Adapting Honeypot Configurations to Detect Evolving Exploits
Gutierrez, Marcus Paul (University of Texas at El Paso) | Kiekintveld, Christopher (University of Texas at El Paso)
Honeypots are fake resources that gain value from being probed and attacked. They deceive network intruders into revealing their behavior and the nature of an intended attack. A honeypot's success relies on the quality of its deception and its perceived value to the attacker. In this paper, we emphasize the latter. We model a repeated game in which a defender must select from a list of honeypot configurations to detect an adversary's attack. Each of the adversary's attacks has its own unique value function and a set of features required to execute the exploit. Each exploit "evolves": its value decreases with the number of detections, and new attacks may be added to the adversary's arsenal as the game progresses. We show that this model requires the defender to act strategically by showing that the adversary can exploit naive defense strategies. To solve this problem, we leverage the Multi-Armed Bandit (MAB) framework, a class of machine learning problems that demand a balance between exploration and exploitation.
Feb-4-2017