First draft of a presentation I gave to students almost a year back.



  1. Honeypots
     Jayant Kumar Gandhi, Himanshu Bhatnagar, Sachin Gajjar, Sameek Banerjee, Shashwat Agrawal
  2. Agenda
     - Motivation
     - Definition
     - Advantages / Disadvantages
     - Types
  3. Motivation
     - The key to effective intrusion detection is information:
       - Learn more about past attacks
       - Detect currently occurring attacks
       - Identify new types of attacks
       - Do all this in real time
  4. Definition
     - "Any security resource whose value lies in being probed, attacked, or compromised" – L. Spitzner, Honeypots: Tracking Hackers, ISBN 0-321-10895-7
  5. How honeypots work
     - A resource that expects no data, so any traffic to or from it is most likely unauthorized activity
  6. Advantages
     - Reduce false positives and false negatives
     - Data value
     - Resources
     - Simplicity
  7. Disadvantages
     - Narrow field of view
     - Fingerprinting
     - Risk
  8. Types
     - Production (law enforcement)
     - Research (counter-intelligence)
  9. Production Honeypots
     - Prevention
     - Detection
     - Response
  10. Research Honeypots
     - Early warning and prediction
     - Discover new tools and tactics
     - Understanding motives, behavior and organization
     - Develop analysis and forensic skills
  11. Level of Interaction
     - The level of interaction determines the amount of functionality a honeypot provides:
       - Low interaction: less learning, complexity and risk
       - High interaction: high learning, complexity and risk
  12. Risk
     - An attacker can compromise your honeypot to harm, attack or infiltrate other systems and organizations
  13. Low Interaction
     - Provides emulated services
     - No operating system to access
     - Information is limited to transactional data and the attacker's activities with the emulated services
  14. High Interaction
     - Provides actual operating systems
     - Learn an extensive amount of information
     - Extensive risk
  15. Honeyd
     - Low-interaction honeypot
     - Runs on a single computer:
       - Simulates a group of virtual machines
       - Simulates the physical network between them
     - Simulates only the network stack of each machine
     - Intended primarily to fool fingerprinting tools
  16. Honeyd
     - Fingerprinting:
       - Attackers often try to learn more about a system before attacking it
       - A machine's operating system can be determined by "testing" its network behavior:
         - How the initial TCP sequence number is created
         - Response packets for open and closed ports
         - Configuration of packet headers
       - Common fingerprinting tools: Nmap, Xprobe
  17. Honeynets
     - High-interaction honeypots
     - Network of real machines (honeypots)
     - Honeywall – a gateway between the honeypots and the rest of the world
  18. Legal issues
     - Privacy
     - Entrapment
     - Liability
  19. Legal Mumbo Jumbo
     - Design template is Copyright © 2006 Jayant Kumar Gandhi (
     - Clip art is Copyright © 2006 Microsoft Corporation
     - All trademarks and registered trademarks are acknowledged and are the property of their respective owners
  20. Bibliography
     - Robert Graham, Network Intrusion Detection Systems, 2000.
     - David Klug, Honeypots and Intrusion Detection.
     - Christian Plattner and Reto Baumann, White Paper: Honeypots.
     - Lance Spitzner, Honeypots: Tracking Hackers, ISBN 0-321-10895-7.
     - Lance Spitzner, Intrusion Detection, 2000.
     - Lance Spitzner, Know Your Enemy: I, II and III, 2000.
  21. Questions?
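As an added example (not from the slides, and not Honeyd's code), a minimal low-interaction honeypot in Python that shows slides 5, 13 and 16 in practice: it presents a constructed SMTP-style banner so a port scanner sees an "open" service, captures the first request, logs every connection as an alert (the resource expects no traffic, so there is no normal baseline to filter) and then hangs up, offering no operating system or further functionality. The banner text, port 2525 and the 203.0.113.5 source address are constructed placeholders.

```python
import json, socket, time

BANNER = b"220 mx1.example.invalid ESMTP ready\r\n"  # constructed fake banner
RECV_LIMIT = 512    # low interaction: read one short request, then hang up
IDLE_TIMEOUT = 5.0

def record_event(src, listen_port, data, now=None):
    """One alert per connection: the honeypot expects no legitimate traffic."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "alert": "honeypot_connection",
        "src_ip": src[0],
        "src_port": src[1],
        "dst_port": listen_port,
        "data_hex": data.hex(),  # hex so attacker input is never reinterpreted
    }

def handle_client(conn, addr, listen_port, sink, now=None):
    """Emulate the service only far enough to capture the first request."""
    conn.settimeout(IDLE_TIMEOUT)
    try:
        conn.sendall(BANNER)
        try:
            data = conn.recv(RECV_LIMIT)
        except (socket.timeout, OSError):
            data = b""
    finally:
        conn.close()  # nothing further is offered, so nothing to pivot from
    event = record_event(addr, listen_port, data, now)
    sink(json.dumps(event))
    return event

def serve(host="0.0.0.0", port=2525, sink=print):
    """Accept forever. Run unprivileged on a host that holds no real data."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            handle_client(conn, addr, port, sink)

def simulate_connection(request, src=("203.0.113.5", 40000), port=2525):
    """Offline self-test over a socketpair; returns (event, bytes client saw)."""
    srv_side, client_side = socket.socketpair()
    client_side.sendall(request)  # constructed 'attacker' request
    event = handle_client(srv_side, src, port, lambda _line: None, now=0)
    seen = client_side.recv(len(BANNER))
    client_side.close()
    return event, seen
```

Feed the JSON lines from `sink` to whatever collects your IDS alerts; because the honeypot has no legitimate users, every record is worth looking at, which is the "reduce false positives" point of slide 6.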