
CHAPTER 1

INTRODUCTION
Information security is an ever-increasing concern of organizations and individuals. As attacks have become more sophisticated, information security techniques have started to take forms different from the traditional techniques used in the past. One of these new forms is the honeypot. In the area of information security, the term honeypot refers to a closely monitored computing resource that we want to be probed, attacked or compromised. Lance Spitzner defines a honeypot to be "a resource whose value is in being probed, attacked or compromised." A honeypot has no productive value; thus any attempt to contact it is suspicious by definition. With honeypots, the security system uses deception techniques to entice the adversary. Deception here means the creation of a false environment to deceive people. Honeypot systems are therefore meant to create a false computing environment in order to entrap the attacker in a false system. The purpose of this paper is to study and analyze the deception techniques of virtual honeypots, and to provide a reasonable overview and comparison of these techniques. Furthermore, we discuss the level of deception presented to attackers in a honeypot system.

Deception Methodology in Virtual Honeypots

CHAPTER 2

BACKGROUND
In the early 1990s, the use of honeypots as a deceptive tool in the defense of information security came to the forefront with a paper about a "Jail" created by an AT&T researcher to observe attackers' activities in real time. Since that time, deception has increasingly been explored as a key technology for innovation in information protection.

2.1 Honeypots Taxonomy


Honeypots can be classified into physical and virtual honeypots. Physical honeypots are real standalone computers, while virtual honeypots use software to emulate services or networks. Most work has tended toward developing and researching virtual honeypots, as they require less cost and maintenance. Virtual honeypots are divided into two main types according to the interaction level with attackers:

1. Low-interaction honeypots.
2. High-interaction honeypots.

2.1.1 Low-interaction honeypots

Low-interaction honeypots are specific systems that emulate services, networks, TCP devices or any other element of a real system, but without being real. There is a meta system behind, invisible to the attacker, which pretends to be whatever it is programmed to be. They do not need to behave exactly like a system or service. They usually emulate a service and provide answers to a simple subset of requests. For instance, a honeypot simulating an email server can pretend to be accepting connections and allow writing an email on them, although actually it will never be sent.
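The email-server case above, as an added example (not code from the original report or from any honeypot product): a low-interaction SMTP emulation that answers a small subset of commands, logs everything and delivers nothing. The hostname, peer addresses, dialogues and the three-connection alert threshold are constructed assumptions.

```python
from collections import Counter

HOSTNAME = "mail.example.test"   # constructed name for the emulated server


class FakeSmtpSession:
    """One emulated SMTP dialogue. Nothing is ever relayed or delivered."""

    def __init__(self, peer, log):
        self.peer = peer
        self.log = log            # shared list of (peer, event, detail)
        self.in_data = False
        self.body = []

    def banner(self):
        self.log.append((self.peer, "connect", ""))
        return f"220 {HOSTNAME} ESMTP ready"

    def handle(self, line):
        """Return the reply to one client line, or None while inside DATA."""
        if self.in_data:
            if line == ".":       # end-of-message marker
                self.in_data = False
                self.log.append((self.peer, "message", "\n".join(self.body)))
                self.body = []
                return "250 OK queued"   # recorded for analysis, never sent
            self.body.append(line)
            return None
        self.log.append((self.peer, "command", line))
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HOSTNAME}"
        if verb in ("MAIL", "RCPT"):
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        # Anything outside the emulated subset gets a generic refusal.
        return "502 Command not implemented"


def replay(dialogues):
    """Feed (peer, client_lines) dialogues through fresh sessions."""
    log, transcripts = [], []
    for peer, lines in dialogues:
        session = FakeSmtpSession(peer, log)
        replies = [session.banner()]
        for line in lines:
            reply = session.handle(line)
            if reply is not None:
                replies.append(reply)
        transcripts.append(replies)
    return log, transcripts


def sources_over_threshold(log, threshold=3):
    """Peers that connected at least `threshold` times (assumed alert rule)."""
    counts = Counter(peer for peer, event, _ in log if event == "connect")
    return sorted(peer for peer, n in counts.items() if n >= threshold)


# Constructed client dialogues (documentation address ranges).
SAMPLE_DIALOGUES = [
    ("192.0.2.10", ["EHLO scanner", "MAIL FROM:<a@example.test>",
                    "RCPT TO:<b@example.test>", "DATA",
                    "Subject: hi", "", "test body", ".", "QUIT"]),
    ("192.0.2.10", ["HELO x", "VRFY root", "QUIT"]),
    ("192.0.2.10", ["HELO x", "QUIT"]),
    ("198.51.100.7", ["HELO y", "QUIT"]),
]

if __name__ == "__main__":
    log, _ = replay(SAMPLE_DIALOGUES)
    for entry in log:
        print(entry)
    print("alert on:", sources_over_threshold(log))
```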

Low-interaction honeypots do not usually aim to catch real attackers, but automated tools. However, automated systems such as automatic exploitation software, worms or viruses, specially crafted to carry out a certain action on a service, will not detect anything unusual. They will do their job trying to exploit some vulnerability, the honeypot will pretend to be exploited and the honeypot administrator will obtain the desired information. Low-interaction honeypots have the problem that it is harder to discover new forms of attack with them. They are prepared to simulate certain attacked services and to respond in a specific way so that the attacker thinks it has achieved its target. However, such a honeypot can never behave in ways for which it is not programmed, for instance to simulate the exploitation of new types of threats. Low-interaction honeypot tools are Back Officer, LaBrea, Specter, homemade honeypots and Honeyd.

Department of C.S.E, T.C.E, GADAG

Honeyd

Honeyd is also known as the honeypot daemon. It is an open source honeypot primarily designed for Unix systems, but it now has Windows compatibility too. Honeyd works similarly to LaBrea in the sense that it monitors all the unused IP addresses, and whenever there is a request for connection to these addresses it interacts with the source machine. However, certain features are vital to note. Firstly, you don't have to create any port listener or utility for the ports you need to monitor; Honeyd has built-in capabilities for this. It can listen on all TCP and UDP ports and can detect some ICMP activity as well.

Merits of honeyd

- Full maintenance and support is provided by various other mailing lists at a nominal charge.
- Ease in configuration.
- Can monitor any TCP and UDP ports and entire networks.

Demerits of honeyd

- As it is a low-interaction honeypot, it cannot provide real operating solutions for adversaries to play with.
- No built-in support for alerts, nor mechanism for capturing extensive sessions.


LaBrea

LaBrea is also called a sticky honeypot. The main purpose of LaBrea is to hold attackers for a pre-established amount of time, which could be infinite as well. In this way, it is a low-interaction production honeypot without many bells and whistles.

Merits of LaBrea

- Tarpits a malicious connection and thus stops other machines from getting infected.
- A tool for deception, obfuscation and deviation for the white-hat community.
- Easy to set up and configure.
- Open source.

Demerits of LaBrea

- Consult your lawyer before deploying. The author of LaBrea, Tom Liston, came to know about Illinois state law after deploying it and had to get the server shifted for deploying LaBrea.
- Only runs on Unix-based systems and understands TCP and ICMP only.
- As it is open source, support is not provided.

Specter

Specter is a commercial product and is another low-interaction production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, it can emulate not only services but also a variety of operating systems. A distinguishing feature of Specter is that it is one of the few honeypots meant for Windows platforms. However, although it emulates various operating systems, it is still a low-interaction production honeypot. So the basic goal that it serves is to protect your organisation from malicious activities, not to gather information about them. In comparison it suffers from many weaknesses, but it also counteracts weaknesses of other honeypots like honeyd and LaBrea.

Merits of Specter

- Ease of use and configuration simplicity.
- Full support provided.
- Emulates 14 different operating systems.
- Incident management facility with ability to pinpoint a specific incident.
- Services can be configured to frighten, bewilder or lure the attacker.
- Supports major services.

Demerits of Specter

- Only supports TCP connections.
- Though it emulates all the major operating systems, it can be installed only on Windows platforms.
- Monitors only the IP assigned to the host machine it sits on, thus no support for unused IP addresses.
- Costs more than open source honeypots like honeyd; even extension of the upgrade and support period is charged.

2.1.2 High-Interaction Honeypot.

High-interaction honeypots are different: they are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; the attackers are given the real thing. If one wants a Linux honeypot running an FTP server, one builds a real Linux system running a real FTP server. The advantages of such a solution are twofold. First, extensive amounts of information are captured. By giving attackers real systems to interact with, one can learn the full extent of the attackers' behavior, everything from new rootkits to international sessions. The second advantage is that high-interaction honeypots make no assumptions about how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior one otherwise would not expect. An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol. However, this also increases the risk of the honeypot, as attackers can use these real operating systems to attack non-honeypot systems. As a result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Mantraps and Honeynets.

2.1.2.1 Mantrap

Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems separated from a master operating system. Security administrators can modify these jails just as they normally would with any operating system, including installing applications of their choice, such as an Oracle database or Apache web server. This makes the honeypot far more flexible, as it can do much more. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, but we can capture rootkits, application-level attacks and a variety of other threats. However, just as far more can be learned, so can more go wrong. Once the system is compromised, the attacker can use that fully functional operating system to attack others. Care must be taken to mitigate this risk. As such, it can be categorized as having a mid-to-high level of interaction. Also, these honeypots can be used either as a production honeypot (used both in detection and reaction) or as a research honeypot to learn more about threats.

Merits of Mantrap

- Since a honeypot is a decoy system, interacting traffic has to be seen with suspicion. This is the basic principle of ManTrap, and it detects unauthorised use and access by means of this.
- Similar to Specter, ManTrap also contains an incident management feature and thus can report and log activities and enhance prioritisation efforts.
- Provides response mechanisms based on frequency analysis and shuts down machines by monitoring increased hacker activity.
- Provides stealth monitoring and thus live attack analysis.
- Detects both host and network based intrusions.
- Zero-day recognition of unknown exploits and attacks.
- Reduces false positives to a very large extent.

Demerits of Mantrap

- Needs highly skilled expertise to maintain and deploy these kinds of honeypots.
- Even with that, the risk of getting compromised remains, and if these are connected to the production servers a thorough risk analysis has to be done.
- Although a commercial product, the sole aim of high-interaction honeypots is to gather information and not secure the organisation.

2.1.2.2 Honeynets

Honeynets represent the extreme of research honeypots. They are high-interaction honeypots: one can learn a great deal, but they also have the highest level of risk. A Honeynet is a network of production systems. Unlike many of the honeypots discussed so far, nothing is emulated. Little or no modification is made to the honeypots. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. This gives the attackers a full range of systems, applications, and functionality to attack. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools. "A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discretely regulated."

Merits of Honeynet

- Standard production systems can be used on the honeynet, in order to give the hacker the look and feel of a real system.
- Honeynets that use actual physical computer systems with standard operating systems as honeypots.
- Honeynet is very inexpensive to set up.

Demerits of Honeynet

- Honeynet cannot be used to attack others.
- It can only detect intrusions based on the signatures it has stored.

Chapter 3

HONEYPOT FRAMEWORK


The figure below shows a honeypot framework in which deception plays the key role in honeypot success. Whatever techniques are used, deceptive honeypots can be used effectively if they are integrated with other security tools such as an IDS and a firewall. Honeypot analysis results can be used to modify the configuration of the network security tools according to the security policy. This can also include creating IDS or anti-worm tool signatures. Moreover, the system should have alerting capabilities. The deception technique shown in the figure below can be any of the deception techniques discussed in this survey, or a combination of various techniques.

Figure 3.1 Honeypot Framework

2.2 Honeypot Usage

The various types of honeypots are used to improve both the efficiency and the effectiveness of defensive countermeasures, and to add a new line of defense to the network security layer. Networks of honeypots (honeynets) offer comprehensive data about attackers' activities that can be used to concentrate on relevant attacks; thus resources can be used more efficiently. Forensic analysis of the data collected by honeypots is less likely to have false positives than data collected by network intrusion detection systems (NIDS). Furthermore, honeypots can be used to improve the NIDS by generating new signatures for zero-day attacks and worms.

2.3 Value of Deception in Honeypots

Honeypots provide a defense mechanism in which they deceive attackers into believing that they are compromising a real production system. An attacker will intelligently attempt to explore the vulnerabilities and try to exploit them. Even when good defenses are in place, the attacker always believes that an imperfection exists somewhere in the system. The correct deployment, monitoring and analysis of these systems help to increase our understanding of security threats and their modes of operation and tools in detail.

2.4 Deception Objectives in Honeypots

- Slow down or mitigate attacks.
- Detect new threats to modify the network configuration, and create NIDS or worm signatures.
- Investigate and study the attacker's activities.

Chapter 4

HONEYPOTS DECEPTION TECHNIQUES


Deception is the basic idea underlying honeypot development. The method of deception should be sufficient to mislead the adversary and persuade them to initiate interaction with the fake system. The figure below shows the general deception technique. We need to install virtual honeypots on most production systems in order to be more effective; the reason behind this will become clear as we move on. The basic need is to design a filter so that all the traffic passing out of a system is monitored. Thus, we need to devise a honeypot within the network layer so that all traffic is monitored. From the TCP handshake protocol, we can state that whenever a system tries to make a connection to another, it is bound to send a SYN packet to the destination. So if we are able to count these SYN packets and limit the rate during infection, we have accomplished our task. In TCP, a socket is opened at the application level when a connection needs to be made. Once this is done, the transport layer forms a SYN packet and sends it. If a corresponding SYN/ACK packet is not received within a certain time, it resends the SYN packet. These retries continue until the socket times out, in which case the application is notified. In our model, we count these retried SYN packets as separate connections as well. This does not affect the results, because during a worm or virus infection the rate of SYN packets sent is much higher than even the sum of true SYN packets and retries.
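An added example of the SYN counting described above (not code from the original report): a sliding-window counter that treats every pure SYN, retransmissions included, as a connection attempt and records when a source first exceeds the limit. The window of 1000 ms, the limit of 20 SYNs, the host addresses and the traffic are constructed assumptions.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10   # TCP flag bits


class SynRateMonitor:
    """Counts outbound connection attempts per source in a sliding window."""

    def __init__(self, window_ms=1000, max_syns=20):
        self.window_ms = window_ms
        self.max_syns = max_syns
        self._recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.first_alert = {}               # src -> time the limit was first hit

    def observe(self, ts_ms, src, flags):
        """Return True when this packet puts `src` over the SYN limit."""
        # Only connection attempts count: SYN set, ACK clear. A SYN/ACK is a
        # reply to someone else's attempt and must not be counted.
        if not (flags & SYN) or (flags & ACK):
            return False
        recent = self._recent[src]
        recent.append(ts_ms)
        # Drop attempts that have fallen out of the window. The entry just
        # appended is always inside it, so the deque never becomes empty.
        while ts_ms - recent[0] >= self.window_ms:
            recent.popleft()
        if len(recent) > self.max_syns:
            self.first_alert.setdefault(src, ts_ms)
            return True
        return False


def constructed_traffic():
    """Constructed (time_ms, source, tcp_flags) records, sorted by time."""
    packets = []
    # Healthy workstation: one SYN retried twice with backoff, plus one more
    # connection. Retries are counted as separate attempts, as in the text.
    for ts in (0, 1000, 3000):
        packets.append((ts, "10.0.0.5", SYN))
    packets.append((400, "10.0.0.5", SYN))
    # Busy server answering 50 inbound connections: SYN/ACK only.
    for i in range(50):
        packets.append((i * 2, "10.0.0.80", SYN | ACK))
    # Infected host scanning: one SYN every 5 ms for one second.
    for i in range(200):
        packets.append((i * 5, "10.0.0.23", SYN))
    return sorted(packets)


def detect(packets, window_ms=1000, max_syns=20):
    """Run the monitor over the packets and return {source: first_alert_ms}."""
    monitor = SynRateMonitor(window_ms=window_ms, max_syns=max_syns)
    for ts_ms, src, flags in packets:
        monitor.observe(ts_ms, src, flags)
    return monitor.first_alert


if __name__ == "__main__":
    print(detect(constructed_traffic()))
```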

Figure 4.1 Deception technique in virtual honeypot

The different deception techniques used by the different virtual honeypot tools are as follows.

4.1 Deception Service

The basic form of virtual honeypot is to listen on a simulated service port and raise appropriate alerts once a certain threshold is exceeded. Deception services are specially designed to listen on an IP service port and respond to network requests. If the attacker accesses the simulated service, the administrator can obtain logs of the attacker's movements. The best example of a deception service could be Fred Cohen's Deception Toolkit (DTK). The release of the DTK led to a series of follow-on tools with advanced deception products such as Honeyd from the Honeynet project. In Honeyd, a virtual honeypot is created with a network stack that looks like a real operating system on which all TCP ports seem to be running services.

Honeyd simulates operating systems at the TCP/IP stack level, which allows it to deceive Nmap and Xprobe into believing that the honeypot is a real operating system.

4.2 Operating System Emulation

Honeypots can be deployed using virtual machines which emulate a complete operating system. VMware, UML, and Argos are three examples of such honeypots. Such a system has no conventional task in the network; thus any traffic to the honeypot system is suspicious by default. Monitoring tools should be used to monitor the honeypot. In addition, traffic must be controlled to prevent the attacker from using the honeypot to launch further attacks.

4.3 Vulnerability Emulation

Instead of emulating the whole operating system or the network service, we emulate only the relevant vulnerable parts of a service. To develop such honeypots we need to provide some information at certain offsets in the network flow during the exploitation process. Such a technique might be sufficient to lure attackers and worms without consuming a lot of computing and memory resources. Nepenthes is an example of a honeypot that uses this technique. Nepenthes uses several vulnerability modules, which represent the main part of the Nepenthes platform. Vulnerability modules simulate known vulnerabilities in Microsoft Windows. An incoming exploitation attempt is triggered, and the actual payload can be received, which is then passed to analyzer modules.

4.4 Connection Tarpitting

A tarpit is a service on a computer system that delays incoming connections for as long as possible. This technique was developed as a defense against computer worms and other network abuses such as spamming and broad scanning. The technique is based on the fact that such threats are less effective if they take a long time. Tom Liston developed the original tarpitting honeypot, LaBrea. LaBrea uses the tarpitting technique along with the deception services technique. LaBrea can protect an entire network with a tarpit run from a single machine. The machine listens for unanswered ARP requests (indicating unused addresses) and then responds to those requests. When it receives a SYN packet, it establishes a connection by completing the TCP three-way handshake and then stalls the connection. LaBrea supports two different ways of slowing down a connection:

- Throttling: LaBrea accepts new connections but advertises a very small receiver window. The receiver window instructs the sender not to send more data per packet than the window allows. When throttling, the connection still makes progress, albeit slowly.
- Persistent capture: LaBrea advertises a TCP receiver window size of 0 and instructs the sender to wait before sending more data. Periodically, the sender comes back and sends window probe packets to determine whether the window has opened up again. This state can persist indefinitely.

4.5 Traffic Redirection

This technique works by re-routing traffic coming to the production network so that it passes through honeypots, according to the security policy defined by the system administrator. This technique may include changing the packet formatting. Honeypots can be located either in proximity or remotely. There are various models of redirecting to honeypots:

- Redirect traffic which is destined for unused IPs.
- Redirect suspicious traffic detected by an IDS.

Various honeypot applications have used this technique, such as honeypot farms, hybrid honeypots and shadow honeypots. In the hybrid honeypot approach, high- and low-interaction honeypots are combined to obtain the advantages of each type.
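Returning to the connection tarpitting of section 4.4, an added example (not LaBrea's code and not from the original report) that models the two decisions described there: claiming an address only after its ARP requests go unanswered, and choosing the advertised window for throttling or persistent capture. The 3000 ms ARP timeout, the 10-byte throttle window, the event names and the addresses are assumptions; it works on constructed event records, not live packets.

```python
class TarpitModel:
    """Decision logic only: which addresses to claim, what window to offer."""

    def __init__(self, mode="throttle", arp_timeout_ms=3000, small_window=10):
        if mode not in ("throttle", "persist"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.arp_timeout_ms = arp_timeout_ms   # assumed value
        self.small_window = small_window       # assumed value, in bytes
        self.first_unanswered = {}   # ip -> time of first unanswered request
        self.claimed = set()         # addresses the tarpit answers for

    def on_arp_request(self, ts_ms, target_ip):
        """Return True if the tarpit should answer this who-has request."""
        if target_ip in self.claimed:
            return True
        first = self.first_unanswered.setdefault(target_ip, ts_ms)
        if ts_ms - first >= self.arp_timeout_ms:
            # Nobody answered for a full timeout: treat the address as unused.
            del self.first_unanswered[target_ip]
            self.claimed.add(target_ip)
            return True
        return False

    def on_arp_reply(self, sender_ip):
        """A real host answered: the address is in use, so never hold it."""
        self.first_unanswered.pop(sender_ip, None)
        self.claimed.discard(sender_ip)

    def window(self):
        """Receiver window to advertise: small when throttling, 0 to persist."""
        return self.small_window if self.mode == "throttle" else 0

    def on_tcp(self, dst_ip, kind, payload_len=0):
        """Reply to a segment for a claimed address, or None to stay silent."""
        if dst_ip not in self.claimed:
            return None
        if kind == "syn":
            return {"flags": "SYN/ACK", "window": self.window(), "acked": 0}
        # Data or a window probe: accept at most one window's worth of bytes.
        return {"flags": "ACK", "window": self.window(),
                "acked": min(payload_len, self.window())}


# Constructed events: (time_ms, kind, ip, payload_len).
CONSTRUCTED_EVENTS = [
    (0,    "arp_req",   "10.0.0.77", 0),
    (100,  "arp_req",   "10.0.0.9",  0),
    (150,  "arp_reply", "10.0.0.9",  0),    # live host answers for itself
    (1000, "arp_req",   "10.0.0.77", 0),
    (3200, "arp_req",   "10.0.0.77", 0),    # still unanswered: claim it
    (3300, "syn",       "10.0.0.77", 0),
    (3400, "data",      "10.0.0.77", 512),
    (3500, "syn",       "10.0.0.9",  0),    # live host: tarpit stays silent
    (9400, "probe",     "10.0.0.77", 1),    # sender's window probe
]


def replay(events, mode):
    """Return (claimed addresses, [(time_ms, reply-or-None), ...])."""
    model = TarpitModel(mode=mode)
    replies = []
    for ts_ms, kind, ip, length in events:
        if kind == "arp_req":
            model.on_arp_request(ts_ms, ip)
        elif kind == "arp_reply":
            model.on_arp_reply(ip)
        else:
            replies.append((ts_ms, model.on_tcp(ip, kind, length)))
    return model.claimed, replies


if __name__ == "__main__":
    for mode in ("throttle", "persist"):
        print(mode, replay(CONSTRUCTED_EVENTS, mode))
```

In the throttle run the sender's 512-byte segment is acknowledged 10 bytes at a time, while in the persist run nothing is ever acknowledged and only window probes continue.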

4.6 Digital Bait

Digital bait is a fake digital entity created by the administrators for discovering the adversary. The honeytoken is an example of this approach. A honeytoken is a honeypot that is not a computer. The term honeytoken was first presented by Augusto Paes de Barros (2003) on the honeypots mailing list. A honeytoken can be anything from a mail with false information to counterfeit database entries. Whenever someone accesses a honeytoken, the unauthorized access shows that there is a potential threat. One example of a honeytoken is a false credit card number, which could be embedded into a database or some other type of repository. An IDS signature, for example in Snort, could be used to detect when that honeytoken is accessed.
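An added example of the credit-card honeytoken described above (not from the original report, and using a log scan in place of the Snort signature the text mentions): it builds a Luhn-valid decoy number and reports every log line that touches it, even when the digits are split by spaces or dashes. The number prefix, the log format and the log lines are constructed.

```python
import re


def luhn_check_digit(body):
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled,
    # then every second digit after it.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def make_honeytoken(body):
    """Turn a chosen digit string into a card-like number that validates."""
    return body + luhn_check_digit(body)


# Runs of 13 to 19 digits, optionally split by single spaces or dashes.
CARD_LIKE = re.compile(r"(?:\d[ -]?){13,19}")


def find_honeytoken_hits(lines, tokens):
    """Return (line_number, token) for every line that contains a token."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in CARD_LIKE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if digits in tokens:
                hits.append((lineno, digits))
    return hits


# Constructed decoy: the 9999 prefix and the body digits are made up.
TOKEN = make_honeytoken("999900000000123")

# Constructed audit-log lines; the format is an assumption.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 user=app_svc query=SELECT name FROM customers WHERE id=17",
    "2024-01-01T10:02:11 user=jdoe query=SELECT * FROM cards WHERE pan='9999-0000-0000-1234'",
    "2024-01-01T10:03:40 user=app_svc query=SELECT exp FROM cards WHERE pan='4111111111111111'",
    "2024-01-01T10:05:02 src=203.0.113.9 body=cc=9999 0000 0000 1234&exp=12/29",
]

if __name__ == "__main__":
    for lineno, token in find_honeytoken_hits(SAMPLE_LOG, {TOKEN}):
        print(f"honeytoken {token} accessed on log line {lineno}")
```

Because no legitimate process has a reason to read the decoy record, every hit is worth investigating; the real card-like number on line 3 is ignored.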


Chapter 5


COMPARISON AND ANALYSIS

5.1 Risk

When applied to honeypots, risk means the ability of an adversary to compromise or attack production systems using the honeypot. As mentioned in the previous section, the risk level involved in both service deception and emulation is low compared to operating system emulation, as the attacking process interacts only with an emulation. Therefore, honeypots which use a virtual machine such as VMware should be carefully safeguarded to mitigate the risk.

Using traffic redirection techniques involves low potential risk, as honeypots do not passively capture traffic from the network; thus they do not have to be physically connected to the network, they only have to be virtually on the network. Therefore, the possibility of using honeypot resources against other victims is mitigated. However, users' privacy might be a problem, since false positives might cause legitimate traffic to pass through honeypot farms. If that traffic contains confidential information that is exposed to non-administrators, this may lead to a security breach.

5.2 Effectiveness

Effectiveness is the degree of accomplishment of the intended purpose of the honeypot. Evaluating the deception technique of honeypots is not a stealthy process. However, there are some measurements to evaluate the effectiveness of honeypots:

- The ability to deceive the attacker's scanning tools, like Nmap and Nessus. This depends on the implementation rather than the deception technique itself.
- The time and effort consumed by the attacker to realize that he is attacking a non-real system.
- The amount of collected data: earlier honeypots, which use deception services, suffer from the localism of deception, where the placement of honeypots and how to make them attractive to the attacker require deep study. Thus the later techniques try to monitor more traffic to catch attacks. They have used two approaches to increase the amount of collected data:

1) To redirect traffic. This is the key purpose of using the traffic redirection technique.

2) To simulate many virtual IP addresses on the network. This technique can be applied by honeypots which use service or vulnerability emulation, by filling a large address space.

5.3 Invisibility

Invisibility here means preventing the attacker from knowing that he is attacking a fake system. Invisibility is an important aspect that can measure the success of the deception. The ideal defensive deception allows an attacker to proceed in such a manner that the attacker's intelligence effort appears to meet expectations without being able to recognize the deception in place. However, most of the defensive deception techniques are not feature-rich in terms of invisibility and detection.

5.4 Fidelity

Fidelity means the realism provided by a honeypot to an adversary. In contrast to service and vulnerability emulation, emulating a complete operating system provides a system based on a dedicated physical machine without limitation; thus this provides the highest fidelity. A honeytoken module should not look suspicious to the attacker and should contain real-looking information.



Table 5.1 Comparison of Different Deception Techniques

5.4 Needed Resources

Figure 5.1 shows the amount of resources required to implement each deception technique. As the deception technique gets more complicated, more resources are required for the deployment. Traffic redirection needs more resources because most hybrid honeypots use different deception levels; some of them use combined approaches of low- and high-interaction honeypots. Although the traffic redirection technique is considered to be the most resource-consuming, the infrastructure required for "traffic redirection" is merely a couple of re-routing switches and virtual honeypots; this shows that the cost of honeypots is still not high even if we use the most effective techniques. On the other hand, the resources needed for implementing honeytokens are still not clear, as there is no infrastructure needed, no signatures to update, and no constant monitoring required. However, they gain all the advantages of honeypots as they themselves are a part of honeypots.


Figure 5.1 Comparison of Resources Needed to Implement the Various Deception Techniques


Chapter 6

APPLICATIONS

6.1 Fault tolerance for securing e-government


Securing e-government networks is similar to securing other networks. Many approaches such as cryptography, PKI, firewalls and digital signatures are employed in these networks. However, as mentioned above, e-government is an inter-networked government. In most cases, government agencies in a country are connected to each other for communicating information about citizens. This is one of the main differences between government networks and business networks: businesses are competitors and do not disclose their networks to each other, but in most governments co-operation is more critical than competition. So we can use this connectedness to set up a honeynet.

6.2 Raising Security Awareness


Many people are not aware of the security risks their computer systems face. Further, they jeopardize their personal or company data. An attacker has an interest in concealing his or her activities to be able to keep access to a compromised system. Today's operating systems are insecure when they come freshly out of the box and need to be patched. This is mainly due to the pace at which security vulnerabilities are discovered. If an unprotected system is connected to the Internet simply to download the needed security fixes, it might get compromised in that short period of time, possibly unnoticed by the user of the system. Honeynets can serve to make such threats visible. By its nature, a honeynet is closely monitored so that researchers can see what is going on under the hood.


6.3 Detecting and Countering Worms


Honeypots are ideally suited to intercept traffic from adversaries that randomly scan the network. This is especially true for Internet worms that use some form of random scanning for new targets. A virtual honeypot deployment can be used to detect new worms and to launch active countermeasures against infected machines once a worm has been identified. To intercept probes from worms, virtual honeypots are instrumented on unallocated network addresses. The probability of receiving a probe depends on the number of infected machines, the worm propagation chance and the number of deployed honeypots. The worm propagation chance depends on the worm propagation algorithm, the number of vulnerable hosts and the size of the address space.

6.4 Education
We have incorporated the university honeynet into one of our undergraduate network security classes. We use the honeynet to provide realistic compromises for the students to work with. The students analyze data from a honeynet and perform forensics on the data to determine what happened. In addition to using the honeynet data directly in the classroom, we have used the honeynet capabilities for training students for participation in security exercises.

6.5 Network Decoys


The traditional role of a honeypot is that of a network decoy. The framework can be used to instrument the unallocated addresses of a production network with virtual honeypots. Adversaries that scan the production network can potentially be confused and deterred by the virtual honeypots. In conjunction with a NIDS, the resulting network traffic may help in getting early warning of attacks.


Chapter 7

CONCLUSION
The advanced techniques and skills of hackers have led to the emergence of new security tools and approaches. Honeypots are one of these growing computer security technologies. The main idea behind honeypots is to use deception to collect data about attackers' activities and procedures. The various deception methods discussed contribute to diverting the attacker's attention from the real system and to consuming his time and effort. Several tools have been deployed using different deceptive approaches, and some of these tools use combined deception techniques. They have different architectures and methodologies. This study provided a brief summary of each deception approach, and the comparison among them showed their different capabilities, advantages, and drawbacks. Simple honeypots provide simple deception techniques; more sophisticated honeypots, which might use various deceptive tools and layers, have been shown to be more effective. Thus, the defensive deception process is essential and must be oriented toward defeating the attacker's intelligence process. To date, it is believed that the most effective approach is to reroute production network traffic to honeypots. "Traffic redirection" can be an effective technique, as it overcomes the narrow view of other techniques in which honeypots are only able to see the traffic that passes through them, and as it can be used along with other deception techniques. In the future, this may help us to combine the various techniques to obtain new and more realistic honeypots.


REFERENCES
[1] A. Cenys, D. Rainys, L. Radvilavicius and N. Goranin, Implementation of Honeytoken Module In DBMS Oracle 9ir2 Enterprise Edition for Internal Malicious Activity Detection, IEEE Computer Society's TC on Security and Privacy, 2005.
[2] A. D. Lakhani, Deception techniques using Honeypots. MSc Thesis, ISG, Royal Holloway, University of London, 2003.
[3] F. Cohen, The Use of Deception Techniques: Honeypots and Decoys, University of New Haven, The Handbook of Information Security, Volume III, Parti: 181
[4] Honeynet Project, Know Your Enemy: Defining Virtual Honeynets. 2003. URL: http://old.honeynet.org/papers/virtual/
[5] I. Mokube and M. Adams, Honeypots: Concepts, Approaches, and Challenges, ACM Southeast Regional Conference, Proceedings of the 45th annual, Winston-Salem, North Carolina, Pages 321-326, 2007.
[6] K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis, Detecting Targeted Attacks Using Shadow Honeypots, Proceedings 14th USENIX Security Symposium, Pages 129-144, 2005.
[7] L. Oudot and T. Holz, Defeating Honeypots: Network Issues, Part 2, Security Focus, 2004. URL: http://www.securityfocus.com/infocus/1803
[8] L. Spitzner, Honeytokens: The Other Honeypot, Security Focus, 2003. URL: http://www.securityfocus.com/infocus/1713
[9] N. Provos and T. Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Addison-Wesley, 2008.
