Honey@home: A New Approach to Large-Scale Threat Monitoring

Honeypots have been proven to be very useful for accurately detecting attacks, including zero-day threats, at a reasonable cost and with zero false positives. However, there are two pressing problems with existing approaches. The first problem is that timely detection requires deployment of honeypots in a large fraction of the network address space, which many organizations or ISPs cannot afford. The second problem is that attackers are evolving, and it has been shown that it is not difficult for them to identify honeypots and develop blacklists to avoid them when launching a new attack. In response to these problems, we propose a new architecture that enables large-scale deployment at low cost, while making it harder for attackers to maintain accurate blacklists. The Honey@home architecture relies on communities of regular users installing a lightweight honeypot that monitors unused IP addresses and ports. Since it does not require the static allocation of valuable chunks of network address space, and considering the success of other community-based approaches such as seti@home and folding@home, our approach is well-suited for creating a large-scale honeypot infrastructure at low cost. Since participation in the system is dynamic as users come and go, it becomes harder for attackers to maintain accurate blacklists. In this paper we discuss the current design of the Honey@home architecture, a preliminary implementation and describe the design issues that we faced especially with respect to infrastructure robustness, the challenges we have to deal with and the effectiveness of our approach.