Honeypots


1. Introduction

The main goal of a honeypot is to be attacked and compromised. It distracts the attacker and gathers information about the attacker, the attack method used and the resources being targeted. A honeypot pretends to be vulnerable but is in fact deployed in a highly controlled environment. It is therefore a false target for the attacker.
All traffic to the honeypot is suspicious because no production systems are located on this resource. The data collected by the honeypot is therefore very valuable. A honeypot comprises a computer and network site that appears to be part of the organization's network but is physically isolated and continuously monitored, and which seems to contain information of value to attackers. It can be viewed as the police baiting a criminal and then conducting undercover surveillance.
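The point that every connection to a honeypot is suspicious by definition translates directly into a detection rule. The following script is an added example, not part of the original essay: it parses constructed flow-log lines (the log format, the honeypot addresses and the attacker addresses are all made up for the demo), flags every connection whose destination is a honeypot, and summarizes per attacker which services were probed, which is exactly the attacker/method/resource information the paragraph describes.

```python
"""
Triage of connection-log lines against a honeypot address list.

Added example (not from the original essay): because no production service
lives on a honeypot, every connection that touches one is an alert by
definition. The log format and all addresses below are constructed.
"""
from collections import Counter, defaultdict
import re

# Constructed honeypot address list (assumption: the organisation keeps one).
HONEYPOT_ADDRS = {"10.0.5.20", "10.0.5.21"}

# Constructed sample flow log: "<timestamp> <src>:<port> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 192.0.2.10:51234 -> 10.0.5.20:22 tcp
2024-03-01T10:00:02 192.0.2.10:51235 -> 10.0.5.20:445 tcp
2024-03-01T10:00:05 10.0.1.7:40000 -> 10.0.1.9:443 tcp
2024-03-01T10:00:09 198.51.100.4:3389 -> 10.0.5.21:3389 tcp
2024-03-01T10:00:12 192.0.2.10:51236 -> 10.0.5.21:80 tcp
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Rough service labels for the report; anything else is reported by port number.
SERVICE_BY_PORT = {22: "ssh", 80: "http", 443: "https", 445: "smb", 3389: "rdp"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text, honeypots=HONEYPOT_ADDRS):
    """Flag every connection to a honeypot.

    Returns (alerts, per_source): alerts is a list of dicts in log order,
    per_source maps attacker address -> Counter of services probed.
    """
    alerts = []
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in honeypots:
            continue  # unparseable, or ordinary production traffic: not our concern here
        service = SERVICE_BY_PORT.get(rec["dport"], f"port/{rec['dport']}")
        alerts.append({"time": rec["ts"], "attacker": rec["src"],
                       "honeypot": rec["dst"], "service": service})
        per_source[rec["src"]][service] += 1
    return alerts, dict(per_source)


if __name__ == "__main__":
    found, summary = triage(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['time']} {a['attacker']} -> {a['honeypot']} ({a['service']})")
    for src, services in summary.items():
        print(f"{src}: {dict(services)}")
```

In a real deployment the honeypot address set would come from inventory and the log from a flow collector or firewall; the rule itself stays this simple because the honeypot has no legitimate callers, so there is no allow-list to maintain.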

2. Types of honeypots

Honeypots can be classified by deployment and by design criteria.
Based on deployment:
Production Honeypots
These are generally low-interaction honeypots which are easy to deploy. They capture less information than the more sophisticated research honeypots. They are placed among the organization's production servers to improve overall security.

Research Honeypots
They are used to collect information about the organized criminals who launch attacks on different organizations. They do not provide security themselves, but they can be used to research the threats that organizations face and to analyze how to protect against them. They are complex, but they capture extensive information and are deployed mainly by government and military organizations.

Based on the design criteria they can be classified into the following ...

... middle of paper ...

...opy itself into it. So we can trick the malware into believing that the honeypot software is a removable drive.
There is a kernel-mode driver that tells the operating system whether a particular device is removable or not. It is the disk.sys driver, which inspects any new device. The ghost.bus driver is registered with it so that the honeypot software we installed is presented as a removable USB drive.

Hence, we can mount the virtual flash drive (the honeypot software) on demand to reinforce the notion of a removable device.

Whatever API the malware uses, ghost.bus presents itself to the higher levels of the operating system as a removable drive. Therefore, whenever malware tries to copy itself to the virtual drive, it can be easily detected and removed. The important aspect here is that all such malware uses social engineering to infect devices.
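What makes the decoy drive useful is that nothing legitimate ever writes to it, so the detection logic can be a plain comparison of the drive's contents against a baseline. The script below is an added example and is not code from the original essay or from the ghost.bus driver it describes: a temporary directory stands in for the mounted virtual drive, the "dropped" files are constructed, inert placeholders, and the baseline/current snapshot comparison reports every file that appeared or changed, with a hash for later triage.

```python
"""
Write detection on a decoy "removable drive".

Added example, not part of the original essay or of the ghost.bus driver:
a decoy mount should never receive legitimate writes, so the baseline-versus-
current comparison below treats any new or changed file as a finding. A
temporary directory stands in for the mounted virtual drive; the dropped
files are constructed, inert sample data, not real malware.
"""
import hashlib
import os
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large drops do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(mount):
    """Map relative path -> (size, sha256) for every file under the decoy mount."""
    state = {}
    for root, _dirs, files in os.walk(mount):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount)
            state[rel] = (os.path.getsize(full), _sha256(full))
    return state


def diff_snapshots(before, after):
    """Return findings for files that appeared or changed since the baseline."""
    findings = []
    for rel, (size, digest) in after.items():
        if rel not in before:
            findings.append({"path": rel, "event": "created", "size": size, "sha256": digest})
        elif before[rel] != (size, digest):
            findings.append({"path": rel, "event": "modified", "size": size, "sha256": digest})
    return findings


def classify(finding):
    """Crude triage label; an autorun.inf on a removable drive is a classic propagation marker."""
    name = os.path.basename(finding["path"]).lower()
    if name == "autorun.inf":
        return "autorun-propagation-marker"
    if name.endswith((".exe", ".scr", ".lnk")):
        return "dropped-executable"
    return "unexpected-write"


def demo():
    """Simulate a decoy drive: baseline it, write constructed files, detect them."""
    with tempfile.TemporaryDirectory() as mount:
        # A decoy usually carries a little bait so the drive looks genuinely used.
        with open(os.path.join(mount, "notes.txt"), "w") as f:
            f.write("quarterly figures\n")
        baseline = snapshot(mount)
        # Constructed, inert stand-ins for what self-copying malware would write.
        with open(os.path.join(mount, "autorun.inf"), "w") as f:
            f.write("[autorun]\n")
        with open(os.path.join(mount, "setup.exe"), "wb") as f:
            f.write(b"NOT-A-REAL-PROGRAM")
        findings = diff_snapshots(baseline, snapshot(mount))
        for fnd in findings:
            fnd["label"] = classify(fnd)
        return findings


if __name__ == "__main__":
    for fnd in demo():
        print(f"{fnd['event']:8} {fnd['label']:28} {fnd['path']} sha256={fnd['sha256'][:16]}...")
```

On a live system the snapshot would be taken when the virtual drive is mounted and again on unmount (or on a timer), and the hashes of anything found would go straight to the analyst, since by construction no user process had any reason to write there.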
