NoAH: Network of Affine Honeypots

Computer networks have become vital infrastructure for virtually all organizations. Unfortunately, they have also become both source and victim of increasingly sophisticated attacks. Worms especially are hard to fight, as they are autonomous, self-replicating programs that may spread across the world in minutes ("flash worms"), leaving no time for human administrators to respond. Instead, an Intrusion Detection System (IDS) is needed that is able to cope with current and future worms.

The NoAH project will perform the technical preparatory work towards the implementation of a European Infrastructure of Affine Honeypots. The Infrastructure will consist of a Network of Honeypots that will be able to collaborate towards studying, identifying, and responding to cyberattacks, including both those attacks that were previously encountered, as well as new types of attacks. This infrastructure will provide a wealth of information about the way cyberattackers operate within the European cyberspace. Such information can be used by a wide variety of stakeholders including security administrators, security researchers, Security Emergency Response Teams, the European Network and Information Security Agency, National CyberSecurity Agencies, and many more in order to be able to defend the European Cyberspace in the most effective way.

The problem

Recently, we have been witnessing an increasing amount of cyberattacks over the Internet. Viruses, worms, exploits, Trojan horses, and Denial-of-Service attacks continue to plague our networks and to attack our systems at an alarming rate. For example, a couple of years ago, most of the world was astonished to learn that more than 4,000 Denial-of-Service (DoS) attacks are being launched on the Internet every week. Besides DoS attacks, malicious self-replicating programs, better known as worms, continue to plague our networks, to multiply rapidly, and to cause damage of unprecedented magnitude. For example, in January 2003, the Sapphire worm infected more than 75,000 computers in less than 30 minutes. In addition to worms, viruses continue to multiply and to gain access to our personal life, passwords, and bank accounts. The BugBear-B virus, for example, hit several computers on the Internet during the summer of 2003 and installed a keyboard logger that was able to steal passwords and gain access to secret information, including banking accounts and personal email messages.

Fortunately, the computer and network security industry has developed a number of products that can help us defend against cyberattacks. Such products include firewalls, antivirus systems, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs). Although these products can provide a decent level of protection, their effectiveness is limited to identifying only known forms of cyberattacks. For example, although an antivirus system can identify all known forms of viruses, it is usually helpless when confronted with a new type of virus. So far, new cyberattacks have been studied by security experts in security laboratories. After studying each new cyberattack for several hours or even days, the security experts provide updates to the antivirus and intrusion detection systems, which from that point onwards are able to recognize and stop the new form of the attack. However, new forms of cyberattacks, such as the previously mentioned Sapphire worm, are able to propagate very rapidly, leaving very little (if any) time for human intervention. That is, it is not possible for humans to manually study a worm such as Sapphire and update the antivirus and intrusion detection systems before the worm hits practically all computers on the globe. To prevent damage caused by new and rapidly spreading cyberattacks, we need to develop new security systems that are able to recognize new types of cyberattacks quickly and automatically, without any human intervention.

The solution: a European Network of Affine Honeypots

In order to be able to capture and recognize new types of cyberattacks, security experts have developed honeypots. A honeypot is a computer system that does not serve any ordinary users and does not provide any advertised service. Since it has no users, a honeypot should neither receive nor generate any traffic under ordinary conditions. If the honeypot receives or generates traffic, this is probably because it has been attacked (or compromised). Effectively, a honeypot is a decoy system that lures attackers into compromising it. However, each attack against a honeypot is logged so that security administrators will be able to study and analyze it. Once security administrators analyze an attack, they will be able to produce immunization metrics against it. Over the last four years, security experts have been using honeypots in order to study attackers by capturing the development of their attack while it was being planned, discussed, and deployed.

Although honeypots deliver information that is very accurate and usually consists only of cyberattack-related activity, their major disadvantage is that they have a very narrow field of view. That is, they are able to provide information only about the attacks they receive themselves. For example, if a neighboring computer is heavily under attack, a honeypot would not notice it until it is attacked itself. Thus, although honeypots have the potential to identify cyberattacks, each one of them lacks the critical mass needed to make fast and accurate decisions regarding the recognition and spread of new cyberattacks. For example, suppose that an organization deploys a single honeypot, and that a new worm starts to spread. Then it may take a long time before the worm attacks the honeypot: on average, the worm will attack half the computers on the Internet before attacking this particular honeypot. At that time, it would probably be too late to take countermeasures against the worm: on average, the worm would already have hit half of the organization's systems. Fortunately, the more honeypots an organization deploys, the sooner the worm hits one of them. For example, if an organization deploys k honeypots, then on average at least one of them will be hit after about 1/k of the vulnerable machines on the Internet have been infected. So if an organization deploys 1,000 honeypots, one of them will, on average, detect the new cyberattack after only about one thousandth of the vulnerable machines has been hit. However, deploying and managing such a large number of honeypots may be very difficult for a single organization. Moreover, the locality of the IP addresses that these honeypots will share within a single organization will probably make them less effective, since they will cover only a narrow local subset of the Internet.
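The "1/k" argument above can be checked numerically. The following is an added example, not NoAH project code; it assumes a worm that picks targets uniformly at random from a population of V vulnerable hosts plus k honeypots, and compares the closed form (a fraction 1/(k+1) of the vulnerable hosts are infected before the first honeypot is hit) against a Monte Carlo simulation of that infection order.

```python
"""Monte Carlo check of the honeypot-count argument (constructed example)."""
import random
from statistics import mean


def expected_fraction_before_detection(k: int) -> float:
    """Closed form for a uniformly random-scanning worm.

    Among V vulnerable hosts and k honeypots, each of the k honeypots
    is equally likely to fall at any position in the infection order,
    so the expected number of vulnerable hosts hit before the first
    honeypot is V/(k+1): a fraction 1/(k+1) of the vulnerable hosts,
    which is about 1/k for large k (and exactly 1/2 for k = 1).
    """
    return 1.0 / (k + 1)


def simulate_fraction_before_detection(vulnerable: int, honeypots: int,
                                       trials: int = 2000,
                                       seed: int = 1) -> float:
    """Average fraction of vulnerable hosts infected before any honeypot
    is touched, over `trials` random infection orders (seeded so the
    result is reproducible)."""
    rng = random.Random(seed)
    # False = ordinary vulnerable host, True = honeypot.
    hosts = [False] * vulnerable + [True] * honeypots
    fractions = []
    for _ in range(trials):
        rng.shuffle(hosts)                  # one random infection order
        first_honeypot = hosts.index(True)  # hosts hit before detection
        fractions.append(first_honeypot / vulnerable)
    return mean(fractions)


if __name__ == "__main__":
    V = 10_000  # constructed size of the vulnerable population
    print(f"{'honeypots':>9} {'closed form':>12} {'simulated':>10}")
    for k in (1, 10, 100, 1000):
        print(f"{k:>9} {expected_fraction_before_detection(k):>12.4f} "
              f"{simulate_fraction_before_detection(V, k, trials=300):>10.4f}")
```

The table shows detection moving from roughly half of the vulnerable population infected (one honeypot) down to about a thousandth (1,000 honeypots), matching the text.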

In NoAH, we propose to study the feasibility and perform the necessary technical preparatory work towards building an Infrastructure consisting of a European Network of Affine honeypots. This will be a network of honeypots that cooperate and exchange information in order to effectively combat cyberattacks.

Contact details

For more information about the NoAH project, contact Herbert Bos.