Intrusion detection systems (IDS) are used to monitor network activity for signs of attackers. Reports are generated and alerts are signalled to the owner or manager of the specific network. An intrusion detection system that responds to an attack, for example by blocking traffic using a firewall, may be referred to as an intrusion prevention system (IPS) or an intrusion detection and prevention system (IDPS). In some implementations, attacker traffic is detected by and/or routed to one or more honeypots.
Honeypots are network decoys that attract attackers with the aim of distracting the attackers from more valuable production machines on a network. Honeypots are often deployed within a network at unallocated addresses, providing services and/or data to engage attackers. Because a honeypot has no production value and typically sits at an unallocated address, every attempt to contact a honeypot is suspect. This means that honeypots can be used to identify attacks, and consequently honeypots also enable the gathering of information about attacker behaviour and attacker identification while an attacker is exploiting a honeypot. Attackers, in turn, try to avoid honeypots by looking at behaviour (such as the services provided) to assess the likelihood of a target in a network being a honeypot.
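The detection logic implied by the two preceding paragraphs, as an added example that is not part of the original specification: connection records are parsed from a constructed log, any source that contacts a decoy address is treated as suspect, and that source's later traffic to production hosts is flagged for an IPS to act on. The addresses, log format and function names are assumptions made for the illustration.

```python
import re

# Constructed sample network: allocated production hosts and the unallocated
# addresses on which decoys listen (hypothetical values for illustration).
PRODUCTION_HOSTS = {"10.0.0.10": "web", "10.0.0.11": "db"}
HONEYPOTS = {"10.0.0.200", "10.0.0.201"}

# Constructed connection log lines (not taken from the original text).
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.0.0.50 dst=10.0.0.10 dport=443 proto=tcp
2024-01-01T10:00:05 src=198.51.100.7 dst=10.0.0.200 dport=22 proto=tcp
2024-01-01T10:00:06 src=198.51.100.7 dst=10.0.0.201 dport=445 proto=tcp
2024-01-01T10:00:09 src=198.51.100.7 dst=10.0.0.10 dport=443 proto=tcp
2024-01-01T10:00:12 src=10.0.0.51 dst=10.0.0.11 dport=5432 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def analyse(log_text, honeypots):
    """Return a per-source report for every source that touched a decoy.

    Pass 1 marks a source as suspect as soon as it contacts a honeypot address,
    since the decoy has no production value. Pass 2 records which decoy ports
    it probed and which production hosts the same source went on to contact.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    attackers = {src for src, dst, _ in events if dst in honeypots}
    report = {s: {"decoy_ports": set(), "production_targets": set()} for s in attackers}
    for src, dst, port in events:
        if src not in attackers:
            continue
        if dst in honeypots:
            report[src]["decoy_ports"].add(port)
        else:
            report[src]["production_targets"].add(dst)
    return report


def block_list(report):
    """Source addresses an IPS would hand to a firewall deny rule."""
    return sorted(report)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, HONEYPOTS)
    for src, details in result.items():
        print(src, sorted(details["decoy_ports"]), sorted(details["production_targets"]))
    print("block:", block_list(result))
```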
Physical honeypots are real machines with their own IP addresses, and are therefore expensive to implement. Virtual honeypots, on the other hand, require fewer physical machines, thereby reducing the cost. The operating system and services provided by a honeypot are configured according to the activity on the network and the intended purpose of the particular honeypot at that time. Because it is challenging, complex and time-consuming to configure honeypots, dynamic virtual honeypots are used to automate configuration processes. Dynamic honeypots are able to discover the network (e.g. by fingerprinting), decide what honeypot configuration to use, and then create and configure the honeypots.
Multiple honeypots can be combined to form a “honeynet”—a decoy network set up with intentional vulnerabilities. As with individual honeypots, the honeynet enables the owner/manager to observe and analyse an attacker's activities and use the gleaned information to strengthen the system's security mechanisms.
Background material relating in general to the technical field can be found in WO2012/011070 A1, US2015/0229656 A1, U.S. Pat. No. 8,661,102, US20060242701, US2007271614, US2007192863, US2011214182, US2013152199, US2015106889, US2016080414, US2016065614, US2006212942, JP2005004617, US20040128543 and US2010269175.
Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present disclosure as it existed before the priority date of each claim of this application.