Early warning system for Internet-based security alerting
Original Publication Date: 2004-Mar-05
Included in the Prior Art Database: 2004-Mar-05
Process for setting up a controlled, centralized repository of hacker activity collected by personal Honeypot security resources.
Ref: A Honeypot is a security resource whose value lies in being probed, attacked, or compromised, thereby diverting the attention of hackers away from legitimate Internet resources. In this disclosure, a Honeypot is a small application installed on a personal computer that flags potential security vulnerabilities and sends customized reports to a central management station, which collects and analyzes those reports to identify current trends in computer hacking, for the sole purpose of providing an early warning system to the general Internet user population.
Conventional honeypots typically capture traffic or activity passively, so that the operator can learn how a hacker works and lure the hacker away from a more valuable resource. However, they lack a centralized repository that analyzes the resulting data and allows the recorded hacker activity to be shared, and this lack makes a conventional honeypot of little use to the wider Internet community. Honeypots are typically limited in function and give the general user no incentive to deploy them other than as an academic exercise.
In this scenario, the proposal is to combine traditional firewall functionality with a "personal honeypot" on a large number of computers across the Internet (similar in concept to how SETI@home distributes work to volunteer machines). These honeypots would work in conjunction with a master database that logs and records all hacker activity and allows deviant activity to be trended across the Internet. Analysis of honeypot alerts can lead to new virus-scanning signatures and firewall filtering rules and alerts before a specific "strain" of attack becomes a widespread Internet problem.
The firewall, in addition to fulfilling its conventional functions, routes good traffic to the real operating system and bad traffic to the honeypot, logging the IP addresses, port numbers, and time of each event. "Good traffic", that is, traffic sanctioned by the operating system (addressed to a service the operating system is actually offering, or belonging to a connection the operating system initiated itself), is passed to the main operating system for the relevant network processes to handle. "Bad traffic", that is, traffic neither sanctioned nor initiated by the operating system and therefore potential hacker activity, is forwarded to processes specifically configured to respond like real applications while tracking the hacker's activity. A generic firewall would simply block bad traffic; here the traffic is passed to the Honeypot for collection, and forwarding to...
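The two pieces described above, the per-node firewall that splits sanctioned from unsolicited traffic and the central database that trends what the honeypots report, as an added illustration in Python. This is not the disclosure's own code: the `PersonalFirewall`, `CentralStation` and `Packet` names, the "distinct sensors in a time window" trending rule, and the sample traffic are all assumptions constructed for the example.

```python
"""Added example (not from the disclosure): firewall/honeypot split plus central trending."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    proto: str      # "tcp" or "udp"
    time: int       # seconds since epoch; constructed values in run_demo()


class PersonalFirewall:
    """One node. 'Sanctioned' traffic is (a) addressed to a port the OS really listens on,
    or (b) a reply to a connection the OS itself opened. Both sets would come from the OS
    in a deployment; here the caller supplies them (assumption)."""

    def __init__(self, sensor_id, listening_ports, initiated_connections):
        self.sensor_id = sensor_id
        self.listening_ports = set(listening_ports)   # {(proto, local_port)}
        self.initiated = set(initiated_connections)   # {(remote_ip, remote_port, local_port)}
        self.honeypot_log = []                        # IP, port and time, as the text requires

    def route(self, pkt):
        """Return 'host' or 'honeypot'; log diverted traffic instead of dropping it."""
        if (pkt.proto, pkt.dst_port) in self.listening_ports:
            return "host"
        if (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.initiated:
            return "host"
        # Unsolicited: a generic firewall would block this; here it goes to the honeypot.
        self.honeypot_log.append({"src_ip": pkt.src_ip, "proto": pkt.proto,
                                  "dst_port": pkt.dst_port, "time": pkt.time})
        return "honeypot"

    def report(self):
        """Report sent to the central station: the events tagged with this node's id."""
        return [dict(e, sensor=self.sensor_id) for e in self.honeypot_log]


class CentralStation:
    """Master database: ingests node reports and flags activity seen across many nodes."""

    def __init__(self):
        self.events = []

    def ingest(self, report):
        self.events.extend(report)

    def early_warnings(self, window_start, window_end, min_sensors):
        """Ports probed on at least `min_sensors` distinct nodes inside the window.
        Counting distinct sensors, not raw hits, separates an Internet-wide 'strain'
        from one noisy attacker hammering a single machine."""
        sensors_per_port = defaultdict(set)
        sources_per_port = defaultdict(set)
        for e in self.events:
            if window_start <= e["time"] < window_end:
                key = (e["proto"], e["dst_port"])
                sensors_per_port[key].add(e["sensor"])
                sources_per_port[key].add(e["src_ip"])
        return {key: {"sensors": len(s), "sources": len(sources_per_port[key])}
                for key, s in sensors_per_port.items() if len(s) >= min_sensors}


def run_demo():
    """Three constructed nodes and constructed traffic (not captured data)."""
    nodes = [
        PersonalFirewall("node-a", {("tcp", 80)}, {("203.0.113.9", 443, 51000)}),
        PersonalFirewall("node-b", {("tcp", 22)}, set()),
        PersonalFirewall("node-c", set(), set()),
    ]
    traffic = {
        "node-a": [Packet("198.51.100.7", 40001, 80, "tcp", 1000),   # real web hit -> host
                   Packet("203.0.113.9", 443, 51000, "tcp", 1001),   # reply to our own connection -> host
                   Packet("192.0.2.33", 40002, 445, "tcp", 1002)],   # unsolicited -> honeypot
        "node-b": [Packet("192.0.2.33", 40003, 445, "tcp", 1003),
                   Packet("192.0.2.34", 40004, 22, "tcp", 1004)],    # node-b really runs ssh -> host
        "node-c": [Packet("192.0.2.35", 40005, 445, "tcp", 1005),
                   Packet("192.0.2.36", 40006, 22, "tcp", 1006)],    # only one node sees this
    }
    station = CentralStation()
    decisions = {}
    for node in nodes:
        decisions[node.sensor_id] = [node.route(p) for p in traffic[node.sensor_id]]
        station.ingest(node.report())
    return decisions, station.early_warnings(1000, 2000, min_sensors=3)


if __name__ == "__main__":
    decisions, warnings = run_demo()
    print(decisions)
    print(warnings)
```

In the constructed run, port 445/tcp is diverted on all three nodes and is reported as a warning, while port 22/tcp is served for real on node-b and probed on only node-c, so it stays below the threshold. One caveat that follows from the design: because diverted traffic is answered rather than dropped, the honeypot processes themselves are reachable by the attacker and must be isolated from the real operating system.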