Honeypots mailing list archives
RE: profiling honeypots..
From: "Bernie, CTA" <cta () hcsin net>
Date: Mon, 7 Apr 2003 17:50:52 -0400
I agree we must have a model that accurately describes the honeypot's system in terms of expected functional and behavioral characteristics. However, I believe there are engineering obstacles which must be considered and overcome before we can make a detailed assessment of the criteria influencing the model's construction.

The first obstacle is that an accurate model cannot be built until we formally identify and describe the system's operating requirements with respect to satisfying user/operator objectives and its correlation with an actual active system environment. What is more, I believe we cannot establish the engineering criteria of a honeypot model until we model and understand the operating criteria of an actual active system environment, inclusive of its processes/users/operators/attackers and inherent instabilities.

The second obstacle is that we do not actually understand the user/operator objectives, namely what we want to achieve from the deployment of a honeypot. Are we trying to capture data and actions to analyze attackers, the attack or both? My opinion is that current honeypot design implementations do more to capture intelligence specific to the attack profile, while revealing relatively trivial intelligence regarding the profile of the attacker.

On 7 Apr 2003, at 13:46, Toby Miller wrote:
I have been reading this thread with great interest and the dialogue is good, but the one thing people need to realize is that profiling is an art, not a science. I have given some lectures on my model and the one thing people fail to realize is that no model will be accurate 100% of the time. The FBI will tell you their profiling system is not accurate 100% of the time. What we need to do is come up with a model that is accurate most of the time and can be used as another tool in the honeypot/ids world.

Toby

On 7 Apr 2003, at 10:12, Anton A. Chuvakin wrote:

implementations are that they exhibit predictable or identifiable probe/attack response characteristics, and their locations are

Hmm, that sounds a bit weird to me. When you type a UNIX command, the response is pretty predictable (or at least one hopes so). Why should honeypots "display unpredictable behavior"?

bhh>>> I believe you are considering only one stimulus / response event and not the quantization effect/error dynamics of the entire system. On a truly "active" system one would observe a quantifiable randomness in the system-wide operating and response characteristics indicative of the open-loop dynamics of a live/active system. Conversely, most honeypots by design are closed loop systems that respond in a linear or controlled manner with predictable responses to step changes and stimuli, when analyzed as a system.
- -
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
