Honey Pot Research And Decision By Hanh Thi Hong Nguyen Venkata Krishna Mahesh Kumar Kondraju Kieran Andrews
• A honeypot is an "open book": unlike an intrusion detection system, it deliberately exposes its resources to intruders and records what they do with them Kuwatly et al. (2004).
• It is a platform set up to detect security violations and to monitor abnormal patterns in the system audit records. The honeypot's audit trail lists anomalous events, typical user behaviours and security incidents, which helps system security officers in their investigations Kuwatly et al. (2004).
Honeypots are built around vulnerabilities, and the level of interaction determines the risk.
• With low-interaction honeypots the risk is limited compared with high-interaction ones, because a low-interaction honeypot does not give the attacker a real environment: no real operating system and no real services to use Spitzner (2004). However, attackers can ignore them and focus only on the real systems, while administrators assume the honeypots are attractive targets that will give warning of an attack. Attackers can hit production servers while deliberately avoiding the honeypots Scottberg et al. (2002).
• With high-interaction honeypots, attackers are given real operating systems and applications to interact with. An attacker can take control of the honeypot and use it to attack production systems Spitzner (2004). If an attacker uses the honeypot to attack an outside system, the honeypot's operator may be held liable for the damage Mokube & Adams (2007).
The main aim of honeypots is to detect intrusions and prompt defensive measures; a further aim is to supply evidence in criminal and civil legal proceedings Krone (2005).
• Two determinants, weight and admissibility, decide whether honeypot data is accepted as evidence for the prosecution Krone (2005).
• The problem courts deal with is the difference between scientific evidence and legal proof Krone (2005).
• For honeypot data to be evaluated successfully as legal proof, a few recommended practices must be followed: preservation of evidence, continuity of evidence and transparency in honeypot forensics Krone (2005).
• Example: the honeypot has been reviewed as a cooperative preventive approach by police from Australia, Canada, the UK and the US. The Australian Institute of Criminology released an issue on International Police Operations Against Online Child Pornography. In this operation the police maintain a 'honey pot' web site that presents itself as offering explicit child pornographic content. As browsers click through screens warning of the explicit nature of the content, they reach a screen announcing that their attempt to obtain online child pornography has been tracked and will be reported to local police Krone (2005).
Advantages:
• Data value: honeypots collect very little data, but what they do collect is normally of high value. They give you the precise information you need in a quick and easy-to-understand format, which makes analysis much easier and reaction time much quicker Spitzner (2002).
• Resources: honeypots avoid resource exhaustion. They only capture activity directed at them, so the system is not overwhelmed by traffic Spitzner (2002).
• Simplicity: simplicity is the single biggest advantage of honeypots. There are no fancy algorithms to develop and no signature databases to maintain; the simpler the concept, the more reliable it is Spitzner (2002).
Disadvantages:
• Narrow field of view: a honeypot sees only the activity directed at it and is unaware of activity directed at other systems on the same network Spitzner (2002).
• Fingerprinting: fingerprinting is when an attacker can identify the true identity of a honeypot. A honeypot emulating a service typically responds to mistyped commands differently from the real service, and that deviation becomes the honeypot's fingerprint Spitzner (2002).
The software we recommend is honeyd, an open-source honeypot. It is a low-interaction production honeypot.
• It has less functionality than high-interaction and research honeypots, but it is easy to deploy and maintain Mokube & Adams (2007).
• Low-interaction is less risky than high-interaction Mokube & Adams (2007).
• Honeyd has more features and is more flexible than other honeypots Grimes (2005). It lets us choose the level of interaction and, at the same time, modify its emulated services accordingly Spitzner (2002).
• An interesting ability of honeyd is that it can monitor a large number of IP addresses at the same time. The addresses it monitors are unused ones, so any traffic reaching them is suspect by definition Spitzner (2002).
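The audit-trail idea from the Kuwatly et al. bullets and honeyd's monitoring of unused addresses come together in the honeypot's log. The following is an added example written for this page, not code from honeyd or from the authors: it parses constructed honeyd-style packet log lines, groups connection attempts by source address and flags sources that touch many distinct ports on the decoy addresses. The log line layout (timestamp, protocol, S/E/- start, end or stateless marker, source and destination endpoints, optional byte counts and OS fingerprint) is assumed from honeyd's packet log format; the sample lines, addresses and the `min_ports` threshold are constructed for the example.

```python
"""Summarise honeyd-style packet logs into an audit trail of anomalous events.

Added example, not code from the original page or from honeyd itself.
Assumed log layout, one line per connection start (S), end (E) or
stateless packet (-):

    <timestamp> <proto>(<num>) <S|E|-> <src-ip> <src-port> <dst-ip> <dst-port>[: <sent> <recv>] [<os-fingerprint>]

All sample lines below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample log: one source probing six ports on a decoy address
# (a scanner), one source opening and closing a single web session,
# and one stateless UDP probe.
SAMPLE_LOG = """\
2009-03-21-10:15:01.1000 tcp(6) S 192.0.2.10 40001 198.51.100.5 21 [Linux 2.4.x]
2009-03-21-10:15:01.1200 tcp(6) S 192.0.2.10 40002 198.51.100.5 22 [Linux 2.4.x]
2009-03-21-10:15:01.1400 tcp(6) S 192.0.2.10 40003 198.51.100.5 23 [Linux 2.4.x]
2009-03-21-10:15:01.1600 tcp(6) S 192.0.2.10 40004 198.51.100.5 80 [Linux 2.4.x]
2009-03-21-10:15:01.1800 tcp(6) S 192.0.2.10 40005 198.51.100.5 443 [Linux 2.4.x]
2009-03-21-10:15:01.2000 tcp(6) S 192.0.2.10 40006 198.51.100.5 3389 [Linux 2.4.x]
2009-03-21-10:17:45.0000 tcp(6) S 203.0.113.7 51000 198.51.100.6 80 [Windows XP SP1]
2009-03-21-10:17:46.0000 tcp(6) E 203.0.113.7 51000 198.51.100.6 80: 312 1480
2009-03-21-10:20:00.0000 udp(17) - 203.0.113.9 5353 198.51.100.7 53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\(\d+\)\s+(?P<flag>[SE-])\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)"
    r"(?::\s+(?P<sent>\d+)\s+(?P<recv>\d+))?"      # byte counts on E lines
    r"(?:\s+\[(?P<os>[^\]]*)\])?\s*$"               # passive OS fingerprint
)


def parse_log(text):
    """Parse honeyd-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def summarise(events):
    """Per-source view. A honeypot only sees traffic aimed at it, so every
    contact with a decoy address is already worth recording; group by source."""
    by_src = defaultdict(lambda: {"starts": 0, "ports": set(), "targets": set(), "os": None})
    for e in events:
        s = by_src[e["src"]]
        if e["flag"] == "S":
            s["starts"] += 1
        s["ports"].add((e["proto"], e["dport"]))
        s["targets"].add(e["dst"])
        if e["os"]:
            s["os"] = e["os"]
    return by_src


def flag_scanners(summary, min_ports=5):
    """One source touching many distinct ports on unused addresses is the
    classic honeypot signal: nobody has a legitimate reason to be there."""
    return sorted(src for src, s in summary.items() if len(s["ports"]) >= min_ports)


def audit_trail(text, min_ports=5):
    """Return one audit line per source, scanners tagged first by their label."""
    events = parse_log(text)
    summary = summarise(events)
    scanners = flag_scanners(summary, min_ports)
    lines = []
    for src in sorted(summary):
        s = summary[src]
        tag = "PORT-SCAN" if src in scanners else "CONTACT"
        ports = ",".join(f"{p}/{n}" for p, n in sorted(s["ports"]))
        lines.append(f"{tag} {src} os={s['os'] or '?'} targets={len(s['targets'])} ports={ports}")
    return lines


if __name__ == "__main__":
    for line in audit_trail(SAMPLE_LOG):
        print(line)
```

Because the decoy addresses carry no production traffic, the summary needs no baseline of "normal" behaviour: the threshold in `flag_scanners` only separates a broad probe from a single contact, and even the single CONTACT lines are events an administrator would want to review.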
References:
1) Spitzner, L 2004, 'Problems and Challenges with Honeypots', SecurityFocus, viewed 21 March 2009, <http://www.securityfocus.com/infocus/1757>
2) Scottberg, B, Yurcik, W & Doss, D 2002, 'Internet Honeypots: Protection or Entrapment', International Symposium on Technology and Society, pp. 387-391, <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1013842>
3) Mokube, I & Adams, M 2007, 'Honeypots: Concepts, Approaches, and Challenges', ACM Southeast Regional Conference, pp. 321-326, <http://portal.acm.org/citation.cfm?id=1233399>
4) Grimes, RA 2005, Honeypots for Windows, Springer Science & Business Media, Berkeley, CA, <http://newcatalogue.library.unisa.edu.au/vufind/Record/1058298>
5) Spitzner, L 2002, Honeypots: Tracking Hackers, Addison Wesley.
6) Kuwatly, I, Sraj, M, Al Masri, Z & Artail, H 2004, 'A Dynamic Honeypot Design for Intrusion Detection', International Conference on Pervasive Services, pp. 95-104.
7) Krone, T 2005, 'International Police Operations Against Online Child Pornography', Trends and Issues in Crime and Criminal Justice, Australian Institute of Criminology, viewed 23 March 2009, <http://www.ecpat.se/upl/files/279.pdf>