Simon Mavsar (2009) Research honeypot - a prototype. EngD thesis.
Abstract
A honeypot is a trap set to detect attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network but which is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource that would be of value to attackers. The goal of the research work was to evaluate and summarize various concepts of honeypot solutions as one of the network security techniques available today. Additionally, a custom-made high-interaction honeypot solution was developed in the context of this work, which was later used to produce some of the research results presented at the end. High-interaction research honeypots are by definition run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and to learn how to better protect against those threats. This information is then used to protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations. In the first part of the paper I have prepared a theoretical overview of the basic concepts of the most widely used internet protocols, different ways to break and harden network security, and a detailed presentation of honeypot concepts. As the practical part of the research work I have developed my own version of a high-interaction honeypot solution, called simx, which was used for an actual experiment on an isolated subnet of an academic network. Because a honeypot is a trap set to detect unauthorized activity, a very practical problem surfaced: how to lure such activity onto our honeynet.
In order to overcome the described limitation I have decided to prepare a web page designed to generate organic, non-automated traffic, which may produce a higher volume of the desired activity. In order to present the added value of honeypot deployment I have decided to extend the practical part of this research work with results produced by standard intrusion detection (IDS) tools on two additional control nodes set up in Ljubljana and Krško. This approach made an effective comparison (standard intrusion detection tools vs. honeypot solutions) possible through detailed analysis of the captured material on all three control nodes. The results of the research work are presented in the second, practical part of this paper.
Keywords: honeypot, honeynet, intrusion detection system, network security, intrusion detection, fire