D 2013

Flow-based Monitoring of Honeypots

HUSÁK, Martin and Martin DRAŠAR

Basic information

Original title

Flow-based Monitoring of Honeypots

Czech title

Monitorování honeypotů pomocí toků

Published in

Brno, Security and Protection of Information 2013, pp. 63-70, 8 pp., 2013

Publisher

Univerzita obrany (University of Defence)

Other information

Language

English

Type of result

Conference paper (article in proceedings)

Field

10201 Computer sciences, information science, bioinformatics

Publisher's country

Czech Republic

Confidentiality

not subject to state or trade secrecy

Form of publication

printed version ("print")

Marked for transfer to RIV

Yes

RIV code

RIV/00216224:14610/13:00065721

Organizational unit

Ústav výpočetní techniky (Institute of Computer Science)

ISBN

978-80-7231-922-0

ISSN

Keywords in English

honeypot;monitoring;NetFlow;NfSen;dictionary attack

Tags

International significance, Reviewed
Changed: 27 Apr 2018 05:05, RNDr. Martin Husák, Ph.D.

Abstract

In the original

Honeypots are known as effective tools for discovering new attacks and for observing the activity of attackers. However, they are often seen as research-oriented tools for security professionals that require constant supervision. We have created an incident detection system based on a combination of honeypots and flow-based monitoring that takes the best of both without additional complexity. In this paper we present the deployment of both low-interaction and high-interaction honeypots and their monitoring based on network flows. We show how honeypots can be used as an automatic detection tool in a production network. We present a plug-in called honeyscan for the widely used NetFlow collector NfSen, developed to monitor and evaluate the network activity of the honeypot and to report security incidents. This plug-in processes traffic destined to honeypots, stores credentials from authentication attempts, and observes attackers' activity in the protected network. The plug-in has been deployed in the network of Masaryk University and has become one of the most contributory detection tools, with tens of reported incidents per month. We support this claim by a comparison with other detection tools and by exploring applications of the recorded data.

Related projects

VG20132015103, R&D project
Name: Kybernetický polygon (Acronym: KYPO)
Investor: Ministry of the Interior of the Czech Republic, Kybernetický polygon

Attached files