Intrusion research frequently collects data on the attack techniques currently in use and their potential symptoms: deploying honeypots, logging events from existing devices, employing a red team for a sample attack campaign, or simulating system activity. However, such observational studies do not clearly discern the cause-and-effect relationships between the design of the environment and the data recorded. Neglecting these relationships increases the chance of drawing biased conclusions from unconsidered factors, such as spurious correlations between features and errors in measurement or classification. In this paper, we present the theory and empirical data on methods that aim to discover such causal relationships efficiently. Our adaptive design (AD) is inspired by the clinical-trial community: it is a variant of a randomized controlled trial (RCT) that measures how a particular "treatment" affects a population. To contrast our method with observational studies and RCTs, we run the first controlled and adaptive honeypot deployment study, identifying the causal relationship between an SSH vulnerability and the rate of server exploitation. We demonstrate that our AD method decreases the total time needed to run the deployment by at least 33%, while still confidently stating the impact of our change in the environment. Compared to an analogous honeypot study with a control group, our AD requests 17% fewer honeypots while collecting 19% more attack recordings.
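The following simulation, added here and not taken from the paper, illustrates the fixed-versus-adaptive contrast above on constructed data: honeypots are randomized into a treatment arm (the vulnerable SSH configuration) and a control arm, each honeypot is exploited with an assumed, hidden probability, and the adaptive variant deploys in batches and stops as soon as the posterior probability that the treatment raises the exploitation rate is decisive. The Bayesian early-stopping rule, the batch sizes and the exploitation probabilities are assumptions for the demonstration, not the authors' AD procedure or their measured figures.

```python
import random
from dataclasses import dataclass


@dataclass
class Arm:
    """One randomized deployment group of honeypots (treatment or control)."""
    name: str
    true_rate: float  # constructed ground-truth exploitation probability, unknown to the analyst
    exploited: int = 0
    deployed: int = 0

    def deploy(self, n, rng):
        """Deploy n honeypots; each ends up exploited with probability true_rate."""
        self.exploited += sum(rng.random() < self.true_rate for _ in range(n))
        self.deployed += n


def prob_treatment_higher(treat, control, rng, draws=4000):
    """Posterior P(rate_treat > rate_control) under Beta(1,1) priors, by Monte Carlo."""
    wins = 0
    for _ in range(draws):
        a = rng.betavariate(1 + treat.exploited, 1 + treat.deployed - treat.exploited)
        b = rng.betavariate(1 + control.exploited, 1 + control.deployed - control.exploited)
        wins += a > b
    return wins / draws


def fixed_rct(p_treat, p_control, per_arm, seed=1):
    """Classic RCT: commit to per_arm honeypots in each arm, then analyse once."""
    rng = random.Random(seed)
    t, c = Arm("vulnerable-ssh", p_treat), Arm("control", p_control)
    t.deploy(per_arm, rng)
    c.deploy(per_arm, rng)
    return t.deployed + c.deployed, prob_treatment_higher(t, c, rng)


def adaptive_design(p_treat, p_control, batch, max_per_arm, threshold=0.99, seed=1):
    """Adaptive variant: deploy in batches and stop early once the posterior is decisive."""
    rng = random.Random(seed)
    t, c = Arm("vulnerable-ssh", p_treat), Arm("control", p_control)
    p = 0.5
    while t.deployed < max_per_arm:
        t.deploy(batch, rng)
        c.deploy(batch, rng)
        p = prob_treatment_higher(t, c, rng)
        if p >= threshold or p <= 1 - threshold:  # confident in either direction
            break
    return t.deployed + c.deployed, p
```

Both functions return the number of honeypots consumed and the posterior confidence, so the saving of the adaptive design shows up directly as fewer honeypots for the same (or higher) confidence.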