Publication details
Flow-based Monitoring of Honeypots
| Authors | |
|---|---|
| Year of publication | 2013 |
| Type | Article in Proceedings |
| Conference | Security and Protection of Information 2013 |
| MU Faculty or unit | |
| Citation | |
| Field | Informatics |
| Keywords | honeypot;monitoring;NetFlow;NfSen;dictionary attack |
| Attached files | |
| Description | Honeypots are known as an effective tools for discovering new attacks and for observing activity of the attackers. However, they are often seen as a research-oriented tools for security professionals that require constant supervision. We have created an incident detection system based on a combination of honeypots and flow-based monitoring that takes the best of both without additional complexity. In this paper we present deployment of both low-interaction and high-interaction honeypots and their monitoring based on network flows. We show how honeypots can be used as an automatic detection tool in the production network. We present a plug-in called honeyscan for widely-used NetFlow collector NfSen that was developed to monitor and evaluate network activity of the honeypot and to report security incidents. This plug-in processes traffic destined to honeypots, stores credentials from authentication attempts, and observes attacker's activity in the protected network. The plug-in has been deployed in the network of Masaryk University and has become one of the most contributory detection tools with tens of reported incidents per month. We support this claim by doing a comparison with other detection tool and by exploring applications of recorded data. |
| Related projects: |