Presented by
Download
1 / 22

Network of Affined Honeypots: More Than An Infrastructure - PowerPoint PPT Presentation


  • 110 Views
  • Uploaded on
  • Presentation posted in: General

presented by Spiros Antonatos antonat@ics.forth.gr Distributed Computing Systems Lab Institute of Computer Science FORTH. Network of Affined Honeypots: More Than An Infrastructure. Roadmap. A little about the project What are honeypots? The NoAH approach Architecture overview Argos

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha

Download Presentation

Network of Affined Honeypots: More Than An Infrastructure

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


presented by

Spiros Antonatos

antonat@ics.forth.gr

Distributed Computing Systems Lab

Institute of Computer Science

FORTH

Network of Affined Honeypots: More Than An Infrastructure


Roadmap

A little about the project

What are honeypots?

The NoAH approach

Architecture overview

Argos

Honey@home

Conclusions/discussion

Terena Networking Conference 2007


The NoAH project

  • Three years project

    • April 2005 until March 2008

  • Funded from the Research Infrastructures Programme of the European Union

  • 4 Work Packages

  • FORTH is coordinator

Terena Networking Conference 2007


What problem we face

  • Malware: worms, viruses, keyloggers, spyware…

  • Malware spreads fast

    • Faster than we can react

    • Thousands of hosts can be infected in a few minutes

  • We need information about the cyberattacks so as to build effective defenses

Terena Networking Conference 2007


Project goals

Gather and analyse information about the nature of Internet cyberattacks

Develop an infrastructure to detect and provide early warning of such attacks

Security monitoring based on honeypot technology

Terena Networking Conference 2007


What are honeypots?

Computer systems that do not run production services

Listen to unused IP addresses

Intentionally made vulnerable

Closely monitored to analyse attacksdirected at them

We can identify two typesof honeypots: low-interactionand high-interaction

Terena Networking Conference 2007


Low- and high-interaction honeypots

  • Low-interaction honeypots emulate services using scripts

    + Lightweight processes, able to cover large network space

    -Emulation cannot provide a high level of interaction with attackers

  • High-interaction honeypots do not perform emulation, they run real services

    - Heavyweight processes, able to cover small network space

    + Provide the highest level of interaction with attackers

  • NoAH uses the advantages of both types

Terena Networking Conference 2007


The NoAH architecture

Terena Networking Conference 2007


Low-interaction honeypot: Honeyd

  • Most popular and widely-used low-interaction honeypot

  • Emulates thousands of IP addresses

    • Performs network stack emulation

  • Highly configurable and lightweight

  • An efficient mechanism to filter out unestablished and uninteresting connections

    • Port scans, SSH brute-force attacks, etc

  • Interesting connections are forwarded to high-interaction honeypots

Terena Networking Conference 2007


High-interaction honeypot: Argos

  • Emulates entire PC systems

    • OS agnostic, run on commodity hardware

    • Based on the Qemu emulator

  • Key idea: data coming from the network should never be executed

  • Tracks network data throughout execution

    • Memory tainting technique

  • Detect illegal uses of network data

    • Jump targets, function pointers, instructions, system call arguments

  • Argos is able to detect all exploit attempts, including 0-days!

Terena Networking Conference 2007


Argos Overview

NIC

Applications

Forensics

Guest OS

Argos emulator

Signature

post-processing

Host OS

Detect attack and log state

Correlate data

Signature

Log

Terena Networking Conference 2007


http://www.few.vu.nl/argos

Terena Networking Conference 2007


Beyond honeypots: Honey@Home

Honeypots listen to unused IP space of the organization they are hosted to

This space is limiting to provide results fast and accurately

NoAH tries to empower people to participate

Bring NoAH to home users with Honey@home

Terena Networking Conference 2007


Honey@home

  • Lightweight tool that runs in the background

  • Monitors an unused IP address

    • Usually taken by DHCP

  • All traffic to that unused address isforwarded to our central honeypots

  • No configuration, install and run!

  • Both Windows and Linux platforms

Terena Networking Conference 2007


Honey@home in action

1

Running at the background

2

Creating a new virtual interface

3

Getting an IP address from DHCP server

Terena Networking Conference 2007


Backend architecture

  • Honey@home clients connect to NoAH honeypots

  • Honeyd acts as front-end to filter out scans

  • Honeyd hands off connection to Argos

  • Attacker thinks she communicates with honey@home user but in reality Argos is providing the answers

Attack

Forward

Handoff

Attacker

Honey@home

Honeyd

NoAH core


Challenges

  • Identity of clients and honeypots must remain hidden

    • Attackers can flood black space with junk traffic once identity is revealed

    • TOR is a network that can provide the desired anonymization

  • Automatic installation of clients must be prevented

    • Else attacker would massively deploy mockup clients

    • Registration with CAPTCHA techniques is used

Terena Networking Conference 2007


www.honeyathome.org

Terena Networking Conference 2007


How can an organization participate?

  • We view an organization as a regular user that possesses large unused space

  • A specialized version of honey@home is implemented

    • No TOR involved, organization is a trusted entity (unlike home users)

  • Only configuration needed is to declare the unused address space

  • Honey@home will forward all traffic to that space (funneling)

Terena Networking Conference 2007


Publications

  • Deliverables can be found at http://www.fp6-noah.org/publications/

  • 5 conference papers

    • Usenix Security 05, SIGOPS 2006, DIMVA ’06, RAID’06

  • Various articles and presentations

    • ERCIM news, local press

Terena Networking Conference 2007


Conclusions

NoAH is a distributed architecture based on low- and high-interaction honeypots

Argos is able to detect all exploits, including zero-days

NoAH empowers non-experts to the battlefield of cyberattacks

Honey@home enables unfamiliar users to effortlessly participate to NoAH

Terena Networking Conference 2007


Questions

Terena Networking Conference 2007


ad
  • Login