		Rainbow	2.21
	cowrie	5.43		cowrie	2.40
	物理蜜罐	-8.18		物理蜜罐	-3.57
	低交互蜜罐	6.48		低交互蜜罐	2.88
0.5	GAME	-0.58	0.7	GAME	-1.39
	Rainbow	-1.30		Rainbow	-1.39
	cowrie	-0.79		cowrie	-1.44
	物理蜜罐	-2.36		物理蜜罐	-1.58
	低交互蜜罐	-3.26		低交互蜜罐	-2.58