Knowledge sharing honeynets

Abstract

Due to the prevalence of distributed and coordinated Internet attacks, many researchers and network administrators study the nature and strategies of attackers. To analyze event logs, using intrusion detection systems and active network monitoring, honeynets are being deployed to attract potential attackers in order to investigate their modus operandi. The goal is to use honeynet clusters as real-time warning systems in production networks. Towards satisfying this objective, we have built a honeynet cluster and have run experiments to determine its effectiveness. Majority of the honeynets function in isolation, not sharing information in real time. In order to rectify this deficiency, the authors built a federation of cooperating honeynets (referred to as knowledge sharing honeynets) that shares knowledge of malicious traffic. This paper describes the methods in building a hardware assisted honeynet cluster and testing its effectiveness.