Q-Cowrie: An adaptive honeypot to analyse attackers’ behaviour
摘要
Honeypots in computer security have been used as effective security solutions to lure attackers, capture their interactions with the honeypot systems and study their behaviour. Attackers interacting with honeypots may use Artificial Intelligence (AI)-based techniques to detect the presence of honeypots leading to evasion by the attackers. This paper discusses the application of Reinforcement Learning (RL) to address these issues by improving response generation in honeypots. We propose “Q-Cowrie”, a honeypot that is built upon customising a medium interaction server honeypot, that is, Cowrie, to increase the honeypot’s deception. RL capabilities have been integrated into the honeypot to support adaptive behaviour while interacting with attackers. Two experimental studies have been conducted in which Cowrie and Q-Cowrie honeypots were used, respectively. First, we deployed a Cowrie honeypot to capture cyber attacks and identify attackers’ goals and techniques. This allowed us to create a probabilistic model, that is, the Markov Decision Making Process (MDP), to understand the decision-making process of attackers in different situations. Learning from attackers’ unique patterns and applying RL techniques, Q-Cowrie was able to actively interact with attackers, making adaptive decisions.