Honeypots and Honeynets

Details

Brief description

The concept of honeypots has already proven to be of great value whithin the detection and analysis of new kinds of computer attacks. A honeypot in this context, is an unused network resource (e.g. PC, router, ip address) whose sole purpose lies within being attacked and compromised. In contrast to other intrusion detection mechanisms, honeypots have the clear advantage that every access can be regarded as illicit and thus treated as an attack. Consequently there is no need to distinguish between regular and illegal data traffic in a first step. As an effect, the amount of data to be analysed is considerably reduced. Nevertheless, the quantity of captured data at a honeypot tends to be enormous, which leads to the necessity of methods for automated analysis. These methods should allow to differentiate between known and unknown attacks, record them, identify the exploited vulnerability and ideally generate a signature of the observed attack.

Objectives

  • Gather experience in the deployment of honeypots
  • Identification of further applications for honeypots
  • Development of a tool chain for detecting and examining previously unknown attacks
  • Automated generation of attack signatures
  • Identification of attack trends
  • Insights into the methods of attackers
  • Observation of botnets
  • Insights into new functionalities of bots
  • Tracking and observation of non-irc botnets