A Markov Decision Process Model for High Interaction Honeypots

Osama Hayatle, Hadi Otrok, Amr Youssef

Research output: Contribution to journal › Article › peer-review

20 Scopus citations

Abstract

Honeypots, which are traps designed to resemble easy-to-compromise computer systems, have become essential tools for security professionals and researchers because of their significant contribution in disclosing the underworld of cybercrimes. However, recent years have witnessed the development of several anti-honeypot technologies. Botmasters can exploit the fact that honeypots should not participate in illegal actions by commanding the compromised machine to act maliciously against specific targets which are used as sensors to measure the execution of these commands. A machine that is not allowing the execution of such attacks is more likely to be a honeypot. Consequently, honeypot operators need to choose the optimal response that balances between being disclosed and being liable for participating in illicit actions. In this paper, we consider the optimal response strategy for honeypot operators. In particular, we model the interaction between botmasters and honeypots by a Markov Decision Process (MDP) and then determine the optimal policy for honeypots responding to the commands of botmasters. The model is then extended using a Partially Observable Markov Decision Process (POMDP) which allows operators of honeypots to model the uncertainty of the honeypot state as determined by botmasters. The analysis of our model confirms that exploiting the legal liability of honeypots allows botmasters to have the upper hand in their conflict with honeypots. Despite this deficiency in current honeypot designs, our model can help operators of honeypots determine the optimal strategy for responding to botmasters' commands. We also provide simulation results that show the honeypots' optimal response strategies and their expected rewards under different attack scenarios.

Original language: British English
Pages (from-to): 159-170
Number of pages: 12
Journal: Information Security Journal
Volume: 22
Issue number: 4
State: Published - Jul 2013

Keywords

  • botnets
  • honeypots
  • Markov Decision Process
