Honeypots mailing list archives

RE: profiling honeypots..


From: Nigel Clarke <nigel () 26354 net>
Date: 07 Apr 2003 16:56:42 -0400

Toby,

I agree with you. If you graph or design your methodology against elite
attackers, you would have better success. The script kiddies don't write
attacks. They use elite attacker programs.

The only problem is that there are so many security practitioners who
are "white hat" during the day and "black hat" in their spare time. They
would be successful in working around your model. 
On Mon, 2003-04-07 at 16:44, Toby Miller wrote:
Because there is no way we could get a profile right 100% of the
time, hell I don't believe we could get a profile right 95% of the
time (especially against elite attackers). I came up with a very
immature model and am still working on it, the problem is many people
want a model that is correct 100% of the time. There are many
variables in our field, covering every single variable is difficult.
This makes modeling difficult as well. All that being said, we still
could continue developing a model, we would have to realize that it
would have flaws. Just my .02 worth

Toby


Toby, I am interested in learning what would classify profiling as an
art and not a science?


I have given some lectures on my model and the
one thing people fail to realize is that no model will be accurate
100% of the time. The FBI will tell you their profiling system is
not accurate 100% of the time. What we need to do is come up with a
model that is accurate most of the time and can be used as
another tool in the honeypot/ids world.

It is important to develop a model. One thing that prohibits
development are some of the networks and the way they are designed.
If client X is attacked, depending on the severity of the outage you
won't have the chance to perform any type of analysis. Not everyone
uses TCP dump recorders.




-- 
Nigel Clarke
Blade Runner #26354
*Filed and Monitored*