This document describes the design of the NoAH containment environment. The environment, known as Argos, is intended for use in a high-interaction honeypot that runs real services on any operating system. Unlike most other systems, we do not require the traffic arriving at the honeypot to be suspect to begin with, as Argos is designed to detect zero-day attacks.

Increasing usage of Internet and computer networks by individuals and organizations and also attackers’ usage of new methods and tools in an attempt to endanger network security, have led to the emergence of a wide range of threats to networks. A honeypot is one of the basic techniques employed for network security improvement. It is basically designed to be attacked so as to get the attackers’...

Honeypot has been an invaluable tool for the detection and analysis of network-based attacks by either human intruders or automated malware in the wild. The insights obtained by deploying honeypots, especially high-interaction ones, largely rely on the monitoring capability on the honeypots. In practice, based on the location of sensors, honeypots can be monitored either internally or externall...

Server honeypots are static systems, setup to monitor attacks on research and production networks. Static honeypots are unable to represent the dynamic nature of today’s networks where different numbers of hardware devices and hosts running various operating systems are online at a particular time and frequently join and leave a network. A single static server honeypot presents a particular ope...

Intelligence on mobile threats is a valuable asset. Honeypots showed to provide a good resource to gain threat intelligence in other areas. Unfortunately, current malware largely relies on social engineering to infect smartphones. Recently, attacks against smartphones have shifted towards local communication interfaces. These trends make traditional honeypot concepts unsuitable. We propose a no...

The honeypot has emerged as an effective tool to provide insights into new attacks and current exploitation trends. Though effective, a single honeypot or multiple independently operated honeypots only provide a limited local view of network attacks. Deploying and managing a large number of coordinating honeypots in different network domains will not only provide a broader and more diverse view...

A honeypot is a decoy computer system used in network security to waste the time and resources of attackers and to analyze their behaviors. While there has been significant research on how to design honeypot systems, less is known about how to use honeypots strategically in network defense. Based on formal deception games, we develop two game-theoretic models that provide insight into how valua...

In the past several years there has been extensive research into honeypot technologies, primarily for detection and information gathering against external threats. However, little research has been done for one of the most dangerous threats, the advance insider, the trusted individual who knows your internal organization. These individuals are not after your systems, they are after your informa...

This paper is about deploying Distributed Honeypot System that captures and analyze the attacks on different operating system on Eucalyptus Iaas cloud. The file based security is proposed and implemented on data to make data access secure on virtual machines and physical system in cloud. This makes the private cloud deployment secure enough due to three layers of security provided by virtualiza...

An SSH honeypot can be used to study the activities of an attacker by logging the full SSH session. In this paper we present an interactive visualization system that can be used by network security experts to visually analyze large sets of SSH honeypot data. By using different visualizations and interaction techniques the expert can explore SSH sessions and quickly find related sessions which w...