KNAW

NoAH: establishing a pan-European network of honeypots

Title NoAH: establishing a pan-European network of honeypots
Period 01 / 2005 - unknown
Status Current
URL http://www.cs.vu.nl/~herbertb/projects/noah/
Research number OND1304892
Data Supplier Website Vrije Universiteit

Abstract

In order to capture and recognize new types of cyber attacks, security experts have developed honeypots. A honeypot is a computer system that serves no ordinary users and provides no advertised service. Since it has no users, a honeypot should neither receive nor generate any traffic under ordinary conditions; if it does, the most likely explanation is that it is being attacked (or has already been compromised). Effectively, a honeypot is a decoy system that lures attackers into compromising it. Every attack against the honeypot is logged so that security administrators can study and analyze it, and once they have analyzed an attack they can produce countermeasures against it. Over the last four years, security experts have used honeypots to study attackers by capturing an attack as it was being planned, discussed and deployed.

Although honeypots deliver information that is very accurate and usually consists only of attack-related activity, their major disadvantage is a very narrow field of view: a honeypot can only report on the attacks it receives itself. If a neighbouring computer is under heavy attack, the honeypot will not notice until it is attacked in turn. Thus, although honeypots have the potential to identify cyber attacks, a single honeypot lacks the critical mass needed to make fast and accurate decisions about the recognition and spread of a new attack.

For example, suppose that an organization deploys a single honeypot and a new worm starts to spread. It may take a long time before the worm reaches that honeypot: a worm that picks its targets uniformly at random will, on average, have infected half of the vulnerable computers on the Internet before it hits this particular honeypot. By then it is probably too late to take countermeasures, since the worm will on average also have hit half of the organization's own systems. Fortunately, the more honeypots an organization deploys, the sooner the worm hits one of them. If an organization deploys k honeypots, then on average at least one of them is hit after only about 1/k of the vulnerable machines on the Internet have been infected; with 1,000 honeypots, one of them detects the new attack after only about one thousandth of the vulnerable machines have been hit. However, deploying and managing such a large number of honeypots may be very difficult for a single organization. Moreover, honeypots within a single organization share a narrow range of IP addresses, which probably makes them less effective, since they cover only a small, local subset of the Internet.

In NoAH, we propose to study the feasibility of, and perform the necessary technical preparatory work towards, building an infrastructure consisting of a European Network of Advanced honeypots: a network of honeypots that cooperate and exchange information in order to combat cyber attacks effectively.
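The "k honeypots detect a worm after about 1/k of the vulnerable hosts" argument above can be checked with a small model. The code below is an added example, not the NoAH project's code or anything from the original page. It assumes a toy model of my own: the worm scans targets in uniformly random order without repeats, the target population is N vulnerable hosts plus k honeypots that the worm cannot tell apart, and a honeypot reports the worm the first time it is scanned. Under those assumptions the expected number of vulnerable hosts infected before the first honeypot sees the worm is exactly N/(k+1), which is N/2 for one honeypot and roughly N/1000 for a thousand; a seeded Monte Carlo run confirms the closed form.

```python
# Added example (not from the NoAH page or project): a toy model of how the
# number of honeypots, k, bounds how far a random-scanning worm spreads before
# any honeypot sees it.
#
# Model assumptions (mine, not the page's):
#   - the worm scans targets in a uniformly random order and never repeats one;
#   - the population is N vulnerable hosts plus k honeypots, indistinguishable
#     to the worm;
#   - a honeypot reports the worm the first time it is scanned.
from fractions import Fraction
import random


def expected_hits_before_detection(n_vulnerable: int, k_honeypots: int) -> Fraction:
    """Closed form for the expected number of vulnerable hosts reached before
    the first honeypot is scanned.

    A random scan order places the k honeypots at k distinct random positions
    among the N+k targets, splitting the N vulnerable hosts into k+1 gaps of
    equal expected size. The gap before the first honeypot therefore holds
    N/(k+1) hosts on average: k=1 gives N/2, k=1000 gives about N/1000.
    """
    if n_vulnerable < 0 or k_honeypots < 1:
        raise ValueError("need N >= 0 vulnerable hosts and k >= 1 honeypots")
    return Fraction(n_vulnerable, k_honeypots + 1)


def detection_fraction(k_honeypots: int) -> Fraction:
    """Fraction of the vulnerable population already infected at first detection."""
    return Fraction(1, k_honeypots + 1)


def simulate_hits_before_detection(n_vulnerable: int, k_honeypots: int,
                                   trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the same quantity with a seeded RNG.

    Drawing k distinct positions out of N+k is equivalent to a random scan
    order; the smallest drawn position is exactly the number of vulnerable
    hosts scanned before the first honeypot.
    """
    rng = random.Random(seed)
    total_targets = n_vulnerable + k_honeypots
    total = 0
    for _ in range(trials):
        honeypot_positions = rng.sample(range(total_targets), k_honeypots)
        total += min(honeypot_positions)
    return total / trials


if __name__ == "__main__":
    n = 100_000  # constructed population size for the demo
    for k in (1, 10, 100, 1000):
        exact = expected_hits_before_detection(n, k)
        est = simulate_hits_before_detection(n, k, trials=2000, seed=42)
        print(f"k={k:5d}: expected {float(exact):9.1f} hosts infected "
              f"({float(detection_fraction(k)):.4f} of population), "
              f"simulated {est:9.1f}")
```

The model says nothing about the second problem the abstract raises, address locality: a worm that prefers nearby addresses, or one that avoids known honeypot ranges, is not scanning uniformly, and the 1/(k+1) bound no longer applies. That is the case for spreading the k honeypots across many networks rather than placing them all in one organization's address block.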

Abstract (NL)

The European NoAH project is concerned with setting up a pan-European network of honeypots. These are the Internet equivalent of lightning rods: PCs that are deliberately left open in order to attract cyber attacks. When an attack reaches a honeypot, it is automatically dissected and the attack's signature is forwarded to the machines and organisations responsible for blocking such packets.

Related people

Project leader Dr.ir. H.J. Bos

Classification

A50000 Economics
D16100 Computer systems, architectures, networks
