
Network of Affined Honeypots: More Than An Infrastructure





Presentation Transcript



Network of Affined Honeypots: More Than An Infrastructure

presented by Spiros Antonatos, [email protected]

Distributed Computing Systems Lab, Institute of Computer Science, FORTH



Roadmap

A little about the project

What are honeypots?

The NoAH approach

Architecture overview

Argos

Honey@Home

Conclusions/discussion

Terena Networking Conference 2007



The NoAH project

  • Three-year project

    • April 2005 until March 2008

  • Funded by the Research Infrastructures Programme of the European Union

  • 4 Work Packages

  • FORTH is coordinator

What problem we face

  • Malware: worms, viruses, keyloggers, spyware…

  • Malware spreads fast

    • Faster than we can react

    • Thousands of hosts can be infected in a few minutes

  • We need information about the cyberattacks so as to build effective defenses

Project goals

Gather and analyse information about the nature of Internet cyberattacks

Develop an infrastructure to detect and provide early warning of such attacks

Security monitoring based on honeypot technology

What are honeypots?

Computer systems that do not run production services

Listen to unused IP addresses

Intentionally made vulnerable

Closely monitored to analyse attacks directed at them

We can identify two types of honeypots: low-interaction and high-interaction

Low- and high-interaction honeypots

  • Low-interaction honeypots emulate services using scripts

    + Lightweight processes, able to cover large network space

    - Emulation cannot provide a high level of interaction with attackers

  • High-interaction honeypots do not perform emulation, they run real services

    - Heavyweight processes, able to cover small network space

    + Provide the highest level of interaction with attackers

  • NoAH uses the advantages of both types

The NoAH architecture

Low-interaction honeypot: Honeyd

  • Most popular and widely-used low-interaction honeypot

  • Emulates thousands of IP addresses

    • Performs network stack emulation

  • Highly configurable and lightweight

  • An efficient mechanism to filter out unestablished and uninteresting connections

    • Port scans, SSH brute-force attacks, etc.

  • Interesting connections are forwarded to high-interaction honeypots
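The filtering role Honeyd plays in NoAH, as an added example in Python that is not Honeyd's own code: connections that never complete the handshake are dropped, a source that probes many ports without completing any handshake is tagged as a scanner, repeated short sessions against one service port are treated as brute-force noise, and the remaining established, payload-carrying connections are marked for handoff to the high-interaction honeypot. The record format, the thresholds and the flow records themselves are constructed for this illustration and are not from the project.

```python
"""
Toy model of the filtering a low-interaction front end such as Honeyd performs in
NoAH (example code added for illustration; not Honeyd's code). The record format,
the thresholds and the sample flow records are all constructed/assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed thresholds: tune them to the size of the monitored address space.
SCAN_PORT_THRESHOLD = 5      # distinct unanswered ports from one source => port scan
BRUTE_FORCE_THRESHOLD = 4    # short sessions to one service port => brute force
BRUTE_FORCE_MAX_BYTES = 64   # client payload at or below this counts as a "short" session


@dataclass(frozen=True)
class Flow:
    src: str
    dport: int
    established: bool   # did the TCP handshake complete?
    payload_bytes: int  # bytes the client sent after the handshake


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src=<ip> dport=<n> est=<0|1> bytes=<n>'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["src"], int(kv["dport"]), kv["est"] == "1", int(kv["bytes"]))


def classify(flows):
    """Return ([(flow, decision), ...], set_of_scanner_sources)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    decisions, scanners = [], set()
    for src, fl in by_src.items():
        # Port-scan heuristic: many distinct ports touched without a completed handshake.
        probed = {f.dport for f in fl if not f.established}
        if len(probed) >= SCAN_PORT_THRESHOLD:
            scanners.add(src)
        # Brute-force heuristic: many short established sessions against one port.
        short_per_port = Counter(
            f.dport for f in fl if f.established and f.payload_bytes <= BRUTE_FORCE_MAX_BYTES
        )
        for f in fl:
            if not f.established:
                decisions.append((f, "drop:scan" if src in scanners else "drop:unestablished"))
            elif short_per_port[f.dport] >= BRUTE_FORCE_THRESHOLD:
                decisions.append((f, "drop:brute-force"))
            else:
                decisions.append((f, "forward"))   # hand off to the high-interaction honeypot
    return decisions, scanners


# Constructed flow records (documentation-range addresses; not real traffic).
SAMPLE_RECORDS = [
    *[f"src=203.0.113.5 dport={p} est=0 bytes=0" for p in (21, 22, 23, 25, 80, 135)],
    *["src=198.51.100.7 dport=22 est=1 bytes=40"] * 5,
    "src=192.0.2.9 dport=139 est=0 bytes=0",
    "src=192.0.2.9 dport=445 est=1 bytes=1480",
]


def summarize(records=SAMPLE_RECORDS):
    """Count decisions per category and return the sources flagged as scanners."""
    decisions, scanners = classify(parse_flow(r) for r in records)
    return Counter(d for _, d in decisions), scanners


if __name__ == "__main__":
    counts, scanners = summarize()
    print(dict(counts))
    print("scanners:", sorted(scanners))
```

Only the last record reaches the "forward" decision; everything else is the kind of noise the slide lists (scans and brute force), which is exactly what a high-interaction honeypot should not have to spend its limited capacity on.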

High-interaction honeypot: Argos

  • Emulates entire PC systems

    • OS agnostic, runs on commodity hardware

    • Based on the Qemu emulator

  • Key idea: data coming from the network should never be executed

  • Tracks network data throughout execution

    • Memory tainting technique

  • Detects illegal uses of network data

    • Jump targets, function pointers, instructions, system call arguments

  • Argos is able to detect all exploit attempts, including 0-days!
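The memory-tainting idea on this slide, as an added example that is not Argos code: a toy register machine in Python tags every byte arriving from the (simulated) NIC as tainted, carries the tag through register moves, memory copies and arithmetic, and raises an alert when a tainted value is used as a jump target or as a system-call argument. The instruction set, the buffer address NET_BUF, the packet bytes and the three programs are constructed for this illustration.

```python
"""
Toy model of Argos-style memory tainting (added example, not Argos code).
Network bytes are tainted on arrival; the taint follows the data through
registers, memory and arithmetic; using tainted data for control flow or as a
system-call argument is reported. Instruction set and addresses are constructed.
"""

NET_BUF = 0x1000  # assumed address where the toy NIC deposits received bytes


class TaintVM:
    def __init__(self, net_input: bytes):
        self.mem = {}                                   # addr -> (value, tainted)
        self.regs = {r: (0, False) for r in ("a", "b", "c")}
        self.alerts = []
        for i, byte in enumerate(net_input):
            self.mem[NET_BUF + i] = (byte, True)        # network data is tainted on arrival

    def _read(self, addr):
        return self.mem.get(addr, (0, False))           # untouched memory is clean

    def run(self, program, max_steps=100):
        pc = 0
        for _ in range(max_steps):
            if not 0 <= pc < len(program):
                break
            op, *args = program[pc]
            if op == "halt":
                break
            if op == "loadi":                           # constant from the code: clean
                self.regs[args[0]] = (args[1], False)
            elif op == "load":                          # register <- memory, taint copied
                self.regs[args[0]] = self._read(args[1])
            elif op == "store":                         # memory <- register, taint copied
                self.mem[args[0]] = self.regs[args[1]]
            elif op == "add":                           # tainted if either operand is
                (v1, t1), (v2, t2) = self.regs[args[0]], self.regs[args[1]]
                self.regs[args[0]] = (v1 + v2, t1 or t2)
            elif op == "jmp":                           # indirect control transfer
                target, tainted = self.regs[args[0]]
                if tainted:
                    self.alerts.append(("tainted jump target", pc))
                    break
                pc = target
                continue
            elif op == "syscall":                       # argument taken from a register
                _, tainted = self.regs[args[0]]
                if tainted:
                    self.alerts.append(("tainted syscall argument", pc))
                    break
            else:
                raise ValueError(f"unknown op {op}")
            pc += 1
        return self.alerts


NET_INPUT = bytes([0x41, 0x42, 0x43])  # constructed packet payload


def benign_program():
    # Jump through a register holding a program constant: no network data involved.
    return [("loadi", "a", 2), ("jmp", "a"), ("halt",), ("halt",)]


def tainted_jump_program():
    # A network byte is copied through memory into a register and then used as a jump target.
    return [("load", "a", NET_BUF), ("store", 0x2000, "a"),
            ("load", "b", 0x2000), ("jmp", "b"), ("halt",)]


def tainted_syscall_program():
    # Arithmetic on a network byte keeps the taint; the result feeds a system call.
    return [("load", "c", NET_BUF + 1), ("loadi", "a", 8),
            ("add", "c", "a"), ("syscall", "c"), ("halt",)]


def run_program(program, net_input=NET_INPUT):
    """Run one toy program and return the list of (alert, pc) pairs it produced."""
    return TaintVM(net_input).run(program)


if __name__ == "__main__":
    for name, prog in [("benign", benign_program()),
                       ("tainted jump", tainted_jump_program()),
                       ("tainted syscall", tainted_syscall_program())]:
        print(name, "->", run_program(prog))
```

The point the toy makes is the one Argos relies on: no signature of the attack is needed, because the alert fires on how the data is used (control flow, system-call arguments), not on what it contains.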

Argos Overview

(Architecture diagram. Components: NIC, Applications, Guest OS, Argos emulator, Host OS, Forensics, Signature post-processing. Flow: detect attack and log state, correlate data, signature, log.)


http://www.few.vu.nl/argos

Beyond honeypots: Honey@Home

Honeypots listen to the unused IP space of the organization that hosts them

This space is too limited to provide results fast and accurately

NoAH tries to empower people to participate

Bring NoAH to home users with Honey@Home

Honey@Home

  • Lightweight tool that runs in the background

  • Monitors an unused IP address

    • Usually taken by DHCP

  • All traffic to that unused address is forwarded to our central honeypots

  • No configuration, install and run!

  • Both Windows and Linux platforms

Honey@Home in action

  1. Running in the background

  2. Creating a new virtual interface

  3. Getting an IP address from the DHCP server

Backend architecture

  • Honey@Home clients connect to NoAH honeypots

  • Honeyd acts as front-end to filter out scans

  • Honeyd hands off connection to Argos

  • Attacker thinks she communicates with a Honey@Home user, but in reality Argos is providing the answers

(Diagram: Attacker → Attack → Honey@Home → Forward → Honeyd → Handoff → NoAH core)



Challenges

  • Identity of clients and honeypots must remain hidden

    • Attackers can flood black space with junk traffic once identity is revealed

    • TOR is a network that can provide the desired anonymization

  • Automatic installation of clients must be prevented

    • Else attacker would massively deploy mockup clients

    • Registration with CAPTCHA techniques is used


www.honeyathome.org

How can an organization participate?

  • We view an organization as a regular user that possesses large unused space

  • A specialized version of Honey@Home is implemented

    • No TOR involved, organization is a trusted entity (unlike home users)

  • Only configuration needed is to declare the unused address space

  • Honey@Home will forward all traffic to that space (funneling)

Publications

  • Deliverables can be found at http://www.fp6-noah.org/publications/

  • 5 conference papers

    • Usenix Security 05, SIGOPS 2006, DIMVA ’06, RAID’06

  • Various articles and presentations

    • ERCIM news, local press

Conclusions

NoAH is a distributed architecture based on low- and high-interaction honeypots

Argos is able to detect all exploits, including zero-days

NoAH empowers non-experts to take part in the battlefield of cyberattacks

Honey@Home enables inexperienced users to participate effortlessly in NoAH

Questions
