Computer Networking/Internet Security: Use of a "honeypot" computer to analyse intrusion techniques

Title: The Gathering and Analysis of Honeypot Data in Computer Security

Objective: The purpose of this project is to analyze the tools and strategies that internet attackers and their automated scripts use, by means of the honeypot tactic. The development of analysis tools is both an intermediate step in completing this lab and a valuable end result in its own right.

Justification: The amount of information stored electronically grows every day, and with it grows the exposure of that information to compromise by an outside, unknown, unwanted intruder. Computer security is an ever-growing field of study and deserves a great deal of attention. This project hopes to use what is learned about intruders' strategies to improve methods of protection, and possibly to reveal a previously unknown method of attack that can then be defended against. Beyond the immediate benefit of learning an attacker's tools, mastery of the honeypot tactic and the development of tools for it can aid the field by making honeypots more effective, easier to deploy, and harder for intruders to detect.

Description: A honeypot is a computer designed specifically to be attacked. It should hold no valuable information and have no trusted connections to other systems, so that its compromise is meaningless. By letting the honeypot be compromised by scripts and worms while maintaining logs of activity at multiple layers of the system, one can learn a great deal about how attacks are actually carried out. Because an intruder who gains control of the honeypot can alter or erase logs kept on it, those logs must be copied off the machine to a separate system as they are produced. This project would consist of a few phases:

1) Deploy the honeypot: set it up, strip it down, and get it ready to be attacked.
2) Do preliminary analysis to learn how to carry out analysis routinely and to find out what kind of activity to expect.
3) Develop tools based on the preliminary analysis to automate data gathering and to filter out legitimate internet traffic (the analyst's own connections, monitoring, and other expected activity) so that only suspicious activity remains.
4) Collate the remaining data into real information that can be used for real system defense.

Limitations: The project takes little space and is flexible enough to accommodate slow-downs or speed-ups in the schedule. It would require a low-end computer dedicated to the project and stripped of most of its connections to TJ, and the useful data on that computer must be transferred somewhere else. This may be somewhat difficult to do. Another problem, ironically, is security. Even the safest system can be compromised by a clever or determined attacker, and a honeypot is deliberately less than the safest. This is why honeypots are stripped of anything useful. Even so, the honeypot could be taken over by an attacker and used for their own purposes, for example as a staging point for attacks on other systems. The likelihood of this varies, because two things must be weighed: how much risk one is willing to accept and how much information one wants to get out of the honeypot. I could make the risk very small, but this would render the honeypot somewhat useless. Thus I need to do more research into honeypots, security, and the internet, and a happy medium between value and risk needs to be found. If no such medium can be found that is acceptable to everyone, I can circumvent this problem by maintaining the honeypot on my own dime at home, while doing the analysis and developing the tools at TJ. I would like to do that only as a last resort, however.
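As an added illustration of phases 3 and 4 of the plan (this is example code written for this page, not a tool from the proposal itself), the following Python script reads honeypot connection records, discards traffic from an allowlist of known-legitimate sources, and collates what remains by source address and targeted port, flagging sources that probe several ports as likely scanners. The log line format, the allowlisted networks, and the sample log lines are all constructed assumptions for the example; a real deployment would adapt the parser to whatever the honeypot's logging layer actually emits.

```python
"""Honeypot log filter and collator (added example; constructed data)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed log line format, one connection attempt per line:
#   <timestamp> <src_ip>:<src_port> -> <dst_port>/<proto> [payload summary]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dport>\d+)/(?P<proto>tcp|udp)\s*(?P<note>.*)$"
)

# Assumed "legitimate" sources to filter out: the analyst's management
# subnet and the host that collects the honeypot's logs. Anything the
# honeypot is expected to talk to belongs here; everything else is suspect.
LEGIT_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.1.50/32"),
]

# A source touching this many distinct ports or more is treated as a scanner.
SCAN_PORT_THRESHOLD = 3


def is_legitimate(src_ip: str) -> bool:
    """True if src_ip falls inside any allowlisted network."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in LEGIT_NETWORKS)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def collate(lines):
    """Filter legitimate traffic and summarise the rest.

    Returns a dict with attempts per source, attempts per destination port,
    the list of probable scanners, and counts of dropped/malformed lines.
    """
    per_src = Counter()
    per_port = Counter()
    ports_by_src = defaultdict(set)
    dropped = malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1          # keep a count so parser gaps are visible
            continue
        if is_legitimate(rec["src"]):
            dropped += 1            # expected traffic, not attacker activity
            continue
        per_src[rec["src"]] += 1
        per_port[rec["dport"]] += 1
        ports_by_src[rec["src"]].add(rec["dport"])
    scanners = sorted(
        src for src, ports in ports_by_src.items()
        if len(ports) >= SCAN_PORT_THRESHOLD
    )
    return {
        "per_src": per_src,
        "per_port": per_port,
        "scanners": scanners,
        "dropped": dropped,
        "malformed": malformed,
    }


# Constructed sample log (documentation address ranges, not real attackers).
SAMPLE_LOG_LINES = [
    "2003-10-01T02:14:07 203.0.113.7:4412 -> 22/tcp SSH banner grab",
    "2003-10-01T02:14:09 203.0.113.7:4413 -> 22/tcp SSH banner grab",
    "2003-10-01T02:15:31 10.0.0.5:33120 -> 22/tcp admin login",
    "2003-10-01T02:16:02 198.51.100.23:1025 -> 21/tcp",
    "2003-10-01T02:16:02 198.51.100.23:1026 -> 80/tcp GET / HTTP/1.0",
    "2003-10-01T02:16:03 198.51.100.23:1027 -> 443/tcp",
    "2003-10-01T02:17:44 192.168.1.50:5000 -> 80/tcp GET /status HTTP/1.0",
    "garbage line that does not match the expected format",
    "2003-10-01T02:20:10 203.0.113.7:4414 -> 80/tcp GET / HTTP/1.0",
]


if __name__ == "__main__":
    report = collate(SAMPLE_LOG_LINES)
    print("attempts per source:", dict(report["per_src"]))
    print("attempts per port:  ", dict(report["per_port"]))
    print("probable scanners:  ", report["scanners"])
    print("dropped as legitimate:", report["dropped"],
          "malformed:", report["malformed"])
```

On the sample data the two management-network lines are dropped, the unparseable line is counted rather than silently ignored, and 198.51.100.23 is flagged as a scanner because it touched three distinct ports while 203.0.113.7 touched only two. Counting malformed lines separately matters in practice: a parser that quietly skips what it does not understand is exactly how a new attack technique goes unnoticed.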