175 lines
5.9 KiB
JSON
175 lines
5.9 KiB
JSON
{
|
||
"namespace": "honeypot-basic",
|
||
"description": "Updated (CIRCL, Seamus Dowling and EURECOM) from Christian Seifert, Ian Welch, Peter Komisarczuk, ‘Taxonomy of Honeypots’, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf",
|
||
"version": 4,
|
||
"predicates": [
|
||
{
|
||
"value": "interaction-level",
|
||
"expanded": "Interaction Level",
|
||
"description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
|
||
},
|
||
{
|
||
"value": "data-capture",
|
||
"expanded": "Data Capture",
|
||
"description": "Describes the type of data a honeypot is able to capture"
|
||
},
|
||
{
|
||
"value": "containment",
|
||
"expanded": "Containment",
|
||
"description": "Classifies the measures a honeypot takes to defend against malicious activity spreading from itself."
|
||
},
|
||
{
|
||
"value": "distribution-appearance",
|
||
"expanded": "Distribution Appearance",
|
||
"description": "Describes whether the honeypot system appears to be confined to one system or multiple systems."
|
||
},
|
||
{
|
||
"value": "communication-interface",
|
||
"expanded": "Communication Interface",
|
||
"description": "Describes the interfaces one can use to interact directly with the honeypot."
|
||
},
|
||
{
|
||
"value": "role",
|
||
"expanded": "Role in Multi-tier Architecture",
|
||
"description": "Describes in what role the honeypot acts within a multi-tier architecture."
|
||
}
|
||
],
|
||
"values": [
|
||
{
|
||
"predicate": "interaction-level",
|
||
"entry": [
|
||
{
|
||
"value": "high",
|
||
"expanded": "High Interaction Level",
|
||
"description": "Exposed functionality of the honeypot is not limited."
|
||
},
|
||
{
|
||
"value": "medium",
|
||
"expanded": "Medium Interaction Level",
|
||
"description": "Exposed functionality of the honeypot is limited to the service without exposing the full operating system."
|
||
},
|
||
{
|
||
"value": "low",
|
||
"expanded": "low Interaction Level",
|
||
"description": "Exposed functionality being limited. For example, a simulated SSH server of a honeypot is not able to authenticate against a valid login/password combination."
|
||
},
|
||
{
|
||
"value": "none",
|
||
"expanded": "No interaction capabilities",
|
||
"description": "No exposed functionality in the honeypot."
|
||
},
|
||
{
|
||
"value": "adaptive",
|
||
"expanded": "Learns from attack interaction",
|
||
"description": "Learns from attack interaction"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "data-capture",
|
||
"entry": [
|
||
{
|
||
"value": "network-capture",
|
||
"expanded": "Network capture",
|
||
"description": "The honeypot collects raw network capture."
|
||
},
|
||
{
|
||
"value": "events",
|
||
"expanded": "Events",
|
||
"description": "The honeypot collects data about something that has happened or took place, a change in state."
|
||
},
|
||
{
|
||
"value": "attacks",
|
||
"expanded": "Attacks",
|
||
"description": "The honeypot collects malicious activity."
|
||
},
|
||
{
|
||
"value": "intrusions",
|
||
"expanded": "Intrusions",
|
||
"description": "The honeypot collects malicious activity that leads to a security failure."
|
||
},
|
||
{
|
||
"value": "none",
|
||
"expanded": "None",
|
||
"description": "The honeypot does not collect events, attacks, or intrusions."
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "containment",
|
||
"entry": [
|
||
{
|
||
"value": "block",
|
||
"expanded": "Block",
|
||
"description": "Attacker’s actions are identified and blocked. The attack never reaches the target."
|
||
},
|
||
{
|
||
"value": "defuse",
|
||
"expanded": "Defuse",
|
||
"description": "The attack reaches the target, but is manipulated in a way that it fails against the target."
|
||
},
|
||
{
|
||
"value": "slow-down",
|
||
"expanded": "Slow Down",
|
||
"description": "Attacker is slowed down in his actions of spreading malicious activity."
|
||
},
|
||
{
|
||
"value": "none",
|
||
"expanded": "None",
|
||
"description": "No action is taken to limit the intruder’s spread of malicious activity against other systems."
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "distribution-appearance",
|
||
"entry": [
|
||
{
|
||
"value": "distributed",
|
||
"expanded": "Distributed",
|
||
"description": "The honeypot is or appears to be composed of multiple systems."
|
||
},
|
||
{
|
||
"value": "stand-alone",
|
||
"expanded": "Stand-Alone",
|
||
"description": "The honeypot is or appears to be one system."
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "communication-interface",
|
||
"entry": [
|
||
{
|
||
"value": "network-interface",
|
||
"expanded": "Network Interface",
|
||
"description": "The honeypot can be directly communicated with via a network interface."
|
||
},
|
||
{
|
||
"value": "hardware-interface",
|
||
"expanded": "Non-Network Hardware Interface",
|
||
"description": "Examples: Printer port, CDROM drives, USB connections."
|
||
},
|
||
{
|
||
"value": "software-api",
|
||
"expanded": "Software API",
|
||
"description": "The honeypot can be interacted with via a software API."
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "role",
|
||
"entry": [
|
||
{
|
||
"value": "server",
|
||
"expanded": "Server",
|
||
"description": "The honeypot is passively awaiting requests from clients."
|
||
},
|
||
{
|
||
"value": "client",
|
||
"expanded": "Client",
|
||
"description": "The honeypot is actively initiating requests to servers."
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|