Merge pull request #79 from michael-hamm/master

Honeypot basic taxonomy
2018-01-03 13:55:41 +01:00 · 2018-01-03 13:55:41 +01:00 · 23af924390
parent db95d757a9 7a358b6d8f
commit 23af924390
1 changed files with 154 additions and 0 deletions
--- a/honeypot-basic/machinetag.json
+++ b/honeypot-basic/machinetag.json
@ -0,0 +1,154 @@
+{
+  "namespace": "honeypot-basic",
+  "description": "Christian Seifert, Ian Welch, Peter Komisarczuk, ‘Taxonomy of Honeypots’, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf",
+  "version": 1,
+  "predicates": [
+    {
+      "value": "interaction-level",
+      "expanded": "Interaction Level",
+      "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+    },
+    {
+      "value": "data-capture",
+      "expanded": "Data Capture",
+      "description": "Describes the type of data a honeypot is able to capture"
+    },
+    {
+      "value": "containment",
+      "expanded": "Containment",
+      "description": "Classifies the measures a honeypot takes to defend against malicious activity spreading from itself."
+    },
+    {
+      "value": "distribution-appearance",
+      "expanded": "Distribution Appearance",
+      "description": "Describes whether the honeypot system appears to be confined to one system or multiple systems."
+    },
+    {
+      "value": "communication-interface",
+      "expanded": "Communication Interface",
+      "description": "Describes the interfaces one can use to interact directly with the honeypot."
+    },
+    {
+      "value": "role",
+      "expanded": "Role in Multi-tier Architecture",
+      "description": "Describes in what role the honeypot acts within a multi-tier architecture."
+    }
+  ],
+  "values": [
+    {
+      "predicate": "interaction-level",
+      "entry": [
+        {
+          "value": "high",
+          "expanded": "High Interaction Level",
+          "description": "Exposed functionality of the honeypot is not limited."
+        },
+        {
+          "value": "low",
+          "expanded": "low Interaction Level",
+          "description": "Exposed functionality being limited. For example, a simulated SSH server of a honeypot is not able to authenticate against a valid login/password combination"
+        }
+      ]
+    },
+    {
+      "predicate": "data-capture",
+      "entry": [
+        {
+          "value": "events",
+          "expanded": "Events",
+          "description": "The honeypot collects data about something that has happened or took place, a change in state."
+        },
+        {
+          "value": "attacks",
+          "expanded": "Attacks",
+          "description": "The honeypot collects malicious activity."
+        },
+        {
+          "value": "intrusions",
+          "expanded": "Intrusions",
+          "description": "The honeypot collects malicious activity that leads to a security failure."
+        },
+        {
+          "value": "none",
+          "expanded": "None",
+          "description": "The honeypot does not collect events, attacks, or intrusions."
+        }
+      ]
+    },
+    {
+      "predicate": "containment",
+      "entry": [
+        {
+          "value": "block",
+          "expanded": "Block",
+          "description": "Attacker’s actions are identified and blocked. The attack never reaches the target."
+        },
+        {
+          "value": "defuse",
+          "expanded": "Defuse",
+          "description": "The attack reaches the target, but is manipulated in a way that it fails against the target."
+        },
+        {
+          "value": "slow-down",
+          "expanded": "Slow Down",
+          "description": "Attacker is slowed down in his actions of spreading malicious activity."
+        },
+        {
+          "value": "none",
+          "expanded": "None",
+          "description": "No action is taken to limit the intruder’s spread of malicious activity against other systems."
+        }
+      ]
+    },
+    {
+      "predicate": "distribution-appearance",
+      "entry": [
+        {
+          "value": "distributed",
+          "expanded": "Distributed",
+          "description": "The honeypot is or appears to be composed of multiple systems."
+        },
+        {
+          "value": "stand-alone",
+          "expanded": "Stand-Alone",
+          "description": "The honeypot is or appears to be one system."
+        }
+      ]
+    },
+    {
+      "predicate": "communication-interface",
+      "entry": [
+        {
+          "value": "network-interface",
+          "expanded": "Network Interface",
+          "description": "The honeypot can be directly communicated with via a network interface."
+        },
+        {
+          "value": "hardware-interface",
+          "expanded": "Non-Network Hardware Interface",
+          "description": "Examples: Printer port, CDROM drives, USB connections."
+        },
+        {
+          "value": "software-api",
+          "expanded": "Software API",
+          "description": "The honeypot can be interacted with via a software API."
+        }
+      ]
+    },
+    {
+      "predicate": "role",
+      "entry": [
+        {
+          "value": "server",
+          "expanded": "Server",
+          "description": "The honeypot is passively awaiting requests from clients."
+        },
+        {
+          "value": "client",
+          "expanded": "Client",
+          "description": "The honeypot is actively initiating requests to servers."
+        }
+      ]
+    }
+  ]
+}