Title :
Determining the strength of a decoy system: a paradox of deception and solicitation
Author :
Jordan, Christopher J. ; Zhang, Qiang ; Rover, Jason
Abstract :
This paper examines the effectiveness of two shallow decoys, Deception Toolkit (DTK) and Honeyd. A series of attacks, ranging in complexity, were used to examine how these systems interact with key anomalies differently than actual services do. Analysis of these tests shows that shallow decoys not only have difficulty with normal Web traffic, but they also show significant deviation from normal Web services while interacting with malicious code. This paper also discusses the difficulties inherent in developing effective shallow decoys and demonstrates that, contrary to what might be expected, when implemented in less covertly deceptive ways, shallow decoys may actually be more likely to solicit interaction from the malicious systems they are designed to study.
Keywords :
security of data; system monitoring; Deception Toolkit; Honeyd; honeypots; malicious software; security; shallow decoy system; Analysis of variance; Application software; Documentation; Humans; Intelligent networks; Research and development; Testing; Web services;
Conference_Title :
Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC
Print_ISBN :
0-7803-8572-1
DOI :
10.1109/IAW.2004.1437809