Honeypots mailing list archives

Re: Undergraduate student Research topic about the Honeypots or Honeynet


From: Valdis.Kletnieks () vt edu
Date: Mon, 15 Nov 2004 14:09:35 -0500

On Sat, 13 Nov 2004 13:05:15 GMT, Alan Chung said:

> My final year project topic is "Profiling Security Threats with Honeypots"
>
> The project plan is to deploy a centralized database to collect the data and
> design a user interface, then use the user interface to summarize, profile
> and report the threats.

The biggest problem you will encounter is how to do proper filtering of the
noise.  For instance, my laptop has been up for 3 hours and 3 minutes, and
in that time, I've seen 486 probes, including 140 on port 445, 125 on port 1433,
and 91 on port 135.  However, none of those is by itself a *threat*, because
those ports aren't open.

There are 3 categories of malicious traffic:

1) the eternal flood of known bad traffic, which most sites should have little
to no *threat* from if they've properly configured their systems and installed
patches.

2) New, fairly recent vulnerabilities for which your vendor hasn't shipped a patch
applicable to your operating system (for instance, there's an IFRAME bug that's
allegedly fixed in XP SP2, but not for W2K).  Also included are threats from
exploits for patches you've not installed because they break critical applications,
or hardening procedures you've not done because they break something.

3) Odd, totally uncharacterizable traffic - the kind you see on a tcpdump and
say "What the <bleep> was *THAT*?" You know - stuff like a successful 3-packet
handshake to a host in your darknet, packets coming *from* the Ethernet
broadcast address, etc. :)

Finding a way to model the *threat* from traffic in categories 2 and 3 is truly
a worthy research project (especially when you factor in the effect of a true
0-day - by the time you *see* the packet, it's not a threat anymore, because
you were *already* hacked).

Remember - the average *well-run* site has little to fear from the average
script kiddie.  However, the *threat* may be very hard to model based on
mere traffic, because the threat is composed of motivated black hats, disgruntled
(possibly not yet ex-)employees, and the like.

Another open research question is how to get a black hat to hit your honeypot
rather than the "real" service - if they're targeting a PHP exploit on your
corporate webserver in order to harvest credit card numbers, it's unlikely
they'll poke your honeypot by accident in any detectable way.  As a result,
the honeypot traffic may not reflect the actual *threat* model.
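The noise-filtering problem described above (probes against closed ports are not threats) and the three traffic categories, as an added example that is not part of the original post: it triages constructed probe records against a hypothetical host inventory. The log format, the open/unpatched port inventory, and the darknet range are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample probe log (hypothetical format): src dst dport handshake src_mac
SAMPLE_LOG = """\
10.0.0.7   192.168.1.10  445  no  00:11:22:33:44:55
10.0.0.8   192.168.1.10  1433 no  00:11:22:33:44:66
10.0.0.9   192.168.1.10  135  no  00:11:22:33:44:77
10.0.0.7   192.168.1.10  80   no  00:11:22:33:44:55
10.0.0.7   192.168.1.10  22   no  00:11:22:33:44:55
10.0.0.12  192.168.9.40  22   yes 00:11:22:33:44:88
10.0.0.13  192.168.1.10  80   no  ff:ff:ff:ff:ff:ff
"""

# Hypothetical inventory of the monitored host: which ports are really open, and
# which open services still lack a vendor patch for a recent vulnerability.
OPEN_PORTS = {"192.168.1.10": {80, 22}}
UNPATCHED_PORTS = {"192.168.1.10": {80}}
DARKNET = ip_network("192.168.9.0/24")  # unused space; no handshake should ever complete here
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_log(text):
    """Turn the constructed log lines into probe records."""
    records = []
    for line in text.splitlines():
        src, dst, dport, handshake, mac = line.split()
        records.append({"src": src, "dst": dst, "dport": int(dport),
                        "handshake": handshake == "yes", "mac": mac.lower()})
    return records

def classify(rec):
    """Map one probe to 'noise' or to one of the post's three categories."""
    if rec["mac"] == BROADCAST_MAC or (ip_address(rec["dst"]) in DARKNET and rec["handshake"]):
        return "odd"          # category 3: uncharacterizable, look at it by hand
    if rec["dport"] not in OPEN_PORTS.get(rec["dst"], set()):
        return "noise"        # closed port: the probe cannot succeed, so no threat
    if rec["dport"] in UNPATCHED_PORTS.get(rec["dst"], set()):
        return "unpatched"    # category 2: open service with no patch available
    return "known-bad"        # category 1: known attack against an open but patched service

def triage(records):
    """Return {category: Counter of (dst, dport)} so a report can show counts per service."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[classify(rec)][(rec["dst"], rec["dport"])] += 1
    return dict(summary)

if __name__ == "__main__":
    for cat, ports in triage(parse_log(SAMPLE_LOG)).items():
        print(cat, dict(ports))
```

On the sample log the three probes on 445, 1433 and 135 land in "noise" because those ports are closed, while the darknet handshake and the broadcast-MAC packet are flagged "odd" regardless of port.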

