The paper proposes a reactive roaming scheme for honeypots. The main aim of a honeypot is to capture the activities of the attacker. If the attacker detects honeypot on a system, its value drops. So, the concept of roaming honeypots is being proposed, to prevent the attacker from detecting the honeypot, which in turn increases the efficiency of honeypot and allows collecting rich data about activities of active attackers. The honeypot is shifted to another system which is most probable to be attacked within the network. The concept of Markov chain analysis is being used to detect the most probable system to be attacked based on the current status of the network. Further, using IP shuffling and services on/off concepts, honeypots roam on the network to the most probable system to be attacked using the threat score. Snort is used to capture data about the number of attacks on each of the nodes of the network and the data collected is then used as an input for Markov chain analysis to identify the most probable system where honeypot can be roamed/moved. The roaming scheme has been implemented for both high interaction honeypots and low interaction honeypots. The high interaction implementation helps in capturing in depth information on a shorter range of IP addresses, whereas the low interaction implementation is efficient in capturing information on a large range of IP addresses. The main advantage of this approach is that it predicts the frequency of attacks on the nodes of a particular network and takes a reactive step by starting the honeypot services on that particular node/system on the network.
