A Mimic Honeypot Construction Method Based on Incomplete Information Zero-Sum Stochastic Games and Q-Learning

Honeypots based on the deception technology offer a promising solution to address the asymmetry of attack and defense in the Internet of Things (IoTs). However, as the IoT security situation continues to evolve, attackers can identify honeypots by analyzing system characteristics and network behaviors, launching targeted virtual escape attacks that may exploit the honeypot as a stepping stone to compromise other systems. Once the IoT honeypot itself is successfully identified and attacked, the current defense measures typically rely on postattack remediation. To address this challenge, we propose a mimic honeypot construction method based on incomplete information zero-sum stochastic game and Q-learning. This method enhances the IoT honeypot’s deceptive capabilities while ensuring the security of the honeypot itself. First, inspired by the concept of mimic defense (MD), we design a dynamic heterogeneous redundancy (DHR) honeypot (mimic honeypot), which contains multiple business executors composed of both business and virtualization layers. Second, we establish an incomplete information zero-sum stochastic game model to represent the honeypot attack–defense scenario. The Q-learning algorithm is employed to solve for the Bayesian Nash equilibrium, enabling the mimic honeypot to adaptively adjust its deployment strategies based on the attacker’s observed actions. Finally, the experimental results demonstrate that the proposed mimic honeypot outperforms existing methods in terms of deceptive effectiveness and honeypot self-protection capabilities, significantly reducing the likelihood of honeypot compromise and ensuring the robust network defense.