Honeygames: A Game Theoretic Approach to Defending Network Monitors
Authors
Cai, Jin-Yi
Yegneswaran, Vinod
Alfeld, Chris
Barford, Paul
Type
Technical Report
Publisher
University of Wisconsin-Madison Department of Computer Sciences
Abstract
A honeynet is a portion of routed but otherwise unused address space that is instrumented for network traffic monitoring. Over the past several years, honeynets have proven to be an invaluable tool for understanding the characteristics of unwanted Internet traffic from misconfigurations and malicious attacks. In this paper, we address the problem of defending honeynets against systematic mapping by malicious parties to ensure that they remain viable in the long term. Our first step is to abstract the problem into a simple two-player game. The objective of the Attacker is to probe a range of address space in order to identify the embedded honeynet. The objectives of the Defender are (a) to prevent the honeynet from being mapped by periodically shuffling the honeynet's location within the address space and (b) to minimize the frequency of shuffling. We establish provably optimal strategies for both the attacker and defender. We also consider progressively more realistic variants of the game. Next, we evaluate the strategies analytically to understand how they apply over a range of honeynet configurations. We find that network size, monitor size, presence of unused address space, and probe rates directly impact shuffling frequency. Finally, we discuss experimental results from a prototype implementation of a network shuffling middlebox that provides insights on expected resource requirements and performance implications. We show that the system is capable of effectively defending large networks, with limited impact on normal traffic, and responds well in the face of network attacks and anomalies.
Citation
TR1577