Honeycomb and the current state of honeypot technology
Christian Kreibich
Honeypots are systems whose only purpose is to be probed, attacked or
compromised. Any activity on these systems is highly suspicious by
definition, as honeypots are of no value to benign users. Recently
several sophisticated tools have been developed to help admins detect,
capture and contain attacks in progress. I will first review the state
of the art in honeypot technology and then present a system that
attempts to detect patterns in traffic seen on honeypots in order to
automatically produce attack signatures for network intrusion detection
systems. The system is an extension to the open-source honeypot honeyd
and uses a combination of longest-common substring algorithms and
protocol header analysis to create those signatures. The talk will also
include some of the results the system produced while running on an
unprotected DSL connection for 48 hours.
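The abstract describes the core idea of the signature generator but not its code. The following is an added example, written for this page and not Honeycomb's or honeyd's own implementation, that shows the two ingredients working together on constructed honeypot traffic: flows are first grouped by protocol header fields (transport protocol and destination port), and within each group payloads are compared with a longest-common-substring search; a substring that recurs across flows becomes the content of a signature. The flow records, the minimum match length, and the Snort-style rule format are all assumptions made for this example.

```python
"""Added example (not Honeycomb's code): deriving a content signature
from repeated honeypot traffic by combining protocol header analysis
with a longest-common-substring (LCS) search over payloads."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One captured honeypot flow, reduced to the fields this example uses."""
    proto: str       # "tcp" or "udp"
    dst_port: int    # port on the honeypot that the attacker contacted
    payload: bytes   # reassembled application payload sent by the attacker


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic O(len(a) * len(b)) dynamic-programming LCS over byte strings.
    Returns the longest run of bytes that occurs contiguously in both inputs."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def group_by_header(flows):
    """Protocol header analysis: only flows that agree on transport protocol
    and destination port are candidates for sharing a signature."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.proto, f.dst_port)].append(f)
    return groups


def derive_signatures(flows, min_len=10):
    """Compare every pair of flows inside a header group. The longest payload
    LCS of at least min_len bytes becomes that group's signature content.
    Returns {(proto, dst_port): common_bytes}. min_len is an assumed threshold
    that keeps short, coincidental matches (e.g. "HTTP/1.") from becoming rules."""
    sigs = {}
    for key, group in group_by_header(flows).items():
        best = b""
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                lcs = longest_common_substring(group[i].payload, group[j].payload)
                if len(lcs) >= min_len and len(lcs) > len(best):
                    best = lcs
        if best:
            sigs[key] = best
    return sigs


def to_content(s: bytes) -> str:
    """Render bytes as a Snort-style content string: printable characters stay
    literal, everything else (and Snort's special characters) goes in |hex| runs."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for c in s:
        if 32 <= c < 127 and chr(c) not in '"|;\\':
            flush()
            parts.append(chr(c))
        else:
            hexrun.append("%02X" % c)
    flush()
    return "".join(parts)


def to_snort_rule(proto, dst_port, content, sid):
    """Wrap a derived byte string in a Snort-style rule (assumed output format)."""
    return ('alert %s any any -> $HOME_NET %d (msg:"honeypot-derived signature"; '
            'content:"%s"; sid:%d;)' % (proto, dst_port, to_content(content), sid))


# Constructed sample traffic (not real captures): two probes for the same
# made-up CGI path, one unrelated request, two UDP packets sharing a prefix,
# and a lone UDP packet that has nothing to be compared against.
SAMPLE_FLOWS = [
    Flow("tcp", 80, b"GET /cgi-bin/example-probe.sh HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n"),
    Flow("tcp", 80, b"GET /cgi-bin/example-probe.sh HTTP/1.0\r\nHost: 203.0.113.9\r\n"
                    b"User-Agent: x\r\n\r\n"),
    Flow("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    Flow("udp", 4000, b"\x04\x01\x01\x01PROBE-" + b"A" * 20),
    Flow("udp", 4000, b"\x04\x01\x01\x01PROBE-" + b"B" * 20),
    Flow("udp", 5353, b"\x00\x00\x84\x00lonely"),
]

if __name__ == "__main__":
    for n, ((proto, port), common) in enumerate(derive_signatures(SAMPLE_FLOWS).items()):
        print(to_snort_rule(proto, port, common, 1000000 + n))
```

Two things the output makes visible that the abstract only hints at. First, the header grouping does real work: the lone port-5353 datagram never yields a rule, and the benign `/index.html` request is compared with the probes but only shares short protocol boilerplate with them, which the length threshold discards. Second, the LCS over the two HTTP probes swallows the trailing `HTTP/1.0\r\nHost: ` bytes along with the probe path, so a generated signature is a candidate to be reviewed and trimmed, not something to deploy unread.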