Threat-Aware Honeypot for Discovering and Predicting Fingerprinting Attacks Using Principal Components Analysis

The proliferation of cyberattacks, their increase in complexity and therefore their resolution, has resulted in significant concern within the cybersecurity industry. A honeypot is a popular concealed tool used to entice attackers to disclose information about themselves. It is an effective tool provided that its identity is not revealed, however, a successful fingerprinting attack can reveal the honeypots identity; leading to possible devastating consequences, resulting in the imperative to detect such fingerprinting at the earliest opportunity. Several effective methods are available to prevent a fingerprinting attack; therefore, a real-time prediction method is highly desirable. Unfortunately, no technique is available to discover and predict a fingerprinting attack in real-time as it is difficult to isolate that attack from other attacks. Therefore, this paper proposes a technique to discover and predict fingerprinting attacks on the honeypot in real-time by using a Principal Components Analysis (PCA). As every fingerprinting attack requires a sequence of actions to collect sufficient information to generate a fingerprint, this proposed technique takes advantage of this requirement to gather its symptoms. Analysing several abnormalities in attributes of TCP, UDP and ICMP packets collected during the simulation of fingerprinting attacks, evaluating them based on popular attack techniques and empirical evidence. After selecting several targeted attributes based on the previous analysis, it performs a PCA to establish the most influential attributes by which a fingerprinting attack can be discovered and predicted accurately. Finally, it proposes a general model to predict the severity level of the fingerprinting attack on the honeypot.