If Lance Spitzner has his way, network defenders will get sweeter on the "honeypot"--a traditional method of detecting online intruders. Spitzner and two dozen members of the Honeynet Project hope new changes to the group's open-source honeypot technology will help the method become much more popular among security companies and others. The technology is designed to help users forge their own honeypots--faked computers and networks that serve as decoys for discovering online miscreants.
The changes, to be outlined in a paper that will be published online Monday, were described in a speech Spitzner gave here at the CanSecWest security show. The new features will help honeypots become harder for intruders to detect and easier to deploy for companies and even home users.
"It's an arms race," said Spitzner, founder of the Honeynet Project. "We are coming up with new stuff, and the bad guys will look at it. We are staying ahead of 99 percent of the crowd."
Honeypots solve a major problem of intrusion-detection systems, which frequently flag innocuous network traffic as a potential attack. These "false positives," as they're called, make the systems difficult to manage. They also create a "crying wolf" situation, in which genuine threats can be overlooked.
Honeypots can solve the problem because they only detect data sent to a specific server--one that, because it's fake, shouldn't have any data sent to it at all.
"Honeypots have no authorized activity, so if anyone interacts with (one) then you know (the interaction) is most likely malicious," said Spitzner, adding that such considerations make the warnings generated by honeypots very valuable.
Full Article: CNet News