

  1. Agenda
     1 Honeypot
     2 Honeypot types
     3 Client honeypot: related work
     4 Challenges of low interaction client honeypots
     5 Honeyware
     6 Honeyware overcoming client honeypot challenges
     7 Honeyware architecture
     8 Honeyware experiment
     9 Hybrid system

  2. Honeypot
     What is a honeypot? A "security resource whose value lies in being probed, attacked or compromised" (Spitzner 2003).
     Main difference between a honeypot and other security techniques (firewall, IDS): a honeypot has no production purpose, so almost every connection it logs comes from an attacker. Its log files record the attacker's traffic without the false positives that a firewall or an IDS can produce on legitimate traffic.

  3. Honeypot types: passive and active (client honeypot)
     1. Passive honeypot: exposes a very vulnerable system or service (or a simulation of one) and waits to detect an attacker trying to compromise it.
     2. Active honeypot (client honeypot): acts as a client, interacts with a server to study it, and determines whether an attack has taken place.

  4. Honeypot types: interaction level
     A. High interaction honeypot: runs a real client (a real browser on a real operating system) and detects compromise from changes in the system's state.
     B. Low interaction honeypot: emulates the client and inspects the server's response, typically with signature-based scan engines.

  5. Related work
     A. HoneyC: developed by Christian Seifert; examines web page code against Snort signatures.
     B. SpyBye: developed by Niels Provos; uses the ClamAV anti-virus engine to check web pages.
     C. Monkey-Spider: developed by Ali Ikinci.

  6. Honeyware
     Honeyware is a new low interaction client honeypot tool that combines the benefits of web-based technology: it runs on a local or remote server, lets the user scan a target server while presenting itself as one of several web browsers, and scans the fetched content with five different scan engines.

  7. Honeyware challenges
     • Detect drive-by download exploits.
     • Study and analyse malicious code.
     • Detect more malicious web pages by using a hybrid system with a high interaction client honeypot.
     • Detect modern web-based malicious exploit tools such as Mpack and IcePack.
     • IP tracking.
     • Geolocation dependence.

  8. Challenges of low interaction client honeypots: web-based malicious frameworks (1)
     Mpack, IcePack

  9. Challenges of low interaction client honeypots: web-based malicious frameworks (1), continued

  10. Challenges of low interaction client honeypots: IP tracking (1)
     • The exploit kit tracks the IP address of every visitor and changes what it serves on later visits from an address it has already seen.
     • If a client honeypot visits a malicious website running the Mpack tool with IP tracking enabled, it may receive only clean content: it detects no malicious behaviour and may wrongly assume the site is clean.

  11. Challenges of low interaction client honeypots: geolocation dependence (2)
     • This feature, provided by a number of malware tools, causes the malware to attack only visitors from certain countries while behaving normally towards visitors from other countries.
     • A client honeypot scanning from a country the tool does not target therefore sees only benign behaviour.

  12. Honeyware components
     1. Web browsers
     2. Scan engine
     3. Honeyware client
     4. Crawling

  13. Honeyware overcoming client honeypot challenges: Honeyware client

  14. Honeyware overcoming client honeypot challenges: Honeyware client
     A. Geolocation dependence: the Honeyware client can be run on a remote server, so the target is visited from a location the malware expects to attack.

  15. Honeyware overcoming client honeypot challenges: Honeyware client
     B. IP tracking: the Mpack web-based exploit tool.

  16. Honeyware overcoming client honeypot challenges: Honeyware client
     B. IP tracking: Mpack chooses its attack method from the visitor's browser product and version, so Honeyware presents itself as different browsers when visiting the target.

  17. Honeyware overcoming client honeypot challenges: Honeyware client
     B. IP tracking: detection sequence
     1. First request between Honeyware and the target.
     2. The send/receive exchange between Honeyware and its client.
     3. Send multiple requests to the target to simulate the usual behaviour of a human visitor.
     4. Second request, to fetch the target web page again after the multiple requests.
     5. Compare both responses to detect any changes.
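The sequence on slide 17, combined with the browser-identity switching of slide 16 and the remote vantage point of slide 14, as an added example that is not Honeyware's own code (Honeyware is written in PHP; this is Python). The `ExploitKit` class is a constructed stand-in for a kit like Mpack whose three evasions (geolocation dependence, IP tracking, payload chosen by browser product) are modelled on what the slides describe, not taken from any real kit. All IP addresses, country codes, User-Agent strings, payload markers and the signature list are constructed for the demo; the signature check stands in for Honeyware's scan engines.

```python
"""Added example, not Honeyware's own code: a constructed exploit-kit model and a
Honeyware-style probe that compares a first and a later response, varies the
User-Agent, and scans from several vantage points.  Everything below
(addresses, countries, User-Agents, payload markers, signatures) is constructed."""

CLEAN_PAGE = "<html><body>Welcome to our site</body></html>"

# Constructed payload markers; a real kit serves browser-specific exploit code here.
PAYLOADS = {"MSIE": "exploit-ie-demo", "Firefox": "exploit-ff-demo"}

# Constructed signatures standing in for the scan engines (ClamAV, Snort rules, ...).
SIGNATURES = tuple(PAYLOADS.values())

# Constructed browser identities Honeyware would present to the target.
USER_AGENTS = {
    "MSIE": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko Firefox/2.0",
}


class ExploitKit:
    """Simulated kit; behaviour assumed from the slides, not real Mpack code."""

    def __init__(self, target_countries=("US",), ip_tracking=True):
        self.target_countries = set(target_countries)
        self.ip_tracking = ip_tracking
        self.seen_ips = set()

    def serve(self, client_ip, country, user_agent):
        # Geolocation dependence: visitors outside the target countries get a clean page.
        if country not in self.target_countries:
            return CLEAN_PAGE
        # IP tracking: each address receives the exploit once, then only clean content.
        if self.ip_tracking:
            if client_ip in self.seen_ips:
                return CLEAN_PAGE
            self.seen_ips.add(client_ip)
        # Browser selection: pick the payload matching the announced browser product.
        for product, payload in PAYLOADS.items():
            if product in user_agent:
                return f"<html><script>{payload}</script></html>"
        return CLEAN_PAGE


def looks_malicious(body):
    """Stand-in for the scan-engine step: flag a response carrying a known marker."""
    return any(sig in body for sig in SIGNATURES)


def probe(kit, client_ip, country, user_agent, burst=10):
    """One Honeyware-style visit from a single vantage point (the slide 17 sequence)."""
    first = kit.serve(client_ip, country, user_agent)
    for _ in range(burst):  # follow-up requests that mimic a human visitor
        kit.serve(client_ip, country, user_agent)
    second = kit.serve(client_ip, country, user_agent)
    return {
        "vantage": (client_ip, country),
        "user_agent": user_agent,
        "malicious": looks_malicious(first) or looks_malicious(second),
        "content_changed": first != second,  # a change after the burst hints at IP tracking
    }


def scan(kit, vantage_points, user_agents=USER_AGENTS, burst=10):
    """Repeat the probe from every vantage point with every browser identity and
    merge the verdicts.  vantage_points is a list of (ip, country_code) pairs,
    standing in for Honeyware clients run on local or remote servers."""
    results = [probe(kit, ip, cc, ua, burst)
               for ip, cc in vantage_points for ua in user_agents.values()]
    return {
        "malicious": any(r["malicious"] for r in results),
        "ip_tracking_suspected": any(r["content_changed"] for r in results),
        "results": results,
    }


if __name__ == "__main__":
    kit = ExploitKit(target_countries=("US",), ip_tracking=True)
    # A single fetch from a non-target country sees nothing: the geolocation evasion.
    print(probe(kit, "203.0.113.5", "DE", USER_AGENTS["MSIE"]))
    # Probing from several vantage points with several browsers finds the exploit
    # and the content change that betrays IP tracking.
    verdict = scan(kit, [("203.0.113.5", "DE"), ("198.51.100.7", "US")])
    print(verdict["malicious"], verdict["ip_tracking_suspected"])
```

A single-vantage, single-browser fetch is exactly what the kit's evasions defeat: from a non-target country, or from an address the kit has already recorded, the probe sees only the clean page. Running the probe from several vantage points and with several User-Agents, and comparing the first response with the one after the burst, is what turns the kit's per-visitor behaviour into evidence.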

  18. Honeyware architecture

  19. Honeyware architecture: Honeyware user agent

  20. Honeyware architecture: Honeyware screenshots (1, 2)

  21. Honeyware experiment
     The experiment scenario used 94 URLs collected from a search engine, of which 84 were malicious and 10 benign.
     Honeyware (low interaction client honeypot) vs Capture-HPC (high interaction client honeypot)

  22. Honeyware experiment (continued)

  23. Honeyware experiment (continued)

  24. Honeyware limitations
     1. Slow: approximately 1 minute to scan a target. Reduce the time by:
        • selecting only a few scan engines;
        • separating the scan and interact engine from PHP (implement it in Perl or shell and pass the result back to Honeyware).
     2. Not able to detect 0-day exploits, because the scan engines rely on known signatures.

  25. Hybrid system
     The hybrid system first scans all URLs with Capture-HPC, then forwards every URL that Capture-HPC reports as benign to Honeyware for a second scan.

  26. Honeyware future work
     1. Plug-in simulation
     2. Intrusion detection system (IDS)
     3. Honeyware crawling
     4. Improve the Honeyware client
     Honeyware project: http://www.sourceforge.net/projects/honeyware