© monophoto, 123RF.com

Effective honeypots with sensors on production systems

Trapped!

Article from ADMIN 10/2012
A honeypot is a specialized security tool that pretends to be an ordinary system to attract and identify attackers. Experienced intruders, however, are not so easily fooled. An experimental new technology known as HoneypotMe moves honeypot functionality to real systems on the production network.

Individual sources report that more than 286 million new, positively identified malware instances were registered in 2010 alone [1], not counting unreported cases (i.e., malware that cannot be detected by current security tools). In many cases, these huge numbers of "new" malicious programs (Figure 1) are not necessarily malware with any new functionality; instead, they are often the result of polymorphic or metamorphic code that regularly generates slightly modified variants of a malicious program with virtually identical functionality. The objective of this procedure is to modify the structure of the malware so that it is no longer recognized by classic, signature-based detection tools.

Figure 1: The number of malicious programs on the Internet has exploded in recent years. (From AV-TEST Institute [2], which registered more than 55,000 malicious programs every day.)

Although regular updates of signature databases used in virus scanners and intrusion detection systems are essential, uniquely assigning all newly discovered malware to a signature would take an average of 38 new signatures per minute. This number

...