The Problem
Current detection is passive — we match known attack patterns against input. But sophisticated attackers probe first: they send test inputs to map what security exists before launching real attacks. We have no way to detect this reconnaissance phase.
Proposed Solution: Honeypot Patterns
Intentional "traps" embedded in scanning that detect attacker probing behavior:
```python
from sunglasses.honeypot import HoneypotLayer

honeypot = HoneypotLayer()

# Returns scan result + probing indicators
result = honeypot.analyze(input_text, scan_history=recent_scans)
if result.probing_detected:
    print(f"Attacker probing detected: {result.probe_type}")
    # e.g., "boundary_testing", "pattern_enumeration", "evasion_calibration"
```
Detection strategies:
- Boundary testing: Sequential inputs that incrementally push limits (testing where the filter triggers)
- Pattern enumeration: Rapid variations of the same attack trying different evasion techniques
- Canary triggers: Fake "vulnerability" patterns that no legitimate input would match — only an attacker actively testing would hit them
- Timing analysis: Unusual scan frequency from the same source suggesting automated fuzzing
- Evasion calibration: Inputs that contain partial attacks mixed with escape characters, testing which encoding bypasses work
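To make the five strategies concrete, here is an added example of what the probing heuristics could look like over a scan history. It is not SUNGLASSES code and the proposed module does not exist yet; the `ScanRecord` shape, the extra `source`/`ts` arguments to `analyze`, the thresholds, the canary phrases and the stand-in attack patterns are all constructed assumptions for the demo.

```python
"""Added example, not SUNGLASSES project code: a minimal HoneypotLayer that
scores a scan history against the five probing heuristics listed above.
The record shape, thresholds, canary phrases and attack patterns are all
constructed assumptions for the demo."""
import re
from dataclasses import dataclass, field

# Constructed canary phrases: no legitimate input should ever contain these.
CANARIES = ("debug_override=ZZ-CANARY-7781", "SUNGLASSES_TRAP_TOKEN")
# Constructed stand-ins for the scanner's known attack patterns (normalized form).
KNOWN_PATTERNS = ("ignorepreviousinstructions", "revealsystemprompt")
RATE_WINDOW_SEC = 10.0  # assumed timing-analysis window
RATE_THRESHOLD = 5      # assumed max scans per source per window

@dataclass
class ScanRecord:
    ts: float     # seconds since some epoch
    source: str   # client or session identifier
    text: str     # raw input that was scanned

@dataclass
class ProbeResult:
    probing_detected: bool
    probe_types: list = field(default_factory=list)

    @property
    def probe_type(self):
        """First detected type, matching the single-value API in the proposal."""
        return self.probe_types[0] if self.probe_types else None

def normalize(text):
    """Fully decode: percent-escapes, backslashes, case, and all punctuation."""
    t = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"[^a-z0-9]", "", t.replace("\\", "").lower())

def mild(text):
    """Only case-fold and drop whitespace; what a naive matcher would see."""
    return re.sub(r"\s+", "", text.lower())

def uses_encoding_evasion(text):
    """True when an attack pattern is visible only after full decoding."""
    n, m = normalize(text), mild(text)
    return any(p in n and p not in m for p in KNOWN_PATTERNS)

class HoneypotLayer:
    def analyze(self, input_text, scan_history, source, ts):
        window = sorted(
            [r for r in scan_history if r.source == source]
            + [ScanRecord(ts, source, input_text)], key=lambda r: r.ts)
        texts = [r.text for r in window]
        types = []

        # Canary triggers: the current input touches a trap phrase.
        if any(c in input_text for c in CANARIES):
            types.append("canary_trigger")

        # Boundary testing: a run of 3+ inputs, each extending the previous one.
        run = best = 1
        for prev, cur in zip(texts, texts[1:]):
            run = run + 1 if cur.startswith(prev) and len(cur) > len(prev) else 1
            best = max(best, run)
        if best >= 3:
            types.append("boundary_testing")

        # Pattern enumeration: 3+ distinct raw inputs collapsing to one form.
        groups = {}
        for t in texts:
            groups.setdefault(normalize(t), set()).add(t)
        if any(len(v) >= 3 for v in groups.values()):
            types.append("pattern_enumeration")

        # Timing analysis: more scans from one source than the window allows.
        recent = [r for r in window if ts - r.ts <= RATE_WINDOW_SEC]
        if len(recent) > RATE_THRESHOLD:
            types.append("timing_analysis")

        # Evasion calibration: 2+ differently encoded copies of a known attack.
        if len({t for t in texts if uses_encoding_evasion(t)}) >= 2:
            types.append("evasion_calibration")

        return ProbeResult(bool(types), types)

def demo_probing():
    """Constructed history: one source walks a filter boundary, then varies
    the encoding of the same attack within a few seconds."""
    history = [
        ScanRecord(0.0, "s1", "ignore"),
        ScanRecord(1.0, "s1", "ignore previous"),
        ScanRecord(2.0, "s1", "ignore previous instructions"),
        ScanRecord(3.0, "s1", "ign\\ore previous instructions"),
        ScanRecord(4.0, "s1", "ignore prev%69ous instructions"),
    ]
    return HoneypotLayer().analyze(
        "Ignore-Previous-Instructions", history, source="s1", ts=5.0)

if __name__ == "__main__":
    result = demo_probing()
    if result.probing_detected:
        print(f"Attacker probing detected: {result.probe_types}")
```

The heuristics are deliberately per-source and history-based: a single input rarely proves probing, but the same source extending an input step by step, then re-encoding the identical attack several ways in a few seconds, is the reconnaissance signature the proposal describes. Thresholds and the canary list would need tuning against real traffic before any alert is raised on them.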
Why This Matters
Catching an attacker during reconnaissance — before they launch the real payload — is significantly more valuable than catching the attack itself. This shifts SUNGLASSES from reactive defense to proactive threat detection.
How to Contribute
- Design canary pattern format (patterns that look like vulnerabilities but are traps)
- Build the probing detection heuristics
- Define what "scan history" analysis looks like
- Write test scenarios simulating attacker recon behavior
- Design the alert/reporting format for detected probes
This is exploratory — creative security thinkers welcome! 🕶️