
RES: Protocol Anomaly Detection IDS - Honeypots

From: Augusto Paes de Barros <augusto(at)paesdebarros.com.br>
Date: Fri Feb 21 2003 - 06:17:46 EST


Lance's point can be expanded in very interesting views. Why use only honeypots "hosts" or "nets", when we can use accounts, documents, info, etc? I was developing an idea that I call "honeytokens", to use on Windows networks. Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening.

--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto@paesdebarros.com.br



-----Original Message-----
From: Lance Spitzner [mailto:lance@honeynet.org]
Sent: Thursday, February 20, 2003 15:59
To: Robert Graham
Cc: Focus on Intrusion Detection Systems; slyph@alum.mit.edu
Subject: Re: Protocol Anomaly Detection IDS - Honeypots


On Wed, 19 Feb 2003, Robert Graham wrote:

> People have been hoping that there is some sort of magic-pill technology that
> solves the problem of IDS. "Protocol-anomaly detection" is one of those
> buzzwords that promises a magic pill.

Okay, I'll admit, to me a lot of the security problems I see are nothing more than nails, and honeypots are the hammer. However, seriously, have folks considered the detection capabilities of honeypots? The reason I bring this up in this thread is, for honeypots, everything is an anomaly. The concept of a honeypot is it has no production or authorized activity. Everything that comes its way is most likely malicious activity.

Not only that, but you dramatically reduce 'noise'. Instead of dealing with 5,000 alerts a day (not that high of a number for many organizations), a honeypot in the same environment could only generate 5 or 10 alerts a day, alerts you most likely need to take action on. These small data sets can make it far easier and cost effective to identify and act on unauthorized activity.

I'm in no way suggesting that honeypots replace any existing detection technologies; I'm suggesting that they can contribute. Personally, I feel the concept of deception has overshadowed the value of honeypots, when one of their true values lies in detection.

lance

-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling? If not, see what you're missing. Download a free 15-day trial of StillSecure Border Guard. http://www.securityfocus.com/stillsecure
-----------------------------------------------------------
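The two detection ideas in this thread, Augusto's honeytokens (data that has no legitimate reason to cross the wire) and Lance's point that any traffic to a honeypot is worth an alert because it has no authorized activity, can be turned into one small detector. The following is an added illustration, not code from either poster; the token values, honeypot addresses, the event line format and the sample events are all constructed for this example.

```python
# Added example: alert on honeytoken use and on any contact with a honeypot.
# Tokens, addresses and event lines below are constructed placeholders.
import re
from dataclasses import dataclass

# Honeytokens: planted value -> where it was planted, so an alert says which
# decoy was touched. No legitimate traffic should ever carry these.
HONEYTOKENS = {
    "svc_backup_legacy": "decoy account in the directory",
    "Q4-merger-draft.xls": "decoy document on the FILESRV01 share",
    "4111-2222-3333-4444": "decoy card number inside the decoy document",
}

# Honeypot hosts: no production or authorized activity, so every
# connection to them is an alert (constructed addresses).
HONEYPOTS = {"10.0.5.250", "10.0.5.251"}

@dataclass(frozen=True)
class Alert:
    kind: str       # "honeytoken" or "honeypot"
    indicator: str  # token or honeypot address that fired
    source: str     # source IP taken from the event
    detail: str     # where the decoy lives, for triage

# Constructed event format: "<src_ip> -> <dst_ip> <proto> <payload>"
EVENT_RE = re.compile(r"^(\S+) -> (\S+) (\S+) (.*)$")

def scan_event(line: str) -> list[Alert]:
    """Return every alert raised by one event line (possibly none)."""
    m = EVENT_RE.match(line)
    if not m:
        return []  # unparseable line: nothing to judge
    src, dst, _proto, payload = m.groups()
    alerts = []
    if dst in HONEYPOTS:
        alerts.append(Alert("honeypot", dst, src, "no authorized activity expected"))
    low = payload.lower()  # case-insensitive so SVC_BACKUP_LEGACY still matches
    for token, where in HONEYTOKENS.items():
        if token.lower() in low:
            alerts.append(Alert("honeytoken", token, src, where))
    return alerts

def scan_events(lines) -> list[Alert]:
    return [a for line in lines for a in scan_event(line)]

# Constructed sample events: normal traffic, a honeypot probe, a decoy
# account logon and a decoy document leaving the network.
SAMPLE_EVENTS = [
    "10.0.1.20 -> 10.0.5.10 smb user=jsmith share=\\\\FILESRV01\\public",
    "10.0.1.77 -> 10.0.5.250 tcp SYN port=445",
    "10.0.1.77 -> 10.0.5.10 smb user=SVC_BACKUP_LEGACY share=\\\\FILESRV01\\finance",
    "10.0.1.77 -> 192.0.2.9 http POST /upload filename=Q4-merger-draft.xls",
]
```

Running `scan_events(SAMPLE_EVENTS)` yields three alerts, all from 10.0.1.77, and none for the ordinary share access; that is the small, actionable data set Lance describes.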
Received on Fri Feb 21 11:23:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT

