Honeybrid: combining low and high interaction honeypots
27 May 2009 Robin Berthier gsoc honeybrid
The goal of this post is to introduce myself and my project: my name is Robin Berthier and I just got my PhD from the University of Maryland. I’ll be working this summer on improving Honeybrid, a hybrid honeypot architecture. I’ve been working with honeypot technologies for the past 4 years, and Honeybrid represents a central part of my dissertation.
Honeypots are usually divided into two categories according to the level of interaction they provide to attackers. First, there are low interaction honeypots, which emulate network services and collect only the beginning of an attack process. Second, there are high interaction honeypots, which are identical to production machines and collect detailed information about attacks. These two types of honeypot offer complementary advantages and limitations, and the goal of Honeybrid is to combine the best of both worlds. As such, Honeybrid is a hybrid honeypot solution.
The key to making this solution work is to correctly filter incoming attacks. This task is performed by a component called the decision engine, which integrates different attack filtering criteria so that Honeybrid can collect a large variety of attacks while remaining highly scalable. Attacks that are filtered out are handled by a low interaction front-end; attacks that are filtered in are transparently redirected to a back-end of high interaction honeypots for further analysis.
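To make the decision engine's role concrete, here is a small model of that routing logic, added as an example and not Honeybrid's own code. The three criteria it uses (payload novelty, a per-source budget and back-end capacity) and the sample connections are assumptions, since the post does not list Honeybrid's actual filters.

```python
"""Toy decision engine for a hybrid honeypot (added example, not Honeybrid's own code).
Assumed criteria (constructed here, not taken from the post): payload novelty, a
per-source budget and back-end capacity; a connection stays on the front-end unless all pass."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field

FRONTEND, BACKEND = "frontend", "backend"

@dataclass
class Connection:
    src: str        # source IP (constructed sample values below)
    dport: int      # destination port
    payload: bytes  # first bytes sent by the client

@dataclass
class DecisionEngine:
    backend_slots: int = 2        # concurrent high-interaction sessions available
    per_source_budget: int = 1    # back-end sessions one source IP may consume
    seen_payloads: set = field(default_factory=set)
    per_source: Counter = field(default_factory=Counter)
    active_backend: int = 0

    def decide(self, conn: Connection) -> str:
        digest = hashlib.sha256(conn.payload[:256]).hexdigest()  # hash a bounded prefix
        # Criterion 1: a payload already studied on the back-end stays on the front-end.
        if digest in self.seen_payloads:
            return FRONTEND
        # Criterion 2: one source cannot monopolise the scarce back-end.
        if self.per_source[conn.src] >= self.per_source_budget:
            return FRONTEND
        # Criterion 3: no free back-end slot, so the front-end absorbs the load.
        if self.active_backend >= self.backend_slots:
            return FRONTEND
        self.seen_payloads.add(digest)   # recorded only once actually redirected
        self.per_source[conn.src] += 1
        self.active_backend += 1
        return BACKEND

def route_sample() -> list:
    """Route constructed sample connections; returns one decision per connection."""
    engine = DecisionEngine(backend_slots=2, per_source_budget=1)
    sample = [
        Connection("203.0.113.5", 80, b"GET /index.php?id=1%20UNION%20SELECT"),
        Connection("203.0.113.5", 80, b"GET /index.php?id=1%20UNION%20SELECT"),  # repeat
        Connection("203.0.113.5", 22, b"SSH-2.0-scanner"),            # same source, budget spent
        Connection("198.51.100.9", 445, b"\x00\x00\x00\x85\xffSMB"),  # novel, slot free
        Connection("192.0.2.77", 23, b"admin\r\n"),                   # novel, but no slot left
    ]
    return [engine.decide(c) for c in sample]
```

In a real deployment the back-end slot would be released when the high-interaction session ends; the model omits that bookkeeping to stay focused on the filtering decision.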
The following diagram gives an overview of how Honeybrid interacts with the low and high interaction honeypots:
This filtering/redirection mechanism works pretty well, and a prototype of Honeybrid has already been implemented and tested. My objective for this summer is to build a robust application out of it. My first task for this week is to get rid of a memory leak and a data corruption problem. Honeybrid is implemented in C and uses multiple threads, which means it's going really fast, but access to data structures is often difficult to debug. I will use valgrind to hunt down incorrectly freed variables, and I will study whether it would be better to switch from a threaded environment to an event-based environment.
If you are looking for more information about hybrid honeypots, I would suggest the following publications:
- A Hybrid Honeypot Architecture for Scalable Network Monitoring, by Bailey et al. (2004)
- GQ: Realizing a System to Catch Worms in a Quarter Million Places, by Cui et al. (2006)
- SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models, by Leita and Dacier (2008)