Active defence through deceptive IPS

Modern security mechanisms such as Unified Threat Management (UTM), Next-Generation Firewalls and Security Information and Event Management (SIEM) have become more sophisticated over recent years, promising advanced security features and immediate mitigation of the most advanced threats. While this appears promising, in practice even this cutting-edge technology often fails to protect modern organisations as they are being targeted by attacks that were previously unknown to the security industry. Most security mechanisms are based on a database of previously known attack artefacts (signatures) and they will fail on slightly modified or new attacks. The need for threat intelligence is in complete contrast with the way current security solutions are responding to the threats they identify, as they immediately block them without attempting to acquire any further information. In this report, we present and evaluate a security mechanism that operates as an intrusion prevention system which uses honeypots to deceive an attacker, prevent a security breach and which allows the potential acquisition of intelligence on each intrusion attempt. a aThis article is published online by Computer Weekly as part of the 2017 Royal Holloway information security thesis series http://www.computerweekly.com/ehandbook/Active-defence-through-deceptive-IPS. It is based on an MSc dissertation written as part of the MSc in Information Security at the ISG, Royal Holloway, University of London. The full thesis is published on the ISG’s website at https://www.royalholloway.ac.uk/isg/.