A Holistic Approach Using Honey Communities For Cyber Event Detection and Protection in Communities and Large Distributed Organizations
The United States has U.S. CYBERCOM to protect the U.S. military infrastructure and the Department of Homeland Security to protect the nation's critical cyber infrastructure. These organizations deal with wide-ranging issues at the national level, which leaves local and state governments largely to fend for themselves on the cyber frontier. My research will focus on how to determine the threat to a community or large organization, and on which indications and warnings should lead us to suspect that a cyber security event affecting the community is underway. A cyber event, in terms of this research, includes probes of the network, simple brute-force attacks, "low and slow" attacks that are not normally detected by Intrusion Detection Systems, and illicit behavior originating within the network. We will utilize a collection of Honey Devices (HoneyPots, HoneyNets, HoneyWalls) in concert with external protection devices (firewalls and other perimeter defense devices), combining them into a multi-organization construct we call a Honey Community. In a Honey Community, the Honey Devices are spread throughout the community or large organization and provide data to evaluation nodes, which combine that data with input from the external perimeter defense devices. The evaluation nodes use data models to develop an overall picture of system status and can relay that status to higher-level nodes, informing IT professionals and community leaders of the state of their networks. The focus is to reduce the number of days intruders remain within the network and to detect intruders without the use of code or behavioral signatures.
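To make the evaluation-node idea concrete, the following is an added illustration written for this page; it is not code from the proposal and does not claim to be the data model the research will use. It rests on the one property that makes honey devices signature-free: no legitimate user has a reason to touch one, so every touch is evidence. The organization names, sensor names, thresholds and all events are constructed assumptions. Each organization's local node evaluates only its own data, while the community node evaluates the union, which is what exposes a "low and slow" source that every single organization sees as a lone probe.

```python
"""Illustrative Honey Community evaluation node (added example, not the proposal's model).

Events are connections observed either by a honey device ("honeypot") or by a perimeter
firewall ("firewall"). Classification uses counts, spread and timing only; no payload or
behavioral signatures are involved.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple

# Illustrative thresholds (assumptions, to be tuned per community).
BRUTE_HITS = 20                    # hits on one honey device ...
BRUTE_WINDOW = timedelta(minutes=10)  # ... inside this window -> brute force
SLOW_MIN_ORGS = 2                  # touches in this many organizations ...
SLOW_MIN_SPAN = timedelta(hours=24)   # ... spread over at least this long -> low and slow
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY = {"probe": 1, "brute_force": 2, "internal_misuse": 3, "low_and_slow": 3}
LEVEL_NAME = {0: "green", 1: "yellow", 2: "orange", 3: "red"}


class Event(NamedTuple):
    src: str        # source IP as seen by the sensor
    org: str        # organization that owns the sensor
    kind: str       # "honeypot" or "firewall"
    sensor: str     # device identifier within the organization
    ts: datetime


class Verdict(NamedTuple):
    label: str
    orgs: List[str]
    touches: int
    span: timedelta
    fw_corroborated: bool  # a perimeter device also logged this source


def build_sample_events() -> List[Event]:
    """Constructed sample data, not a real capture."""
    t0 = datetime(2024, 3, 1, 2, 0)
    ev = []
    # 203.0.113.7: one honeypot touch per organization, roughly a day apart, each preceded
    # by a firewall log entry. Too sparse for any single IDS to flag.
    targets = [("city-hall", "hp-ssh-1"), ("county-water", "hp-modbus-1"), ("school-district", "hp-smb-1")]
    for i, (org, sensor) in enumerate(targets):
        when = t0 + timedelta(days=i, hours=3 * i)
        ev.append(Event("203.0.113.7", org, "firewall", "edge-fw", when - timedelta(minutes=2)))
        ev.append(Event("203.0.113.7", org, "honeypot", sensor, when))
    # 198.51.100.9: 30 hits on one SSH honeypot in under six minutes (simple brute force).
    for i in range(30):
        ev.append(Event("198.51.100.9", "city-hall", "honeypot", "hp-ssh-1", t0 + timedelta(days=5, seconds=12 * i)))
    # 10.2.0.44: an internal host reaching a honey device it has no business touching.
    ev.append(Event("10.2.0.44", "county-water", "honeypot", "hp-modbus-1", t0 + timedelta(days=2, hours=9)))
    # 192.0.2.55: a single external probe.
    ev.append(Event("192.0.2.55", "school-district", "honeypot", "hp-smb-1", t0 + timedelta(days=1)))
    return ev


def is_internal(src: str) -> bool:
    return any(ip_address(src) in net for net in INTERNAL_NETS)


def is_burst(touches: List[Event]) -> bool:
    """Sliding window: BRUTE_HITS hits on the same device within BRUTE_WINDOW (touches sorted by ts)."""
    per_device = defaultdict(list)
    for t in touches:
        per_device[(t.org, t.sensor)].append(t.ts)
    for times in per_device.values():
        lo = 0
        for hi, ts in enumerate(times):
            while ts - times[lo] > BRUTE_WINDOW:
                lo += 1
            if hi - lo + 1 >= BRUTE_HITS:
                return True
    return False


def evaluate(events: List[Event]) -> Dict[str, Verdict]:
    """Classify every source that touched at least one honey device in the given scope."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        touches = sorted((e for e in evs if e.kind == "honeypot"), key=lambda e: e.ts)
        if not touches:
            continue  # firewall-only traffic is not evidence by itself
        orgs = sorted({e.org for e in touches})
        span = touches[-1].ts - touches[0].ts
        if is_internal(src):
            label = "internal_misuse"
        elif is_burst(touches):
            label = "brute_force"
        elif len(orgs) >= SLOW_MIN_ORGS and span >= SLOW_MIN_SPAN:
            label = "low_and_slow"
        else:
            label = "probe"
        verdicts[src] = Verdict(label, orgs, len(touches), span, any(e.kind == "firewall" for e in evs))
    return verdicts


def status_report(events: List[Event]) -> Dict[str, str]:
    """Local nodes evaluate their own organization; the community node evaluates the union."""
    def level(verdicts):
        return LEVEL_NAME[max((SEVERITY[v.label] for v in verdicts.values()), default=0)]
    report = {org: level(evaluate([e for e in events if e.org == org])) for org in sorted({e.org for e in events})}
    report["community"] = level(evaluate(events))
    return report


if __name__ == "__main__":
    sample = build_sample_events()
    for src, v in evaluate(sample).items():
        print(f"{src:14} {v.label:16} orgs={v.orgs} touches={v.touches} fw={v.fw_corroborated}")
    print(status_report(sample))
```

Run stand-alone it prints the per-source verdicts and the status rollup. The point worth noticing is the source 203.0.113.7: evaluated inside any one organization it is a single "probe", and only the community-wide evaluation labels it "low_and_slow"; the firewall corroboration flag is what a higher-level node would use to tell its IT staff where at the perimeter the same source was seen.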