In addition to maintaining the rules, someone must respond to the alerts. Signatures sometimes match valid activity as well, so responding to an alert first requires determining whether it is the result of an intrusion or of unexpected but legitimate system activity. All of these tasks require highly trained personnel to carry out (Skoudis, 2002). The implication here, and as our company's ICT director confirmed, is that current intrusion detection systems are somewhat limited in capacity. This does not mean that current intrusion detection systems are not effective, only that they are not as effective as required. In this context it is commonly held that anomaly detection will ultimately prove more valuable and robust, because it has the potential to identify previously unknown intrusions or attacks. For this reason the corporation is currently investigating the implementation of honeypots.
Honeypots are new security technologies that, while not a replacement for traditional intrusion detection systems, address some of the weaknesses of those systems (Spitzner, 2003). Because their only purpose is to be attacked, all traffic to a honeypot can be treated as an intrusion or an anomaly of some sort. There is therefore no need to separate normal traffic from anomalous traffic, which makes any data collected from a honeypot of high value. Furthermore, since honeypots have no production value, no resource or person should be communicating with them, so any activity arriving at a honeypot is likely to be a probe, scan, or attack. Their value comes from their potential ability to capture scans, probes, attacks, and other malicious activity (Spitzner, 2003).
There are three types of honeypots: low interaction, medium interaction, and high interaction. To collect information a honeypot must interact with the attacker, and the level of interaction refers to the degree to which the honeypot engages with a potential attacker (Spitzner, 2003). A low-interaction honeypot provides a minimal service, such as an open port. A medium-interaction honeypot simulates basic interactions, such as asking for a login and password, but provides no actual service to log into. High-interaction honeypots offer a fully functioning service or operating system, which can potentially be compromised (Spitzner, 2003).
Honeypots have also been shown to be effective against Internet worms. Laurent Oudot (2006) demonstrated how MSBlast could be detected and captured using Honeyd and some simple scripts. He also showed how worm propagation can be slowed by using Honeyd to attract the worm's attention and then respond very slowly to its requests. Using scripts, Oudot demonstrated how a honeypot could even launch a counterattack against a worm outbreak, either by isolating services or network segments, or by abusing the same vulnerability the worm used and then attempting to kill the worm process.
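As an added illustration (not part of the original text, and not Honeyd or Oudot's scripts), the following constructed Python sketch shows the medium-interaction behaviour described above: it presents a login prompt that never grants access, records every connection and credential attempt as an alert because no legitimate client should reach it, and can delay each reply to slow an automated worm in the manner Oudot described. The banner, listening port and peer addresses are assumed placeholders.

```python
import socket
import threading
import time
from datetime import datetime, timezone

BANNER = b"login: "  # constructed prompt; no real service sits behind it

class LoginHoneypot:
    """Fake login dialog that never grants access; every line is an alert."""
    def __init__(self, peer, tarpit_delay=0.0, max_attempts=3):
        self.peer, self.tarpit_delay, self.max_attempts = peer, tarpit_delay, max_attempts
        self.events = []       # alert records: traffic to a honeypot is never "normal"
        self.state = "login"   # login -> password -> login ... -> closed
        self._user, self.attempts = None, 0
        self._log("connect", None)  # a bare connect with no input is a probe/scan
    def _log(self, kind, data):
        self.events.append({"ts": datetime.now(timezone.utc).isoformat(),
                            "peer": self.peer, "kind": kind, "data": data})
    def handle(self, line):
        # Consume one line from the client and return the next prompt.
        line = line.rstrip(b"\r\n")
        time.sleep(self.tarpit_delay)  # tarpit: slow replies stall automated scanners
        if self.state == "login":
            self._user, self.state = line, "password"
            return b"Password: "
        self.attempts += 1
        self._log("credential", {"user": self._user, "password": line})
        if self.attempts >= self.max_attempts:
            self.state = "closed"
            return b"\nToo many login failures.\n"
        self.state = "login"
        return b"\nLogin incorrect\n" + BANNER

def serve(host="127.0.0.1", port=2323, tarpit_delay=0.0):
    # Accept TCP clients (assumed port) and run one LoginHoneypot per connection.
    def session(conn, addr):
        hp = LoginHoneypot("%s:%d" % addr, tarpit_delay)
        with conn:
            conn.sendall(BANNER)
            while hp.state != "closed":
                data = conn.recv(256)
                if not data:
                    break
                conn.sendall(hp.handle(data))
        for ev in hp.events:
            print("ALERT", ev)  # in production, forward to the SIEM / IDS console
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port)); srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=session, args=(conn, addr), daemon=True).start()
```

Calling `serve(tarpit_delay=5.0)` turns the listener into a tarpit; every recorded event is an alert by definition, which is the property that frees a honeypot from having to separate normal traffic from anomalous.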
Honeypots do face several important challenges: 1) they are entirely unaware of attacks not directed at them; 2) they must avoid being fingerprinted, because if an attacker can easily identify a honeypot its usefulness will be severely limited; and 3) like so many security technologies, they require configuration and maintenance by a knowledgeable person (Spitzner, 2003).
Honeypots, because of their very nature, excel at detection. What makes them most attractive in the area of detection is the fact that they