MLCSS'23@ICL

Traditional honeypot deployments expose vulnerable systems for extended periods of time in large quantities to gather empirical information on intrusion techniques. This deployment strategy can be too slow to respond to emerging threats and provide opportunity for attackers to develop detection techniques on the honeypots employed. In this talk, we present two new methodologies inspired by the clinical trial community to optimize this data collection process by decreasing the cost and amount of time required to obtain similar information. These methodologies are applied in an exemplary study to autonomously and rapidly answer immediate questions on the risk of a given vulnerability. The first is a Randomized Control Trial (RCT) that compares honeypots with and without a certain vulnerability to understand its impact within the given population. This method ensures conclusion within a set budget, but relies on accurate initial assumptions prior to starting the trial. The second method, known as Adaptive Design (AD), can improve RCTs by optimizing mid-trial with statistical methods to achieve the set objectives with less resources. Unlike the RCT, AD can alter some initial assumptions during the trial to account for inaccuracies, but the alterations might exceed a given budget. We compare both the RCT and AD methods with the vanilla deployment, where a large quantity of honeypots are observed over a set length of time rather than stages. By conducting studies with a control, we uncover a method of understanding the causal relationship a vulnerability has on a system infection.