Advanced Honeypot Architecture for Network Threats Quantification

Simple item page
dc.contributor.advisorCukier, Michelen_US
dc.contributor.authorBerthier, Robin Gen_US
dc.contributor.departmentReliability Engineeringen_US
dc.contributor.publisherDigital Repository at the University of Marylanden_US
dc.contributor.publisherUniversity of Maryland (College Park, Md.)en_US
dc.date.accessioned2009-07-02T05:53:30Z
dc.date.available2009-07-02T05:53:30Z
dc.date.issued2009en_US
dc.description.abstractToday's world is increasingly relying on computer networks. The increase in the use of network resources is followed by a rising volume of security problems. New threats and vulnerabilities are discovered everyday and affect users and companies at critical levels, from privacy issues to financial losses. Monitoring network activity is a mandatory step for researchers and security analysts to understand these threats and to build better protections. Honeypots were introduced to monitor unused IP spaces to learn about attackers. The advantage of honeypots over other monitoring solutions is to collect only suspicious activity. However, current honeypots are expensive to deploy and complex to administrate especially in the context of large organization networks. This study addresses the challenge of improving the scalability and flexibility of honeypots by introducing a novel hybrid honeypot architecture. This architecture is based on a Decision Engine and a Redirection Engine that automatically filter attacks and save resources by reducing the size of the attack data collection and allow researchers to actively specify the type of attack they want to collect. For a better integration into the organization network, this architecture was combined with network flows collected at the border of the production network. By offering an exhaustive view of all communications between internal and external hosts of the organization, network flows can 1) assist the configuration of honeypots, and 2) extend the scope of honeypot data analysis by providing a comprehensive profile of network activity to track attackers in the organization network. These capabilities were made possible through the development of a passive scanner and server discovery algorithm working on top of network flows. This algorithm and the hybrid honeypot architecture were deployed and evaluated at the University of Maryland, which represents a network of 40,000 computers. This study marks a major step toward leveraging honeypots into a powerful security solution. The contributions of this study will enable security analysts and network operators to make a precise assessment of the malicious activity targeting their network.en_US
dc.format.extent2991587 bytes
dc.format.mimetypeapplication/pdf
dc.identifier.urihttp://hdl.handle.net/1903/9204
dc.language.isoen_US
dc.subject.pqcontrolledComputer Scienceen_US
dc.subject.pquncontrolledhoneypoten_US
dc.subject.pquncontrolledhybrid architectureen_US
dc.subject.pquncontrollednetwork attacken_US
dc.subject.pquncontrollednetwork monitoringen_US
dc.subject.pquncontrollednetwork securityen_US
dc.subject.pquncontrolledquantificationen_US
dc.titleAdvanced Honeypot Architecture for Network Threats Quantificationen_US
dc.typeDissertationen_US

Files

Original bundle
Now showing 1 - 1 of 1
Thumbnail Image
Name:
Berthier_umd_0117E_10310.pdf
Size:
2.85 MB
Format:
Adobe Portable Document Format
Download

Collections

UMD Theses and Dissertations
Mechanical Engineering Theses and Dissertations