The principle of honeypot technology

1. Introduction

With the growing demand for Internet in human society, network security has become a key issue for the further development of Internet and various network services and applications, especially after 1993 when the Internet began to be commercialized, With the growing number of e-business businesses through the internet and the maturing of internet/intranet technologies, many organizations and businesses have built their own internal networks and connected them to the Internet. The above E-commerce applications and business secrets in the corporate network have become the targets of attackers. Security issues such as hacking and viruses caused tens of billions of dollars in economic losses in 2000, with cyber attacks occurring every few seconds worldwide, according to a survey published by the American Business Journal Information Weekly. In the summer of 2003, it was a nightmare for thousands of hosts running Microsoft Windows! Also to the vast number of netizens left a sad memory, which is due to the Shockwave worm's worldwide spread.

2. The development background of honeypot technology

The key problem of network and information security technology is to protect computer system and network effectively. Network security protection covers a wide range, from the technical level, mainly including firewall technology, intrusion detection technology, virus protection technology, data encryption and authentication technology. In these security technologies, most technologies are passive protection of the system when an attacker attacks the network. and Honeypot technology can take the initiative way. As the name implies, is to use unique characteristics to attract attackers, while the attackers of various attacks to analyze and find an effective solution. (here, it might be a matter of stating, just now, that "to attract an attacker with unique characteristics," maybe someone might think you're appealing to an attacker, and that's not asking for trouble, but, I think, how can you attract an attacker if he doesn't attack you? In other words, maybe it's called Shen.

3. The concept of honeypot

Here, we first put forward the concept of honeypot. United States L. Spizner is a famous Honeypot technology expert. He once made such a definition of the honeypot: The honeypot is a resource and its value is attacked or captured. This means that the honeypot is used to be probed, attacked, and eventually compromised, and that the honeypot does not fix anything, thus providing the user with additional, valuable information. The honeypot does not directly improve the computer network security, but it is an active defense technology which is irreplaceable by other security policies.

Specifically, the most important function of the honeypot system is to monitor and record all the actions and behaviors in the system, and the network security experts can make a careful disguise so that the attacker will not know all their actions are under the surveillance of the system after entering the target system. In order to attract attackers, it is common to leave some security backdoor on the honeypot system to attract attackers, or to place sensitive information that the network attacker would like to receive, which is false information, of course. In addition, some honeypot systems record the chat content of the attackers, and the administrator can get the information of the attacker's attack tools, attacking means, attacking target and attack level by studying and analyzing these records, and also can understand the scope of the attacker's activity and the next attack goal. At the same time, in a way, this information will be evidence of prosecution of attackers. However, it is just a simulation of other systems and applications that can create a prison environment where attackers can be trapped, or a standard product system. No matter how the user builds and uses the honeypot, only it is attacked and its role can be played out.

4. The specific classification of honeypot and the security value embodied

Since the first interconnection of computers, researchers and security experts have been using a variety of honeypot tools, according to different standards can be different classification of honeypot technology, previously mentioned that the use of honeypot technology is based on security value considerations. But, to be sure, honeypot technology does not replace other security tools, such as firewalls, system listening, and so on. Here I also discuss the honeypot technology in terms of the value of security.

★ According to the design of the ultimate purpose of different we can be divided into product-type honeypot honeypot and research-type Honeypot two types.

① product-type honeypot is generally used in the network of commercial organizations. Its aim is to mitigate the threat of attacks that the Organization will be subjected to, and the honeypot strengthens security measures for protected organizations. The work they do is to detect and deal with malicious attackers.

⑴ this kind of honeypot in the protection of the contribution is very little, the honeypot will not be those who attempt to attack the intruder shut out, because the original intention of the honeypot design is compromise, so it will not reject the intruder in the system, in fact, the honeypot is to want someone to break into the system, so that the

⑵ Although the Honeypot protection function is very weak, but it has a strong detection function, for many organizations, it is very difficult to detect suspicious behavior from a large number of system logs. Although, there are intrusion detection system (IDS) exists, but the false positives and false reports of IDs, so that system administrators are tired of dealing with a variety of warnings and false positives. And the role of the honeypot is reflected in the false alarm rate far less than most of the IDs tools, but also beware of feature database updates and detection engine changes. Because the honeypot does not have any effective behavior, from the principle, any connection to the Honeypot connection should be a listening, scanning or attack of one, this can greatly reduce the false alarm rate and missing rate, thus simplifying the detection process. In a sense, the honeypot has become a more and more complex security detection tool.

⑶ if the system within the organization has been compromised, those systems that are in an accident cannot work offline, which will result in all of the product services provided by the system being stopped, and the system administrator will not be able to properly authenticate and analyze, and the honeypot can respond to the intrusion, It provides a system with low data pollution and a sacrificial system that can work offline at any time. At this point, the system administrator will be able to analyze the offline system and apply the results and experiences of the analysis to future systems.

② Research-type honeypot is designed specifically for the purpose of research and acquisition of attack information. This kind of honeypot does not enhance the security of specific organizations, on the contrary, the honeypot to do is to study the organization of various network threats, and to find a better way to deal with these threats, they have to do is to collect information of malicious attackers. It is generally applied to the army, the Security research organization.

★ According to the honeypot and the interaction between the attackers, can be divided into 3 categories: Low interactive honeypot, in the interactive honeypot and high interactive honeypot, at the same time this also reflects the development of the Honeypot 3 processes.

The biggest characteristic of ① low interactive honeypot is simulation. The honeypot is not the real product system, but the simulation of all kinds of systems and services provided by the attackers. Because its service is simulated behavior, so the honeypot can get the information is very limited, only to the attackers simple response, it is the safest type of honeypot.

② interaction is a simulation of the behavior of a real operating system, which provides more interaction information and can also get more information from the attacker's behavior. In this simulated behavior system, the honeypot can look like a real operating system without distinction. They are a real system and a tempting target to attack.

③ High Interactive honeypot has a real operating system, its advantages are embodied in the real system to provide the attacker, when the attacker obtained root authority, the system, the data authenticity of confusion, his more activities and behavior will be recorded. The disadvantage is that the possibility of intrusion is high, if the entire high honeypot is invaded, then it will be the next step for attackers to attack the springboard. At home and abroad, the main honeypot products have dtk, empty system, Bof,specter,home-made honeypot, Honeyd,smokedetector,bigeye,labrea tarpit,netfacade,kfsensor, Tiny Honeypot, mantrap,honeynet 14 species.