Honeypots mailing list archives
Real-Time Virtual Honeypot Users
From: Sylvain P.Leblanc <Sylvain.Leblanc () rmc ca>
Date: 16 Jun 2004 19:19:14 -0000
I enjoyed the Virtual Honeypot Users thread, as it closely related to my main current research topic. However, I want to take the Virtual User idea a little further. My interest lies in simulating user activity on the honeypot itself, and not only at the connection level.

If the blackhat is on the honeypot, she/he has access to the kernel and can watch the interaction of the various device drivers. If everything is done remotely (I enjoy the representation of the honeypot as a computer without a keyboard in Andrew Lamb's white paper), the blackhat would be able to detect the lack of driver activity. To guard against this, an organization could have actual users sitting at the computer and interacting with the hardware. This is very costly, and it would likely only be done for a very high value research honeypot.

In such cases, we may benefit from generating device driver interaction automatically. My thought is to model specific device driver interaction by capturing data on actual production systems. If it is possible to parametrize these models, we may be able to vary the parameters of the model to have valid, yet slightly different behaviour for different users (nod to Vlad from the Virtual Honeypot Users thread).

I am in the very early stages of this research, but I would really appreciate hearing what the community thinks.

Cheers.
Sly
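The following sketch is an added example, not part of the original post or of the author's research. It illustrates the parametrized-model idea under two assumptions the post does not make: that the modelled signal is the interval between keystrokes, and that a log-normal distribution fits it. The sample timings and the function names are constructed for illustration.

```python
import math
import random
import statistics

# Constructed sample: inter-keystroke intervals in seconds, standing in for
# timings captured from a keyboard driver on a production system.
CAPTURED_INTERVALS = [0.11, 0.14, 0.09, 0.22, 0.17, 0.13, 0.31, 0.12,
                      0.10, 0.19, 0.45, 0.15, 0.08, 0.16, 0.27, 0.12]


def fit_lognormal(intervals):
    """Estimate (mu, sigma) of a log-normal model from positive intervals."""
    logs = [math.log(x) for x in intervals if x > 0]
    if len(logs) < 2:
        raise ValueError("need at least two positive intervals to fit")
    return statistics.fmean(logs), statistics.stdev(logs)


def derive_user(base, user_id, spread=0.15):
    """Perturb the fitted parameters so each virtual user types differently.

    The perturbation is seeded by user_id, so a given virtual user keeps
    the same profile across sessions.
    """
    mu, sigma = base
    rng = random.Random(f"profile:{user_id}")
    return (mu + rng.uniform(-spread, spread),
            sigma * (1 + rng.uniform(-spread, spread)))


def schedule(params, n_events, seed, floor=0.02):
    """Return n_events cumulative timestamps (seconds) for synthetic input."""
    mu, sigma = params
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n_events):
        # The floor keeps every interval plausible for a human typist.
        t += max(floor, rng.lognormvariate(mu, sigma))
        out.append(round(t, 4))
    return out


if __name__ == "__main__":
    base = fit_lognormal(CAPTURED_INTERVALS)
    for user in ("alice", "bob"):
        p = derive_user(base, user)
        print(user, [round(v, 3) for v in p], schedule(p, 5, seed=user))
```

The timestamps only say when synthetic input should occur; injecting events so that they actually pass through the driver stack is a separate, platform-specific step that this sketch does not cover.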