Pantek Library

Re: RES: Protocol Anomaly Detection IDS - Honeypots

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Fri Feb 21 2003 - 19:33:17 EST

On Fri, 2003-02-21 at 10:54, Mike Shaw wrote:
> >For example, you create a word document that has the title of payroll

Yes, they are. When discussing this, we have to be careful to not overstep the fine line that differentiates the honeytoken idea from a copy-bug or deception-pools.

A copy-bug is a marker embedded in a document that lets you identify an illegal copy. Most widely used are grammatical or typographical errors. If someone reproduces a document titled 'The Delcaration of Independence' you can spot it because you know that you marked it with that typo.

A deception pool is a stash of falsified documents (think research data) amongst which you hide the real document. Imagine a folder called Research with the files Result00001.doc through Result99999.doc. Only Result77453.doc contains the real result.

Copy-bugs can be tracked just like you would zoom in on a honeytoken, but they do not attract like a honeypot. A deception-pool provides a lot of false info, just like a honeypot/honeytoken, but again does not attract. Honeypots, while providing false info, attract the hacker so we can learn about their techniques.

Don't get me wrong, the idea of honeytokens is great. But we have to be careful that we don't give an old horse a new name.


Cheers,
Frank

Received on Tue Feb 25 17:50:00 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT
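
The copy-bug idea from the message above, as an added example that is not part of the original post: it goes one step beyond the single known typo and gives each recipient a different set of deliberate misspellings, so a found copy can be narrowed to its source. The typo table (apart from 'Delcaration'), the key, the recipient names, the sample text and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed table: correct word -> deliberate misspelling (the copy-bug).
# "Delcaration" is the page's own example; the rest are made up here.
TYPOS = {
    "Declaration": "Delcaration", "necessary": "neccessary",
    "separate": "seperate", "government": "goverment",
    "independent": "independant", "rights": "rihgts",
}
SECRET = b"constructed-demo-key"           # assumption: known only to the owner
RECIPIENTS = ["alice", "bob", "carol"]     # constructed recipient names
SAMPLE = ("The Declaration of Independence holds that it is necessary for a "
          "people to become separate and independent, and that government "
          "exists to secure their rights.")  # constructed sample text

def marker_set(secret, recipient, k=3):
    """Choose which k words get misspelled in this recipient's copy."""
    def rank(word):
        msg = f"{recipient}:{word}".encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()
    return frozenset(sorted(TYPOS, key=rank)[:k])

def mark_copy(text, secret, recipient):
    """Return the text with this recipient's copy-bugs embedded."""
    for word in marker_set(secret, recipient):
        text = text.replace(word, TYPOS[word])
    return text

def observed_markers(text):
    """Words whose marked (misspelled) form appears in a found copy."""
    return frozenset(w for w, typo in TYPOS.items() if typo in text)

def identify(text, secret, recipients):
    """Recipients whose marker set covers every marker seen in the copy.

    A subset match is used because whoever copied the text may have
    corrected some typos; no markers at all means no attribution.
    """
    seen = observed_markers(text)
    if not seen:
        return []
    return [r for r in recipients if seen <= marker_set(secret, r)]

if __name__ == "__main__":
    leaked = mark_copy(SAMPLE, SECRET, "bob")
    print(leaked)
    print("candidate sources:", identify(leaked, SECRET, RECIPIENTS))
```

With only six candidate words and three markers per copy, two recipients can receive the same set, so `identify` returns a list of candidates rather than a single name.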

