NoAH: Network of Affine HoneypotsNoAH: Network of Affine HoneypotsComputer networks have become vital infrastructure for virtually all organizations. Unfortunately, they have also become both source and victim of increasingly sophisticated attacks. `Worms' especially are hard to fight, as they are autonomous, self-replicating programs that may spread across the world in minutes (`flash worms'), leaving no time for human administrators to respond in a timely fashion. Instead, an Intrusion Detection System (IDS) is needed that is able to cope with current and future worms.
The NoAH project will perform the technical preparatory work towards the implementation of a European Infrastructure of Affine Honeypots. The Infrastructure will consist of a Network of Honeypots that will be able to collaborate towards studying, identifying, and responding to cyberattacks, including both those attacks that were previously encountered, as well as new types of attacks. This infrastructure will provide a wealth of information about the way cyberattackers operate within the European cyberspace. Such information can be used by a wide variety of stakeholders including security administrators, security researchers, Security Emergency Response Teams, the European Network and Information Security Agency, National CyberSecurity Agencies, and many more in order to be able to defend the European Cyberspace in the most effective way.
Fortunately, the computer and network security industry has developed a number of products that can help us defend against cyberattacks. Such products include firewalls, antivirus systems, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs). Although these products can provide a decent level of protection, their effectiveness is limited to identifying only known forms of cyberattacks. For example, although an antivirus system can identify all known forms of viruses, it is usually helpless when confronted with a new type of virus. So far, new cyberattacks were studied by security experts in security laboratories. After studying each new cyberattack for several hours or even days, the security experts provided updates to the antivirus and intrusion detection systems, which from that point onwards are able to recognize and stop the new form of the attack. However, new forms of cyberattacks, such as the previously mentioned Sapphire worm, are able to propagate very rapidly, leaving very little (if any) time for human intervention. That is, it is not possible for humans to manually study a worm such as Sapphire and update the antivirus and Intrusion Detection Systems before the worm hits practically all computers on the Globe. To prevent damage caused by new and rapidly spreading cyberattacks, we need to develop new security systems that must be able to recognize new types of cyberattacks quickly and automatically without any human intervention.
In order to be able to capture and recognize new types of cyberattacks, security experts have developed honeypots. A honeypot is a computer system that does not serve any ordinary users and does not provide any advertised service. Since it has no users, a honeypot should neither receive nor generate any traffic under ordinary conditions. If the honeypot receives or generates traffic, this is probably because it has been attacked (or compromised). Effectively, a honeypot is a decoy system that lures attackers into compromising it. However, each attack against a honeypot is logged so that security administrators will be able to study and analyze it. Once security administrators analyze an attack they will be able to produce immunization metrics against it. Over the last four years, security experts have been using honeypots in order to study attackers by capturing the development of their attack while this was being planned, discussed, and deployed.
Although honeypots deliver information that is very accurate and
usually consists only of cyberattack-related activity, their major
disadvantage is that they have a very narrow field of view. That is,
they are able to provide information only about the attacks they
receive themselves. For example, if their neighbor computer is heavily
under attack, honeypots would not notice it, before they are being
attacked themselves. Thus, although honeypots have the potential to
identify cyberattacks, each one of them lacks the critical mass needed
to make fast and accurate decisions regarding recognition and spread
of new cyberattacks. For example, suppose that an organization deploys
a single honeypot, and that a new worm starts to spread. Then, it may
take a long time before the worm attacks the honeypot: on the average,
the worm will attack half the computers on the Internet before
attacking this particular honeypot. At that time, it would probably be
too late to take countermeasures against the worm: the worm would have
hit half of the organizations systems on the average. Fortunately, the
more honeypots an organization deploys, the faster it is before the
worm hits any of the honeypots. For example, if an organization
deploys k honeypots, then on the average, at least one of them will be
hit after about 1/k of the vulnerable machines on the Internet have
been infected. For example, if an organization deploys 1,000
honeypots, then approximately one of them will detect the new
cyberattack after about only 1 thousandth of the vulnerable machines
has been hit. However, deploying and managing such a large number of
honeypots may be very difficult for a single organization. Moreover,
the locality of IP addresses that these honeypots will share within a
single organization will probably make them less effective, since they
will cover a narrow local subset of the Internet.
In NoAH, we propose to study the feasibility and perform the necessary technical preparatory work towards building an Infrastructure consisting of a European Network of Affine honeypots. This will be a network of honeypots that cooperate and exchange information in order to effectively combat cyberattacks.