A hybrid honeypot framework for improving intrusion detection systems in protecting organizational networks

This paper proposes a hybrid and adaptable honeypot-based approach that improves the currently deployed IDSs for protecting networks from intruders. The main idea is to deploy low-interaction honeypots that act as emulators of services and operating systems and have them direct malicious traffic to high-interaction honeypots, where hackers engage with real services. The setup permits for recording and analyzing the intruder's activities and using the results to take administrative actions toward protecting the network. The paper describes the basic components, design, operation, implementation and deployment of the proposed approach, and presents several performance and load testing scenarios. Implementation and performance plus load testing show the adaptability of the proposed approach and its effectiveness in reducing the probability of attacks on production computers. (C) 2006 Elsevier Ltd. All rights reserved.