Testing a Low-Interaction Honeypot against Live Cyber Attackers

摘要

The development of honeypots as decoys designed to detect, investigate, and counterattack unauthorized use of information systems has produced an 'arms race' between honeypots (computers designed solely to receive cyber attacks) and anti-honeypot technology. To test the current state of this race, we performed experiments in which we ran a small group of honeypots, using the low-interaction honeypot software Honeyd, on a network outside campus firewall protection. For 15 weeks, we ran different configurations of ports and service scripts, and simulated operating systems to check which configurations were most useful as a research honeypot and which were most useful as decoys to protect other network users. We analyzed results in order to improve the results for both purposes in subsequent weeks. We did find promising configurations for both purposes; however, good configurations for one purpose were not necessarily good for the other. We also tested the limits of Honeyd software and identified aspects of it that need to be improved. We also identified the most common attacks, most common ports used by attackers, and degree of success of decoy service scripts.