Anomaly-based intrusion monitoring using a dynamic honeypot

A recent addition to the intrusion detection product line is a new technology called a honeypot. A honeypot provides an attacker with resources that appear to be actual production systems that are in reality decoy systems designed to be attacked. Observing interaction with the honeypot facilitates the observation and analysis of attacks and the detection of anomalies. This paper discusses the design of a dynamic honeypot. The dynamic honeypot configures, deploys, and maintains virtual honeypots on a network, using passive probing and dynamic templates to customize the virtual honeypots to the network and react differently depending on the source of the connection. This paper also discusses the design and implementation of a simple intrusion monitoring system using the dynamic honeypot. During initial testing an exploit attempt that was not detected by conventional intrusion detection was detected by the dynamic honeypot monitoring system.