Web Site Honeypots as Intrusion Detection Systems Explained

Abstract

This paper examines how a web site honeypot can help security professionals perform their jobs more effectively by functioning as an intrusion detection system (IDS). It outlines a four-step research approach: designing a provocative honeypot web site to attract attackers, monitoring port activity using the BackOfficer Friendly (BOF) application, collecting connection and log-file data generated by intrusion attempts, and analyzing that data using the Nebula signature generator in SNORT format. Drawing on peer-reviewed and industry literature, the paper explains the advantages honeypots offer over conventional intrusion-detection solutions, including low false-positive rates, the ability to capture previously unknown attacks, and the capacity to record attacker tools, methods, and communications.

Key Takeaways
  • Introduction: The Evolution of Intrusion Detection: Historical context and cost of computer crime
  • Honeypot Overview and Purpose: Definition and advantages of web honeypots
  • Step One: Designing the Honeypot Web Site: Crafting a provocative site to attract attackers
  • Step Two: Monitoring with BackOfficer Friendly: Using BOF to monitor ports and log intrusions
  • Step Three: Collecting and Analyzing Attack Data: Log collection, Nebula signatures, and SNORT analysis
  • Chapter Summary: Recap of methodology and chapter contributions

What makes this paper effective

  • Grounds the technical subject in a clear real-world context by opening with the historical cycle of offense and defense, making abstract concepts accessible to a broad audience.
  • Structures the argument around a concrete four-step research methodology, giving the paper a logical, procedural spine that is easy to follow.
  • Integrates direct quotations from industry practitioners (e.g., Marcus Ranum on BOF, Werner on Nebula) alongside peer-reviewed scholarship, blending technical authority with academic rigor.

Key academic technique demonstrated

The paper demonstrates effective use of operational definition supported by layered citation. Each technical tool — BackOfficer Friendly, Nebula, SNORT — is introduced with a precise definition drawn from a primary or practitioner source and then immediately contextualized within the paper's research framework. This technique anchors unfamiliar terminology and shows readers exactly how each tool fulfills a step in the methodology.

Structure breakdown

The paper opens with a broad historical and economic framing of computer crime, then narrows to the specific research question. A dedicated overview section defines honeypots conceptually before the argument moves into four sequential methodology steps: site design, monitoring, data collection, and signature-based analysis. A brief chapter summary closes the discussion and signals a literature review to follow. This funnel structure — broad context to specific method — is characteristic of a well-organized research proposal introduction.

Introduction: The Evolution of Intrusion Detection

The origins of intrusion detection systems are lost in the mists of time, but it is clear from the archaeological record that people have been trying to protect what is theirs from early on by using an increasingly sophisticated array of barricades, fortifications, and other barriers designed to keep the "bad guys" out. The historical record also provides ample evidence of how the "bad guys" would always develop ways to overcome these defenses, and the same cycle continues in the defense industry and home protection market today. Moreover, these same security needs have been extended to digital data of all types in the Age of Information, but especially data maintained on computer systems connected to the Internet. In this regard, Wible (2003) reports that "Computer crime comes in many varieties, including online theft and fraud, vandalism, and politically motivated activities. Other hackers simply try to break code, seeking challenge, competition, and bragging rights" (p. 1577).

The costs associated with such illicit access activities can be astronomical when entire computer systems are disabled, and even modest disruptions of service can be extremely costly for many companies today (Hahn & Layne-Farrar, 2006). While the actual costs may never be known precisely — because much of this type of activity remains underreported out of fear of reputational loss and out of concern about attracting even more attacks — these authors suggest that the average cost of such attacks in 2005 was at least $204,000 (Hahn & Layne-Farrar, 2006).

Honeypot Overview and Purpose

While a number of initiatives have been advanced in recent years designed to protect online data and prevent unauthorized access, the fact remains that virtually all online data is vulnerable to exploitation to some extent, and identifying appropriate responses represents a timely and important enterprise. To this end, the proposed study seeks to identify ways in which a web site honeypot can help security professionals perform their jobs more effectively by acting as an intrusion detection system (hereinafter alternatively "IDS"). This chapter provides an overview of the proposed study, including the specific steps that will be undertaken to achieve the research purpose and goals discussed further below, followed by a summary of this introductory chapter.

Generally speaking, a "honeypot" is simply something intended to be as attractive as possible to a target audience, whether it is a geographic location such as Shakespeare's birthplace, a reliable source of campaign contributions, or even the irresistible "huney-pot" of a certain fictional bear in the Hundred Acre Wood. Today, the term "honeypot" also refers to a web site intended to provide computer security professionals with timely data about what types of illicit activity are taking place in their systems and what protections are needed to prevent comparable attacks in the future. According to Thomae and Bakos (2004), "A honeypot is a heavily instrumented machine or service, real or emulated, that is deployed in the hope that an attacker will attempt to break into it, actually break into it, or perform other illicit or unauthorized actions" (p. 1).

Today, such honeypots offer a number of advantages for security professionals seeking to identify improved ways to protect their data and determine weaknesses in their systems. Thomae and Bakos (2004) report that honeypots can be used as a decoy to distract attackers from authentic targets within a computer network, or to detect ongoing attacks and collect data for analysis concerning attacker tools, methods, and motivations.
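The collection and analysis steps this paper outlines end in SNORT-format signatures derived from traffic the honeypot captured. The sketch below is an added illustration, not code from the paper and not Nebula's own algorithm: it takes the longest byte string shared by every captured request and emits it as a SNORT `content` rule. The sample requests, the `MIN_LEN` threshold, the function names, and the `sid` value are assumptions made for the example.

```python
# Constructed sample: HTTP requests a decoy web server might record (invented path/token).
CAPTURED = [
    b"GET /decoy/admin.php?token=probe-7f3a&x=1 HTTP/1.0\r\n\r\n",
    b"POST /decoy/admin.php?token=probe-7f3a HTTP/1.1\r\nHost: h\r\n\r\n",
    b"GET /mirror/decoy/admin.php?token=probe-7f3a&dbg=on HTTP/1.1\r\n\r\n",
]
MIN_LEN = 8  # assumption: shorter tokens are too generic to alert on


def longest_common_substring(samples):
    """Longest byte string present in every sample (brute force, small inputs)."""
    if not samples:
        return b""
    shortest = min(samples, key=len)
    for size in range(len(shortest), 0, -1):
        for start in range(len(shortest) - size + 1):
            candidate = shortest[start:start + size]
            if all(candidate in s for s in samples):
                return candidate
    return b""


def snort_content(data):
    """Encode bytes for a content option: printable text, everything else |hex|."""
    parts, hexrun = [], []
    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '";\\|:':
            if hexrun:
                parts.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            parts.append(chr(b))
        else:
            hexrun.append("%02X" % b)
    if hexrun:
        parts.append("|" + " ".join(hexrun) + "|")
    return "".join(parts)


def make_rule(samples, sid=1000001):
    """Return a rule string, or None when the shared token is too short."""
    token = longest_common_substring(samples)
    if len(token) < MIN_LEN:
        return None
    return ('alert tcp any any -> $HOME_NET 80 (msg:"Honeypot-derived signature"; '
            'content:"%s"; sid:%d; rev:1;)' % (snort_content(token), sid))


if __name__ == "__main__":
    print(make_rule(CAPTURED))
```

Because a honeypot has no legitimate users, every request it logs is a candidate input; the length threshold keeps a token such as `HTTP/1.` from becoming a rule that fires on ordinary production traffic.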

Step One: Designing the Honeypot Web Site

The first step involved in achieving the goals of the proposed study is to design a web site sufficiently provocative to attract attention from the appropriate audience. In other words, the web site must be sufficiently interesting — and annoying — to potential attackers so that they will devote the time and resources needed to attack it. For this purpose, the web site envisioned by this study will employ provocative language in order to compel attackers into attempting to breach the honeypot site so that their activities can be monitored and analyzed.

"Hackers" and "crackers" are by and large an intelligent group, and they can reasonably be expected to be highly interested in newly developed security approaches, since it makes good sense to keep abreast of what the "enemy" is doing. Likewise, by using obsolete and irritating terminology, these attackers can be further provoked into targeting the honeypot web site. Terms such as "hacking" and "hacker" are now considered old-fashioned and are no longer used by savvy computer users; they are deemed antagonistic to this community (pers. obs.). These techniques will be combined into a web site designed to be irresistible to the cracking community and to provoke aggressive reactions that result in intrusion attempts — the precise outcome intended by this study and the primary purpose of a web site honeypot.

Step Two: Monitoring with BackOfficer Friendly

The second step involved in prosecuting the proposed study is monitoring activity on the honeypot web site. For this purpose, an application known as BackOfficer Friendly (BOF) will…

Step Three: Collecting and Analyzing Attack Data

Neeley (2000) reports that this need was recognized early on by Network Flight Recorder, Inc., which introduced BackOfficer Friendly — a spoofing server service that can alert a company whenever its corporate network's ports have been scanned by an outsider. In addition, Neeley advises that honeypots can "pretend to be a…

Chapter Summary

This chapter provided an overview and brief description of honeypots and how they can be used to identify potential vulnerabilities in a web site by collecting attack activity, thereby providing security professionals with the information they need to formulate improved protections and superior barriers. This chapter also presented a review and discussion of the four…
Key Concepts in This Paper
Honeypot, Intrusion Detection, BackOfficer Friendly, Port Scanning, SNORT, Nebula Signatures, Attack Monitoring, Network Vulnerability, Computer Crime, Data Collection
Cite This Paper
PaperDue. (2026). Web Site Honeypots as Intrusion Detection Systems Explained. PaperDue. https://www.paperdue.com/study-guide/web-site-honeypot-intrusion-detection-system-28866