worm blog: The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks

« Worm Meets Beehive | Main | EPOCalypse NOW! (The Explosion of Win32 Worm Threats) »

The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks

Another paper that analyzes the efficacy of a honeypot deployment on actually curtailing malicious traffic. This paper gives you some insight into the data management techniques, too, for large-scale honeypot and honeynet deployments.

Computer Networks connected to the Internet continue to be compromised and exploited by hackers. This is in spite of the fact that many networks run some type of security mechanism at their connection to the Internet. Large Enterprise Networks, such as the network for a major university, are very inviting targets to hackers who are looking to exploit networks. Large Enterprise Networks may consist of many machines running numerous operating systems. These networks normally have enormous storage capabilities and high speed/high bandwidth connections to the Internet. Due to the requirements for Academic Freedom, system administrators are restricted in what requirements they can place on users on these networks. The high bandwidth usages on these networks make it very difficult to identify malicious traffic within the enterprise network. We propose that a Honeynet can be used to assist the system administrator in identifying malicious traffic on the enterprise network. By its very nature, a Honeynet has no production value and should not be generating or receiving any traffic. Thus, any traffic to or from the Honeynet is suspicious in nature. Traffic from the enterprise network to a machine on the Honeynet may indicate a compromised enterprise system.

Source: The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks, John Levine, Richard LaBella, Henry Owen, Didier Contis, Brian Culver. From: Proceedings of the 2003 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY June 2003.

April 7, 2005 in detection, honeypots, papers | Permalink
Tell others: digg submit | del.icio.us this | Reddit