Intrusion Detection using Honeypots - PowerPoint PPT Presentation

Presentation Transcript

  1. Intrusion Detection using Honeypots
  Patrick Brannan
  Honeyd with virtual machines

  2. What is a honeypot?
  • A closely monitored network decoy serving several purposes:
    • Distract adversaries from vulnerable machines
    • Provide early warning (new attacks and exploits)
    • Allow in-depth examination of adversaries during and after exploitation

  3. Problems and Solution
  • Physical machines are expensive and costly to maintain
  • Attacks can corrupt machines:
    • Destroy the box
    • Destroy the software
  • Solution: Honeyd or a similar product

  4. Honeyd
  • A program that can simulate multiple operating systems and multiple IPs
  • One box can run many honeypots
  • Simulates the network stack of each OS
  • Provides arbitrary routing
  • Simulates only the stack, so it can only monitor the connection and the compromise

  5. Why is Honeyd better?
  • A NIDS requires signatures of known attacks
  • With Honeyd all traffic is saved and can be viewed later, so there is no worry about a new means of exploitation going unregistered
  • A honeypot has no production value, so all traffic to it is suspect and fewer false positives are found

  6. Honeyd + Virtual Machine
  • Honeyd can only simulate the TCP/IP stack
  • Combined with a virtual machine, the attacker can now try exploits against the whole operating system
  • We can detect and learn about all new types of exploits and dangers, as opposed to just the connection

  7. Design
  • Honeyd replies to network packets whose destination IP address belongs to one of the simulated honeypots
  • The router receives the packet and forwards it via iptables
  • Honeypots can be set behind multiple firewalls
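Slides 4, 6 and 7 describe the pieces of a Honeyd deployment: several decoy IPs with different OS personalities, a simulated routing topology, and a real virtual machine behind one of the decoys. The configuration below is an added example written for this transcript; it is not from the presentation or from the Honeyd project. The decoy addresses, the VM address (assumed to be 10.0.0.5) and the simulated router addresses are assumptions; the personality strings must match names in Honeyd's nmap fingerprint file, and `scripts/web.sh` is the service emulation script shipped with Honeyd. How the physical router steers traffic for these addresses to the Honeyd host (the slide's iptables step) is outside this fragment.

```honeyd
# Added example honeyd.conf (not from the presentation). Addresses are assumptions.

# Anything not explicitly configured is dropped, so stray traffic leaves no trace.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Decoy 1: a fully simulated Windows host. Only the stack and a few
# emulated services exist, so this decoy can only show connection attempts.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows tcp port 80 "sh scripts/web.sh"
bind 192.168.1.201 windows

# Decoy 2: Honeyd still answers the stack-level probes, but SSH is proxied
# to a real Linux VM (assumed at 10.0.0.5) so an attacker who gets past the
# connection stage lands on a whole operating system we can examine later.
create linux
set linux personality "Linux 2.4.16 - 2.4.18"
set linux default tcp action reset
add linux tcp port 22 proxy 10.0.0.5:22
bind 192.168.1.202 linux

# Simulated topology: the decoys sit behind a virtual router at 192.168.1.1,
# with a second hop (10.1.0.1) reachable only through it. Latency and loss
# make the fake network look like a real one to a scanner.
route entry 192.168.1.1 network 192.168.1.0/24
route 192.168.1.1 link 192.168.1.0/24
route 192.168.1.1 add net 10.1.0.0/24 10.1.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
```

The proxied port is the point where the two halves of the presentation meet: everything up to the TCP handshake is Honeyd's simulation and is logged by Honeyd, while everything after it runs on the VM, which should be snapshotted so it can be rolled back after each compromise and its disk image kept for analysis.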

  8. Combination
  • Honeyd alone cannot provide us with enough information to prevent future attacks
  • Combined with a VM we can now record the new attack method and what the attacker was after
  • New attack methods can potentially lead to more violent attacks

  9. Conclusion
  • Since all traffic is monitored, no attack goes unnoticed
  • With a VM we can build new defenses for real systems
  • Great flexibility and record keeping are possible
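Slides 5, 8 and 9 rest on one property: a honeypot has no legitimate users, so every connection in its log is worth a look, no signature is needed to notice it, and the log alone shows which service the attacker was after. The script below is an added example written for this transcript, not part of the presentation or of Honeyd. It triages a constructed sample written in Honeyd's connection-log layout as I recall it (treat the exact format as an assumption); the IP addresses are constructed documentation addresses and the scan threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample log. The layout is Honeyd's connection log as I recall it
# (an assumption): <timestamp> <proto>(<num>) <S|E|-> <src> [<sport>] <dst> [<dport>][: extra]
#   S = TCP connection start (passive OS fingerprint of the source in brackets)
#   E = TCP connection end (bytes sent / received after the colon)
#   - = stateless packet such as ICMP or UDP
SAMPLE_LOG = """\
2005-03-10-17:43:22.0124 tcp(6) S 203.0.113.7 41233 192.168.1.201 135 [Windows XP SP1]
2005-03-10-17:43:22.0130 tcp(6) S 203.0.113.7 41234 192.168.1.201 139 [Windows XP SP1]
2005-03-10-17:43:22.0141 tcp(6) S 203.0.113.7 41235 192.168.1.201 445 [Windows XP SP1]
2005-03-10-17:43:22.0150 tcp(6) S 203.0.113.7 41236 192.168.1.201 80 [Windows XP SP1]
2005-03-10-17:43:25.9000 tcp(6) E 203.0.113.7 41236 192.168.1.201 80: 512 1024
2005-03-10-17:44:01.0001 tcp(6) S 198.51.100.9 50000 192.168.1.202 22 [Linux 2.4.16-2.4.18]
2005-03-10-17:44:09.3000 tcp(6) E 198.51.100.9 50000 192.168.1.202 22: 2048 4096
2005-03-10-17:44:12.0000 icmp(1) - 192.0.2.33 192.168.1.203: 8(0): 84
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+)\(\d+\) (?P<event>[SE-]) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?: (?P<sport>\d+))? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?: (?P<dport>\d+))?:?\s*(?P<rest>.*)$"
)

# Distinct decoy ports one source must touch before we label it a scan (arbitrary choice).
SCAN_PORTS = 3


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def triage(log_text):
    """Report every source that touched a decoy.

    A honeypot has no production value, so every source is suspect and is
    reported; the label only says how far it got: 'probe' (a packet or two),
    'scan' (several decoy ports), 'session' (a completed TCP session with
    bytes exchanged, which tells us which service the attacker was after).
    """
    sources = defaultdict(lambda: {"ports": set(), "sessions": [], "os": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = sources[rec["src"]]
        if rec["dport"] is not None:
            src["ports"].add((rec["dst"], rec["dport"]))
        if rec["event"] == "S" and rec["rest"].startswith("["):
            src["os"] = rec["rest"].strip("[]")
        elif rec["event"] == "E":
            sent, received = (int(x) for x in rec["rest"].split()[:2])
            src["sessions"].append((rec["dst"], rec["dport"], sent, received))

    alerts = []
    for ip, src in sorted(sources.items()):
        tags = []
        if len(src["ports"]) >= SCAN_PORTS:
            tags.append("scan")
        if src["sessions"]:
            tags.append("session")
        alerts.append({
            "src": ip,
            "level": "+".join(tags) or "probe",
            "ports": sorted(src["ports"]),
            "sessions": src["sessions"],
            "os": src["os"],
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        ports = ", ".join(f"{dst}:{port}" for dst, port in alert["ports"])
        print(f"{alert['src']:<14} {alert['level']:<13} os={alert['os']} ports=[{ports}]")
        for dst, port, sent, received in alert["sessions"]:
            print(f"    session to {dst}:{port} sent={sent} received={received}")
```

On the sample, the first source is reported as a scan that ended in a web session, the second as a single completed SSH session (the proxied port, so the rest of that story is on the VM), and the third as a bare ICMP probe. Note that nothing here matches a signature: the only rule is that the decoy should never be contacted at all, which is exactly why the false-positive argument on slide 5 holds.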