Honeypots mailing list archives

RE: profiling honeypots..
From: "Bernie, CTA" <cta () hcsin net>
Date: Mon, 7 Apr 2003 17:50:52 -0400

I agree we must have a model that accurately describes the 
honeypot's system in terms of expected functional and 
behavioral characteristics.  However I believe there are 
engineering obstacles which must be considered and 
overcome before we can make a detailed assessment of the 
criteria influencing the model's construction.

The first obstacle is that an accurate model can not be built 
until we formally identify and describe the system's operating 
requirements with respect to satisfying user/operator objectives 
and its correlation with an actual active system environment. 
What is more, I believe we can not establish the engineering 
criteria of a honeypot model until we model and understand the 
operating criteria of an actual active system environment, 
inclusive of its processes/users/operators/attackers and 
inherent instabilities.

The second obstacle is that we do not actually understand the 
user/operator objectives, namely what we want to achieve from 
the deployment of a honeypot.  Are we trying to capture data 
and actions to analyze attackers, the attack or both? My 
opinion is that current honeypot design implementations do 
more to capture intelligence specific to the attack profile, while 
revealing relatively trivial intelligence regarding the profile of the 
attacker. 

On 7 Apr 2003, at 13:46, Toby Miller wrote:

I have been reading this thread with great interest and the
dialogue is good but the one thing people need to realize is that
profiling is an art not a science. I have given some lectures on
my model and the one thing people fail to realize is that no
model will be accurate 100% of the time. The FBI will tell you
their profiling system is not accurate 100% of the time. What we
need to do is come up with a model that is accurate most of
the time and can be used as another tool in the honeypot/ids
world.

           Toby
On 7 Apr 2003, at 10:12, Anton A. Chuvakin wrote:

implementations are that they exhibit predictable or
identifiable probe/attack response characteristics, and their
locations are
Hmm, that sounds a bit weird to me. When you type a UNIX
command, the response is pretty predictable (or at least one
hopes so). Why should honeypots "display unpredictable
behavior"?

bhh>>>
I believe you are considering only one stimulus / response
event and not the quantization effect/error dynamics of the
entire system. On a truly "active" system one would observe a
quantifiable randomness in the system-wide operating and response
characteristics indicative of the open-loop dynamics of a
live/active system. Conversely, most honeypots by design are
closed loop systems that respond in a linear or controlled manner
with predictable responses to step changes and stimuli, when
analyzed as a system.

--
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
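As an added illustration of the distinction Bernie draws between a live system's "quantifiable randomness" and a closed-loop honeypot's predictable responses, the following script scores a response-latency profile from the operator's side, so a honeypot maintainer can check whether a deployment answers too uniformly compared with a production host. This is example code written for this page, not from the thread or from any honeypot project; the latency samples are constructed, and the 0.15 coefficient-of-variation cut-off and the 10% step size are assumed, illustrative values rather than figures from the discussion.

```python
"""Score a response-timing profile as "live-like" (noisy, open-loop) or
"closed-loop" (near-deterministic). Added example; all samples are constructed."""
import statistics
from typing import Sequence

# Constructed latency samples in milliseconds. Not measurements of any real system.
LIVE_HOST_MS = [12.1, 47.3, 9.8, 130.2, 15.6, 22.9, 88.4, 11.0, 34.7, 19.3]
HONEYPOT_MS = [20.0, 20.1, 19.9, 20.0, 20.2, 19.8, 20.0, 20.1, 19.9, 20.0]

# Assumed, illustrative thresholds (not from the thread).
CV_THRESHOLD = 0.15   # below this the profile is treated as closed-loop
STEP_FRACTION = 0.10  # a change larger than 10% of the mean counts as a "step"


def coefficient_of_variation(samples: Sequence[float]) -> float:
    """Standard deviation relative to the mean; dimensionless, so comparable across hosts."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    mean = statistics.fmean(samples)
    if mean == 0:
        raise ValueError("mean latency is zero")
    return statistics.stdev(samples) / mean


def step_response_ratio(samples: Sequence[float], step_fraction: float = STEP_FRACTION) -> float:
    """Fraction of successive samples that differ by more than step_fraction of the mean.

    A live host under changing load rarely repeats the same timing; a controlled
    responder tends to return the same timing for the same stimulus."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    mean = statistics.fmean(samples)
    steps = sum(1 for a, b in zip(samples, samples[1:]) if abs(b - a) > step_fraction * mean)
    return steps / (len(samples) - 1)


def classify(samples: Sequence[float], cv_threshold: float = CV_THRESHOLD) -> str:
    """Label a profile using the coefficient of variation alone."""
    return "closed-loop" if coefficient_of_variation(samples) < cv_threshold else "live-like"


def report(name: str, samples: Sequence[float]) -> dict:
    """Collect the metrics an operator would compare between a honeypot and a production peer."""
    return {
        "name": name,
        "cv": round(coefficient_of_variation(samples), 4),
        "step_ratio": round(step_response_ratio(samples), 2),
        "label": classify(samples),
    }


if __name__ == "__main__":
    for label, data in (("live-host", LIVE_HOST_MS), ("honeypot", HONEYPOT_MS)):
        print(report(label, data))
```

The useful comparison is relative: gather the same probe's latencies from the honeypot and from a real host on the same network segment, then look at whether the honeypot's coefficient of variation and step ratio sit far below its neighbour's. A single absolute threshold is only a starting point, since network jitter alone can push either number around.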

