Honeypot Detection Method Based on Anomalous Requests Response Differences

Honeypot detection is a popular technology in the current cyber security, which can be used to check the disguise and protection level of deployed honeypots. To address the problem of low detection accuracy of existing honeypot detection techniques, this paper proposes a honeypot detection method based on the differences of anomalous requests' response. The method uses the anomalous request packet construction method designed in this paper to construct anomalous request packets, and sends the constructed anomalous request packets to the identity-known devices to collect the responses. Combined with the responses analysis method designed in this paper, the responses are analyzed in terms of similarity in both content and structure dimensions, which enables the evaluation of anomalous request packets in turn, and the selection of those that can consistently trigger a differential response from the honeypots to form a probing packets set based on anomaly. A deep learning model aiming at honeypot detection is designed using the responses of the identity-known devices in response to the probing packets set based on anomaly. The model and the responses of the nodes to detect to the probing packets set based on anomaly are used to detect honeypots. Experiment shows that the method is able to detect the nodes to detect with an accuracy of 96.4%.