Anomaly based intrusion detection for network monitoring using a dynamic honeypot.

ANOMALY BASED INTRUSION DETECTION FOR NETWORK MONITORING USING A DYNAMIC HONEYPOT Jeff Hieb November 10, 2004 This thesis proposes a network based intrusion detection approach using anomaly detection and achieving low configuration and maintenance costs. A honeypots is an emerging security tool that has several beneficial characteristics, one of which is that all traffic to it is anomalous. A dynamic honeypot reduces the configuration and maintenance costs of honeypot deployment. An anomaly based intrusion detection system with low configuration and maintenance costs can be constructed by simply observing the egress and ingress to a dynamic honeypot. This thesis explores the design and implementation of a dynamic honeypot using a variety of publicly available tools. The main contributions of the design consist of a database containing network relevant information and a dynamic honeypot engine that generates honeypot configurations from the relevant network information. The thesis also explores a simple intrusion detection system built around the dynamic honeypot. These systems were experimentally implemented and preliminary testing identified anomalous traffic, though in some cases it was not necessarily intrusive. In one instance the dynamic honeypot based intrusion detection system identified an intrusion, which was not detected by conventional means.