
Dissertations / Theses on the topic 'Honeypots'


1

Akkaya, Deniz, and Fabien Thalgott. "Honeypots in network security." Thesis, Linnaeus University, School of Computer Science, Physics and Mathematics, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-6600.

Abstract:

Day by day, more and more people are using the internet all over the world. It is becoming a part of everyone's life. People are checking their e-mails, surfing the internet, purchasing goods, playing online games, paying bills on the internet, etc. However, while performing all these things, how many people know about security? Do they know the risk of being attacked, of being infected by malicious software? Even some of the malicious software is spreading over the network to create more threats by users. How many users are aware that their computer may be used as a zombie computer to target other victim systems? As technology is growing rapidly, newer attacks are appearing. Security is a key point to get over all these problems. In this thesis, we will make a real-life scenario using honeypots. A honeypot is a well-designed system that attracts hackers into it. By luring the hacker into the system, it is possible to monitor the processes that are started and running on the system by the hacker. In other words, a honeypot is a trap machine which looks like a real system in order to attract the attacker. The aim of the honeypot is analyzing, understanding, watching and tracking hackers' behaviours in order to create more secure systems. A honeypot is a great way to improve network security administrators' knowledge and learn how to get information from a victim system using forensic tools. A honeypot is also very useful for future threats, to keep track of new technology attacks.

2

Yahyaoui, Aymen. "Testing deceptive honeypots." Thesis, Monterey, California: Naval Postgraduate School, 2014. http://hdl.handle.net/10945/44032.

Abstract:
Approved for public release; distribution is unlimited
Deception can be a useful defensive technique against cyber attacks. It has the advantage of unexpectedness to attackers and offers a variety of tactics. Honeypots are a good tool for deception. They act as decoy computers to confuse attackers and exhaust their time and resources. The objective of this thesis was to test the effectiveness of some honeypot tools in real networks by varying their location and virtualization, and by adding more deception to them. We tested both a web honeypot tool and an SSH honeypot tool. We deployed the web honeypot in both a residential network and at the Naval Postgraduate School network; the NPS honeypot attracted more attackers. Results also showed that the virtual honeypots received attacks from more unique IP addresses, and that adding deception to the web honeypot generated more interest by attackers. For the purpose of comparison, we examined the log files of a legitimate website, www.cmand.org. The traffic distributions for the web honeypot and the legitimate website showed similarities, but the SSH honeypot was different. It appears that both honeypot tools are useful for providing intelligence about cyber-attack methods.
3

Christoffersen, Dag, and Bengt Jonny Mauland. "Worm Detection Using Honeypots." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2006. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-9454.

Abstract:

This thesis describes a project that utilizes honeypots to detect worms. A detailed description of existing worm detection techniques using honeypots is given, as well as a study of existing worm propagation models. Simulations using some of these worm propagation models are also conducted. Although the results of the simulations coincide with the collected data from the actual outbreak of a network worm, they also conclude that it is difficult to produce realistic results prior to a worm outbreak. A worm detection mechanism called HoneyComb is incorporated in the honeypot setup installed at NTNU, and experiments are conducted to evaluate its effectiveness and reliability. The mechanism generated a large amount of false positives in these experiments, possibly due to an error discovered in the implementation of the detection algorithm. An architecture using honeypots for detection of unknown worms is proposed. This architecture is based on a combination of two recently published systems with the extension referred to as a Known-Attack (KA) filter. By using this filter, it is believed that the amount of traffic needed to be processed by the honeypot sensors will be considerably reduced.

4

Bergande, Eirik Falk Georg, and Jon Fjeldberg Smedsrud. "Using Honeypots to Analyze Bots and Botnets." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2007. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-9566.

Abstract:

In this Master's thesis we will perform honeypot experiments where we allow malicious users access to systems and analyze their behaviour. Our focus will be on botnets, and how attackers progress to infect systems and add them to their botnet. Our experiments will include both high-interaction honeypots where we let attackers manually access our system, and low-interaction honeypots where we receive automated malware. The high-interaction honeypots are normal Linux distributions accessing the internet through a Honeywall that captures and controls the data flow, while the low-interaction honeypots are running the Nepenthes honeypot. Nepenthes acts by passively emulating known vulnerabilities and downloading the exploiting malware. The honeypots have been connected to both the ITEA and UNINETT networks at NTNU. The network traffic filtering on the IP addresses we have received has been removed in order to capture more information. Installing the honeypots is a rather complicated matter, and has been described with regard to setup and configuration of both the high- and low-interaction honeypots. Data that is captured has been thoroughly analyzed with regard to both intent and origin. The results from the high-interaction honeypots focus on methods and techniques that the attackers are using. The low-interaction honeypot data comes from automated sources, and is primarily used for code and execution analysis. By doing this, we will gain a higher degree of understanding of the botnet phenomenon, and why botnets are so popular amongst blackhats. During the experiments we have captured six attacks toward the high-interaction honeypots, which have all been analyzed. The low-interaction honeypot, Nepenthes, has captured 56 unique malware samples and of those 14 have been analysed. In addition there has been a thorough analysis of the Rbot.

5

Almotairi, Saleh Ibrahim Bakr. "Using honeypots to analyse anomalous Internet activities." Thesis, Queensland University of Technology, 2009. https://eprints.qut.edu.au/31833/1/Saleh_Almotairi_Thesis.pdf.

Abstract:
Monitoring Internet traffic is critical in order to acquire a good understanding of threats to computer and network security and in designing efficient computer security systems. Researchers and network administrators have applied several approaches to monitoring traffic for malicious content. These techniques include monitoring network components, aggregating IDS alerts, and monitoring unused IP address spaces. Another method for monitoring and analyzing malicious traffic, which has been widely tried and accepted, is the use of honeypots. Honeypots are very valuable security resources for gathering artefacts associated with a variety of Internet attack activities. As honeypots run no production services, any contact with them is considered potentially malicious or suspicious by definition. This unique characteristic of the honeypot reduces the amount of collected traffic and makes it a more valuable source of information than other existing techniques. Currently, there is insufficient research in the honeypot data analysis field. To date, most of the work on honeypots has been devoted to the design of new honeypots or optimizing the current ones. Approaches for analyzing data collected from honeypots, especially low-interaction honeypots, are presently immature, while analysis techniques are manual and focus mainly on identifying existing attacks. This research addresses the need for developing more advanced techniques for analyzing Internet traffic data collected from low-interaction honeypots. We believe that characterizing honeypot traffic will improve the security of networks and, if the honeypot data is handled in time, give early signs of new vulnerabilities or breakouts of new automated malicious codes, such as worms.
The outcomes of this research include:
• Identification of repeated use of attack tools and attack processes through grouping activities that exhibit similar packet inter-arrival time distributions using the cliquing algorithm;
• Application of principal component analysis to detect the structure of attackers' activities present in low-interaction honeypots and to visualize attackers' behaviors;
• Detection of new attacks in low-interaction honeypot traffic through the use of the principal component's residual space and the square prediction error statistic;
• Real-time detection of new attacks using recursive principal component analysis;
• A proof of concept implementation for honeypot traffic analysis and real time monitoring.
6

Lim, Sze Li Harry. "Assessing the effects of honeypots on cyber-attackers." Thesis, Monterey, Calif. : Naval Postgraduate School, 2006. http://bosun.nps.edu/uhtbin/hyperion.exe/06Dec%5FLim%5FSze.pdf.

7

Alosefer, Yaser. "Analysing web-based malware behaviour through client honeypots." Thesis, Cardiff University, 2012. http://orca.cf.ac.uk/29469/.

Abstract:
With an increase in the use of the internet, there has been a rise in the number of attacks on servers. These attacks can be successfully defended against using security technologies such as firewalls, IDS and anti-virus software, so attackers have developed new methods to spread their malicious code by using web pages, which can affect many more victims than the traditional approach. The attackers now use these websites to threaten users without the user’s knowledge or permission. The defence against such websites is less effective than traditional security products meaning the attackers have the advantage of being able to target a greater number of users. Malicious web pages attack users through their web browsers and the attack can occur even if the user only visits the web page; this type of attack is called a drive-by download attack. This dissertation explores how web-based attacks work and how users can be protected from this type of attack based on the behaviour of a remote web server. We propose a system that is based on the use of client Honeypot technology. The client Honeypot is able to scan malicious web pages based on their behaviour and can therefore work as an anomaly detection system. The proposed system has three main models: state machine, clustering and prediction models. All these three models work together in order to protect users from known and unknown web-based attacks. This research demonstrates the challenges faced by end users and how the attacker can easily target systems using drive-by download attacks. In this dissertation we discuss how the proposed system works and the research challenges that we are trying to solve, such as how to group web-based attacks into behaviour groups, how to avoid attempts at obfuscation used by attackers and how to predict future malicious behaviour for a given web-based attack based on its behaviour in real time. 
Finally, we have demonstrated how the proposed system will work by implementing a prototype application and conducting a number of experiments to show how we were able to model, cluster and predict web-based attacks based on their behaviour. The experiment data was collected randomly from online blacklist websites.
8

Wagener, Gérard. "Self-Adaptive Honeypots Coercing and Assessing Attacker Behaviour." Phd thesis, Institut National Polytechnique de Lorraine - INPL, 2011. http://tel.archives-ouvertes.fr/tel-00627981.

Abstract:
Information security communities are always talking about "attackers" or "blackhats", but in reality very little is known about their skills. The idea of studying attacker behaviors was pioneered in the early nineties. In the last decade the number of attacks has increased exponentially and honeypots were introduced in order to gather information about attackers and to develop early-warning systems. Honeypots come in different flavors with respect to their interaction potential. A honeypot can be very restrictive, but this implies only a few interactions. However, if a honeypot is very tolerant, attackers can quickly achieve their goal. Choosing the best trade-off between attacker freedom and honeypot restrictions is challenging. In this dissertation, we address the issue of self-adaptive honeypots that can change their behavior and lure attackers into revealing as much information as possible about themselves. Rather than being allowed simply to carry out attacks, attackers are challenged by strategic interference from adaptive honeypots. The observation of the attackers' reactions is particularly interesting and, using derived measurable criteria, the attacker's skills and capabilities can be assessed by the honeypot operator. Attackers enter sequences of inputs on a compromised system which is generic enough to characterize most attacker behaviors. Based on these principles, we formally model the interactions of attackers with a compromised system. The key idea is to leverage game-theoretic concepts to define the configuration and reciprocal actions of high-interaction honeypots. We have also leveraged machine learning techniques for this task and have developed a honeypot that uses a variant of reinforcement learning in order to arrive at the best behavior when facing attackers. 
The honeypot is capable of adopting behavioral strategies that vary from blocking commands or returning erroneous messages, right up to insults that aim to irritate the intruder and serve as a reverse Turing Test distinguishing human attackers from machines. Our experimental results show that behavioral strategies are dependent on contextual parameters and can serve as advanced building blocks for intelligent honeypots. The knowledge obtained can be used either by the adaptive honeypots themselves or to reconfigure low-interaction honeypots.
9

Wagener, Gérard. "Self-Adaptive Honeypots Coercing and Assessing Attacker Behaviour." Electronic Thesis or Diss., Vandoeuvre-les-Nancy, INPL, 2011. http://www.theses.fr/2011INPL037N.

Abstract:
Information security communities talk about "hackers", but in reality very little is known about their skills. Over the last decade, the number of attacks has increased exponentially, and honeypots were then introduced in order to gather information about attackers. These honeypots come in different flavours depending on their interaction potential. This thesis addresses the paradigm of adaptive honeypots that can change their behaviour with the intention of deceiving attackers into revealing as much information as possible about themselves. Rather than simply being allowed to carry out attacks, attackers are confronted with strategic interference. Using measurable criteria, the attacker's skills and capabilities can be assessed by adaptive honeypots. We modelled the interactions of attackers. The key idea behind the modelling of attacker interactions developed in this thesis is to use game theory to define the configuration of an adaptive honeypot. We used reinforcement learning mechanisms in order to find the best behaviour when facing attackers. An adaptive honeypot is capable of adopting behavioural strategies at the level of the execution of commands by the attacker. Our experimental results show that these strategies depend on contextual parameters, which can thus be used to build intelligent honeypots.
Information security communities are always talking about "attackers" but in reality very little is known about their skills. In the last decade the number of attacks has increased exponentially and honeypots were introduced in order to gather information about attackers. Honeypots come in different flavors with respect to their interaction potential. Choosing the best trade-off between attacker freedom and honeypot restrictions is challenging. In this dissertation, we address the issue of self-adaptive honeypots that can change their behavior and lure attackers into revealing as much information as possible about themselves. Rather than being allowed simply to carry out attacks, attackers are challenged by strategic interference from adaptive honeypots. The observation of the attackers' reactions is particularly interesting and, using derived measurable criteria, the attacker's skills and capabilities can be assessed by the honeypot operator. We formally model the interactions of attackers with a compromised system. The key idea is to leverage game-theoretic concepts to define the configuration and reciprocal actions of high-interaction honeypots. We have also leveraged reinforcement learning, a machine learning technique, in order to arrive at the best behavior when facing attackers. Our experimental results show that behavioral strategies are dependent on contextual parameters and can serve as advanced building blocks for intelligent honeypots.
10

Chairetakis, Eleftherios, Bassam Alkudhir, and Panagiotis Mystridis. "Deployment of Low Interaction Honeypots in University Campus Network." Thesis, Högskolan i Halmstad, Sektionen för Informationsvetenskap, Data– och Elektroteknik (IDE), 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-22141.

Abstract:
Large scale networks face daily thousands of network attacks. No matter the strength of the existing security defending mechanisms, these networks remain vulnerable, as new tools and techniques are being constantly developed by hackers. A new promising technology that lures the attackers in order to monitor their malicious activities and divulge their intentions is emerging with Virtual Honeypots. In the present thesis, we examine an extensive security mechanism based on three different open source low interaction honeypots. We implement this mechanism at our university campus network in an attempt to identify the potential threats and methods used against our network. The data gathered by our honeypots reveal valuable information regarding the types of attacks, the vulnerable network services within the network and the malicious activities launched by attackers.
11

Salam, Haris. "Cyber Ranges: A design and implementation of Virtual Honeypots." Thesis, KTH, Kommunikationsnät, 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-137108.

Abstract:
Traditionally, many devices such as firewalls, secured servers, computer networks, hosts and routers. But with rapid technological advancements, security for the virtual world also needed improvement. As they say, need is the mother of all inventions; such a need led to the creation of honeypots. Today, honeypots are gaining attention and the usage of these systems is increasing. Honeypots are, essentially, traps set to detect, deflect, or in some manner counteract attempts to access and use information systems. They mostly consist of a network device that appears to be part of the network, but it is actually separated and monitored by security researchers continuously to review the activities. This thesis covers the commercial design, implementation and future directions of these systems. An introduction to the topic is given, explaining basic security concepts and vulnerabilities and flaws that lead to attacks. We set up a set of vulnerable environments and virtual routers, where the learners could practice offensive and defensive security techniques for cyber warfare. A simulation was created; several machines and routers were connected together. Each router is deliberately set up so that it has (security) vulnerabilities. Practitioners will be required to penetrate those routers and systems. These ranges are specifically designed for the defense sector and cater to internet and network security.
12

Kulle, Linus. "Intrusion Attack & Anomaly Detection in IoT Using Honeypots." Thesis, Malmö universitet, Fakulteten för teknik och samhälle (TS), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-20676.

Abstract:
This thesis is presented as an artifact of a project conducted at Malmö University IoTaP LABS. The Internet of Things (IoT) is a growing field and its use has been adopted in many aspects of our daily lives, which has led to digitalization and the creation of smart IoT ecosystems. However, with the rapid adoption of IoT, little or no focus has been put on the security implications, device proliferation and its advancements. This thesis takes a step forward to explore the usefulness of implementing a security mechanism that can proactively be used to aid understanding attacker behaviour in an IoT environment. To achieve this, this thesis has outlined a number of objectives that range from how to create a deliberate vulnerability by using honeypots in order to lure attackers in order to study their modus operandi. Furthermore, an Intrusion Attack Detection (IAD) model has been constructed that has aided with this implementation. The IAD model has been successfully implemented with the help of the interaction and dependence of key modules that have allowed honeypots to be executed in a controlled IoT environment. Detailed descriptions regarding the technologies that have been used in this thesis have also been explored to a greater extent. On the same note, the implemented system, with the help of an attack scenario, allowed an attacker to access the system and circumnavigate throughout the camouflaged network; thereafter, the attacker's footprints are mapped based on the mode of attack. Consequently, given that this implementation has been conducted in the MAU environment, the results that have been generated as a result of this implementation have been reported correctly. Eventually, based on the results that have been generated by the system, it is worth noting that the research questions and the objectives posed by the thesis have been met.
13

Ponten, Austin. "Evaluation of Low-Interaction Honeypots on the University Network." Thesis, Linnéuniversitetet, Institutionen för datavetenskap (DV), 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-66885.

Abstract:
This project studies the three honeypot solutions Honeyd, Dionaea, and Kippo, evaluating the solutions themselves and observing their implementation into the university campus network. The investigation begins with an understanding of how a honeypot works and is useful as an extra security layer, followed by an implementation of the said three honeypot solutions and the results that follow after a period of days. After the data has been collected, it shows that the majority of malicious activity surrounded communication services, and an evaluation of the three honeypot solutions showed Honeyd as the best with its scalability and reconfigurability.
14

Duong, Binh T. "Comparisons of attacks on honeypots with those on real networks." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2006. http://library.nps.navy.mil/uhtbin/hyperion/06Mar%5FDuong.pdf.

15

Steding-Jessen, Klaus. "Uso de honeypots para o estudo de spam e phishing." Instituto Nacional de Pesquisas Espaciais, 2008. http://urlib.net/sid.inpe.br/mtc-m18@80/2008/08.18.19.02.

Abstract:
This work proposes an extensible sensor infrastructure, based on honeypots, to study the problem of spam and phishing, so as to obtain more detailed data about the problem. This infrastructure allows the correlation of these data with those captured by other sensors, also based on honeypots. A prototype of this infrastructure was implemented and focused on obtaining data about the abuse of open relays and proxies, the harvesting of email addresses from Internet sites, the collection of URLs sent through pop-up messages, and the correlation of all these data with spam-related activities captured by the Consórcio Brasileiro de Honeypots. This prototype was in operation for several months and collected data on various aspects of the spam problem, allowing a set of metrics to be obtained that help understand the situation in Brazil. The results of operating this prototype show the intensity of the abuse of open relays and proxies in Brazilian networks, the origin and destination of these spams, evidence of sending from infected machines, and the characteristics of email address harvesting. As a result of the analysis of these data, mitigation proposals for the observed problems are presented.
This work presents an extensible honeypot-based infrastructure to study the spam and phishing problem in order to obtain more detailed data on it. This infrastructure allows the correlation of the former data with data captured by other sensors also based on honeypots. A prototype of this infrastructure was implemented with the aim of obtaining data about the following: abuse of open relays and open proxies, email address harvesting, pop-up spam, and the correlation of these data with spam-related activities captured by the Brazilian Honeypots Alliance. This prototype was in operation for several months and collected data on several aspects of the spam problem. This allowed the generation of metrics to help understand the spam problem in Brazil. The obtained results show the magnitude of open relays and open proxies abuse in Brazilian networks, the source and the destination of these spams, the evidence of spam being sent from infected computers, and the characteristics of email harvesting. As a result of the analysis, some mitigation techniques for the observed problems are proposed.
16

Semrau, Florian. "Honeypots Aufbau und Integration in ein Testnetzwerk, Analyse der Leistungsmerkmale." Saarbrücken VDM Verlag Dr. Müller, 2007. http://d-nb.info/991172094/04.

17

Barbato, Luiz Gustavo Cunha. "Monitoração de atividades em máquinas preparadas para serem comprometidas (Honeypots)." Instituto Nacional de Pesquisas Espaciais, 2004. http://urlib.net/sid.inpe.br/jeferson/2004/07.22.15.13.

Abstract:
Until some time ago, information systems security was synonymous exclusively with protection, always assuming a purely defensive stance. Nowadays, this mentality is changing. Reactive measures have been helping to improve the security of systems, with the use of machines prepared to be compromised (honeypots) aimed at learning the techniques adopted by intruders from the intruders themselves. Based on this new view of information systems security, this work aims to develop a system capable of imperceptibly monitoring all the intruders' activities on the honeypots, transmitting this information to monitoring stations.
Not long ago, information systems security was closely associated with passive protection, always assuming a purely defensive stance. Nowadays, this approach is changing. Reactive measures are helping to improve systems security, with the use of hosts prepared to be compromised (honeypots) providing information about the techniques used by the attackers, from the attackers themselves. Based on this new approach to information systems security, the present work aims to develop a system to stealthily monitor all the attackers' activities in the honeypots and transfer this information to monitoring stations.
18

Guerra, Pedro Henrique Calais. "Identificação e caracterização de campanhas de spam a partir de honeypots." Universidade Federal de Minas Gerais, 2009. http://hdl.handle.net/1843/BUBD-9JTMUS.

Abstract:
This work presents a methodology for the characterization of spamming strategies based on the identification of spam campaigns. To deeply understand how spammers abuse network resources and obfuscate their messages, an aggregated analysis of spam messages is not enough. Grouping spam messages into campaigns is important to unveil behaviors that cannot be noticed when looking at the whole set of spams collected. We propose a spam identification technique based on a frequent pattern tree, which naturally captures the invariants in message content and detects messages that differ only due to obfuscated fragments. The technique was able to group 350 million messages into 57,851 distinct campaigns. After that, we characterize these campaigns both in terms of content obfuscation and exploitation of network resources. Our methodology includes the use of attribute association analysis: by applying an association rule mining algorithm, we were able to determine co-occurrence of campaign attributes that unveil different spamming strategies. In particular, we found strong relations between the origin of the spam and how the network was abused, between operating systems and types of abuse, and patterns that describe how spammers chain machines over the Internet to conceal their identities. Data was collected from low-interaction honeypots emulating open proxies and open relays, traditionally abused by spammers. The data collected from these emulators created a vantage point of spams from inside the network, before the messages were delivered to recipients, and that allowed the determination of the different strategies adopted by spammers to deliver their messages.
This work presents a methodology for characterizing spam dissemination strategies based on the identification of campaigns. To understand in depth how spammers abuse network resources and construct their messages, an aggregated analysis of spam messages is not sufficient. Grouping spam messages into their respective campaigns makes it possible to reveal behaviours that could not be perceived when considering the set of messages as a whole. This work proposes a technique for identifying spam campaigns based on the construction of a Frequent Pattern Tree, capable of capturing the invariants in message content and detecting messages that differ only by characteristics obfuscated and randomly varied by spammers. The technique was able to group a set of 350 million messages into 57,851 distinct campaigns. Next, these campaigns were characterized in terms of their content and the way they exploit network resources. By applying association rule mining algorithms, it was possible to determine the co-occurrence of campaign attributes that reveal different spam dissemination strategies. In particular, significant relations were found between the origin of the spam and the way it is disseminated on the network, between operating systems and types of abuse, and in the way spammers chain abuses across machines on the network to deliver messages while maintaining anonymity. The data used in this work were collected from low-interaction honeypots that emulate open proxies and relays, commonly abused by spammers. Collecting data through these emulators established a view of spam traffic before the messages were delivered to recipients, which made it possible to determine the different message delivery strategies employed by spammers.
APA, Harvard, Vancouver, ISO, and other styles
19

Cabral, Warren. "Architectural analysis and customised deployment of deceptive cowrie and conpot honeypots." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2021. https://ro.ecu.edu.au/theses/2468.

Full text
Abstract:
Honeypots are progressively becoming a fundamental cybersecurity tool to detect, prevent, and record new threats and attack methodologies used by attackers to penetrate systems. A honeypot is a deceptive or fake computer system that presents itself as a real computer system holding actual sensitive information. A range of open-source honeypots are available today, such as Cowrie and Conpot, which can be easily downloaded and deployed within minutes with default settings. Cowrie is a medium-interaction secure shell (SSH) and Telnet honeypot intended to log brute force and shell interaction attacks. In contrast, Conpot is a low-interaction SCADA honeypot, which attempts to mimic an active SCADA system. These honeypots operate on a standardised configuration file that encompasses deployment options such as hostnames, IPs, network services, protocols, applications, and fingerprint information. These options are convoluted and must be used in an integrated and granular fashion to make the deception presented by the honeypot plausible and effective. The current issue with the default configurations is that they are easily detected by adversaries using default parameters, automated scripts and scanners such as Shodan and NMAP. Nonetheless, cybersecurity specialists deploy most honeypots with default configurations. This is because modern systems do not provide a standard framework for the optimal deployment of these honeypots based on the various configuration options available to produce a non-default configuration. Hence, default honeypot deployments are counterproductive and an unnecessary drain on network resources and personnel. A quantitative empirical learning approach driven by a quasi-experimental methodology was undertaken to develop a solid understanding of the deceptive capabilities of the Cowrie and Conpot honeypots. This was accomplished by developing a framework created from the analysis of numerous Cowrie and Conpot configurations and linking these artefacts to their deceptive potential. This framework provides for customised honeypot configuration, thereby enhancing their functionality to achieve a high degree of deceptiveness and realism. Thereafter, these configured honeypots were deployed in association with banners and firewall rules to prevent Shodan and NMAP detections and to prevent attackers from recognising default parameters. The results of these deployments show an exponential increase in attacker-honeypot interaction in comparison to their default implementations. In turn, they inform and educate cybersecurity audiences on how important it is to deploy honeypots with advanced deceptive configurations to bait cybercriminals and mitigate counterproductive deployments.
20

Kedrowitsch, Alexander Lee. "Deceptive Environments for Cybersecurity Defense on Low-power Devices." Thesis, Virginia Tech, 2017. http://hdl.handle.net/10919/86164.

Abstract:
The ever-evolving nature of botnets has made constant malware collection an absolute necessity for security researchers in order to analyze and investigate the latest, nefarious means by which bots exploit their targets and operate in concert with each other and their bot master. In that effort of on-going data collection, honeypots have established themselves as a curious and useful tool for deception-based security. Low-powered devices, such as the Raspberry Pi, have found a natural home with some categories of honeypots and are being embraced by the honeypot community. Due to the low cost of these devices, new techniques are being explored to employ multiple honeypots within a network to act as sensors, reporting activity and captured malicious binaries to back-end servers for later analysis and network threat assessments. While these techniques are just beginning to gain their stride within the security community, they are held back by the minimal amount of deception a traditional honeypot on a low-powered device is capable of delivering. This thesis makes a preliminary investigation into the viability of using Linux containers to greatly expand the deception possible on low-powered devices by providing isolation and containment of full system images with minimal resource overhead. It is argued that employing Linux containers on low-powered device honeypots enables an entire category of honeypots previously unavailable on such hardware platforms. In addition to granting previously unavailable interaction with honeypots on Raspberry Pis, the use of Linux containers grants unique advantages that have not previously been explored by security researchers, such as the ability to defeat many types of virtual environment and monitoring tool detection methods.
Master of Science
21

Watkins, Trevor U. "Is Microsoft a Threat to National Security? Policy, Products, Penetrations, and Honeypots." Connect to resource online, 2009. http://rave.ohiolink.edu/etdc/view?acc_num=ysu1244659206.

22

Kula, Michal Damian. "Implementing Honeypots to Build Risk Profiles for IoT Devices in a Home-Based Environment." Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-86513.

Abstract:
Honeypots have been implemented in network security for years now; from the simple systems that could only mimic one vulnerable service and gather information about an intruder, they have morphed into advanced and complicated environments. Unfortunately, hackers have not left that untouched, and constantly try to detect honeypots before being caught. This ongoing battle can be damaging to inexperienced internet users, who have no idea about securing devices in their small home-based network environment. The purpose of this research is to perform a technical study using IoT devices placed in a home environment in a specially separated segment, and capture traffic between them and external agents. This data is then analysed and used to build risk profiles of the tested IoT devices, aiming to provide security recommendations. The results indicate that creating risk profiles for IoT devices could be used to gather more precise information about external attacks and provide an instant answer to what type of attacks could be generated against a selected IoT device. More development would be required to improve this process; this includes a redesign of the network and an automatic software-based tool capable of generating risk profiles.
23

Akif, Omar Zeyad. "Secure authentication procedures based on timed passwords, honeypots, honeywords and multi-factor techniques." Thesis, Brunel University, 2017. http://bura.brunel.ac.uk/handle/2438/16124.

Abstract:
A time-based password generating technique has been adopted and applied to protect sensitive datasets as the first technique used in this thesis. It specifically mitigates attacks and threats by adding time as a part of the password, which is generated using the shift key. This in turn raises the number of possible combinations for the password and enhances the system's security. The Password Quality Indicator (PQI) was implemented to evaluate the security improvement. Results showed that contemporary password techniques were up to 200% more secure than the traditional methods. The second method, 'honeypot', is based on web-session management. The authentication process is triggered if the web session is initiated correctly when the first webpage is requested; legitimate users must perform the correct session through a precise sequence of links to be compatible with the session management that has been saved on the server side. The honeypot presents a sequence of links to lure the attacker into performing the authentication procedure directly from the login box. When compared to conventional methods, it was found that using the new method improved user security by 200%. Additionally, a multi-factor authentication approach was tested, in which a combination of the timing password and the honeypot techniques was used. The outcomes were calculated and the results demonstrated that the passwords' strength was enhanced when using and increasing the number of links and the number of dwell time periods, as a result of the increased number of probabilities and combinations. This approach yielded passwords that are 300% more secure than traditional methods would generate. Finally, a honeywords-generation method (decoy passwords) was also applied to detect attacks against databases of hashed passwords. With the aim of achieving flatness, the original password for each user account was stored with many honeywords in order to confuse and mislead cyber-attackers. This technique relies on the abnormal generation method to achieve flatness between the real password and its honeywords. A survey involving 820 participants was conducted to quantify how many users were able to recognise the real password among several honeywords. The results have shown that the new generation method was an improvement on traditional methods by 89.634% and attained sufficient flatness to confuse the attackers.
24

Ferreira, Pedro Henrique Matheus da Costa. "Análise de dados de bases de honeypots: estatística descritiva e regras de IDS." Universidade Presbiteriana Mackenzie, 2015. http://tede.mackenzie.br/jspui/handle/tede/1460.

Abstract:
Previous issue date: 2015-03-04
Fundação de Amparo a Pesquisa do Estado de São Paulo
A honeypot is a computer security system dedicated to being probed, attacked or compromised. The information collected helps in the identification of threats to computer network assets. When probed, attacked and compromised, the honeypot receives a sequence of commands that are mainly intended to exploit a vulnerability of the emulated systems. This work uses data collected by honeypots to create rules and signatures for intrusion detection systems. The rules are extracted from decision trees constructed from the data sets of real honeypots. The results of experiments performed with four databases, both public and private, showed that the extraction of rules for an intrusion detection system is possible using data mining techniques, particularly decision trees. The technique pointed out similarities between the data sets, even though the data were collected in different places and at different times. In addition to the rules obtained, the technique allows the analyst to identify problems quickly and visually, facilitating the analysis process.
A honeypot is a computer security system dedicated to being probed, attacked or compromised. The information collected helps to identify computational threats to network assets. When probed, attacked and compromised, the honeypot receives a sequence of commands whose main objective is to exploit a vulnerability of the emulated systems. This work uses data collected by honeypots to create rules and signatures for intrusion detection systems. The rules are extracted from decision trees built from the data sets of a real honeypot. The results of the experiments carried out with four databases, two public and two private, showed that it is possible to extract rules for an intrusion detection system using data mining techniques, in particular decision trees. The technique employed pointed out similarities between the data sets, even though the collection took place in different locations and time periods. Besides the rules obtained, the technique allows the analyst to identify existing problems quickly and visually, facilitating the analysis process.
25

Hoepers, Cristine. "Projeto e implementação de uma infra-estrutura para troca e análise de informações de honeypots e honeynets." Instituto Nacional de Pesquisas Espaciais, 2008. http://urlib.net/sid.inpe.br/mtc-m18@80/2008/08.21.12.34.

Abstract:
To characterize and monitor malicious activity on the Internet, one of the methods used has been the placement of sensors in unused address space. Among the types of sensors employed for this purpose, honeypots stand out: security resources specially configured to collect information about attacks and whose value lies in being probed, attacked or compromised. They are capable of collecting valuable information about the types of attacks that occur on the Internet and of helping with security incident handling. Existing work in the area of honeypot data collection and analysis concentrates on visualizing and/or correlating data within a specific honeynet or a set of honeypots that use similar technologies. However, it is important to carry out a more complete analysis of the traffic observed across honeypots and honeynets that use different technologies and are deployed in different environments spread around the world. In order to address the limitations in the area of honeypot data analysis and to provide interoperability between different technologies, this work defines two elements that form an infrastructure allowing the analysis and correlation of such data: the Honeypots Information and Data Exchange Format (HIDEF), a format for exchanging collected data and information about the architecture and technologies used by honeypots; and the Honeypots Information and Data Exchange and Analysis System (HIDEAS), a system that enables sending and receiving information and data in formats such as HIDEF. To validate the proposed format and system, a prototype was implemented and a case study was carried out, which collected and correlated data from honeypots with different technologies as well as from security incident notifications.
Placing sensors in unused Internet address space is one of the techniques used to characterize and monitor malicious activities. Among the diverse types of sensors, honeypots stand out. They are security resources specially configured to collect data about attacks, and whose value lies in being probed, attacked or compromised. Honeypots are able to capture valuable information about Internet attacks and to help computer security incident handling. The related work in the area of honeypot data collection and analysis is focused on visualization or correlation of data from a single honeynet or from a set of honeypots that use similar technologies. However, it is very important to make a more complete analysis of the traffic observed among honeypots and honeynets which use different technologies and are deployed in different parts of the world. To address the limitations in the area of honeypot data analysis, and to provide interoperability among different technologies, this work presents two elements that comprise an infrastructure allowing the analysis and correlation of honeypot data: the Honeypots Information and Data Exchange Format (HIDEF), a data format to exchange data collected by honeypots and information about the architecture and technologies used by them; and the Honeypots Information and Data Exchange and Analysis System (HIDEAS), a system that enables sending and receiving information and data represented in formats like HIDEF. To validate the proposed data format and system, a prototype was implemented. This prototype was used in a case study that correlated data from honeypots deployed with different technologies, as well as from security incident reports.
26

Marinakis, Alexandros. "A Systematic Comparison of Default based Versus Hardened IoT Systems Using Honeypots : Master Thesis | Supervisor: Maria Papadaki." Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-83187.

Abstract:
IoT devices make immense contributions in the fields of education, communication, business, science and industry, permeating various aspects of everyday life. Despite these benefits, their diversity, heterogeneity, and rapid development can introduce significant challenges, especially when secure design has not been incorporated into their software lifecycle. Consequently, they can be targeted by malicious attackers, resulting in important security threats that need to be addressed. The main goal of this research is to explore the benefits of securing IoT devices after deployment, by examining, analyzing, and comparing default versus secure IoT device configurations. This will allow us to draw inferences regarding the differences in behavior, patterns, and motives of the attackers, as well as to measure the performance output of the two environments. To achieve our goal, we make extensive use of honeypot systems simulating the two different environments and collect log data from which to draw meaningful conclusions. As a secondary goal, we also explore any potential performance degradation for default versus secure configurations. The produced results suggest that there is a major difference both in how attackers approach a hardened IoT device/service and in how a device is affected in terms of operability and performance.
27

Prathapani, Anoosha. "Intelligent Honeypot Agents for Detection of Blackhole Attack in Wireless Mesh Networks." University of Cincinnati / OhioLINK, 2010. http://rave.ohiolink.edu/etdc/view?acc_num=ucin1289939348.

28

Barros, Eduardo Gomes de. "Uso de técnicas de análise de séries temporais para prever o comportamento do ruído de fundo na internet brasileira usando dados do consórcio brasileiro de honeypots." Instituto Nacional de Pesquisas Espaciais, 2010. http://urlib.net/sid.inpe.br/mtc-m19/2010/10.15.13.35.

Abstract:
The traffic captured by the sensors of the Brazilian Honeypots Alliance (Consórcio Brasileiro de Honeypots, CBH) reveals the existence of traffic that exists on the Internet regardless of the type of machine being used or the type of service being provided: the background noise, all non-productive traffic, whether malicious or not. The malicious activities that occur in the Brazilian portion of the Internet are embedded in this traffic. Knowing, characterizing and describing it is a challenge whose resolution will help in issuing early warnings, the security paradigm needed to defend a nation's critical infrastructures and which complements the current, reactive one. From the Brazilian Honeypots Alliance data, a methodology was created to sanitize the data so that it could serve as the basis for building time series. From these series it was possible to characterize and describe this traffic in the Brazilian portion of the Internet. The mathematical modelling used allowed the projection of future events and the analysis of when early warnings should be issued.
The traffic captured by the sensors of the Brazilian Honeypots Alliance (CBH) reveals traffic that exists on the Internet regardless of the type of machine or the service being provided: the background noise, all non-productive traffic, whether malicious or not. The malicious activities occurring in the Brazilian portion of the Internet are embedded in this traffic. Knowing, characterizing and describing it is a challenge that will help in issuing early warnings, the security paradigm necessary for the protection of a nation's critical infrastructures and which complements the current, reactive one. A methodology was created to sanitize the Brazilian Honeypots Alliance data so that it could be used to construct time series. From these series, the characterization and description of this Brazilian Internet traffic was possible. The mathematical model used allows the projection of future events and the analysis of when early warnings should be issued.
29

OLIVEIRA, Antonio Alfredo Pires. "SAMARA SOCIEDADE DE AGENTES PARA A MONITORAÇÃO DE ATAQUES E RESPOSTAS AUTOMATIZADAS." Universidade Federal do Maranhão, 2005. http://tedebc.ufma.br:8080/jspui/handle/tede/388.

Abstract:
Previous issue date: 2005-06-17
The traditional security techniques applied in computer networks try to block attacks (using firewalls) or to detect them as soon as they happen (using Intrusion Detection Systems). Both are of recognized value; however, they have limitations. In that sense, there is a need to innovate in defense techniques and tactics, as well as in the tools and technologies that complement the traditional mechanisms applied in network and computer security. One of these solutions has been the use of honeypots (network traps) to collect information about the motives, tactics and tools used in malicious activities on networks and distributed systems. This research work introduces an architecture for automated incident response, called SAMARA, based on honeypots and intelligent agents, created to support the functional requirements of the decoy server and honeynet agents proposed for the NIDIA project (Network Intrusion Detection System based on Intelligent Agents) [18], but which can be adapted to other approaches to the detection, prevention and handling of security incidents in networks and distributed systems.
Traditional security techniques applied to computer networks try to block attacks (using firewalls) or to detect them as soon as they occur (using Intrusion Detection Systems). Both are of recognized value, but they have their limits. In this sense, there is a need to innovate in defense techniques and tactics, as well as in the tools and technologies that complement the traditional mechanisms applied to network and computer security. One of these solutions has been the use of honeypots (network traps) to collect information about the motives, tactics and tools used in malicious activities on networks and distributed systems. This work introduces an architecture for automated responses to security incidents, called SAMARA, which is based on honeypots and intelligent agents and was designed to meet the functional requirements of the decoy server and honeynet agents proposed for the NIDIA project (Network Intrusion Detection System based on Intelligent Agents) [18], but which can be adapted to other approaches to detecting, preventing and reacting to security incidents in networks and distributed systems.
30

Medeiros, João Paulo de Souza. "Identificação remota de sistemas operacionais utilizando análise de processos aleatórios e redes neurais artificiais." Universidade Federal do Rio Grande do Norte, 2009. http://repositorio.ufrn.br:8080/jspui/handle/123456789/15287.

Abstract:
Previous issue date: 2009-06-19
Petróleo Brasileiro SA - PETROBRAS
A new method to perform TCP/IP fingerprinting is proposed. TCP/IP fingerprinting is the process of identifying a remote machine through a TCP/IP based computer network. This method has many applications related to network security. Both intrusion and defence procedures may use this process to achieve their objectives. There are many known methods that perform this process under favorable conditions. However, nowadays there are many adversities that reduce the identification performance. This work aims to create a new OS fingerprinting tool that overcomes these current problems. The proposed method is based on the use of attractor reconstruction and neural networks to characterize and classify pseudo-random number generators.
A new method is proposed for the remote identification of operating systems that operate on TCP/IP networks. This method has several applications related to computer network security and is commonly adopted in both attack and defense activities. The proposed method is capable of succeeding in situations where several current solutions fail, including when dealing with devices that may be vulnerable to the identification process. The new method analyses the random number generators used in TCP/IP stacks and, through the use of artificial neural networks, creates maps that represent the behaviour of these generators. These maps are compared with labelled maps representing already known systems, completing the identification process.
31

Buriánek, Adam. "Bezpečnostní technologie: Honeypot." Master's thesis, Česká zemědělská univerzita v Praze, 2016. http://www.nusl.cz/ntk/nusl-259876.

Abstract:
The aim of the thesis is to characterize honeypots as a security technology, to present their capability to monitor security attacks, and to find the motivation of attackers and their techniques. The theoretical part of the thesis is based on the study and analysis of mostly foreign expert information resources. The practical part is based on the specification and implementation of the best-known honeypots on the Internet and the subsequent analysis of their logs. The benefit of the thesis lies in the results obtained, which are offered to network security specialists for analysis, and in the automatic recording of threats to third-party servers.
32

Galetka, Josef. "Analýza síťových útoků pomocí honeypotů." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2010. http://www.nusl.cz/ntk/nusl-237123.

Abstract:
This text deals with computer network security using honeypot technology as an intentional trap for attackers. It describes in detail the basic ideas behind this concept, together with its advantages and disadvantages. The main focus is the low-interaction honeypot Honeyd, its functionality and possible extensions. The practical part of the text describes the principles behind implementing Honeyd service scripts, which simulate the behavior of the Conficker computer worm. It further describes the creation of an automated script used for analysing and processing the data gathered during an actual deployment of Honeyd on the Internet.
33

Fairbanks, Kevin D. "Forensic framework for honeypot analysis." Diss., Georgia Institute of Technology, 2010. http://hdl.handle.net/1853/33977.

Abstract:
The objective of this research is to evaluate and develop new forensic techniques for use in honeynet environments, in an effort to address areas where anti-forensic techniques defeat current forensic methods. The fields of Computer and Network Security have expanded with time to become inclusive of many complex ideas and algorithms. With ease, a student of these fields can fall into the thought pattern of preventive measures as the only major thrust of the topics. It is equally important to be able to determine the cause of a security breach. Thus, the field of Computer Forensics has grown. In this field, there exist toolkits and methods that are used to forensically analyze production and honeypot systems. To counter the toolkits, anti-forensic techniques have been developed. Honeypots and production systems have several intrinsic differences. These differences can be exploited to produce honeypot data sources that are not currently available from production systems. This research seeks to examine possible honeypot data sources and cultivate novel methods to combat anti-forensic techniques. In this document, three parts of a forensic framework are presented which were developed specifically for honeypot and honeynet environments. The first, TimeKeeper, is an inode preservation methodology which utilizes the Ext3 journal. This is followed by an examination of dentry logging, which is primarily used to map inode numbers to filenames in Ext3. The final component presented is the initial research behind a toolkit for the examination of the recently deployed Ext4 file system. Each respective chapter includes the necessary background information and an examination of related work, as well as the architecture, design, conceptual prototyping, and results from testing each major framework component.
34

Pepakayala, Sagar. "Contributions of honeyports to network security." Thesis, Linköping University, Department of Computer and Information Science, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-9177.

Abstract:
A honeypot is an attractive computer target placed inside a network to lure attackers into it. There are many advantages to this technology: for example, attackers' tools and techniques can be fingerprinted, malicious traffic can be diverted away from the real target, etc. With the activity from the blackhat community increasing day by day, honeypots could be an effective weapon in the network security administrator's armoury. They have been studied rigorously during the past few years as a part of the security industry's drive to combat malicious traffic. While the whitehats are trying to make honeypots stealthier, blackhats are coming up with techniques to identify them (therefore nullifying any further use) or worse, use them in their favor. The game is on. The goal of this thesis is to study different architectural issues regarding honeypot deployment and various stages in utilizing honeypots, such as forensic analysis. Other concepts like IDSs and firewalls, which are used in conjunction with honeypots, are also discussed, because security is about cooperation among different security components. In the security industry, it is customary for whitehats to watch what blackhats are doing and vice versa. So the thesis discusses recent techniques to defeat honeypots and the risks involved in deploying honeypots. The commercial viability of honeypots and business cases for outsourcing honeypot maintenance are presented. Great interest from the security community in honeypots has propelled the research and resulted in various new and innovative applications of honeypots. Some of these applications, which made an impact, are discussed. Finally, future directions in honeypot technology research are surveyed.
35

Krula, Jiří. "Monitorování síťových útoků pomocí systémů honeypot." Master's thesis, Česká zemědělská univerzita v Praze, 2016. http://www.nusl.cz/ntk/nusl-259320.

Abstract:
This thesis focuses on honeypot technology and its use for monitoring network attacks. It theoretically analyzes honeypots and their variants, the honeynet and the honeytoken. The practical part describes how to deploy two open source honeypot solutions, Kippo and Dionaea. The Kippo honeypot can be classified, despite its limitations, as a high-interaction honeypot. This solution emulates the SSH service and is primarily intended for the detection and capture of brute force attacks on that service. Dionaea is a honeypot designed primarily for capturing malware. It aims to trap malware that exploits the vulnerabilities of the offered and exposed network services, with the aim of obtaining a copy of the malware for subsequent analysis. Data obtained from the real deployment of the proposed solutions are presented, and measures relating to SIEM tools are proposed, as well as improvements to the security of the protected network.
36

Řezáč, Michal. "Honeypot pro rodinu bezdrátových komunikačních protokolů IEEE 802.11." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2020. http://www.nusl.cz/ntk/nusl-413089.

Abstract:
This master's thesis addresses a possible way of realising a WiFi honeypot, constructed to detect malicious network activity and attacks in a radio environment that uses the IEEE 802.11 family of protocols. A specific configuration was created on an mITX-format motherboard and contains scripts and software for data collection, analysis and evaluation. Based on information and knowledge about specific network attacks, it is possible to identify data traffic leading to anomalies and detect a possible network attack. The final device was tested in real use for long-term data collection and evaluation of network activity in the given location. This fulfils the main goal of this work, which is the implementation of a WiFi honeypot with support for IEEE 802.11 protocols that can be deployed for real use.
37

Bláha, Lukáš. "Analýza automatizovaného generování signatur s využitím Honeypotu." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2012. http://www.nusl.cz/ntk/nusl-236430.

Abstract:
In this paper, a system for the automatic processing of attacks using honeypots is discussed. The first goal of the thesis is to become familiar with the issue of signatures for detecting malware on the network, especially the analysis and description of existing methods for the automatic generation of signatures using honeypots. The main goal is to apply the acquired knowledge to the design and implementation of a tool that will perform the detection of new malicious software on the network or on an end user's workstation.
38

Русанов, Г. О., and О. І. Федюшин. "Збір та аналіз даних з мережі Honeypot." Thesis, ХНУРЕ, 2021. https://openarchive.nure.ua/handle/document/15748.

Abstract:
The given work is dedicated to the means of collecting and analyzing the data received from honeypots. The tools and methods used by hackers to achieve their goals ‒ be it a simple challenge or terrorism acts ‒ are constantly changing and new ones appear that might not be publicly known. The data gathered from these honeypots can later be used for analysis which can give the honeypot owners the clue about these methods and tools used by hackers, to be able to protect the real systems against these kinds of attacks.
39

Jacel, Tomasz Wojciech. "Implementation of a honeypot for vehicular communications." Master's thesis, Universidade de Aveiro, 2011. http://hdl.handle.net/10773/6761.

Abstract:
Master's in Electronic Engineering and Telecommunications
This dissertation describes a feasibility study for the implementation of honeypot-type software for wireless vehicular ad hoc communications based on the WAVE (Wireless Access in Vehicular Environment) protocol. A honeypot is a tool designed to simulate fake computer networks, monitor them, and capture any malicious behaviour such as attacks and intrusion attempts. The study of the proposed solution begins with a survey of related work and a study of the fundamentals and protocols of wireless vehicular communications, namely the IEEE 802.11p and IEEE 1609.2 protocols. Next, the main security problems in wireless vehicular communications are surveyed, a detailed description of honeypot technology is given, and a tool that will receive particular attention throughout this dissertation, HONEYD, is chosen. Finally, since this dissertation is eminently theoretical in character, the modifications that will be necessary to adapt HONEYD to wireless vehicular communications are described: for vehicle-to-vehicle communications, the integration of HONEYD in the on-board unit (OBU) is described, and for vehicle-to-roadside-infrastructure communications, a solution for integrating HONEYD in the road-side unit (RSU) is proposed.
This dissertation is an attempt to implement honeypot software in a highly dynamic Vehicular Ad-hoc Network (VANET). This ad hoc network is based on wireless communication between nodes according to the WAVE (Wireless Access in Vehicular Environment) protocol. A honeypot is a tool designed to simulate fake local computer networks, monitor them, and capture all malicious behavior aimed towards them. This dissertation is in the scope of Intelligent Transportation Systems (ITS) and it provides some contributions to the development of security systems and hence road safety. A honeypot solution implemented in a VANET would help improve security in the network by attracting, catching and analyzing all malicious attempts to break the security system. The study of the proposed solution begins with research and an introduction to the main principles of vehicular communication. It is accompanied by a description of the system and the wireless communication technology. A presentation of the main security issues is also provided. Honeypot software is also presented through an in-depth look at its types, functionality, architecture, advantages and disadvantages. Through this research, one type of currently available honeypot is chosen and then deeply scrutinized on the basis of implementation in a Vehicular Ad-hoc Network. Finally, since this dissertation has a theoretical character, the changes that should be carried out to fully implement the proposed solution are provided. As this work is mainly focused on tailoring and proposing the necessary changes to the TCP/IP honeypot software to meet the requirements of WAVE, hardware tests in a real environment as well as writing source code will not be done and are out of the scope of this dissertation. Future work should be based on programming the necessary modules and putting them into operation.
This master's thesis is an attempt to adapt a honeypot-type program to operate in mobile ad hoc networks, VANET (Vehicular Ad-hoc Network). This network is based on wireless communication between vehicles according to the WAVE (Wireless Access in Vehicular Environment) standard. A honeypot is a tool used to simulate a computer network topology, monitor it, and capture any attempts to break into it. The subject of this thesis falls within the field of activity of the ITS (Intelligent Transportation Systems) association. It will contribute to improving security in VANET networks and, consequently, road safety. A honeypot program deployed in VANET networks can actively contribute to improving network security by attracting, capturing and analysing all intrusion attempts. The thesis begins with a review of the main issues concerning wireless communication between vehicles in VANET networks. Particular emphasis is placed on security in these networks. The concept of the honeypot program is also presented, together with its types, functionality, architecture, and advantages and disadvantages. Through an analysis of the available programs serving as honeypots, one specific program, honeyd, was selected and subjected to a detailed analysis with regard to implementation in VANET networks. Since this master's thesis is theoretical in character, its result is a proposal for the functionality and architecture of a device acting as a honeypot in VANET networks. Changes that the software should undergo to ensure full communication with the new environment are also proposed. Creating the source code corresponding to these changes and testing on hardware are left for future work.
40

Berthier, Robin G. "Advanced honeypot architecture for network threats quantification." College Park, Md. : University of Maryland, 2009. http://hdl.handle.net/1903/9204.

Abstract:
Thesis (Ph.D.) -- University of Maryland, College Park, 2009.
Thesis research directed by: Reliability Engineering Program. Title from t.p. of PDF. Includes bibliographical references. Published by UMI Dissertation Services, Ann Arbor, Mich. Also available in paper.
41

Karger, David. "Moderní služby honeypot/honeynet pro klasické informační sítě." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2020. http://www.nusl.cz/ntk/nusl-412981.

Abstract:
This work describes honeypots, their definition, classification and logging possibilities. In the practical part, honeypots are tested for the services that are most often attacked; their installation is performed and tests are made for basic familiarization with the functionality of the honeypot. Furthermore, the honeypot is exposed to the Internet and the obtained data are analyzed.
42

Basam, Dileep Kumar. "Strengthening MT6D Defenses with Darknet and Honeypot capabilities." Thesis, Virginia Tech, 2015. http://hdl.handle.net/10919/64375.

Abstract:
With the ever increasing adoption of IPv6, there has been a growing concern for security and privacy of IPv6 networks. Mechanisms like the Moving Target IPv6 Defense (MT6D) leverage the immense address space available with the new 128-bit addressing scheme to improve security and privacy of IPv6 networks. MT6D allows participating hosts to hop onto new addresses, that are cryptographically computed, without any disruption to ongoing conversations. However, there is no feedback mechanism in the current MT6D implementation to substantiate the core strength of the scheme i.e., to find an attacker attempting to discover and target any MT6D addresses. This thesis proposes a method to monitor the intruder activity targeting the relinquished addresses to extract information for reinforcing the defenses of the MT6D scheme. Our solution identifies and acquires IPv6 addresses that are being discarded by MT6D hosts on a local network, in addition to monitoring and visualizing the incoming traffic on these addresses. This is essentially equivalent to forming a darknet out of the discarded MT6D addresses. The solution's architecture also includes an ability to deploy a virtual (LXC-based) honeypot on-demand, based on any interesting traffic pattern observed on a discarded address. With this solution in place, we can become cognizant of an attacker trailing an MT6D-host along the address changes, as well as understanding the composition of attack traffic hitting the discarded MT6D addresses. With the honeypot deployment capabilities, the solution can take the conversation forward with the attacker to collect more information on attacker methods and delay further tracking attempts. The solution architecture also allows an MT6D host to query the solution database for network activity on its relinquished addresses as a JavaScript Object Notation (JSON) object. This feature allows the MT6D host to identify any suspicious activity on its discarded addresses and strengthen the MT6D scheme parameters accordingly. We have built a proof-of-concept for the proposed solution and analyzed the solution's feasibility and scalability.
Master of Science
43

Schoeman, Adam. "Amber : a zero-interaction honeypot with distributed intelligence." Thesis, Rhodes University, 2015. http://hdl.handle.net/10962/d1017938.

Abstract:
For the greater part, security controls are based on the principle of Decision through Detection (DtD). The exception to this is a honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots’ uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has proved the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.
44

Kubiš, Juraj. "SS7 Honeypoty - proaktivní ochrana proti podvodům v mobilních sítích." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2020. http://www.nusl.cz/ntk/nusl-432453.

Abstract:
This diploma thesis deals with the issue of attacks and fraud against mobile networks, with the main aim being the implementation of a honeypot-type tool able to respond to these accordingly. Thus, this thesis contains a basic introduction to mobile networks, their topology and commonly used protocols, along with an analysis of their general security. This is followed by a clarification of the term honeypot itself, with an explanation of the motivations for its deployment in networks, together with a listing of the advantages and disadvantages such a deployment may bring. The rest of the thesis deals with the actual implementation of such a tool, specifically its design, realisation and testing. This thesis presents a method for responding to the supported frauds and a detailed description of the implementation, configuration and outputs of the tool. The process of testing whether the implementation corresponds to the presented design is described. The implemented tool is evaluated and its further possible improvements are discussed.
45

Frederick, Erwin E. "Testing a low-interaction honeypot against live cyber attackers." Thesis, Monterey, California. Naval Postgraduate School, 2011. http://hdl.handle.net/10945/5600.

Abstract:
Approved for public release; distribution is unlimited.
The development of honeypots as decoys designed to detect, investigate, and counterattack unauthorized use of information systems has produced an "arms race" between honeypots (computers designed solely to receive cyber attacks) and anti-honeypot technology. To test the current state of this race, we performed experiments in which we ran a small group of honeypots, using the low-interaction honeypot software Honeyd, on a network outside campus firewall protection. For 15 weeks, we ran different configurations of ports and service scripts, and simulated operating systems to check which configurations were most useful as a research honeypot and which were most useful as decoys to protect other network users. We analyzed results in order to improve the results for both purposes in subsequent weeks. We did find promising configurations for both purposes; however, good configurations for one purpose were not necessarily good for the other. We also tested the limits of Honeyd software and identified aspects of it that need to be improved. We also identified the most common attacks, most common ports used by attackers, and degree of success of decoy service scripts.
46

OLIVEIRA, Vladimir Bezerra de. "HoneypotLabsac: um Framework de Honeypot Virtual para o Android." Universidade Federal do Maranhão, 2012. http://tedebc.ufma.br:8080/jspui/handle/tede/493.

Abstract:
Made available in DSpace on 2016-08-17T14:53:22Z (GMT). No. of bitstreams: 1 dissertacao Vladimir Bezerra.pdf: 1689359 bytes, checksum: a70169a92374db41ad6ea24d036d2b23 (MD5) Previous issue date: 2012-06-26
FUNDAÇÃO DE AMPARO À PESQUISA DO ESTADO DO PIAUÍ
Mobile devices such as smartphones have become indispensable nowadays, due to their increased processing power, more room for data storage, batteries with greater autonomy, and connection to wireless networks and 3G networks. The Android operating system is a complete platform for mobile devices, principally smartphones, developed by Google in 2008. It is gaining an increasingly large share of the global market due to its open-source code. Attacks on mobile phones are not a new practice: the first virtual virus, called Cabir, was developed in 2004 and targeted only the Symbian operating system. Studies show a great increase in digital attacks on the Android operating system. Honeypots (tools with many features whose main purpose is to deceive the attacker) can be quite useful in the context of network security. They make the attacker think that he is actually interacting with an operating system, when in fact the attacker is being monitored. Therefore, the present thesis aims to develop a framework to generate a virtual honeypot at the application level for the Android operating system. The methodological procedures for the preparation of this work were bibliographic research (articles, dissertations and specific literature). In this work, we show that the attacker of mobile devices can be monitored through a honeypot generated by the framework developed here, so that it can be used as a deception-based tool in network security. From our experience in this study, we report some essential recommendations, points for improving and expanding this work.
Mobile devices such as smartphones have become indispensable nowadays, owing to increased processing power, greater data storage space, batteries with longer autonomy, and connectivity to wireless and 3G networks. The Android operating system is a complete platform for mobile devices, mainly smartphones, developed by Google in 2008. In this context it is gaining ever more space in the world market because it is open source. Attacks on mobile phones are not a new practice: the first virtual virus, named Cabir, was developed in 2004 and targeted exclusively the Symbian operating system. Studies show a large growth in digital attacks on the Android operating system. Honeypots (tools with many features whose main objective is to deceive the intruder) can be quite useful in the field of network security. They make the attacker think he is really interacting with an operating system when in fact he is being monitored. In this sense, the present work was carried out with the aim of developing a framework to generate an application-level virtual honeypot for the Android operating system. The methodological procedures for preparing this work were bibliographic research (articles, dissertations and specific literature). It is concluded that it is possible to monitor the attacker of mobile devices through the honeypot generated by the developed framework, so that it can be used as a deception-based tool in network security. Based on the experience gained in this study, we set out some recommendations, essential points for improving the topic addressed, such as giving the honeypot more visibility and extending it to other mobile operating systems.
47

Tamagna-Darr, Lucas. "Evaluating the effectiveness of an intrusion prevention system-honeypot hybrid /." Online version of thesis, 2009. http://hdl.handle.net/1850/10837.

48

Izagirre, Mikel. "Deception strategies for web application security: application-layer approaches and a testing platform." Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-64419.

Abstract:
The popularity of the internet has made the use of web applications ubiquitous and essential to the daily lives of people, businesses and governments. Web servers and web applications are commonly used to handle tasks and data that can be critical and highly valuable, making them a very attractive target for attackers and a vector for successful attacks that are aimed at the application layer. Existing misuse and anomaly-based detection and prevention techniques fail to cope with the volume and sophistication of new attacks that are continuously appearing, which suggests that there is a need to provide new additional layers of protection. This work aims to design a new layer of defense based on deception that is employed in the context of web application-layer traffic with the purpose of detecting and preventing attacks. The proposed design is composed of five deception strategies: Deceptive Comments, Deceptive Request Parameters, Deceptive Session Cookies, Deceptive Status Codes and Deceptive JavaScript. The strategies were implemented as a software artifact and their performance evaluated in a testing environment using a custom test script, the OWASP ZAP penetration testing tool and two vulnerable web applications. Deceptive Parameter strategy obtained the best security performance results, followed by Deceptive Comments and Deceptive Status Codes. Deceptive Cookies and Deceptive JavaScript got the poorest security performance results since OWASP ZAP was unable to detect and use deceptive elements generated by these strategies. Operational performance results showed that the deception artifact could successfully be implemented and integrated with existing web applications without changing their source code and adding a low operational overhead.
49

MOURA, Eduardo Henrique de Carvalho. "MODELO DE SEGURANÇA AUTONÔMICA PARA COMPUTAÇÃO EM NUVEM COM USO DE HONEYPOT." Universidade Federal do Maranhão, 2013. http://tedebc.ufma.br:8080/jspui/handle/tede/516.

Abstract:
Made available in DSpace on 2016-08-17T14:53:28Z (GMT). No. of bitstreams: 1 Dissertacao Eduardo Henrique.pdf: 3617295 bytes, checksum: 9340e7d8d280cd0e83cf78ad24f4e7b8 (MD5) Previous issue date: 2013-11-26
Conselho Nacional de Desenvolvimento Científico e Tecnológico
Cloud computing is a new computing paradigm which aims to provide on-demand service. Characteristics such as scalability and the availability of unlimited resources have attracted many users and companies. Along with them come many malicious users who want to take advantage of this possibility of resource sharing. Also, the migration of networks and servers to the cloud means that hacking techniques are now aimed at cloud-based servers. Attacks can originate even from within the environment, when a virtual machine running on one of its VLANs is used to probe, capture data, or launch attacks against servers instantiated in the cloud. All this, combined with difficult administration due to the complexity of the infrastructure, makes the security of the environment a critical point. The purpose of this study is to use an autonomic framework together with a deception methodology to propose an autonomic security model for computing clouds that helps secure servers and instances against attacks from other instances.
Cloud computing is a new computing paradigm that aims to offer service on demand. Its characteristics, such as scalability and the availability of unlimited resources, have attracted many users and companies. Along with them come many malicious users who want to take advantage of this possibility of resource sharing. Also, the migration of networks and servers to the cloud means that intrusion techniques are now aimed at cloud-based servers. Attacks can originate even from within the environment, when a virtual machine running on one of its VLANs is used to probe, capture data or launch attacks against servers instantiated in the cloud. All this, combined with difficult administration due to the complexity of the environment's infrastructure, makes security a critical point. The proposal of this work is to use an autonomic framework together with a deception methodology to propose an autonomic security model for computing clouds that helps secure servers and instances against attacks originating from other instances.
50

Ben, Mustapha Yosra. "Alert correlation towards an efficient response decision support." Thesis, Evry, Institut national des télécommunications, 2015. http://www.theses.fr/2015TELE0007/document.

Abstract:
SIEMs (Security Information and Event Management systems) are the core of security operations centres. They correlate a large number of events from different sensors (anti-virus, firewalls, intrusion detection systems, etc.) and offer synthetic views for threat management as well as security reports. Managing and analysing this large number of alerts is a difficult task for the security administrator. Alert correlation was designed to remedy this problem. Correlation solutions have been developed to obtain a more concise view of the generated alerts and a better description of the detected attack. They make it possible to considerably reduce the volume of alerts raised, in order to support the administrator in handling this large number of alerts. Unfortunately, these techniques do not take into account knowledge about the attacker's behaviour, the application's functionalities, or the defence perimeter of the supervised network (firewalls, proxy servers, intrusion detection systems, etc.). In this thesis, we propose two new alert correlation approaches. The first approach, which we call honeypot-based alert correlation, uses knowledge about attackers collected through honeypots. The second correlation approach is based on a model of security policy enforcement points.
Security Information and Event Management (SIEM) systems provide security analysts with a huge amount of alerts. Managing and analyzing such a tremendous number of alerts is a challenging task for the security administrator. Alert correlation has been designed in order to alleviate this problem. Current alert correlation techniques provide the security administrator with a better description of the detected attack and a more concise view of the generated alerts. That way, they usually reduce the volume of alerts in order to support the administrator in tackling the amount of generated alerts. Unfortunately, none of these techniques consider either the knowledge about the attacker's behavior or the enforcement functionalities and the defense perimeter of the protected network (firewalls, proxies, intrusion detection systems, etc.). It is still challenging to first improve the knowledge about the attacker and second to identify the policy enforcement mechanisms that are capable of processing generated alerts. Several authors have proposed different alert correlation methods and techniques. Although these approaches support the administrator in processing the huge number of generated alerts, they remain limited since these solutions do not provide us with more information about the attackers' behavior and the defender's capability in reacting to detected attacks. In this dissertation, we propose two novel alert correlation approaches. The first approach, which we call honeypot-based alert correlation, is based on the use of knowledge about attackers collected through honeypots. The second approach, which we call enforcement-based alert correlation, is based on a policy enforcement and defender capabilities model.