Hosting Provided By

RE: Protocol Anomaly Detection IDS - Honeypots

From: Adam Powers <apowers(at)lancope.com>
Date: Thu Feb 20 2003 - 18:28:43 EST

Indeed, the true value of the honeypot does lies in detection and the reduction of false positives.

Most of the discussion thus far has been in regards to packet and session specific protocol anomalies. We must also consider policy-based anomalies. These include deviations from normal or acceptable behavior that's unrelated to the payload or makeup of a given datagram.

Projects such as honeyd (my personal favorite for this task) and LeBrea provide a convenient mechanism for creating "network booby-traps". As Lance points our, when hosts access honeypot resources there's rarely a legitimate reason. Short of a fat fingered addr or malfunctioning app, connections to honeypot hosts are almost always a SURE sign of nefarious behavior.

I think it'll be interesting how we vendors import honeypot functionality (for the above listed cause and others) into their technologies.

-----Original Message-----
From: Lance Spitzner [mailto:lance@honeynet.org] Sent: Thursday, February 20, 2003 1:59 PM To: Robert Graham
Cc: Focus on Intrusion Detection Systems; slyph@alum.mit.edu Subject: Re: Protocol Anomaly Detection IDS - Honeypots

On Wed, 19 Feb 2003, Robert Graham wrote:

> People have been hoping that there is some sort of magic-pill
technology that
> solves the problem of IDS. "Protocol-anomaly detection" is one of
those
> buzzwords that promises a magic pill.

Okay, I'll admit, to me alot of the security problems I see are nothing more then nails, and honeypots are the hammer. However, seriously, have folks
considered the detection capabilities of honeypots? The reason I bring this up in this thread, is for honeypots, everything is an anamoly. The concept of a honeypot is it has no production or authorized activity. Everything it captures its way is most likely malicious activity. Not only that, but you dramaticaly reduce 'noise'. Instead of dealing with 5,000 alerts a day (not that high of a number for many organizations) a honeypot in the same environment could only generate 5 or 10 alerts a day,
alerts you most likely need to take action on. These small data sets can make it far easier and cost effective to identify and act on unauthorized activity.

Do you need help?

I'm in no way suggesting that honeypots replace any existing detection technologies, I'm suggesting that can contribute. Personally, I feel the concept of deception has overshadowed the value of honeypots, when one of their true values lies in detection.

lance

Does your IDS have Intelligent Attack Profiling? If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard. http://www.securityfocus.com/stillsecure

Does your IDS have Intelligent Attack Profiling? If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard. http://www.securityfocus.com/stillsecure Received on Thu Feb 20 18:38:45 2003

This message: [ Message body ]
Next message: Rob Shein: "RE: Protocol Anomaly Detection IDS - Honeypots"
Previous message: Michael Katz: "Re: Web server response to attacks"
In reply to Robert Graham: "Re: Protocol Anomaly Detection IDS"
Reply: Rob Shein: "RE: Protocol Anomaly Detection IDS - Honeypots"
Reply: Pete Herzog: "RE: RES: Protocol Anomaly Detection IDS - Honeypots"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT