Authors: Pavol Sokol, Martin Husák, František Lipták
Abstract
Honeypots and honeynets are popular tools in the area of network security and network forensics. The deployment and usage of these tools are influenced by a number of technical and legal issues, which need to be carefully considered together. In this paper, we outline privacy issues of honeypots and honeynets with respect to their technical aspects. The paper discusses the legal framework of privacy, the legal ground for data processing, and data collection. The analysis of legal issues is based on EU law and is supported by discussions on privacy and related issues. This paper is one of the first to discuss in detail the privacy issues of honeypots and honeynets in accordance with EU law.
Introduction
Traditional means of defence are becoming less and less effective since attackers' behaviour, methods, and tools are changing. Therefore, we need to find new approaches to protect the information and infrastructure of organizations. One useful approach is the concept of honeypots and honeynets.
Lance Spitzner defines a honeypot as an information system resource whose value lies in unauthorized or illicit use of that resource [1]. It can also be defined as a computing resource whose value is in being attacked [2]. Honeypots are a very useful framework for learning about attackers and their targets, procedures, tools, and methods.
For the purpose of this paper, we classify honeypots according to their level of interaction and their purpose. The first classification is based on the level of interaction, which can be defined as the range of possibilities that a honeypot allows an attacker to have. Low-interaction honeypots detect attackers using software emulation of the characteristics of a particular operating system and of network services on the host operating system. The advantage of this approach is better control of attacker activities, since the attacker is limited to software running on a host operating system. On the other hand, this approach has a disadvantage: a low-interaction honeypot emulates a service, or a couple of services, but it does not emulate a complete operating system. Examples of this type of honeypot are Dionaea [3] and Glastopf [4].
In order to get more information about attackers, their methods and attacks, we use a complete operating system with all services. This type of honeypot is called a high-interaction honeypot. This type of honeypot aims to give the attacker access to a real operating system, where nothing is emulated or restricted [1]. Examples of this type of honeypot are Sebek [5] and NonSSH [6].
Spitzner suggests a classification of honeypots by purpose [1]: research honeypots and production honeypots. A research honeypot is designed to gain information about the blackhat community and does not add any direct value to the organization that has to protect its information [7]. The main aim here is to get maximum information about the blackhats by giving them full access to penetrate the security system and infiltrate it [8]. The second type of purpose-classified honeypot is the production honeypot, used within an organization's environment to protect the organization and help mitigate risk [7]. An example of a production honeypot is one which captures, collects, and analyses malware for anti-virus, intrusion detection system signatures, etc.
A honeynet extends the concept of a single honeypot to a highly controlled network of honeypots [9]. The honeynet is composed of four core elements [7], [10]:
Data control – monitors and logs all of the activities of an attacker within the honeynet;
Data capture – controls and contains the activity of an attacker;
Data collection – stores all captured data in one central location;
Data analysis – the ability of the honeynet to analyse the data being collected from it.
Deployment and usage of honeypots bring many benefits, e.g. the possibility of discovering new forms of attacks. In addition, low-interaction honeypots are easy to deploy, undemanding resource-wise, and simple to use [7]. On the other hand, a number of issues need to be addressed during deployment and usage.
The most frequent problems are [11]:
inaccurate results – in some cases, data obtained from the honeypots lead to poor results, due to a limited amount of data;
discovery and fingerprinting – the attackers can detect the honeypots;
risk of takeover – the honeypot may be used to attack real (non-honeypot) systems.
The quantity and quality of the data collected from honeypots are among the problems associated with their usage. This problem is closely linked to the issue of privacy, which is one of the most significant concepts in the field of law and was set forth in Article 8 of the European Convention on Human Rights. Privacy can be defined as the right to be left alone and to have a private life [7]. It can also be defined as the right of a person to be free from unwarranted publicity [9].
It covers several aspects of individual privacy, such as the privacy of the home and office, the protection of physical integrity, and also the privacy of communications (telephone calls, chats, emails, etc.). Therefore, the primary motivation for this paper is the fact that an administrator has to take into account the issue of privacy and related issues in the process of data collection. The failure of an administrator to meet that responsibility leaves him open to a lawsuit for any disruption of privacy and the resulting damages.
To formalize the scope of our work, two research questions are stated:
What data can honeypot administrators collect?
What are the conditions for the collection of data and data retention?
In this paper, the authors focus on European Union (EU) regulations, EU directives and international agreements. National legislation of EU Member States is based on these legal documents (EU directives, international agreements) or legal documents are an integral part of national legislation (EU regulations, international agreements). Therefore, some national legislation may be slightly different from the concept found in EU law or international law.
This paper is organized into seven sections. Section II reviews previous work related to the legal aspects of honeypots and honeynets, discussing how the related papers address the issue of privacy. Section III is the main part of the paper. It provides an overview of privacy in the field of honeypots, including the issue of collected data and the legal ground to collect data. This section answers the first research question and partially the second. Section IV outlines data retention in honeypots. Section V outlines the relationship between network monitoring and honeypots. Sections IV and V answer the second research question. Section VI focuses on further issues related to honeypots: publication of the results and intellectual property. Section VII concludes the paper and contains suggestions for future work.