Honeytoken Quantifier Algorithm

• Honeytoken Quantifier Algorithm is a computational framework that rigorously evaluates decoy data security using metrics such as flatness and success-number.
• The algorithm employs probabilistic models, including Bernoulli schemes and information-theoretic measures, to optimize honeytoken system performance.
• It integrates practical pseudocode and topic semantic matching to measure both password-based honeywords and document-like honeyfiles in real-world scenarios.

A honeytoken quantifier algorithm is a formal or computational mechanism for rigorously quantifying the efficacy or enticement of honeytokens—decoy data objects intended to detect adversarial activity. The quantification may focus on security indistinguishability (e.g., in password-based systems) or enticement (in honeyfiles and related contexts). Canonical algorithmic forms of honeytoken quantification include: (a) the flatness and success-number metrics for honeyword security, which measure indistinguishability under optimal adversarial strategy; (b) information-theoretic and probabilistic metrics for honeyword sets generated by stochastic algorithms such as the Bernoulli process; and (c) semantic similarity–based enticement quantification as in Topic Semantic Matching (TSM) for honeyfiles. These approaches yield both formal criteria and computational schemes for evaluating or tuning honeytoken systems with respect to adversarial models, data distributions, and context (Su et al., 2023, Wang et al., 2022, Timmer et al., 2022).

1. Canonical Security Metrics for Honeytokens

In the honeyword framework, two security metrics have emerged as canonical quantifiers:

• Flatness (ε(i)): For a system parameterized by sweetness $k$, an attacker observing a sweetword list (one real password from $P$, $k-1$ decoys from $Q$, shuffled) outputs $i$ guesses and wins if the real password is among them. The flatness function $\epsilon(i)$ is the maximal winning probability over all adversaries producing $i$ guesses. Flatness expresses the system's resistance to optimal targeted guessing, quantifying how indistinguishable real from decoy is in the adversarial view.
• Success-number (λ_U(i)): For $U$ accounts, an attacker sequentially guesses one password per account, stopping when the total number of failures reaches $i$. The function $\lambda_U(i)$ is the expected number of successes achieved by the optimal adversary. It characterizes the trade-off between adversarial power and expected honeytoken triggers across users.

Both are defined for optimal (not heuristic) adversaries, assuming complete knowledge of distributions $P$ (real) and $Q$ (decoy) (Su et al., 2023).

2. Mathematical Structure and Computation

The formalism relies on the ratio random variable $X := P(pw)/Q(pw)$, with cumulative distribution functions (CDFs) $F(x), G(x)$ for $pw$ drawn from $P$ or $Q$. The density $f(x) = x \cdot g(x)$ emerges under the assumption that $Q$ has full support.

The key closed-form expressions are:

• Flatness:

$$\epsilon(i) = \sum_{j=1}^i \int_{0}^{M} \binom{k-1}{j-1} f(x) G(x)^{k-j} (1-G(x))^{j-1} dx$$

In particular,

$$\epsilon(1) = \frac{1}{k}\left(M - \int_{0}^{M} G(x)^k dx\right)$$

• Success-number:

$$\lambda_U(i) = U \cdot \sum_{j=1}^i \int_{1/k}^1 t a(t) \binom{U-1}{j-1} E[v_t]^{U-j} (1 - E[v_t])^{j-1} dt$$

where $a(t)$ is the optimal one-shot guess density and $E[v_t]$ is its expectation under varying thresholds.

General-purpose pseudocode implements these via discrete-sum algorithms, assuming $P,Q$ arrays of size $N$ (the password space), with time complexity $O(N + M \log M + k M)$ for flatness and $O(I^2 B)$ for the full success-number curve (with $M$ unique $X$ values, $B$ histogram bins, $I$ maximum index) (Su et al., 2023).

3. Bernoulli Quantification Schemes

The Bernoulli honeyword quantifier replaces manual decoy selection with a fixed-probability random process: each possible password (other than the real one) is independently flagged as a honeyword with probability $p$.

• False Alarm Probability: For an attacker making $k$ guesses per account, the probability of causing a false alarm is

$\text{hwi}_{raat}(p, k) = 1 - (1-p)^k$

and with $m$ accounts,

$1 - (1 - (1-p)^k)^m$

• True Alarm Probability: For a breaching attacker (BRAT) who knows the honeyword markings, detection probability when attacking a set $A$ of accounts is

$1 - \prod_{a \in A}(1 - \text{tdp}_a)$

with per-account detection probability $\text{tdp}_a$ determined analytically as a function of the marked set and password probabilities.

This model enables analytic trade-offs between detection and false-alarm rates by tuning $p$ based on operational constraints. It integrates efficiently into both honeychecker-based and stateless Amnesia-style detection architectures (Wang et al., 2022).

4. Honeyfile Enticement Quantification: Topic–Semantic Matching

While honeyword quantifiers focus on indistinguishability, honeyfile enticement is quantified by the Topic Semantic Matching (TSM) algorithm:

• Topic Model Construction: From a local corpus $L$ (context), train a topic model (e.g., LDA), extracting for each topic $k$ the top-$n$ words to form the set of topic-words $t$.
• Embedding and Similarity: Apply standard NLP preprocessing. Lookup word embeddings for honeyfile $h$ ($h'$) and context topic-words ($t$) and build matrices $H, T$ of unit-normalized embeddings.
• Similarity Matrix: Compute $S_{HT} = S(H^\top T)$, with $S_{ij}$ rescaled cosine similarities.
• Aggregation: Define enticement score as

$$E_\delta = \frac{1}{N_h N_T} \sum_{i,j: S_{ij} \geq \delta} S_{ij}$$

$\delta \approx 0.9$ empirically filters to robust high-similarity matches.

Experimental evidence indicates that TSM (especially with high thresholding) achieves clear separation between honeyfiles matched to their context corpus and those from other domains, outperforming Doc2Vec and common-word count baselines for enticement quantification (Timmer et al., 2022).

5. System Integration and Practical Computability

Practical use of honeytoken quantifiers requires assumptions: full knowledge of $P$ and $Q$ (or robust estimates), independence across accounts, and commensurate context for semantic models. For flatness and success-number, discrete sum algorithms and Monte Carlo approximations permit polytime computation in the size of the password universe and number of samples; the same holds for the TSM algorithm on document sets.

Bernoulli honeywords utilize Bloom filter–based set membership, with pseudorandom subset embedding and honeychecker checks, or stateless re-randomization schemes. These designs permit both efficient per-login operations and remote or distributed detection protocols (Wang et al., 2022).

6. Extensions, Limitations, and Open Questions

Current quantification models presume access to $P, Q$ or strong surrogates; in practice, $P$ must be inferred, introducing estimation error. For flatness, extension to multi-factor/biometric honeytokens, correlated user behavior, or structured document decoys remains an open research avenue. For Bernoulli schemes, tuning $p$ requires operational data and threat modeling, with blocklisting yielding marked improvements.

The general information-theoretic connection (flatness and total variation) frames honeytoken indistinguishability as a classical statistical problem, but practical sample complexity for distribution learning (e.g., for PCFG or Markov password models) is unresolved in existing quantifier literature (Su et al., 2023). In honeyfile enticement, robustness to paraphrasing and embedding drift is empirically strong, but adversarially-resilient enticement quantification remains a developing area.

7. Empirical Results and Comparative Assessment

Empirical evaluations confirm:

• High-quality honeyword distributions (e.g., learned PCFG models) require large training sample sizes ($\gg$1M) to bring total variation—and thus flatness—within secure thresholds ($<0.1$).
• Bernoulli honeyword systems, even with modest $p \approx 0.07$, rapidly detect breaches on realistic datasets with low false-alarm rates, outperforming legacy “list” approaches in detectability and analytic tractability.
• The TSM enticement score (at threshold $\delta=0.9$) cleanly distinguishes honeyfiles by context domain, with control (Lorem Ipsum) files scoring near zero, demonstrating metric validity.

These results establish the honeytoken quantifier algorithm as a central framework for both security and enticement analysis in honeyword and honeyfile systems (Su et al., 2023, Wang et al., 2022, Timmer et al., 2022).