Amber: A zero-interaction honeypot and network enforcer with modular intelligence

2013 Information Security for South Africa Pub Date : 2013-10-21 DOI:10.1109/ISSA.2013.6641053

A. Schoeman

{"title":"Amber: A zero-interaction honeypot and network enforcer with modular intelligence","authors":"A. Schoeman","doi":"10.1109/ISSA.2013.6641053","DOIUrl":null,"url":null,"abstract":"For the greater part, security controls are based around the principle of Decision through Detection (DtD). The exception to this is a Honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots' uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of Decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has been done proving the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"115 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 Information Security for South Africa","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISSA.2013.6641053","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

For the greater part, security controls are based around the principle of Decision through Detection (DtD). The exception to this is a Honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots' uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of Decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has been done proving the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.

查看原文本刊更多论文

Amber:一个具有模块化智能的零交互蜜罐和网络执行者

在很大程度上，安全控制基于通过检测决策(DtD)的原则。蜜罐是一个例外，它分析第三方和自己之间的交互，同时占用一块未使用的信息空间。由于蜜罐不位于生产性信息资源上，因此与蜜罐的任何交互都可以假定是非生产性的。这允许蜜罐仅根据数据的存在而不是数据的行为来做出决策。但由于人力资本资源有限，蜜罐在南非市场的吸收一直不尽如人意。Amber试图通过提供一个零交互安全系统来改变这一点，该系统将使用DtP的蜜罐方法来生成第三方黑名单，该黑名单可以传递给网络执行者。已经进行了实证测试，证明了这种替代和低成本方法在防御网络方面的有效性。通过在不同的地理位置安装节点，并将其检测结果流式传输到中央琥珀蜂巢，系统的功能也得到了扩展。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 Information Security for South Africa

自引率

0.00%

发文量