Alata, E., Nicomette, V., Kaaniche, M., Dacier, M., & Herrb, M. (2006). Lessons learned from the deployment of a high-interaction honeypot. Proceedings of the Sixth European Dependable Computing Conference (EDCC’06). doi: 0-7695-2648-9/06
This paper presented an experimental study of a compromised high-interaction honeypot over a six-month period in which close observations of the attackers were logged. Honeypots are systems connected to the network that serve no production purpose, so any connection to them should raise suspicion among security administrators. The two most common forms of honeypots are high-interaction and low-interaction. A high-interaction honeypot is a fully usable system, whereas a low-interaction honeypot exposes only a limited emulation of a system for the attacker to use.
The authors present the lessons learned from developing and deploying a high-interaction honeypot. They decided to install the operating system on VMware rather than on a physical system. They determined that virtual honeypots provided a cost-effective and flexible solution that would be suitable for running experiments and observing various attacks.
The authors confirm that compromised systems are used to carry out planned attacks; that although some sophistication in the attacks is apparent, many of the attackers do not seem to be skilled; and lastly, that the location of the systems plays a major part in the results presented in the experiment. The authors report that in the 131 days the high-interaction honeypot was connected to the Internet, 480 Internet Protocol (IP) addresses tried to connect to the Secure Shell (SSH) port. On the same network, the low-interaction honeypot, which had been connected for the same length of time, received only 298 visits, less than two-thirds of the high-interaction honeypot's total.
The authors surmised that attackers are drawn by knowing in advance how vulnerable a system is, judged by the number of services it is running.
Kuwatly, I., Sraj, M., Masri, Z., & Artail, H. (2004). A dynamic honeypot design for intrusion detection. Proceedings of the IEEE/ACS International Conference on Pervasive Services (ICPS’04). doi: 0-7695-2535-0/04
The authors state that honeypots provide a platform to study the methods and tools used by an attacker. Unlike an intrusion detection system, honeypots provide the attacker with the resources necessary to conduct a successful attack. This paper discusses the design of a dynamic honeypot that is autonomous and capable of adapting to a changing environment. The authors identify the following components of a dynamic honeypot implementation: an active probing tool, a passive fingerprinting tool, a low-interaction honeypot to simulate network traffic, a high-interaction honeypot to receive redirected traffic, a database, a dynamic honeypot engine that interacts with all of the components listed above and, lastly, an interface to configure dynamic honeypot servers in real time.
The authors explain that the security administrator has the option of operating the honeypot in passive or active mode. If passive mode is selected, the security administrator has to verify that the dynamic honeypot can see as many packets as possible when sniffing the network. There are many challenges depending on the equipment used on the network. For example, a hub, where all systems share the same collision domain, would allow packet capture directly, whereas a switched environment would require a network TAP or a port-mirroring (SPAN) configuration.
The authors conclude that they have introduced a new approach to dynamic honeypots and propose its use in real networks of all sizes and usage patterns. They further state that using the collected data to provide suitable, automated countermeasures is a direction for future research.
McGrew, R., & Vaughn, R. (2006). Experience with honeypot systems: development, deployment, and analysis. Proceedings of the 39th Hawaii International Conference on System Sciences. doi: 0-7695-2507-5/06
The authors state that honeypots are systems placed on the network and purposely left insecure to entice attackers. Once an attacker accesses a honeypot, the attacker's techniques, tools and motives can be captured and understood. On production systems, it is difficult to distinguish inappropriate activity from legitimate activity. The authors therefore state that an important property of honeypots is that any traffic to them should be considered suspicious, since they serve no production purpose. The authors also state that honeypots can be deployed in many locations on the network and serve as an early warning system for malicious events.
The research presented in the paper deployed both low-interaction and high-interaction honeypots and analyzed the results from both. The first set of results pertained to the placement of the honeypot. Over a two-week time frame, honeypots were placed inside the firewall and no activity was detected. The authors concluded that the honeypot could serve either as an insider-threat detection tool or as a tool that validates perimeter defense controls. After removing the firewall rules protecting the honeypot, the next test measured how much time would pass until the first unauthorized connection occurred. In the first week, a Solaris system took 2 hours and 40 minutes before a connection to the system ensued. The test was conducted two weeks later using a Windows XP system, and an unauthorized connection took 14 minutes that time. The authors deduced that the time difference might have been due to the IP address being revisited after the initial Solaris connection.
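The "any traffic is suspicious" property and the time-to-first-connection measurement above lend themselves to a small early-warning check. The following is an added example, not code from McGrew and Vaughn's paper; it assumes a hypothetical, constructed honeypot connection-log format and turns each distinct source into an alert while measuring how long after deployment the first unauthorized connection arrived.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical honeypot connection-log format:
# "<ISO timestamp> <src_ip> -> <dst_port>/<proto>", with one deployment marker line.
# The 2h40m gap mirrors the Solaris figure reported in the summary above.
SAMPLE_LOG = """\
2006-03-01T00:00:00 honeypot deployed
2006-03-01T02:40:00 203.0.113.7 -> 22/tcp
2006-03-01T02:41:10 203.0.113.7 -> 22/tcp
2006-03-01T05:12:30 198.51.100.9 -> 22/tcp
2006-03-02T11:00:00 192.0.2.44 -> 445/tcp
2006-03-03T09:30:00 198.51.100.9 -> 80/tcp
"""

def parse_log(text):
    """Return (deploy_time, [(timestamp, src_ip, dst_port)]) from the sample format."""
    deploy_time = None
    events = []
    for line in text.splitlines():
        ts_str, rest = line.split(" ", 1)
        ts = datetime.fromisoformat(ts_str)
        if rest == "honeypot deployed":
            deploy_time = ts
            continue
        src, _, dst = rest.partition(" -> ")
        port = int(dst.split("/")[0])
        events.append((ts, src, port))
    return deploy_time, events

def unique_sources_per_port(events):
    """A honeypot serves no purpose, so every distinct source per port is worth counting."""
    seen = defaultdict(set)
    for _, src, port in events:
        seen[port].add(src)
    return {port: len(ips) for port, ips in seen.items()}

def time_to_first_connection(deploy_time, events):
    """Minutes between deployment and the first unauthorized connection."""
    first = min(ts for ts, _, _ in events)
    return (first - deploy_time).total_seconds() / 60

def alerts(events):
    """One early-warning alert per (source, port) pair, keeping the first sighting only."""
    first_seen = {}
    for ts, src, port in events:
        first_seen.setdefault((src, port), ts)
    return sorted(first_seen.items(), key=lambda kv: kv[1])
```

Repeat connections from the same source to the same port collapse into a single alert, so an analyst sees one line per new visitor rather than one per packet.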
Raynal, F., Berthier, Y., Biondi, P., & Kaminsky, D. (2004). Honeypot forensics, part 1: Analyzing the network. IEEE Computer Society. doi: 1540-7993/04
This article explains that the major goal of honeypot research is to improve knowledge of what the attacker does in two ways, technical and ethnological. From the technical standpoint, the research aims to detect and analyze new rootkits, Trojans and zero-day exploits. On the ethnological side, the researcher wants to better understand the relationships within the black hat world.
The authors feel the ethnological goal can be achieved if honeypot researchers increase the log data and traces they collect, so that every action the attacker conducts can be analyzed for forensic purposes. Traditional computer forensics relies on analysis after a system has been compromised, but in the honeypot world researchers expect honeypots to be compromised, so honeypot forensics focuses on understanding the attacker's techniques and tools both before and after the intrusion.
The authors state that the type and setup of a honeypot and its environment are very important because they affect the analysis. They also state that honeypot technology is still in its early stages and can be easy to fingerprint. If an attacker encounters a honeypot and determines that it is a trap, they will leave the system. A set of guidelines was presented to assist other honeypot researchers when deploying honeypots. These guidelines are: know the honeypot, know the network, know the system and, lastly, know the enemy.
Rowe, N. (2006). Measuring the effectiveness of honeypot counter-counterdeception. Proceedings of the 39th Hawaii International Conference on System Sciences. doi: 0-7695-2507-5/06
This paper discusses metrics for measuring the effectiveness of a honeypot's deception, since many honeypots are just normal computer systems placed on the network. The paper states that honeypots are an important tool for detecting new types of attacks and can also be used offensively to mislead an attacker. The author states that a honeypot is only effective if it can deceive an attacker and, since many attackers do not want their methods known, many abandon systems that look suspicious.
The author identifies three main problems in designing and using honeypots. The first problem pertains to deception: designing a honeypot to look and act like a normal computer is not an easy task. The second dilemma pertains to the counterdeception problem, while the third issue is counter-counterdeception.
The author introduced a tool that creates a fake file system to increase the deception of honeypots. The tool, titled NFDir, depicts a Microsoft MS-DOS directory structure like that provided in the "Command Prompt" on Windows systems. It displays a realistic array of filenames, directories, file sizes and modification dates to the user. The user has the ability to access files and directories up to ten levels deep, offering a sure-fire deception against many common attackers, and even more advanced attackers may be fooled as well.
The author concluded that honeypots are an important tool in computer defense and that deception needs to be the main active component for them to be effective. The author presented many tools to measure and evaluate honeypot deception.