
HoneyPots

Presented By :
Sparsh Thakur
1603617051
ECE (6th)
Introduction
• A honeypot is a trap set to detect, deflect, or in some manner counteract
attempts at unauthorized use of information systems.

• Honeypots are a highly flexible security tool with different applications for
security. They don't fix a single problem. Instead they have multiple uses,
such as prevention, detection, or information gathering.

• A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource.
What is a Honey Pot?
• A Honey Pot is an intrusion detection technique used to study hackers' movements

• Virtual machine that sits on a network or a client

• Goals
  - Should look as real as possible!
  - Should be monitored to see if it's being used to launch a massive attack on other systems
  - Should include files that are of interest to the hacker
Classification
By level of interaction
• High
• Low
By Implementation
• Virtual
• Physical
By Purpose
• Production
• Research
Literature Review
[1]
Title – The Study of an Attack (Know Your Enemy: A Forensic Analysis)
Year Of Publishing - 2000
Author – Lance Spitzner
Methodology – This paper shows how a honeypot was compromised,
backdoored and eventually used for trinoo attacks.
Advantages – 1) It analyzes the attack
Limitations – 1) It does not work in offline system
Literature Review
[2]
Title – Honeypots for Distributed Denial of Service Attacks
Year Of Publishing - 2002
Author – Nathalie Weiler
Methodology – In this paper, they described a promising tool for luring
attackers into the belief of a successful DDoS attack. They
showed how such a system can be used in a defence in depth
real-world network environment.
Advantages – 1) We can defend our operational network with a high
probability against known DDoS and against new,
future variants
2) We trap the attacker so that recording of the compromise
can help in a legal action against the attacker.
Limitations – 1) The attack must be detectable.
2) The honeypot must be able to simulate the organisation's
network infrastructure, at least the parts known to the
attacker.
Literature Review
[3]
Title – Honeypots: Catching the Insider Threats
Year Of Publishing – 2003, December
Author – Lance Spitzner
Methodology – This paper discusses how honeypots contribute to the early
indication and confirmation of advanced insider threats.
However, they can be eliminated by the combination of
Honeytokens and Honeynet.
Advantages – 1) Their identity can easily be changed.
2) By using honeytoken tool they become more difficult to
detect
Limitations – 1) The insider threat may not ever use or interact with a
honeypot or honeytoken
2) Honeypots will not work if their identity is known or
discovered by the insider
Literature Review
[4]
Title – Honeycomb : Creating Intrusion Detection Signatures Using
Honeypots
Year Of Publishing - 2004
Authors – Christian Kreibich, Jon Crowcroft
Methodology – They have presented Honeycomb, a system that can
produce NIDS signatures automatically by analyzing traffic
on a honeypot. The system produces good-quality
signatures on a typical end user’s Internet connection.
Advantages – 1) No duplication of efforts
2) Avoidance of Cold Start issues
Limitations – 1) For now it does not work efficiently with high traffic
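An added example, not code from this presentation or from Honeycomb itself, of the idea behind generating signatures from honeypot traffic: payloads from different sources that share a long common substring yield a candidate pattern. The flow tuples, addresses and the `min_len` threshold are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte run shared by a and b (O(len(a)*len(b)) DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def candidate_signatures(flows, min_len=12):
    """Compare payloads pairwise per destination port and count shared patterns.

    flows: iterable of (src_ip, dst_port, payload). Only pairs from different
    sources count, so a single noisy client cannot produce a signature alone.
    min_len filters out short protocol boilerplate such as b" HTTP/1.".
    """
    hits = Counter()
    for (s1, p1, d1), (s2, p2, d2) in combinations(flows, 2):
        if p1 != p2 or s1 == s2:
            continue
        common = longest_common_substring(d1, d2)
        if len(common) >= min_len:
            hits[(p1, common)] += 1
    return hits.most_common()

# Constructed sample of payloads as a honeypot might record them
# (documentation-range addresses, made-up request path).
SAMPLE_FLOWS = [
    ("192.0.2.10", 80, b"GET /cgi-bin/status.cgi?id=AAAA1111 HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", 80, b"GET /cgi-bin/status.cgi?id=BBBB22 HTTP/1.0\r\nHost: x\r\n"),
    ("198.51.100.8", 80, b"GET /cgi-bin/status.cgi?id=CC HTTP/1.0\r\n\r\n"),
    ("203.0.113.5", 80, b"HEAD / HTTP/1.1\r\n\r\n"),
    ("203.0.113.9", 22, b"SSH-2.0-libssh\r\n"),
]

if __name__ == "__main__":
    for (port, pattern), pairs in candidate_signatures(SAMPLE_FLOWS):
        print(f"port {port}: {pairs} pair(s) share {pattern!r}")
```

A pattern seen across several independent sources is a stronger candidate for a NIDS content rule than one seen in a single pair, which is why the pair count is reported alongside it.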
Literature Review
[5]
Title – Detecting Honeypots and other suspicious environments
Year Of Publishing – 2005
Authors – Thorsten Holz, Frederic Raynal
Methodology – The article aims at showing the limitation of current
honeypot-based research.
Comparison
| S.No | Title | Year of Publishing | Authors | Methodology | Future Work |
|---|---|---|---|---|---|
| 1 | The Study of an Attack | 2000 | Lance Spitzner | Compromised using forensic analysis | NIL |
| 2 | Honeypots for DDoS Attacks | 2002 | Nathalie Weiler | Elimination of DDoS attacks | NIL |
| 3 | Honeypots: Catching the Insider Threats | 2003 | Lance Spitzner | Elimination of insider threats. | Introduction to Adaptive Honeytoken |
| 4 | Honeycomb | 2004 | Christian Kreibich, Jon Crowcroft | Produce NIDS signatures | Exposing to more aggressive traffic patterns |
| 5 | Detecting Honeypots | 2005 | Thorsten Holz, Frederic Raynal | Limitation of Current Honeypot Based Research | Develop new kind of honeypots and existing tool stealthiness |
Conclusion
This presentation gives us in-depth knowledge about honeypots and their
contribution to the security community. A honeypot is just a tool. How one
uses this tool is up to them.
Honeypots are in their infancy, and new ideas and technologies will surface
in the near future. As honeypots get more advanced,
hackers will also develop methods to detect such systems. A regular arms
race could start between the good guys and the blackhat community.
Let’s hope that such a technology will be used to restore the peace and
prosperity of the world and not to give the world a devastating end.
References
[1] Spitzner, L. (2000). Know your enemy: A forensic analysis.
[2] Weiler, N. (2002). Honeypots for distributed denial-of-service attacks.
In Enabling Technologies: Infrastructure for Collaborative Enterprises,
2002. WET ICE 2002. IEEE.
[3] Spitzner, L. (2003, December). Honeypots: Catching the insider threat.
In Computer Security Applications Conference, 2003. IEEE.
[4] Kreibich, C., & Crowcroft, J. (2004). Honeycomb: creating intrusion
detection signatures using honeypots. ACM SIGCOMM computer
communication review, 34(1), 51-56.
[5] Holz, T., & Raynal, F. (2005, June). Detecting honeypots and other
suspicious environments. In Information Assurance Workshop, 2005.
IAW'05. Proceedings from the Sixth Annual IEEE SMC (pp. 29-36). IEEE.
