Cyber Deception Reactive: TCP Stealth Redirection to On-Demand Honeypots

Pedro Beltran Lopez, Pantaleone Nespoli, Manuel Gil Perez

TL;DR

This paper addresses defending critical infrastructures with cyber deception by integrating stealth TCP redirection to on-demand honey servers. It presents an SDN/NFV-based architecture using a Snort IDS and a Ryu controller to redirect connections to a real-time clone of the victim, enabling continuous threat intelligence collection with minimal resource use. Through Mininet and KVM-based experiments, the work demonstrates that redirection remains stealthy, with negligible latency changes for attackers during migration, and that on-demand honey servers can be instantiated efficiently. The contributions include a publicly released implementation and a framework for threat-informed reaction and autonomous learning in future deployments.

Abstract

Cybersecurity is developing rapidly, and new methods of defence against attackers are appearing, such as Cyber Deception (CYDEC). CYDEC consists of deceiving an adversary, who carries out actions without realising that they are being deceived. This article proposes designing, implementing, and evaluating a deception mechanism based on the stealthy redirection of TCP communications to an on-demand honey server with the same characteristics as the victim asset, i.e., a clone. Such a mechanism ensures that the defender fools the attacker thanks to the stealth of the redirection. In this situation, the attacker focuses on attacking the honey server, which enables the collection of relevant information to generate threat intelligence. Experiments in different scenarios show how the proposed solution can effectively redirect an attacker to a copied asset on demand, thus protecting the real asset. Finally, the results obtained by evaluating latency times show that the redirection is undetectable by humans and very difficult to detect by a machine.

Paper Structure (17 sections, 9 figures)

Figures (9)

  • Figure 1: Threat detection and response system architecture based on redirection and copy on-demand.
  • Figure 2: TCP packet exchange between the victim and the attacker in the process of stealth redirection.
  • Figure 3: Network topology for the proposed experiments.
  • Figure 4: Redirection latency means in the different experiments (1 Host - 1 Process).
  • Figure 5: Redirection latency mean in the different experiments (20 Host - 70 Process).
  • ...and 4 more figures