Honeypots mailing list archives
Re: Undergraduate student Research topic about the Honeypots or Honeynet
From: Valdis.Kletnieks () vt edu
Date: Mon, 15 Nov 2004 14:09:35 -0500
On Sat, 13 Nov 2004 13:05:15 GMT, Alan Chung said:
> My final year project topic is "Profiling Security Threats with Honeypots".
> The project plan is to deploy a centralized database to collect the data and design a user interface. Then, using the user interface, summarize, profile and report the threats.
The biggest problem you will encounter is how to do proper filtering of the noise. For instance, my laptop has been up for 3 hours and 3 minutes, and in that time, I've seen 486 probes, including 140 on port 445, 125 on port 1433, and 91 on port 135. However, none of those is by itself a *threat*, because those ports aren't open.

There are 3 categories of malicious traffic:

1) The eternal flood of known bad traffic, which most sites should have little to no *threat* from if they've properly configured their systems and installed patches.

2) New, fairly recent vulnerabilities for which your vendor hasn't shipped a patch applicable to your operating system (for instance, there's an IFRAME bug that's allegedly fixed in XP SP2, but not for W2K). Also included are threats from exploits for patches you've not installed because they break critical applications, or hardening procedures you've not done because they break something.

3) Odd, totally uncharacterizable traffic - the kind you see on a tcpdump and say "What the <bleep> was *THAT*?" You know - stuff like a successful 3-packet handshake to a host in your darknet, packets coming *from* the Ethernet broadcast address, etc. :)

Finding a way to model the *threat* from traffic in categories 2 and 3 is truly a worthy research project (especially when you factor in the effect of a true 0-day - by the time you *see* the packet, it's not a threat anymore, because you were *already* hacked). Remember - the average *well-run* site has little to fear from the average script kiddie. However, the *threat* may be very hard to model based on mere traffic, because the threat is composed of motivated black hats, disgruntled (possibly not yet ex-)employees, and the like.
Another open research question is how to get a black hat to hit your honeypot rather than the "real" service - if they're targeting a PHP exploit on your corporate webserver in order to harvest credit card numbers, it's unlikely they'll poke your honeypot by accident in any detectable way. As a result, the honeypot traffic may not reflect the actual *threat* model.
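As an added illustration of the noise-filtering problem described above (this is example code, not part of the original post or thread), the script below triages a constructed set of tcpdump-style packet records: SYNs to closed ports are counted as category-1 noise per port, traffic to a real service is set aside for review, and the two category-3 oddities the post names (a completed three-way handshake into darknet space, a frame sourced from the Ethernet broadcast address) are flagged. The open-port set, the darknet range and the sample packets are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample packets in tcpdump's shape: flags "S" = SYN, "S." = SYN-ACK, "." = ACK.
# Fields: (src_mac, src_ip, src_port, dst_ip, dst_port, flags)
SAMPLE = [
    ("00:11:22:33:44:01", "198.51.100.7", 40001, "192.0.2.10", 445, "S"),
    ("00:11:22:33:44:01", "198.51.100.7", 40002, "192.0.2.10", 1433, "S"),
    ("00:11:22:33:44:02", "198.51.100.9", 40003, "192.0.2.10", 135, "S"),
    ("00:11:22:33:44:02", "198.51.100.9", 40004, "192.0.2.10", 445, "S"),
    ("00:11:22:33:44:03", "203.0.113.5", 40005, "192.0.2.10", 80, "S"),
    ("ff:ff:ff:ff:ff:ff", "203.0.113.6", 40006, "192.0.2.10", 445, "S"),
    ("00:11:22:33:44:04", "203.0.113.7", 40007, "192.0.2.200", 8080, "S"),
    ("00:11:22:33:44:05", "192.0.2.200", 8080, "203.0.113.7", 40007, "S."),
    ("00:11:22:33:44:04", "203.0.113.7", 40007, "192.0.2.200", 8080, "."),
]

OPEN_PORTS = {22, 80}                              # assumed: what the monitored host really serves
DARKNET = ipaddress.ip_network("192.0.2.128/25")   # assumed: unused space nothing should answer from
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def triage(packets):
    """Sort packets into noise (probes of closed ports), review (traffic to a real
    service) and odd (category 3: traffic that should not be possible at all)."""
    noise = Counter()
    review, odd = [], []
    flows = {}  # (client_ip, client_port, server_ip, server_port) -> handshake state
    for src_mac, src_ip, sport, dst_ip, dport, flags in packets:
        if src_mac == BROADCAST_MAC:
            odd.append(f"frame from Ethernet broadcast address: {src_ip} -> {dst_ip}:{dport}")
            continue
        if flags == "S":
            flows[(src_ip, sport, dst_ip, dport)] = "syn"
        elif flags == "S." and flows.get((dst_ip, dport, src_ip, sport)) == "syn":
            flows[(dst_ip, dport, src_ip, sport)] = "synack"
        elif flags == "." and flows.get((src_ip, sport, dst_ip, dport)) == "synack":
            flows[(src_ip, sport, dst_ip, dport)] = "established"
            if ipaddress.ip_address(dst_ip) in DARKNET:
                odd.append(f"completed handshake to darknet host {dst_ip}:{dport} from {src_ip}")
            continue
        if flags != "S":
            continue  # only count connection attempts, not the rest of a flow
        if dport in OPEN_PORTS:
            review.append((src_ip, dst_ip, dport))
        else:
            noise[dport] += 1  # category 1: a probe of a port that isn't open is not a threat here
    return {"noise_by_port": noise, "review": review, "odd": odd}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the 445/1433/135 probes land in the per-port noise counter, the port-80 SYN is queued for review, and the broadcast-sourced frame and the darknet handshake come out as the two "odd" items.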
Current thread:
- Undergraduate student Research topic about the Honeypots or Honeynet Alan Chung (Nov 13)
- Re: Undergraduate student Research topic about the Honeypots or Honeynet Miled Fathia (Nov 16)
- Re: Undergraduate student Research topic about the Honeypots or Honeynet Marc Dacier (Nov 16)
- Re: Undergraduate student Research topic about the Honeypots or Honeynet Valdis . Kletnieks (Nov 16)
- Re: Undergraduate student Research topic about the Honeypots or Honeynet VHP3 (Nov 18)