Honeypots mailing list archives
RE: profiling honeypots..
From: Nigel Clarke <nigel () 26354 net>
Date: 07 Apr 2003 16:56:42 -0400
Toby, I agree with you. If you graph or design your methodology against elite attackers, you would have better success. The script kiddies don't write attacks. They use elite attacker programs. The only problem is that there are so many security practitioners who are "white hat" during the day and "black hat" in their spare time. They would be successful in working around your model.

On Mon, 2003-04-07 at 16:44, Toby Miller wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Because there is no way we could get a profile right 100% of the time, hell I don't believe we could get a profile right 95% of the time (especially against elite attackers). I came up with a very immature model and am still working on it, the problem is many people want a model that is correct 100% of the time. There are many variables in our field, covering every single variable is difficult. This makes modeling difficult as well. All that being said, we still could continue developing a model, we would have to realize that it would have flaws.

Just my .02 worth

Toby

Toby, I am interested in learning what would classify profiling as an art and not a science?

I have given some lectures on my model and the one thing people fail to realize is that no model will be accurate 100% of the time. The FBI will tell you their profiling system is not accurate 100% of the time. What we need to do is come up with a model that is accurate most of the time and can be used as another tool in the honeypot/ids world.

It is important to develop a model. One thing that prohibits development are some of the networks and the way they are designed. If client X is attacked, depending on the severity of the outage you won't have the chance to perform any type of analysis. Not everyone uses TCP dump recorders.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPpHjAVLhpjRJgUE5EQKYTACcDlZF91bDn2j8hYYf8M1iD3etYkUAoK2o
xXQnMdXDUT72o0DbYqTQejPc
=oltq
-----END PGP SIGNATURE-----
-- Nigel Clarke Blade Runner #26354 *Filed and Monitored*
