
 Analysis of the Data-Collection Capabilities of a Large-Scale, Distributed Honeypot System

Executive Summary

A honeypot is a heavily instrumented machine or service, real or emulated, that is deployed in the hope that an attacker will attempt to break into it, actually break into it, or perform other illicit or unauthorized actions. Honeypots can be used to distract attackers from real targets within the network, and to detect ongoing attacks and collect data for research into attacker tools, methods, and motivations. For the latter use, honeypots have several advantages. First, since honeypots have no production use, most activity directed at honeypots represents genuine attacks, leading to few, if any, false positives. In addition, honeypots can capture all activity directed at them, allowing the detection of previously unknown attacks. Finally, honeypots can capture more attack data than most other intrusion-detection solutions, including (for some kinds of honeypots) shell commands, installed attack software, and even attacker-to-attacker interaction through chat servers or other communication mechanisms. Extending the honeypot concept, a honeynet is an entire network of honeypots, rather than just a single honeypot.

A Distributed Honeypot System (DHS) can be defined as a collection of honeynets or honeypots that are distributed throughout the Internet or other large network and that send their data to a central analysis point. Such a system can play a critical intelligence-gathering role for network defenders: it observes a broader range of attack activity than a single honeypot, and if the honeypots are deployed at different types of organizations, it observes attack activity from many different types of attackers. Because all sensors report to one place, the same source can be recognized when it appears at several sites, which a single honeypot can never do. The DHS could therefore provide reliable detection of Internet-wide (or network-wide) attack campaigns, early warning of new attacker tools, methodologies and techniques across a wide range of attacker types, and extensive attack data that can be analyzed as a first step toward developing preventive and defensive measures.

In this project, we will analyze the usefulness of a DHS as a large-scale intelligence-gathering tool. Specifically, we will deploy and operate a DHS involving multiple types of honeypots at multiple types of organizations, collect attack data from these deployed honeypots, and systematically analyze that data to determine the breadth and depth of attack activity directed against the DHS. This analysis will include a consideration of the type of attack activity and apparent skill and purpose of the attackers, for the overall DHS and as a function of honeypot and organization type. The analysis will serve two purposes. First, it will provide an indication of how much data a DHS can expect to capture, and thus how useful a DHS can be as an intelligence-gathering tool. Second, the methodology and software tools that we develop will allow the study to be reproduced rapidly for different mixes of organizations. For example, although we will focus exclusively on honeypots deployed within the unclassified networks of commercial companies, universities, and other “public” organizations, a military organization could repeat the study for their classified networks. In short, this study, building on previous analyses of the activity directed against individual honeypots or honeynets, is a critical first step toward determining whether honeypots can play a larger role in intelligence-gathering and subsequent prevention efforts.
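The two preceding paragraphs describe the DHS architecture (many sensors feeding one central analysis point) and the intended analysis (breadth and depth of activity broken down by honeypot type and organization type, plus the apparent skill and purpose of the attackers). The following is an added illustration of what that central analysis step looks like in code; it is not software from the ISTS project. The record format (newline-delimited JSON with ts, sensor, org_type, honeypot_type, src and action fields), the sensor names, the sample feed and the action-to-stage ordering are all assumptions made for the example.

```python
"""Toy central-analysis point for a distributed honeypot system (DHS).

Added illustration, not ISTS project code. The record layout, field names,
sensor names and stage ordering below are assumptions for the example.
"""
import json
from collections import defaultdict

# Constructed sample feed: three sensors at two organization types. The
# non-JSON line stands in for a corrupt record that a real collector will
# eventually receive and must tolerate without dropping the whole batch.
SAMPLE_FEED = """\
{"ts": "2004-03-01T02:11:09Z", "sensor": "univ-a", "org_type": "university", "honeypot_type": "high-interaction", "src": "198.51.100.7", "action": "ssh_login_attempt"}
{"ts": "2004-03-01T02:11:41Z", "sensor": "univ-a", "org_type": "university", "honeypot_type": "high-interaction", "src": "198.51.100.7", "action": "shell_command"}
{"ts": "2004-03-01T02:12:03Z", "sensor": "univ-a", "org_type": "university", "honeypot_type": "high-interaction", "src": "198.51.100.7", "action": "tool_download"}
{"ts": "2004-03-01T03:40:12Z", "sensor": "corp-b", "org_type": "commercial", "honeypot_type": "low-interaction", "src": "198.51.100.7", "action": "ssh_login_attempt"}
{"ts": "2004-03-01T03:41:55Z", "sensor": "corp-b", "org_type": "commercial", "honeypot_type": "low-interaction", "src": "203.0.113.21", "action": "http_probe"}
{"ts": "2004-03-01T04:02:30Z", "sensor": "corp-c", "org_type": "commercial", "honeypot_type": "low-interaction", "src": "203.0.113.21", "action": "http_probe"}
this line is not json and must be tolerated
{"ts": "2004-03-01T04:05:00Z", "sensor": "corp-c", "org_type": "commercial", "honeypot_type": "low-interaction", "src": "192.0.2.99", "action": "smtp_relay_probe"}
"""

REQUIRED = ("ts", "sensor", "org_type", "honeypot_type", "src", "action")

# Assumed ordering of how far an attacker got; higher means deeper interaction.
STAGES = {
    "http_probe": 1,
    "smtp_relay_probe": 1,
    "ssh_login_attempt": 2,
    "shell_command": 3,
    "tool_download": 4,
}


def parse_feed(text):
    """Parse NDJSON records, skipping malformed or incomplete ones."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt record from a sensor: drop it, keep the rest
        if isinstance(rec, dict) and all(k in rec for k in REQUIRED):
            events.append(rec)
    return events


def summarize(events):
    """Breadth and depth per (honeypot_type, org_type) cell, plus the
    sources seen by more than one sensor (only visible at a central point)."""
    cells = defaultdict(lambda: {"events": 0, "sources": set(), "actions": set()})
    sensors_by_src = defaultdict(set)
    for e in events:
        cell = cells[(e["honeypot_type"], e["org_type"])]
        cell["events"] += 1
        cell["sources"].add(e["src"])
        cell["actions"].add(e["action"])
        sensors_by_src[e["src"]].add(e["sensor"])
    cross_site = {src: sorted(s) for src, s in sensors_by_src.items() if len(s) > 1}
    return {
        "cells": {
            k: {"events": v["events"], "sources": len(v["sources"]), "actions": sorted(v["actions"])}
            for k, v in cells.items()
        },
        "cross_site": cross_site,
    }


def deepest_action(events):
    """Per source, the deepest stage reached anywhere in the DHS: a crude
    proxy for attacker skill and purpose (probe only vs. tool installed)."""
    deepest = {}
    for e in events:
        stage = STAGES.get(e["action"], 0)  # unknown actions rank lowest
        cur = deepest.get(e["src"])
        if cur is None or stage > cur[0]:
            deepest[e["src"]] = (stage, e["action"])
    return deepest


if __name__ == "__main__":
    evs = parse_feed(SAMPLE_FEED)
    print(json.dumps({str(k): v for k, v in summarize(evs)["cells"].items()}, indent=2))
    print("seen at multiple sensors:", summarize(evs)["cross_site"])
    print("deepest stage per source:", deepest_action(evs))
```

On the constructed feed, 198.51.100.7 shows up at both a university high-interaction host (where it gets a shell and pulls a tool) and a commercial low-interaction host; that cross-site view is the product of a DHS that no single honeypot could have produced. The cell table is the "as a function of honeypot and organization type" breakdown the paragraph calls for, and the stage proxy is one simple way to rank apparent skill, to be refined against real captures.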

Principal Investigators:

Irv Thomae

George Bakos

© 2004, ISTS. All rights reserved.