Honeypots mailing list archives

Real-Time Virtual Honeypot Users


From: Sylvain P.Leblanc <Sylvain.Leblanc () rmc ca>
Date: 16 Jun 2004 19:19:14 -0000



I enjoyed the Virtual Honeypot Users thread, as it closely related to my main current research topic.  However, I want 
to take the Virtual User idea a little further.

My interest lies in simulating user activity on the honey pot itself, and not only at the connection level.  If the 
blackhat is on the honeypot, she/he has access to the kernel and can watch the interaction of the various device 
drivers.  If everything is done remotely (I enjoy the representation of the honeypot as a computer without a keyboard in 
Andrew Lamb's white paper), the blackhat would be able to detect the lack of driver activity.  

To guard against this, an organization could have actual users sitting at the computer and interacting with the 
hardware.  This is very costly, and it would likely only be done for a very high value research honeypot.  In such 
cases, we may benefit from generating device driver interaction automatically.

My thought is to model specific device driver interaction by capturing data on actual production systems.  If it is 
possible to parametrize these models, we may be able to vary the parameters of the model to have valid, yet slightly 
different behaviour for different users (nod to Vlad from the Virtual Honeypot Users thread).

I am in the very early stages of this research, but I would really appreciate hearing what the community thinks.  
Cheers.

Sly
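
One way the capture-then-parametrize idea in the message above could look, as an added example that is not part of the original post: fit a timing model to inter-event gaps captured on a production system, then perturb its parameters per virtual user. The log-normal model, the sample gaps, the function names and the 15% spread are all assumptions made for illustration; the code only produces an event schedule and does not drive any device.

```python
import math
import random
import statistics

# Constructed sample: gaps (seconds) between keyboard events, standing in
# for data captured on a real production system.
CAPTURED_GAPS = [0.12, 0.18, 0.09, 0.25, 0.15, 0.31, 0.11, 0.20, 0.14, 0.95,
                 0.17, 0.13, 0.22, 0.10, 0.28, 0.16, 1.40, 0.19, 0.12, 0.24]


def fit_lognormal(gaps):
    """Fit (mu, sigma) of a log-normal to positive inter-event gaps."""
    logs = [math.log(g) for g in gaps if g > 0]
    if len(logs) < 2:
        raise ValueError("need at least two positive gaps to fit a model")
    return statistics.fmean(logs), statistics.stdev(logs)


def derive_user(base, user_id, spread=0.15):
    """Perturb the fitted base model into a per-user parameter set.

    Seeding on user_id keeps each virtual user's rhythm stable across
    sessions while differing slightly from every other user.
    """
    rng = random.Random(f"user:{user_id}")
    mu, sigma = base
    return (mu + rng.uniform(-spread, spread),
            sigma * (1 + rng.uniform(-spread, spread)))


def synth_schedule(params, n_events, seed, floor=0.02):
    """Return n_events strictly increasing event timestamps (seconds)."""
    rng = random.Random(seed)
    mu, sigma = params
    t, out = 0.0, []
    for _ in range(n_events):
        # The floor rejects gaps shorter than a person could plausibly type.
        t += max(floor, rng.lognormvariate(mu, sigma))
        out.append(round(t, 4))
    return out


if __name__ == "__main__":
    base = fit_lognormal(CAPTURED_GAPS)
    for uid in ("alice", "bob"):
        p = derive_user(base, uid)
        print(uid, [round(x, 3) for x in p], synth_schedule(p, 5, seed=uid))
```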

