
Honeypots

B.VIJAYKUMAR
2451-15-735-301
Introduction

• A honeypot is a trap set to detect, deflect, or in some manner
counteract attempts at unauthorized use of information systems

• They are highly flexible security tools with many different security
applications. They do not fix a single problem; instead they have
multiple uses, such as prevention, detection, or information
gathering

• A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource
Literature review

• A honeypot is a non-production system used to engage the attacker
and record the attacking techniques and actions.
• The objective of honeypots is not only to notice an attack but to
tackle the risk and remove it.
• Various definitions of honeypots exist: some regard them as systems
that confuse attackers and allow their activities to be inspected,
whereas others regard them as a technology for detecting attacks, or
as real systems built in order to be attacked.
What is a Honey Pot?
• A Honey Pot is an intrusion detection technique used to study
hackers' movements
What is a Honey Pot? (cont.)

• Virtual machine that sits on a network or a client

• Goals
– Should look as real as possible!
– Should be monitored to see if it's being used to launch a
massive attack on other systems
– Should include files that are of interest to the hacker
Classification
By level of interaction
• High
• Low
By implementation
• Virtual
• Physical
By purpose
• Production
• Research
Interaction
Low interaction Honeypots
• They have limited interaction; they normally work by emulating
services and operating systems
• They simulate only services that cannot be exploited to get complete
access to the honeypot
• Attacker activity is limited to the level of emulation by the honeypot
• Examples of low-interaction honeypots include Specter, Honeyd,
and KFSensor
Interaction
High interaction Honeypots
• They are usually complex solutions as they involve real operating
systems and applications
• Nothing is emulated; the attackers are given the real thing
• A high-interaction honeypot can be compromised completely,
allowing an adversary to gain full access to the system and use it to
launch further network attacks
• Examples of high-interaction honeypots include Symantec Decoy
Server and Honeynets
Implementation

• Physical
– Real machines
– Own IP addresses
– Often high-interaction
• Virtual
– Simulated by other machines that:
  · Respond to the traffic sent to the honeypots
  · May simulate a lot of (different) virtual honeypots at the
    same time
Production
• Production honeypots are easy to use, capture only limited
information, and are used primarily by companies or corporations
• Prevention
– To keep the bad elements out
– There are no effective mechanisms
– Deception, deterrence and decoys do NOT work against
automated attacks: worms, auto-rooters, mass-rooters
• Detection
– Detecting the burglar when he breaks in
• Response
– Can easily be pulled offline
Research

• Research honeypots are complex to deploy and maintain, capture
extensive information, and are used primarily by research, military,
or government organizations.
• Collect small amounts of high-value information
• Discover new tools and tactics
• Understand motives, behavior, and organization
• Develop analysis and forensic skills
Working of a Honeynet – high-interaction honeypot

• A Honeynet has 3 components:
– Data control
– Data capture
– Data analysis
Working of Honeyd – low-interaction honeypot

• Open source and designed to run on Unix systems
• Concept: monitoring unused IP space
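The low-interaction idea from the previous slides, as an added illustration that is not Honeyd's code: one socket pretends to be an SSH service by returning a banner, records who connected and the first line they sent, and offers nothing that could be exploited further, so attacker activity stops at the emulation. The banner, the port choice and the client probe are all constructed for this example; Honeyd itself binds many unused addresses, which is not shown here.

```python
import socket
import threading
from datetime import datetime, timezone
# Constructed banner: the honeypot only pretends to be sshd; nothing real listens behind it.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

class LowInteractionHoneypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []                      # data capture: one record per connection

    def handle(self, conn, addr):
        with conn:
            conn.settimeout(2.0)
            conn.sendall(BANNER)              # the entire "service": a banner, then listen
            try:
                first = conn.recv(256)        # capture only the client's first 256 bytes
            except socket.timeout:
                first = b""
        # Structured record for analysis; attacker activity cannot go beyond this emulation
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": addr[0],
            "first_line": first.split(b"\n", 1)[0].decode("latin-1").strip(),
        })

    def serve_one(self):
        """Accept one connection; a real deployment loops and binds many unused addresses."""
        conn, addr = self.sock.accept()
        self.handle(conn, addr)

def probe(port, payload):
    """Constructed client standing in for a scanner; returns the banner it was shown."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner

def run_demo(payload=b"SSH-2.0-libssh_0.9\r\n"):
    """Start the honeypot, hit it once with the constructed client, return what was captured."""
    hp = LowInteractionHoneypot()
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    banner = probe(hp.port, payload)
    worker.join(5.0)
    hp.sock.close()
    return banner, hp.events
```

A client that connects and sends nothing still produces a record with an empty first line, which is itself a useful signal on an address that should never receive traffic.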
Advantages

• Small data sets of high value.
• Easier and cheaper to analyze the data
• Designed to capture anything thrown at them, including tools
or tactics never used before
• Require minimal resources
• Work fine in encrypted or IPv6 environments
• Can collect in-depth information
• Conceptually very simple
Disadvantages

• Can only track and capture activity that directly interacts with
them
• All security technologies have risk
• Building, configuring, deploying and maintaining a high-interaction
honeypot is time consuming
• Difficult to analyze a compromised honeypot
• High interaction honeypot introduces a high level of risk
• Low interaction honeypots are easily detectable by skilled
attackers
Conclusion

• Not a solution!
• Can collect in-depth data which no other technology can
• Different from others – its value lies in being attacked, probed
or compromised
• Extremely useful in observing hacker movements and preparing
the systems for future attacks
Thank you

Questions??
