
ASGARD: An abstract model for adaptive self-guarded honeypots

A honeypot is a security tool that is deliberately designed to be vulnerable, enticing attackers to probe, attack, and compromise it. It has been used since the early 1990s to capture cyberattacks. Today, it remains one of the most widely used security tools, alongside other security mechanisms such as firewalls and intrusion detection systems. Honeypots serve as an early warning system and collect attack-related data that helps security professionals understand threat actors' techniques.

Honeypots are classified by their interaction levels, namely: low, medium, and high. A low-interaction honeypot is based on system emulation. It offers limited functionality and is designed to accept connections with very limited responses. A medium-interaction honeypot builds upon the low-interaction model but offers more functionality and can respond to more requests from attackers. A high-interaction honeypot, however, relies on a real operating system or a real system such as an actual database server or web application, providing a complete environment for attackers to interact with.

While these honeypots, collectively known as conventional honeypots, have achieved significant success, they remain deterministic in their responses to attacks. This is where adaptive or intelligent honeypots come into play. An adaptive honeypot leverages machine learning techniques, such as reinforcement learning, to interact with attackers. These systems learn to take actions that can disrupt the normal execution flow of an attack, potentially forcing attackers to alter their techniques. As a result, attackers must find alternative routes or tools to achieve their objectives, ultimately leading to the collection of more attack data.

However, conventional honeypot systems face two main challenges. The first is detection by attackers, particularly for low- and medium-interaction honeypots, which significantly reduces their effectiveness in collecting attack data. The second is the security risk that a real-system-based honeypot can pose to an organization if it is not adequately protected. Since adaptive honeypots rely on the same underlying systems, they inherit both challenges.

The remaining question is whether it is possible to design a new honeypot system that overcomes these challenges while still fulfilling its primary objective of collecting attack data. This is the main research question that this thesis seeks to address. To this end, this thesis proposes a new abstract model for adaptive self-guarded honeypots, designed to balance attack data collection, detection evasion, and security preservation, ensuring that it does not pose a risk to the rest of the network.
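To make the two ideas above concrete (an adaptive honeypot that learns which responses yield more attack data, and a reward that also accounts for detection evasion and security preservation), here is an added toy example. It is not the thesis's model or code: the five attack stages, the three honeypot actions (ALLOW, BLOCK, FAKE), and the scripted attacker reactions are constructed assumptions. The controller is plain tabular Q-learning; its reward is the number of attacker commands observed minus a risk penalty for letting dangerous stages execute for real, and an attacker who spots fabricated output or is blocked at a stage they will not retry simply leaves.

```python
"""Toy adaptive honeypot controller: tabular Q-learning decides how to answer each
stage of a constructed attack session. Added example; the stage names, action set,
attacker reactions and risk weights below are illustrative assumptions."""
import random

ACTIONS = ("ALLOW", "BLOCK", "FAKE")   # execute for real / refuse / return fabricated output
STAGES = ("recon", "enumerate", "download", "execute", "cleanup")

# Constructed attacker model, one entry per stage:
#   retries     extra commands the attacker tries when BLOCKed (more data collected)
#   quits       attacker disconnects if BLOCKed at this stage
#   risk        penalty for ALLOWing this stage for real (security preservation)
#   spots_fake  attacker notices FAKE output at this stage and leaves (detection)
ATTACKER = {
    "recon":     dict(retries=1, quits=False, risk=0, spots_fake=False),
    "enumerate": dict(retries=0, quits=True,  risk=0, spots_fake=True),
    "download":  dict(retries=0, quits=True,  risk=1, spots_fake=False),
    "execute":   dict(retries=1, quits=False, risk=3, spots_fake=False),
    "cleanup":   dict(retries=0, quits=False, risk=1, spots_fake=True),
}


def step(stage_idx, action):
    """Apply one honeypot decision at STAGES[stage_idx].
    Returns (reward, commands_seen, risk_taken, next_idx); next_idx is None when the
    attacker leaves or the session script is exhausted."""
    m = ATTACKER[STAGES[stage_idx]]
    seen, risk, leaves = 1, 0, False          # the request itself is always observed
    if action == "ALLOW":
        risk = m["risk"]
    elif action == "BLOCK":
        seen += m["retries"]                  # blocked attackers try alternative tools
        leaves = m["quits"]
    else:                                     # FAKE
        leaves = m["spots_fake"]
    reward = seen - risk                      # data collected, penalised by exposure
    next_idx = None if leaves or stage_idx + 1 == len(STAGES) else stage_idx + 1
    return reward, seen, risk, next_idx


def run_session(policy):
    """Play one full session under a policy (stage name -> action) and total the outcome."""
    totals = {"seen": 0, "reward": 0, "risk": 0}
    idx = 0
    while idx is not None:
        reward, seen, risk, idx = step(idx, policy(STAGES[idx]))
        totals["seen"] += seen
        totals["reward"] += reward
        totals["risk"] += risk
    return totals


def train(episodes=3000, alpha=0.5, gamma=0.9, epsilon=0.2, seed=0):
    """Epsilon-greedy Q-learning over (stage, action); returns the learned Q-table."""
    rng = random.Random(seed)
    q = {(s, a): 0.0 for s in STAGES for a in ACTIONS}
    for _ in range(episodes):
        idx = 0
        while idx is not None:
            state = STAGES[idx]
            if rng.random() < epsilon:
                action = rng.choice(ACTIONS)
            else:
                action = max(ACTIONS, key=lambda a: q[(state, a)])
            reward, _, _, nxt = step(idx, action)
            future = 0.0 if nxt is None else max(q[(STAGES[nxt], a)] for a in ACTIONS)
            q[(state, action)] += alpha * (reward + gamma * future - q[(state, action)])
            idx = nxt
    return q


def greedy_policy(q):
    """Turn a Q-table into a deterministic policy (ties resolved in ACTIONS order)."""
    return lambda stage: max(ACTIONS, key=lambda a: q[(stage, a)])


if __name__ == "__main__":
    learned = greedy_policy(train())
    print("learned policy:", {s: learned(s) for s in STAGES})
    print("learned session:", run_session(learned))
    print("allow-everything session:", run_session(lambda s: "ALLOW"))
```

Under these assumptions the agent learns to block reconnaissance (the attacker retries with another tool, so more is observed), let enumeration through (a fake answer there would be spotted and the session lost), fake the download (keeps the attacker engaged without pulling real payloads onto the host), and block execution (high risk, and the attacker persists anyway). It sees more commands than a permissive high-interaction setup while incurring no risk, which is the trade-off the abstract model is meant to formalise.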
