May 22nd 2003

Honeycomb and the current state of honeypot technology

Christian Kreibich
Honeypots are systems whose only purpose is to be probed, attacked or compromised. Any activity on these systems is highly suspicious by definition, as honeypots serve no value to benign users. Recently several sophisticated tools have been developed to help admins detect, capture and contain attacks in progress. I will first review the state of the art in honeypot technology and then present a system that attempts to detect patterns in traffic seen on honeypots in order to automatically produce attack signatures for network intrusion detection systems. The system is an extension to the open-source honeypot honeyd and uses a combination of longest-common substring algorithms and protocol header analysis to create those signatures. The talk will also include some of the results the system produced when running it on an unprotected DSL connection for 48 hours.
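
The signature idea in the abstract, sketched as an added example that is not Honeycomb's or honeyd's code: a new honeypot payload is compared against earlier payloads with matching headers, and the longest common substring becomes the candidate content pattern. The dynamic-programming search, the header check reduced to protocol and destination port, the names `Flow` and `propose_signature`, the `min_len` threshold and the sample payloads are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    payload: bytes

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """O(len(a)*len(b)) dynamic programming; a rolling row keeps memory at O(len(b))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1      # extend the match ending at a[i-2], b[j-2]
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def propose_signature(new: Flow, history: list, min_len: int = 8):
    """Return a candidate signature dict, or None if nothing long enough is shared."""
    best = b""
    for old in history:
        # Header step (simplified assumption): only compare flows to the same service.
        if (old.proto, old.dst_port) != (new.proto, new.dst_port):
            continue
        common = longest_common_substring(new.payload, old.payload)
        if len(common) > len(best):
            best = common
    if len(best) < min_len:                   # short overlaps such as "\r\n" are noise
        return None
    return {"proto": new.proto, "dst_port": new.dst_port, "content": best}

# Constructed sample traffic, not captured from any real honeypot.
HISTORY = [
    Flow("tcp", 80, b"GET /scripts/probe.cgi?id=AAAA1111 HTTP/1.0\r\n"),
    Flow("tcp", 25, b"HELO scanner.example\r\n"),
]
NEW = Flow("tcp", 80, b"GET /scripts/probe.cgi?id=BBBB2222 HTTP/1.0\r\n")

if __name__ == "__main__":
    print(propose_signature(NEW, HISTORY))
```
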