SWARTHMORE CS 97 - Sweeter Honeynets

Proceedings of the Class of 2006 Senior Conference, pages 45–52, Computer Science Department, Swarthmore College, (c) 2005

Sweeter Honeynets

Kenneth Patton

December 2005

Abstract

The honeynet is a new technology used in the field of computer security for researching the actions of hackers. While honeynets have the potential to give us great insight into the hacker world, recent studies have shown that the rate of data collection by honeynets is far from optimal. This paper first discusses the motivation for using honeynets to track hackers' activities, and gives a brief background on honeynets and the various types of hackers in the world. Then, solutions to the problem of increasing honeynet traffic are presented. The primary solution that the author develops is using a webserver as bait, and the steps needed to implement this approach are discussed in detail. Two additional methods are also presented as alternatives: advertising through hacker chatrooms and online contests. The author concludes that all three of these methods are feasible and intends to implement them for experimental confirmation.

1 Introduction

With computer systems playing a larger role in society today, computer security is now more important than ever to protect the confidentiality, integrity, and availability of digital information. Computer systems are also becoming increasingly complex, making it difficult to ensure system security when hundreds of applications are run on a regular basis, with just as many running continuously in the background. In addition, application developers typically adopt a release-and-patch mentality in order to minimize time to market, increasing the number of software bugs that external computer crackers can use to compromise a host system.

Due to the prevalence of hackers on the internet today, we recognize the need to research the methods that hackers use to compromise target systems. There are many different techniques employed by hackers to compromise external computers; these range from code analysis and the manual design of tools to the less sophisticated downloading of automated scripts from the internet. Ideally we would like to obtain information about all the different types of attacks that hackers employ, although the less sophisticated attacks are generally more prevalent.

In order to track the actions of hackers, we need a strategy for allowing hackers to do their work while they are unknowingly observed. One tool that facilitates this is known as a honeynet. In a honeynet, a single secure computer monitors a group of insecure "bait" computers that are waiting to be compromised by external hackers. While still a relatively young technology, honeynets help facilitate research into computer crimes because they present hackers with an otherwise undisturbed environment, which makes it simple to identify which traffic and actions on a computer in the honeynet are due to hackers.

There are typically two types of honeynets in use today: production honeynets and research honeynets. Production honeynets are simple honeynets used to capture limited amounts of information, often employed by companies to help protect more valuable systems on a network. Research honeynets are more complex entities designed to capture as much information as possible about the behavior of intruders. Research honeynets are typically not designed to protect other systems on the network in the short run, but ideally benefit systems in the future through analysis of the techniques that hackers use to compromise typical machines. All traffic on research honeynets is known to be intrusive in nature because they have no other intended purpose, which makes it easier to analyze a hacker's behavior.

However, as research honeynets are typically unadvertised, they attract relatively low amounts of traffic. In a recent study [1], the average amount of time it took an unpatched Linux system connected to the internet to become compromised was approximately 3 months. While data collected from individual break-ins is certainly valuable, with such sparse occurrences it is questionable whether this is the best method for collecting data. Instead, by making the honeypots more visible through actively advertising them, we can draw more hacker activity at the cost of additional legitimate traffic. As an example, by placing a webserver on a honeypot and designing a simple but enticing website that draws a small amount of web traffic, we present a bigger target for typical hackers than an anonymous machine on the network. This has the drawback that not all of the traffic to the machine will be illicit, but since we know exactly what traffic to expect, it should not be difficult to filter out attacks on the machine: standard web browsers requesting valid pages of the website will not be considered attack traffic, whereas web requests for invalid pages and non-HTTP traffic will be considered attack traffic.

2 Background

2.1 Hackers

There are a number of different types of hackers, each with different motivations and methods of attacking a remote computer. We classify as hackers individuals who, through direct or indirect action, cause a machine to behave in a manner other than intended by the owner. Often this results in the hacker gaining control over the system, but we still classify as hackers individuals who make the machine behave abnormally without gaining control of it (for example, through DDoS attacks). Here we try to classify the different types of hackers that might typically be encountered by a system on the internet, along with their motives.
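Returning to the webserver-as-bait approach from the Introduction: the filtering rule stated there (requests for valid pages are expected traffic; requests for pages the site does not serve, and anything that is not HTTP, are attack traffic) can be applied directly to the webserver's access log. The following is an added example written for this page, not code from the paper. It assumes a Common Log Format access log, an allowlist of the pages the bait site actually serves (the site is assumed to be static, so a query string against a valid page is also treated as probing), and that the server records a rejected non-HTTP connection as a malformed request line with a 400 or 408 status, as Apache does. The log lines and the allowlist are constructed for the example.

```python
"""Separate expected browsing from attack traffic in a bait webserver's log.

Added example for this page, not the paper's code. Assumptions: Common Log
Format, a static site with a known set of pages, and a server that logs
non-HTTP junk sent to port 80 as a malformed request line (status 400/408).
"""
import re
from collections import Counter
from typing import Dict, Set, Tuple

# Pages the bait site actually serves (assumed allowlist for this example).
VALID_PAGES = {"/", "/index.html", "/about.html", "/style.css", "/images/logo.png"}

# Methods a browser would legitimately use against a static site.
HTTP_METHODS = {"GET", "HEAD", "POST"}

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)\s*$'
)

# Constructed sample log: two browser hits, three web probes, two non-HTTP
# connections (a TLS ClientHello sent to the plain-HTTP port, and a client
# that opened a socket and sent nothing before the timeout).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Dec/2005:14:02:11 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Dec/2005:14:02:12 -0500] "GET /style.css HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Dec/2005:14:05:40 -0500] "GET /admin/login.php HTTP/1.0" 404 289',
    '198.51.100.7 - - [10/Dec/2005:14:05:41 -0500] "GET /cgi-bin/test.cgi?cmd=id HTTP/1.0" 404 289',
    '198.51.100.7 - - [10/Dec/2005:14:05:42 -0500] "GET /index.html?page=../../etc/passwd HTTP/1.0" 200 1043',
    r'192.0.2.33 - - [10/Dec/2005:14:09:02 -0500] "\x16\x03\x01\x00\x81\x01" 400 226',
    '192.0.2.34 - - [10/Dec/2005:14:09:05 -0500] "" 408 -',
])


def classify_request(line: str) -> Dict[str, str]:
    """Return the source host, a verdict ('expected' or 'attack') and a reason."""
    m = CLF.match(line)
    if m is None:
        # Not even a well-formed log line; treat as hostile rather than drop it.
        return {"host": "?", "verdict": "attack", "reason": "unparseable log line"}
    host, request = m.group("host"), m.group("request")
    parts = request.split(" ")
    # A browser always sends "<METHOD> <target> HTTP/x.y"; anything else was
    # not produced by a web client (port scan, TLS to the wrong port, junk).
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/"):
        return {"host": host, "verdict": "attack", "reason": "non-HTTP request line"}
    path, _, query = parts[1].partition("?")
    if path in VALID_PAGES and not query:
        return {"host": host, "verdict": "expected", "reason": "valid page"}
    if path in VALID_PAGES:
        # The bait site is static, so parameters on a real page are probing.
        return {"host": host, "verdict": "attack", "reason": "query string on a static page"}
    return {"host": host, "verdict": "attack", "reason": "request for page not served: " + path}


def summarize(log: str) -> Tuple[Dict[str, int], Set[str]]:
    """Count verdicts over a whole log and collect the hosts that sent attack traffic."""
    counts: Counter = Counter()
    attackers: Set[str] = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        result = classify_request(line)
        counts[result["verdict"]] += 1
        if result["verdict"] == "attack":
            attackers.add(result["host"])
    return dict(counts), attackers


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = classify_request(line)
        print(f'{r["verdict"]:8} {r["host"]:14} {r["reason"]}')
    print(summarize(SAMPLE_LOG))
```

On the sample log the two hits from 203.0.113.5 are the only expected traffic; every other line is flagged, and the three hosts that sent it are the ones whose later activity on the honeypot is worth capturing in full. The allowlist has to be maintained alongside the site, since a page that is added without updating it will turn ordinary visitors into false positives.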
A more in-depth classification of hackers is presented by Marc Rogers in [5].

The Accidental Hacker

An accidental hacker is a user who, without previous intent, unknowingly compromises or disrupts the normal behavior of a supposedly secure computer. The user may realize the result of their actions after the fact but generally will not try to exploit the vulnerability that they found. Obviously such a user has no prior motives, which makes it difficult to attract accidental hackers. Generally, if a system vulnerability can be taken advantage of accidentally, it is a serious threat to the security of the computer and is prone to intentional exploitation by less scrupulous hackers. Since break-ins due to accidental hackers are often due to glaring security holes and occur sporadically, they have little research value when focusing on typical hacker threats.

Worm and Virus