{ "namespace": "honeypot-basic", "description": "Updated (CIRCL and Seamus Dowling) from Christian Seifert, Ian Welch, Peter Komisarczuk, ‘Taxonomy of Honeypots’, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf", "version": 3, "predicates": [ { "value": "interaction-level", "expanded": "Interaction Level", "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services." }, { "value": "data-capture", "expanded": "Data Capture", "description": "Describes the type of data a honeypot is able to capture" }, { "value": "containment", "expanded": "Containment", "description": "Classifies the measures a honeypot takes to defend against malicious activity spreading from itself." }, { "value": "distribution-appearance", "expanded": "Distribution Appearance", "description": "Describes whether the honeypot system appears to be confined to one system or multiple systems." }, { "value": "communication-interface", "expanded": "Communication Interface", "description": "Describes the interfaces one can use to interact directly with the honeypot." }, { "value": "role", "expanded": "Role in Multi-tier Architecture", "description": "Describes in what role the honeypot acts within a multi-tier architecture." } ], "values": [ { "predicate": "interaction-level", "entry": [ { "value": "high", "expanded": "High Interaction Level", "description": "Exposed functionality of the honeypot is not limited." }, { "value": "low", "expanded": "low Interaction Level", "description": "Exposed functionality being limited. For example, a simulated SSH server of a honeypot is not able to authenticate against a valid login/password combination" }, { "value": "none", "expanded": "No interaction capabilities", "description": "No exposed functionality in the honeypot." }, { "value": "adaptive", "expanded": "Learns from attack interaction", "description": "Learns from attack interaction" } ] }, { "predicate": "data-capture", "entry": [ { "value": "network-capture", "expanded": "Network capture", "description": "The honeypot collects raw network capture." }, { "value": "events", "expanded": "Events", "description": "The honeypot collects data about something that has happened or took place, a change in state." }, { "value": "attacks", "expanded": "Attacks", "description": "The honeypot collects malicious activity." }, { "value": "intrusions", "expanded": "Intrusions", "description": "The honeypot collects malicious activity that leads to a security failure." }, { "value": "none", "expanded": "None", "description": "The honeypot does not collect events, attacks, or intrusions." } ] }, { "predicate": "containment", "entry": [ { "value": "block", "expanded": "Block", "description": "Attacker’s actions are identified and blocked. The attack never reaches the target." }, { "value": "defuse", "expanded": "Defuse", "description": "The attack reaches the target, but is manipulated in a way that it fails against the target." }, { "value": "slow-down", "expanded": "Slow Down", "description": "Attacker is slowed down in his actions of spreading malicious activity." }, { "value": "none", "expanded": "None", "description": "No action is taken to limit the intruder’s spread of malicious activity against other systems." } ] }, { "predicate": "distribution-appearance", "entry": [ { "value": "distributed", "expanded": "Distributed", "description": "The honeypot is or appears to be composed of multiple systems." }, { "value": "stand-alone", "expanded": "Stand-Alone", "description": "The honeypot is or appears to be one system." } ] }, { "predicate": "communication-interface", "entry": [ { "value": "network-interface", "expanded": "Network Interface", "description": "The honeypot can be directly communicated with via a network interface." }, { "value": "hardware-interface", "expanded": "Non-Network Hardware Interface", "description": "Examples: Printer port, CDROM drives, USB connections." }, { "value": "software-api", "expanded": "Software API", "description": "The honeypot can be interacted with via a software API." } ] }, { "predicate": "role", "entry": [ { "value": "server", "expanded": "Server", "description": "The honeypot is passively awaiting requests from clients." }, { "value": "client", "expanded": "Client", "description": "The honeypot is actively initiating requests to servers." } ] } ] }