It seems to be a very interesting thought. Correct me if I am wrong in understanding this -
the basic premise is that, once the 'monitor' identifies a process that is not conforming to the usual practice (say via anamoly detection), it silently transfers the process image to a honeypot - without disruption of anysort and the process runs within the honeypot (a VM, in all probability).
May be initially one can only take care of the socket connections, and then move to the part of file handles, memmaps and others.
Was this attempted before - I don't know, hence the question.
Thanks
Gangadhar
-----Original Message-----
From: "Payton, Zack" <Zack.Payton_at_MWAA.com>
To: <dewadedw_at_yahoo.com>, <honeypots_at_securityfocus.com>
Date: Tue, 11 Oct 2005 11:09:17 -0400
Subject: RE: search for master of science project topic
Sure, What about writing a paper about the best way to monitor
processes on a production box and processes transfer and tcp redirect to
honeypot in event of anomaly.
Zack
-----Original Message-----
From: dewadedw_at_yahoo.com [mailto:dewadedw_at_yahoo.com]
Sent: Sunday, October 09, 2005 1:32 AM
To: honeypots_at_securityfocus.com
Subject: search for master of science project topic
I am a master of science student in electronic engineering. I am
searching for a topic about honeypot for my thesis. I was wondering if
any body could give me some recommendations.
Received on Oct 14 2005
Intro
