23-07-2012, 01:26 PM
Honeypots: Concepts, Approaches, and Challenges
Honeypots.pdf (Size: 194.33 KB / Downloads: 29)
ABSTRACT
Information security is a growing concern today for organizations
and individuals alike. This has led to growing interest in more
aggressive forms of defense to supplement the existing methods.
One of these methods involves the use of honeypots. A honeypot
is a security resource whose value lies in being probed, attacked
or compromised. In this paper we present an overview of
honeypots and provide a starting point for persons who are
interested in this technology. We examine different kinds of
honeypots, honeypot concepts, and approaches to their
implementation.
Introduction
In this day and age, information security is an ever-increasing
concern. The traditional approach to security has been largely
defensive so far, but interest is increasingly being paid to more
aggressive forms of defense. One of these forms is decoy-based
intrusion protection [6] through the use of honeypots and/or
honeynets.
A honeypot is hard to define because it is a new and changing
technology that can be involved in different aspects of security,
such as prevention, detection, and information gathering. It is
unusual in that it is a general technology rather than a solution:
it does not solve a specific security problem. Instead, a honeypot is
a highly flexible tool with applications in areas such as network
forensics and intrusion detection. For the purpose of this paper,
we will use the following definition: a honeypot is a security
resource whose value lies in being probed, attacked, or
compromised [17].
Related Work
Research in this area has resulted in a number of papers
discussing specific topics concerning honeypots and how
honeypots can be created and deployed.
Several papers have explored the use of honeynets as an
educational tool for IT students and academic institutions [8],
[10]. This research indicates that honeynets can be an effective
tool in security education. A significant amount of work is
available that details the benefits of honeypots [12], [6]. Other
papers go into some detail about the strategic considerations
involved when using honeypots [12]. There are also papers that
describe specific applications of honeypots as building blocks for
a system such as a honeycomb, which is used to create intrusion
detection signatures [11].
A large amount of helpful information exists on the Honeynet
Project at [1]. This website documents lessons learned about
security threats through the use of honeypots.
Existing work looks at specific areas concerning honeypots; however,
it is difficult to find a single source that provides an overall
picture of honeypots, including their benefits, the concepts behind
them, the approach to using them, and the challenges involved in
implementing them.
Types of Honeypots
Honeypots can be classified based on their purpose (production,
research, and honeytokens) and level of interaction (low, medium,
and high). We include honeytokens as another type, because they
do not belong to either of the categories mentioned above. We
examine each type in more detail below.
Purpose of Honeypots
Research Honeypot
A research honeypot is designed to gather information about the
blackhat community and does not add any direct value to an
organization [10]. Research honeypots are used to gather intelligence
on the general threats organizations may face, allowing them to
protect themselves better against those threats. Their primary
function is to study how attackers progress and establish their
lines of attack; this helps in understanding their motives, behavior
and organization. Research honeypots are complex to both deploy and
maintain, capture extensive amounts of data, and can be very
time-intensive.
A research honeypot contributes very little to the direct security
of an organization, although the lessons learned from one can be
applied to improve attack prevention, detection, or response. They
are typically used by organizations such as universities,
governments, the military or large corporations interested in
threat research.
Honeypot Concepts and Approaches to their Implementation
We now take a look at the main concepts of honeypots and a few
different ways in which they can be implemented.
Honeypots are digital network bait and use deception to attract
intruders [12], thereby distracting them from real production
systems. A honeypot with several layers can slow down an attack,
increasing the chance that the attack is detected and that the
intrusion is countered before it succeeds [2]. Intrusion detection
and logging applications can be deployed within the honeypot to
listen for and log unauthorized activity. Since no interaction with a
honeypot is authorized, every connection it receives is unauthorized
by definition: there is no need to filter the information it collects
for suspicious traffic, which keeps false positives low. This
information can then be used to learn how intruders operate and to
devise suitable countermeasures. In summary, the main concept of a
honeypot is to learn from the intruder's actions [12].
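The following is an added example, not code from the paper or from the Honeynet Project, of the concept just described: a minimal low-interaction TCP honeypot that accepts every connection, presents a decoy banner, records whatever the client sends, and emits one alert per connection without any filtering, because nothing legitimate should ever talk to it. The port number, the banner string and the sample probe records are assumptions constructed for the illustration; `simulate_probe` drives the same handler over an in-process socket pair so the behaviour can be checked offline.

```python
"""Minimal low-interaction TCP honeypot (illustration only, not the paper's code)."""
import json
import socket
import threading
import time
from collections import Counter

HONEYPOT_PORT = 2222                      # assumption: an otherwise unused port
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # constructed decoy banner, not a real service


def make_event(peer, dst_port, data, ts=None):
    """Turn one connection into an alert record.

    A honeypot has no legitimate users, so nothing is filtered out:
    every connection becomes a high-severity event.
    """
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": dst_port,
        "bytes": len(data),
        "excerpt": data[:64].decode("latin-1"),  # first bytes the client sent
        "severity": "high",
    }


def handle_client(conn, peer, dst_port, sink):
    """Serve one client: send the decoy banner, read its first message, log it."""
    data = b""
    try:
        conn.settimeout(5.0)          # do not let a silent client pin a thread
        conn.sendall(FAKE_BANNER)
        data = conn.recv(1024)
    except (socket.timeout, OSError):
        pass                          # a connect-and-drop scan is still logged
    finally:
        conn.close()
    sink(make_event(peer, dst_port, data))


def serve(port=HONEYPOT_PORT, sink=None, max_clients=None):
    """Listen on `port` and hand every accepted connection to handle_client.

    `sink` receives each event (default: print one JSON line per event);
    `max_clients` stops the loop after that many connections.
    """
    sink = sink or (lambda e: print(json.dumps(e)))
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    served = 0
    try:
        while max_clients is None or served < max_clients:
            conn, peer = srv.accept()
            threading.Thread(target=handle_client,
                             args=(conn, peer, port, sink), daemon=True).start()
            served += 1
    finally:
        srv.close()


def simulate_probe(payload, peer=("192.0.2.10", 51515)):
    """Run handle_client over an in-process socket pair (no network).

    Returns (event, bytes the client saw), so the handler can be exercised offline.
    """
    server_side, client_side = socket.socketpair()
    client_side.sendall(payload)
    events = []
    handle_client(server_side, peer, HONEYPOT_PORT, events.append)
    seen = client_side.recv(256)
    client_side.close()
    return events[0], seen


def top_sources(events, n=3):
    """Summarise collected events: which sources probed the honeypot most often."""
    return Counter(e["src_ip"] for e in events).most_common(n)


# Constructed sample events, as the log might look after a few probes.
SAMPLE_EVENTS = [
    make_event(("203.0.113.5", 40111), HONEYPOT_PORT, b"SSH-2.0-libssh_0.8\r\n", ts=1),
    make_event(("203.0.113.5", 40112), HONEYPOT_PORT, b"SSH-2.0-libssh_0.8\r\n", ts=2),
    make_event(("198.51.100.7", 5150), HONEYPOT_PORT, b"GET / HTTP/1.0\r\n\r\n", ts=3),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(json.dumps(e))
    print("top sources:", top_sources(SAMPLE_EVENTS))
    serve()  # blocks and logs live connections; stop with Ctrl-C
```

Run as a script it prints the constructed events, then listens on the assumed port; anything that connects (a port scanner, a credential-guessing bot, a mistyped address) is logged as an alert. The design point is the absence of any "is this suspicious?" logic: the decision was made when the listener was deployed, which is why honeypot data needs no filtering and why such a listener should still sit beside, not instead of, an IDS covering the real systems.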
Conclusions and Future Outlook
In this paper we have provided a brief overview of what
honeypots are, and what they are useful for. We have discussed
the different types of honeypots such as production honeypots,
research honeypots, and honeytokens. We also looked at factors
that should be considered when implementing a honeypot. For
example, the level of interaction of your honeypot depends on
what you want to use it for. The legal issues surrounding
honeypots and their implementation were examined, and
throughout we mentioned the advantages of honeypots. An
important point to remember is that experts advise using
honeypots together with some other form of security such as an
IDS.
Honeypots are a relatively new technology that is becoming
increasingly popular, and will become even more so as
commercial solutions become available that are easy to use and
administer. Because they can be used to collect information on
attackers and other threats, we believe they can prove a useful tool
in digital forensics investigations.