Abstract: Honeypots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Using honeypots provides a cost-effective solution to increase the security posture of an organization. Even though it is not a panacea for security breaches, it is useful as a tool for network forensics and intrusion detection. Nowadays, they are also being extensively used by the research community to study issues in network security, such as Internet worms, spam control, DoS attacks, etc. In this paper, we survey the types of honeypot technologies and their deployments as an effective educational tool to study issues in network security. In addition to a survey of honeypot classifications, we present a primary tool for each type.

Introduction

Honeypots have been used for some time in computing systems for intrusion detection and for tracking attackers. A honeypot is a deception trap, designed to attract an attacker into attempting to compromise the information systems in an organization. A honeypot can serve as an early-warning and advanced security surveillance tool, minimizing the risks from attacks on IT systems and networks. Honeypots can also analyze the ways in which attackers try to compromise an information system, providing valuable insight into potential system loopholes.

Honeypot definition: A honeypot is a security resource whose value lies in being probed, attacked, or compromised [1]; a closely monitored computing resource that we want to be probed, attacked, or compromised [2].

This means that the expectations and goals of a honeypot are to have the system probed, attacked, and potentially exploited. It does not matter what the resource is (a router, scripts running emulated services, a jail, or an actual production system). The resource's value lies in its being attacked. If the system is never probed or attacked, then it has little or no value. This is the exact opposite of most production systems, which you do not want to be probed or attacked.

controlling what traffic can flow where. They are used as an access control device. Firewalls are most commonly deployed around an organization's perimeter to block unauthorized activity. Network Intrusion Detection Systems are designed to detect attacks by monitoring either system or network activity. They are used to identify unauthorized activity.

A honeypot can be of any computer resource type, such as a firewall, a web server, or even an entire site. It runs no real production services, so any contact with it is considered potentially malicious: traffic sent to or from a honeypot is considered either an attack or a result of the honeypot being compromised.

Notable features of honeypots include: they collect small volumes of higher-value traffic, are capable of observing previously unknown attacks, detect and capture all attackers' activities including encrypted traffic and commands, and require minimal resources.

Honeypot Technologies

1) Types by level of interaction:
   a. Low-Interaction Honeypots (Specter)
   b. High-Interaction Honeypots (Symantec Decoy Server)

2) Types by their intended use:
   a. Production honeypots (Honeynets)
   b. Research honeypots (Leurre.com)

3) Types by attack role:
   a. Server-side honeypots (Honeyd)
   b. Client-side honeypots (HoneyMonkey)
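The property stated above, that a honeypot runs no production service so any contact with it is an event worth reporting, is what makes even the simplest listener useful as a detector. The following is an added example written for this page, not code from the paper or from any of the tools it names: a minimal low-interaction TCP listener in Python that presents a constructed SSH-style banner, records whatever the peer sends, and turns every connection into an alert record. The banner string, the alert fields and the loopback self-test are assumptions for illustration.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: the decoy pretends to be an SSH service so that automated
# probes send their client identification string, which is then recorded.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
MAX_CAPTURE = 4096  # bytes of peer input kept per connection


def make_alert(peer, data, local_port):
    """Build the alert record for one connection.

    Because the listener serves nothing legitimate, there is no benign traffic
    to filter out: every connection is reported, and the only classification
    needed is whether the peer sent anything after connecting.
    """
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(data),
        "preview": data[:64].decode("ascii", "replace"),
        "classification": "probe" if data else "connect-only",
    }


def accept_one(listener, read_timeout=3.0):
    """Accept a single connection, send the banner, capture input, return the alert."""
    conn, peer = listener.accept()
    chunks, total = [], 0
    with conn:
        conn.settimeout(read_timeout)
        conn.sendall(FAKE_BANNER)
        try:
            while total < MAX_CAPTURE:
                chunk = conn.recv(MAX_CAPTURE - total)
                if not chunk:  # peer closed its sending side
                    break
                chunks.append(chunk)
                total += len(chunk)
        except socket.timeout:
            pass  # a silent peer is still worth an alert
    return make_alert(peer, b"".join(chunks), listener.getsockname()[1])


def run_local_exchange(payload):
    """Self-test helper: start the listener on a loopback port, act as the
    probing client from this same process, and return the alert it produced."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5.0)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(alert=accept_one(listener)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5.0) as client:
        client.recv(len(FAKE_BANNER))  # read the banner as a real scanner would
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # tell the listener we are done sending
    worker.join(10.0)
    listener.close()
    return result["alert"]


if __name__ == "__main__":
    # Constructed probe resembling a scanner's SSH identification string.
    print(json.dumps(run_local_exchange(b"SSH-2.0-scanner\r\n"), indent=2))
```

In a real deployment the listener would bind on an unused address or port, write each alert to the SIEM, and never be reachable from legitimate clients; the value of the record is that it needs no signature, only the fact that somebody talked to a host that nobody should be talking to.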
In another method, each server is paired with a honeypot, and suspicious traffic destined for the server is directed to the honeypot. For instance, traffic to TCP port 80 can be directed to the web server's IP address as normal, while all other traffic to the web server is directed towards the honeypot. To camouflage the honeypot, a certain amount of data, such as the website contents of a web server, may need to be replicated on the honeypot. There are several ways to set up a server honeypot. It can be set in front of a firewall, in the DMZ, or behind a firewall. It is best to deploy the honeypot closer to the server, as it is more tempting for the attacker. Another way to deploy a honeypot would be to place it in between servers, but this method is not very effective: it would mostly prove useful only against sweep scans.

This deployment is easier to deploy and maintain. Furthermore, the emulated services reduce the risk by containing the attacker's activity. The attacker will never have access to an operating system to do further damage. However, only limited information is logged. It is also easier for an attacker to detect a low-interaction honeypot in this particular architecture. No matter how good the emulation is, a skilled attacker can eventually detect its presence. Another disadvantage is that it will not allow the researcher to capture any additional data associated with the attack other than the initial probe. The honeypots are deployed in the same logical subnet to distract an attacker from the real targets. They are used as bait to bind attack attempts for as long as possible and protect the production environment in the meantime. The primary interest here is to protect the real systems. The purpose of running a honeypot in the intranet is to detect internal attackers. It is also possible to detect a misconfigured firewall using an internal honeypot. In addition, implementing a web honeypot is a great way to detect worms or Trojans.

Virtual Honeypot Deployment

Virtual honeypots simulate virtual computer systems at the network level [15]. The simulated computer systems appear to run on unallocated network addresses. To deceive network fingerprinting tools, these honeypots simulate the networking stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems. These honeypots help in many areas of system security, e.g. detecting and disabling worms, distracting adversaries, or preventing the spread of spam email.

Honeyd is an example of a virtual honeypot framework.
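As an added illustration of the virtual honeypot model described above (written for this page, not taken from the paper or from the Honeyd project's own distribution), the following is a small Honeyd configuration that defines two templates with different operating-system personalities, opens a few emulated ports on each, and binds them to otherwise unallocated addresses in a monitored subnet. The addresses, the chosen personality names and the emulation script path are assumptions for illustration; a personality name must match an entry in the fingerprint file Honeyd is configured with, and the script must exist on the host.

```text
# Added example: minimal Honeyd configuration (not from the paper or the project).
# Addresses and the script path are constructed for illustration.

# Catch-all template: anything not explicitly opened on a virtual host is dropped.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A virtual host whose network stack answers fingerprinting tools like a Windows box.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
# Emulated web service handled by a script (path assumed).
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open

# A second virtual host that fingerprints as Linux.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 22 open

# Bind the templates to addresses nobody legitimately uses in the monitored subnet.
bind 192.168.1.201 windows
bind 192.168.1.202 linux
```

Because the bound addresses belong to no real system, every connection Honeyd logs for them is by definition a probe; the personality setting is what makes the decoys survive the OS-fingerprinting step of a scan instead of standing out as empty addresses.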
Deployment of a Client Honeypot [16]

Client honeypots focus on malicious web servers, which they interact with by driving a web browser on the honeypot system. Honeyclient detects successful attacks by monitoring changes to a list of files, directories and system configuration after the Honeyclient has interacted with a server. Honeyclients such as HoneyMonkey also detect intrusions by monitoring changes to a list of executable files and registry entries, but HoneyMonkey goes a step further by adding monitoring of child processes to its repertoire to detect client-side attacks. The UW client honeypot uses event triggers of file system activity, process creation, registry activity and browser crashes to identify client-side attacks. All these client honeypots can be classified as high-interaction client honeypots because they make use of a real browser within a real operating system environment and monitor the state of the entire system.
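The detection principle shared by the client honeypots above is a state comparison: snapshot the system, drive the browser to a server, snapshot again, and treat any unexpected change as evidence of a successful attack. The following is an added example written for this page, not Honeyclient's or HoneyMonkey's code: a Python sketch of that file-system half of the check, with a constructed stand-in for the browser visit that drops a file, edits a configuration file and deletes a document inside a throwaway directory. The directory layout, file names and the simulated side effects are assumptions for illustration; a real deployment would snapshot the whole guest (and, as the text notes, registry entries and child processes) and restore a clean image after each visit.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Classify each path as added, deleted or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def is_compromised(report):
    """The honeyclient verdict: any state change after a visit counts as a successful attack,
    because the honeypot itself never writes to the monitored locations."""
    return any(report[k] for k in ("added", "deleted", "modified"))


def simulated_visit(root):
    """Stand-in for driving a real browser to a malicious server.
    The side effects are constructed for the demo, not a real exploit."""
    root = Path(root)
    (root / "temp").mkdir(exist_ok=True)
    (root / "temp" / "dropper.exe").write_bytes(b"MZ" + b"\x00" * 16)   # new executable
    (root / "config.ini").write_text("[startup]\nrun=temp/dropper.exe\n")  # persistence edit
    (root / "docs" / "readme.txt").unlink()                                # deleted document


def demo():
    """Build a throwaway 'system', snapshot it, visit, snapshot again, return the diff."""
    root = Path(tempfile.mkdtemp(prefix="honeyclient-"))
    try:
        (root / "docs").mkdir()
        (root / "docs" / "readme.txt").write_text("baseline\n")
        (root / "config.ini").write_text("[startup]\n")
        before = snapshot_tree(root)
        simulated_visit(root)
        after = snapshot_tree(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)  # discard the dirtied image, as a real honeyclient would


if __name__ == "__main__":
    report = demo()
    print(report)
    print("compromised" if is_compromised(report) else "clean")
```

Hashing rather than comparing timestamps is deliberate: a drive-by that rewrites a file and restores its modification time would slip past an mtime check but not a content digest. The same diff function works unchanged on a snapshot of registry values or of running process names, which is how the HoneyMonkey-style extensions described above fit into the same loop.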
References

[1] Lance Spitzner, Honeypots: Tracking Hackers. Addison-Wesley, September 13, 2002.

[2] N. Provos, "A virtual honeypot framework," in SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2004.

[3] Mark Schloesser (Giraffe Honeynet Project), "Low Interaction Server Honeypot Evolution," FIRST Technical Colloquium, Kuala Lumpur, December 2, 2009.

[4] SPECTER: a smart honeypot-based intrusion detection system. http://www.specter.com/default50.htm

[5] J. Briffaut, J.-F. Lalande, C. Toinard, "Security and Results of a Large-Scale High-Interaction Honeypot," Journal of Computers, vol. 4, no. 5, May 2009.

[6] Symantec Releases Decoy-Based Intrusion Detection System. http://www.symantec.com/press/2003/n030623b.html

[7] Nor Badrul Anuar, Omar Zakaria, and Chong Wei Yao (University of Malaya, Kuala Lumpur, MY), "Honeypot through Web (Honeyd@WEB): The Emerging of Security Application Integration," Issues in Informing Science and Information Technology, vol. 3, 2006.

[8] P. Akritidis, W. Y. Chin, E. P. Markatos, E. Kotsovinos, S. Ioannidis, K. G. Anagnostakis, "HoneyLab: Large-scale Honeypot Deployment and Resource Sharing."

[9] Honeynet Project, "Know Your Enemy: Honeynets. What a honeynet is, its value, overview of how it works, and risk/issues involved." http://www.honeynet.org, 31 May 2006.

[10] Developments of the Honeyd Virtual Honeypot. http://www.honeyd.org/

[11] Christian Seifert, Ian Welch, Peter Komisarczuk, "HoneyC - The Low-Interaction Client Honeypot," {cseifert, ian.welch, peter.komisarczuk}@mcs.vuw.ac.nz, August 2006.

[12] Strider HoneyMonkey Exploit Detection. http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/

[13] Douglas B. Moran, "Effective Deployment of Honeypots Against Internal and External Threats."

[14] Hanli Ren (Member of UNB Honeynet Project, Faculty of Computer Science, University of New Brunswick, Fredericton, Canada), "Honeypot Deployment."

[15] Niels Provos, Thorsten Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, first edition. Addison-Wesley Professional, 2007.

[16] Yaser Alosefer, Omer Rana (School of Computer Science & Informatics, Cardiff University, UK), "Honeyware: a web-based low interaction client honeypot."