While the Internet has had great successes in facilitating communications between computer systems and enabling electronic commerce, home users and users in computer networks such as enterprise and corporate networks connected to the Internet have been under almost constant attack by hackers seeking to disrupt their operation. Many of the attacks seek to exploit vulnerabilities of the application programs, operating systems, and other computer programs executing on those computer systems. Some of the destructive methods of attacking a computer system have been to infect the computer system with software that is designed specifically to damage or disrupt the computer system. And a growing threat in the information security domain is data leakage where attacks are implemented to retrieve valuable information from the system.
When an attacker (i.e., either a human hacker or software) invades a computer system, the integrity of the computer system may become greatly compromised. Malware commonly includes computer worms, viruses, Trojan horses, spyware, and so forth. Some malware behaves nefariously, such as by illicitly collecting and transmitting personal information. Some malware can hijack resources needed by operating system components or use these resources to subvert the security of the operating system. For example, such malware can cause an unprotected network resource to open a TCP/IP (Transport Control Protocol/Internet Protocol) port that allows the hacker to access the system's resources.
Hackers increasingly utilize automated scanning methods to identify IP addresses in order to find vulnerable victims. Once a victim is located, a common type of malware acquires computer systems or resources—i.e., targets—in order to propagate itself using the acquisitions. For example, the malware could be a worm that launches a self-propagating attack that exploits a vulnerability of a computer system by taking control and using that computer system to find other computer systems with the same vulnerability and launch attacks (i.e., sending the same worm) against them.
Various techniques have been developed and used to help detect the presence of such malware but unfortunately, detection of some malware has proved to be difficult. One technique attempts to set a trap, called a “honeypot” to detect the unauthorized use of network resources. A honeypot outwardly appears like any other computer system but is closely monitored. Typically, honeypots are configured to mimic real systems that a hacker would like to break into, but are designed to limit the hacker's access to other network resources. The honeypot can act as a decoy to lure hackers in order to understand their activities and better understand the vulnerabilities of a security system. In addition, when a hacker stepping into a honeypot is detected, steps can be taken to stop the hacker from accessing the real, non-honeypotted resources in a network. Well designed honeypots will fool a hacker into believing that the legitimate resources are being hacked into and the hacker will not realize that the activities are being monitored.
When the honeypot is accessed by the hacker, the monitoring system assumes that this is a malicious access and blocks the intruder while alerting the administrator. For example, unused IP addresses in the enterprise, such as a subnet, can be set up as the “bait” for one or more honeypots in order to detect attacks. The computer systems that are configured as honeypots at these IP addresses will typically not provide any real services other than to record the activities of the hacker. These honeypots are designed to wait for and detect unauthorized access of the IP addresses. The theory behind creating honeypots is that a worm or automated program used by a hacker for scanning IP addresses is going to step on the honeypot and become detected.
While honeypots can be effective in detecting and blocking malicious access to resources, the current IP address bait relies, in large part, on the hacker, worm or automated program blindly attempting to connect to multiple IP addresses. As hackers become more sophisticated in their methods of acquiring targets, these honeypots are becoming less successful at detecting sophisticated attacks.
This Background is provided to introduce a brief context for the Summary and Detailed Description that follow. This Background is not intended to be an aid in determining the scope of the claimed subject matter nor be viewed as limiting the claimed subject matter to implementations that solve any or all of the disadvantages or problems presented above.