Honeypots mailing list archives

RE: profiling honeypots..


From: "Toby Miller" <toby_miller () adelphia net>
Date: Mon, 7 Apr 2003 16:44:02 -0400


Because there is no way we could get a profile right 100% of the
time, hell, I don't believe we could get a profile right 95% of the
time (especially against elite attackers). I came up with a very
immature model and am still working on it; the problem is many people
want a model that is correct 100% of the time. There are many
variables in our field, and covering every single variable is difficult.
This makes modeling difficult as well. All that being said, we still
could continue developing a model; we would have to realize that it
would have flaws. Just my .02 worth.

Toby


Toby, I am interested in learning what would classify profiling as an
art and not a science?


I have given some lectures on my model and the
one thing people fail to realize is that no model will be accurate
100% of the time. The FBI will tell you their profiling system is
not accurate 100% of the time. What we need to do is come up with a
model that is accurate most of the time and can be used as
another tool in the honeypot/IDS world.

It is important to develop a model. One thing that prohibits
development is some of the networks and the way they are designed.
If client X is attacked, depending on the severity of the outage you
won't have the chance to perform any type of analysis. Not everyone
uses TCP dump recorders.




