Abstract
In this paper, we propose a honeypot architecture for detecting and analyzing unknown network attacks. The main focus of our approach lies in improving the “significance” of recorded events and network traffic that need to be analyzed by a human network security operator in order to identify a new attacking pattern. Our architecture aims to achieve this goal by combining three main components: 1. a packet filter that suppresses all known attacking packets, 2. a proxy host that performs session-individual logging of network traffic, and 3. a honeypot host that executes actual network services to be potentially attacked from the Internet in a carefully supervised environment and that reports back to the proxy host upon the detection of suspicious behavior. Experiences with our first prototype of this concept show that it is relatively easy to specify suspicious behavior and that traffic belonging to an attack can be successfully identified and marked.
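The following Python model, added here as an illustration and not code from the paper or its prototype, shows how the three components described in the abstract fit together: a filter drops packets matching signatures of already-known attacks, the remaining packets are logged per session rather than as one undifferentiated stream, and when the supervised honeypot service reports suspicious behaviour the entire session the offending packet belongs to is marked for the operator. The signatures, the behaviour rule inside `honeypot_observes`, the addresses and the sample requests are all constructed for the example; the paper does not specify them.

```python
"""Toy model of the filter -> session-logging proxy -> honeypot pipeline.
Packets flow client -> honeypot only; replies are omitted for brevity."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


SessionKey = Tuple[str, int, str, int]

# Constructed stand-ins for signatures of *known* attacks. A real deployment
# would take these from an IDS rule set rather than hard-coding them.
KNOWN_ATTACK_SIGNATURES = (b"/cgi-bin/phf", b"\x90" * 16)


def is_known_attack(pkt: Packet) -> bool:
    """Stage 1: the packet filter suppresses traffic already covered by a signature,
    so it never reaches the log the human operator has to read."""
    return any(sig in pkt.payload for sig in KNOWN_ATTACK_SIGNATURES)


def session_key(pkt: Packet) -> SessionKey:
    """Stage 2 keys every packet by client endpoint and target service."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def honeypot_observes(pkt: Packet) -> Optional[str]:
    """Stage 3 stand-in for the supervised service. Returns a reason string when the
    request violates a hypothetical behaviour specification, otherwise None."""
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    if len(request_line) > 256:
        return "request line longer than 256 bytes"
    if b".." in request_line:
        return "path traversal sequence in request line"
    return None


@dataclass
class ProxyLog:
    """Session-individual log kept on the proxy host."""
    sessions: Dict[SessionKey, List[Packet]] = field(default_factory=dict)
    marked: Dict[SessionKey, str] = field(default_factory=dict)
    suppressed: int = 0

    def ingest(self, pkt: Packet) -> None:
        if is_known_attack(pkt):
            self.suppressed += 1          # known attack: drop, do not log
            return
        key = session_key(pkt)
        self.sessions.setdefault(key, []).append(pkt)
        reason = honeypot_observes(pkt)   # forward to the honeypot service
        if reason is not None:
            self.report(key, reason)      # honeypot reports back to the proxy

    def report(self, key: SessionKey, reason: str) -> None:
        """Mark the whole session, not just the single packet that triggered it,
        so the operator sees the complete exchange leading up to the alert."""
        self.marked.setdefault(key, reason)

    def sessions_for_analyst(self) -> Dict[SessionKey, Tuple[List[Packet], str]]:
        return {k: (self.sessions[k], reason) for k, reason in self.marked.items()}


def run_pipeline(packets) -> ProxyLog:
    log = ProxyLog()
    for pkt in packets:
        log.ingest(pkt)
    return log


# Constructed sample traffic: one known attack, one benign session, and one
# session whose second request trips the honeypot's behaviour rule.
SAMPLE = [
    Packet("198.51.100.7", 40001, "192.0.2.10", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.8", 40002, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.8", 40002, "192.0.2.10", 80, b"GET /about.html HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", 40003, "192.0.2.10", 80, b"GET /robots.txt HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", 40003, "192.0.2.10", 80, b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    log = run_pipeline(SAMPLE)
    print(f"suppressed by filter: {log.suppressed}")
    for key, (pkts, reason) in log.sessions_for_analyst().items():
        print(key, f"{len(pkts)} packets ->", reason)
```

Running the sample leaves exactly one session for the operator to inspect, with both of its packets attached and the reason the honeypot gave; the benign session is logged but not surfaced, and the known attack never enters the log at all. Whether marking is done per session or per packet is the design choice the abstract's "session-individual logging" turns on: an analyst reconstructing an unknown attack needs the earlier, innocuous-looking requests of the same session as much as the one that triggered the report.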
Cite this paper
Diebold, P., Hess, A., Schäfer, G. (2005). A Honeypot Architecture for Detecting and Analyzing Unknown Network Attacks. In: Müller, P., Gotzhein, R., Schmitt, J.B. (eds) Kommunikation in Verteilten Systemen (KiVS). Informatik aktuell. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-27301-8_20
DOI: https://doi.org/10.1007/3-540-27301-8_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24473-8
Online ISBN: 978-3-540-27301-1
eBook Packages: Computer Science and Engineering (German Language)