Authors: Pavol Sokol, Matej Zuzčák, Tomáš Sochor
Abstract
Honeypots play an important role in network security, since they obtain information about attackers, their targets, methods, and tools. This paper offers a discussion about the definition of attack. The main matter of discussion is when an activity is considered to be an attack. The paper focuses only on low-level interaction server honeypots and outlines the definition of attack from the perspective of Windows service emulation and Linux SSH service emulation.
Introduction
At present, the methods, procedures and targets of intruders have changed. To be successful in protecting the information systems of organizations, we have to change our defense tools as well. Honeypots are a relatively new kind of tool in the field of IT security. In 2003 a public forum of over 5,000 security professionals defined the term honeypot as "an information system resource, whose value lies in unauthorized or illicit use of that resource" [1].
Honeypots can be divided into several types, based on their level of interaction, purpose, role and deployment. In this paper the classification based on the level of interaction and on the role is used. Usually low-interaction and high-interaction honeypots are distinguished. The difference between these classes is the extent to which the attacker is allowed to interact with the system. In this paper we focus on low-level interaction honeypots, which detect attackers using software emulation of the characteristics of a particular operating system and of network services on the host operating system. There are many implementations, for example Dionaea [2] and Kippo [3]. The second classification used in the paper is based on the role.
The main idea of honeypots is based on the fact that a honeypot is "a system whose value lies in being probed, attacked and/or compromised" [1]. Since honeypots are designed to be attacked, the most significant term associated with honeypots is the term attack. The definition of attack in the context of honeypots is very important for honeypot usage, especially for their efficiency and the quality of the collected data. Request for Comments (RFC) 4949 [4] defines an attack as "an intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat". According to this RFC, the attacker is "the subject performing an attack (either automated, represented by a piece of software, or human)" and a connection is a "sequence of logically tied packets forming the attack".
Since 2004 the definition of attack from the perspective of honeypots has remained unchanged. The common approach considers each connection as an attack [1]. Current approaches to the definition of attack are discussed in more detail in the following text. In our opinion, present definitions of attack do not take current trends in low-level interaction honeypots into account. The contribution of this paper is a discussion of approaches to the definition of attack against low-level interaction server honeypots from the perspective of Windows service emulation and Linux SSH service emulation. The second contribution lies in a proposal for the definition of attack.
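To make the gap between the two definitions concrete, the following added example (not code from the paper or from any honeypot project) counts "attacks" over constructed session records shaped like those a low-interaction SSH honeypot such as Kippo produces. The per-connection count follows the common approach cited above; the second count is an assumed operationalization of the RFC 4949 wording, treating only sessions that attempted authentication or ran a command as an "intentional act" against the security policy.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Session:
    """One honeypot connection: a 'sequence of logically tied packets'."""
    src: str
    login_attempts: int = 0                              # auth attempts seen
    commands: List[str] = field(default_factory=list)    # commands after login


# Constructed sample sessions, illustrative only, not real captured data.
SAMPLE_SESSIONS = [
    Session("198.51.100.7"),                        # TCP connect, immediate close
    Session("198.51.100.7"),                        # banner exchange, no auth
    Session("203.0.113.9", login_attempts=25),      # password guessing
    Session("203.0.113.12", login_attempts=1, commands=["uname -a", "id"]),
]


def classify(session: Session) -> str:
    """Label a session by the highest level of activity it reached."""
    if session.commands:
        return "intrusion"            # logged in and used the emulated shell
    if session.login_attempts > 0:
        return "credential-attack"    # tried to violate the security policy
    return "probe"                    # connection only; nothing was attempted


def count_attacks_per_connection(sessions: List[Session]) -> int:
    """Common honeypot approach [1]: every connection counts as an attack."""
    return len(sessions)


def count_attacks_intentional_act(sessions: List[Session]) -> int:
    """Assumed reading of RFC 4949: count only sessions that attempted to
    evade security services (an authentication attempt or a command)."""
    return sum(1 for s in sessions if classify(s) != "probe")


def summarize(sessions: List[Session]) -> Dict[str, int]:
    """Sessions per class, showing where the two counts diverge."""
    counts: Dict[str, int] = {}
    for s in sessions:
        counts[classify(s)] = counts.get(classify(s), 0) + 1
    return counts


if __name__ == "__main__":
    print("per-connection attacks:", count_attacks_per_connection(SAMPLE_SESSIONS))
    print("intentional-act attacks:", count_attacks_intentional_act(SAMPLE_SESSIONS))
    print(summarize(SAMPLE_SESSIONS))
```

On the sample data the two definitions give 4 and 2 attacks respectively; the two bare probes from the same source are what separates them.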