Honeypots mailing list archives

RE: profiling honeypots..


From: "Toby Miller" <toby_miller () adelphia net>
Date: Mon, 7 Apr 2003 13:46:34 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been reading this thread with great interest and the dialogue
is good but the one thing people need to realize is that profiling is
an art not a science. I have given some lectures on my model and the
one thing people fail to realize is that no model will be accurate
100% of the time. The FBI will tell you their profiling system is not
accurate 100% of the time. What we need to do is come up with a model
that is accurate most of the time and can be used as another
tool in the honeypot/ids world.

Toby

On 7 Apr 2003, at 10:12, Anton A. Chuvakin wrote:

implementations are that they exhibit predictable or
identifiable probe/attack response characteristics, and their
locations are
Hmm, that sounds a bit weird to me. When you type a UNIX command,
the response is pretty predictable (or at least one hopes so).
Why should honeypots "display unpredictable behavior"?

bhh>>>
I believe you are considering only one stimulus / response
event and not the quantization effect/error dynamics of the
entire system. On a truly "active" system one would observe a
quantifiable randomness in the system-wide operating and
response characteristics indicative of the open-loop dynamics
of a live/active system. Conversely, most honeypots by
design are closed loop systems that respond in a linear or
controlled manner with predictable responses to step changes
and stimuli, when analyzed as a system.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPpG5VlLhpjRJgUE5EQImCQCghwnKmIG03BwmzaLb8YiwPAgio9cAoO5T
38d59MLRLG+2tTqAClqZbZ/S
=B6dd
-----END PGP SIGNATURE-----



