• DocumentCode
    3735337
  • Title

    The bilateral communication-based dynamic extensible honeypot

  • Author

    Chun-Yi Wang;Ya-Lyue Jhao;Chuan-Sheng Wang;Shih-Jen Chen;Fu-Hau Hsu;Yao-Hsin Chen

  • Author_Institution
    Department of Computer Science and Information Engineering, National Central University, Taoyuan, Taiwan, R.O.C.
  • fYear
    2015
  • Firstpage
    263
  • Lastpage
    268
  • Abstract
    As networks advance, it is crucial for us to guard the information that we have. One method of doing so is the honeypot, which is also a very powerful component for security analysts to collect malicious data over a long time. We need to let attackers intrude into a honeypot so that we can analyze the malicious data we get and find a method to prevent related attacks. Because it is important to prevent attackers from attacking another computer through a honeypot, almost all honeypots block outgoing traffic. This may create a serious problem. Some attackers test whether the computer they are attacking is a honeypot by creating some simple external connections. If they know the computer they are attacking is a honeypot, they will not carry out further malicious behavior. If a honeypot can no longer collect attack patterns, it becomes useless. In this paper, we introduce a new honeypot design, DEH (Dynamic Extensible Two-way Honeypot), to fix this serious problem with a bilateral communication mechanism. DEH, based on bilateral communication, allows not only incoming traffic but also outgoing traffic. If the outgoing traffic includes malicious shellcode, we can hold this traffic and copy the shellcode, and then DEH replaces it with our own code to set up the bilateral communication and protective mechanism of the computer that the attacker wants to intrude into. After we set up the mechanism, we let the attacker intrude into a victim, but he is monitored by our protective mechanism. When the attacker wants to send traffic out of the victim, DEH can extend the protective mechanism to other computers or redirect the connections back to the honeypot. Therefore, the mechanism can efficiently not only protect the honeypot from being detected but also prevent the attack from spreading; at the same time, we can also get more information from attackers.
  • Keywords
    "Computers","Monitoring","Security","Internet","Software","Linux"
  • Publisher
    ieee
  • Conference_Titel
    Security Technology (ICCST), 2015 International Carnahan Conference on
  • Print_ISBN
    978-1-4799-8690-3
  • Electronic_ISBN
    2153-0742
  • Type

    conf

  • DOI
    10.1109/CCST.2015.7389693
  • Filename
    7389693