Since attackers in a network cannot always be identified immediately and hacking methods tend to evolve faster than security features do, Microsoft proposes trapping intruders in honeypots, even in personal networks.
Honeypots are not new, but we typically hear about them as part of research projects or criminal investigations. However, if the approach works at the high end, it may work for the average home user as well. Future home networks could be equipped with a honeypot, and Microsoft now has a patent for this feature.
Current honeypots rely on IP address bait, which often results in a hacker attempting to connect to multiple IP addresses. However, these tactics may change and become more complex over time, and Microsoft believes there is a need to enable honeypots to run at a content or application level in a network environment rather than at the IP level. The advantage would be a much greater level of customization and personalization that reaches from the administrator through to the end user.
According to the patent, which was filed in June 2008 and awarded on May 15, 2012, honeypots could be configured as bait to attract hackers and include fake data, contacts, emails and other documents. This strategy could help a network to automatically identify possible hacking activity, block access to actual data, and notify a network administrator. Since no user would actually be interested in accessing such honeypotted resources, the system could easily determine hacking activity, Microsoft said.
"The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks," the patent states.
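The detection idea described above, as an added example that is not code from the patent or from Microsoft: decoy resources sit next to real ones, any access to a decoy raises an alert, and the session that touched it loses access to real data. The `HoneypotMonitor` class, the resource names, the session identifiers and the log format are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed decoy resources: fake mail, documents and contacts that no
# legitimate user has a reason to open.
DECOYS = {
    "mail:/Inbox/FW-admin-passwords.eml",
    "file:/Documents/bank-logins.xlsx",
    "contact:/decoy-helpdesk",
}

# Constructed access log: (time, session, resource).
SAMPLE_LOG = [
    ("09:00:01", "sess-alice", "file:/Documents/report.docx"),
    ("09:02:10", "sess-x91", "file:/Documents/report.docx"),
    ("09:02:14", "sess-x91", "file:/Documents/bank-logins.xlsx"),
    ("09:02:20", "sess-x91", "mail:/Inbox/invoice.eml"),
    ("09:03:00", "sess-alice", "mail:/Inbox/invoice.eml"),
    ("09:03:30", "sess-x91", "contact:/decoy-helpdesk"),
]


@dataclass
class HoneypotMonitor:
    decoys: set
    flagged: set = field(default_factory=set)   # sessions that touched bait
    alerts: list = field(default_factory=list)  # notifications for the admin

    def decide(self, time, session, resource):
        """Return 'allow', 'decoy' (bait served, alert raised) or 'deny'."""
        if resource in self.decoys:
            self.flagged.add(session)
            self.alerts.append(f"{time} {session} opened decoy {resource}")
            return "decoy"
        if session in self.flagged:
            return "deny"  # real data is cut off once bait was touched
        return "allow"


def replay(log, decoys=DECOYS):
    """Run a log through a fresh monitor; return (decisions, monitor)."""
    monitor = HoneypotMonitor(set(decoys))
    decisions = [monitor.decide(*entry) for entry in log]
    return decisions, monitor


if __name__ == "__main__":
    decisions, monitor = replay(SAMPLE_LOG)
    for entry, decision in zip(SAMPLE_LOG, decisions):
        print(*entry, "->", decision)
    print("alerts:", *monitor.alerts, sep="\n  ")
```

The 09:02:10 read of a real document is allowed because the session had not yet touched bait, so decoy placement determines how early an intruder is caught.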
Such a technique may become especially interesting not just for home networks, but as a standard feature in cloud service accounts. Service subscribers would be able to set their own honeypots within their space, enabling the service provider to detect malicious activity much faster and much more reliably.