In Singapore’s evolving cyber landscape, 96% of organisations have suffered at least one cyber attack and 95% of organisations have reported more sophisticated attacks within the span of one year, according to a 2019 report by Carbon Black. As such, more tools must be utilised to counter the increasingly refined attacks performed by malicious actors. Honeypots are effective tools for studying and mitigating these attacks. They work as decoy systems, typically deployed alongside real systems to capture and log the activities of the attacker. These systems are useful as they can actively detect potential attacks, help cybersecurity specialists study an attacker’s tactics and even misdirect attackers from their intended targets. Honeypots can be classified into two main categories:
1. Low-interaction honeypots merely emulate network services and internet protocols, allowing for limited interaction with the attacker.
2. High-interaction honeypots emulate operating systems, allowing for much more interaction with the attacker.
Although honeypots are powerful tools, their value diminishes when their true identity is uncovered by attackers. This is especially so as attackers become more skilled at uncovering them through system fingerprinting or analysing network traffic from targets, which hinders honeypots from capturing more experienced attackers. While substantial research has been done to defend against system fingerprinting scans (see 1.1 Related Work), not much has been done to defend against network traffic analysis. As pointed out by Symantec, when attackers attempt to sniff the network traffic of the system in question, the lack of network traffic raises a red flag, increasing the likelihood of the honeypot’s true identity being discovered. In addition, since the main concern in honeypot deployment is the ability to attract and engage attackers for a substantial period of time, an increased ability to interest malicious actors is invaluable. Producing human-like network activity on a honeypot would appeal to more malicious actors. Hence, this research aims to build an intelligent web-surfer which can learn and thus simulate human web-surfing behaviour, creating evidence of human network activity that disguises honeypots as production systems and lures in more attackers interested in packet sniffing for malicious purposes.