
A Virtual Honeypot Framework

A Virtual Honeypot Framework. Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire. Honeyd’s Contributions. Provides an alternative technique for detecting attacks Extremely low-cost option for honeypots


Presentation Transcript


  1. A Virtual Honeypot Framework
  Niels Provos, Google, Inc.
  The 13th USENIX Security Symposium, August 9–13, 2004, San Diego, CA
  Presented by: Sean Mondesire

  2. Honeyd’s Contributions
  • Provides an alternative technique for detecting attacks
  • Extremely low-cost option for honeypots
  • A model framework for low-interaction honeypots

  3. Agenda
  1. Introduction of Honeypots
  2. Honeyd
  3. Critique of Honeyd
  4. Recent Work
  5. Honeyd’s Contributions

  4. What are Honeypots?
  • A monitored computer system deployed in the hope that it will be probed, attacked, and compromised
  • Monitors all incoming and outgoing data
  • Any contact is considered suspicious, since the system offers no legitimate service
  • Can run any OS with any amount of functionality

  5. Honeypots’ Goals
  • Capture information about attacks
    • System vulnerabilities
    • System responses
  • Capture information about attackers
    • Attack methods
    • Scan patterns
    • Identities
  • Be attacked!

  6. Etymology of Honeypots
  • Winnie-the-Pooh
    • His desire for pots of honey led him into various predicaments
  • Cold War terminology
    • Female communist agent vs. male Westerner
  • Outhouses
    • “Honey”: euphemism for waste
    • Attackers are flies attracted to honey’s stench

  7. Physical vs. Virtual Honeypots
  • Physical Honeypot:
    • Real machine
    • Runs one OS to be attacked
    • Has its own IP address
  • Virtual Honeypot:
    • Virtual machine on top of a real machine
    • Can run a different OS than the real machine
    • Real machine responds to network traffic sent to the virtual machine

  8. Physical vs. Virtual Honeypots
  [Diagram: two panels, “Physical Honeypots” and “Virtual Honeypots”, each connected to the Internet]

  9. Virtual Honeypot Types
  • High-Interaction:
    • Simulates all aspects of an OS
    • Can be compromised completely
  • Low-Interaction:
    • Simulates some parts of an OS
    • Example: Network Stack
    • Simulates only services that cannot lead to complete system compromise

  10. Honeyd
  • A virtual honeypot framework
  • Can simulate different OSs at once
  • Each honeypot is allocated its own IP address
  • Low-Interaction
    • Only the network stack is simulated
    • Attackers only interact with honeypots at the network level
  • Supports TCP and UDP services
  • Handles ICMP messages as well

  11. Honeyd: The Architecture
  • Configuration Database
  • Central Packet Dispatch
  • Protocol handlers
  • Personality Engine
  • Routing Component (optional)

  12. Personality Engine
  • A Virtual Honeypot’s Personality:
    • The network stack behavior of a given operating system
  • The Personality Engine alters outgoing packets to mimic that VH’s OS
    • Changes protocol header fields
  • Used to thwart fingerprinting tools
    • Examples: Xprobe and Nmap
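The pipeline on slides 10 to 12 (configuration database, central packet dispatch, protocol handlers, personality engine) is easier to follow in code. The block below is an added toy model written for this page, not Honeyd's own source: it parses a small subset of Honeyd-style configuration directives (create / set personality / set default action / add port / bind; the exact syntax handled is an assumption, check it against the Honeyd manual), routes an inbound packet to the template bound to its destination address, and lets the personality engine rewrite the TTL, DF bit and receive window of the reply. The fingerprint values, IP addresses and script names are constructed placeholders.

```python
"""Toy model of Honeyd's core pipeline (added example, not Honeyd code):
configuration database -> central packet dispatch -> protocol handler
-> personality engine that rewrites outgoing header fields."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed fingerprint table: personality -> stack parameters that OS
# fingerprinting tools key on. Illustrative values, NOT Nmap database entries.
PERSONALITIES = {
    "Linux 2.4": {"ttl": 64, "window": 5840, "df": True},
    "Windows XP": {"ttl": 128, "window": 65535, "df": True},
}


@dataclass
class Template:
    """One virtual honeypot template from the configuration database."""
    name: str
    personality: Optional[str] = None
    # default action per protocol when no service is bound to the port
    default_actions: Dict[str, str] = field(
        default_factory=lambda: {"tcp": "block", "udp": "block"})
    services: Dict[Tuple[str, int], str] = field(default_factory=dict)


@dataclass
class Packet:
    """Minimal view of an inbound packet as seen by the dispatcher."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def parse_config(text: str):
    """Build the configuration database from create/set/add/bind lines
    (assumed subset of Honeyd's config language)."""
    templates: Dict[str, Template] = {}
    bindings: Dict[str, Template] = {}  # honeypot IP -> template
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "create":
            templates[tok[1]] = Template(tok[1])
        elif tok[0] == "set" and tok[2] == "personality":
            templates[tok[1]].personality = tok[3]
        elif tok[0] == "set" and tok[2] == "default":
            # set <template> default <proto> action <open|reset|block>
            templates[tok[1]].default_actions[tok[3]] = tok[5]
        elif tok[0] == "add" and tok[3] == "port":
            # add <template> <proto> port <n> "<script>"
            templates[tok[1]].services[(tok[2], int(tok[4]))] = tok[5]
        elif tok[0] == "bind":
            bindings[tok[1]] = templates[tok[2]]
        else:
            raise ValueError("unsupported directive: " + line)
    return templates, bindings


def personality_engine(template: Template, reply: dict) -> dict:
    """Rewrite header fields of the outgoing packet to match the network
    stack of the template's personality (what Nmap/Xprobe inspect)."""
    params = PERSONALITIES.get(template.personality)
    if params is not None:
        reply["ttl"] = params["ttl"]
        reply["df"] = params["df"]
        # an RST carries no receive window; a SYN-ACK advertises the OS default
        reply["window"] = params["window"] if reply["action"] == "open" else 0
    return reply


def protocol_handler(template: Template, pkt: Packet) -> Optional[dict]:
    """Use the bound service or the template's default action; 'block'
    means the packet is dropped and nothing is sent back."""
    script = template.services.get((pkt.proto, pkt.dport))
    action = "open" if script else template.default_actions[pkt.proto]
    if action == "block":
        return None
    return personality_engine(template, {"action": action, "service": script})


def dispatch(bindings: Dict[str, Template], pkt: Packet) -> Optional[dict]:
    """Central packet dispatch: only addresses claimed by a template are
    answered; traffic to unclaimed addresses is ignored."""
    template = bindings.get(pkt.dst)
    return None if template is None else protocol_handler(template, pkt)


# Constructed configuration: hypothetical addresses, scripts and personalities.
SAMPLE_CONFIG = """
create linux
set linux personality "Linux 2.4"
set linux default tcp action reset
set linux default udp action block
add linux tcp port 80 "sh scripts/web.sh"
bind 10.0.0.2 linux

create win
set win personality "Windows XP"
set win default tcp action reset
add win tcp port 139 "sh scripts/smb.sh"
bind 10.0.0.3 win
"""

if __name__ == "__main__":
    _, binds = parse_config(SAMPLE_CONFIG)
    for p in (Packet("192.0.2.9", "10.0.0.2", "tcp", 80),
              Packet("192.0.2.9", "10.0.0.2", "tcp", 22),
              Packet("192.0.2.9", "10.0.0.9", "tcp", 80)):
        print(p.dst, p.proto, p.dport, "->", dispatch(binds, p))
```

The two-template configuration shows the point of slide 12: the same request to port 80 gets a reply whose TTL and window differ depending on which personality the destination address is bound to, and a closed port answers with an RST shaped the same way, so a fingerprinting tool sees a consistent stack per address.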

  13. Routing Options
  • Proxy ARP
  • Configured Routing
    • Routing Tables
    • Routing Trees
  • Generic Routing Encapsulation
    • Network Tunneling
    • Load balancing

  14. Experiments
  • Virtual Honeypots for every detectable fingerprint in Nmap were used
    • 600 distinct fingerprints
  • Each VH had one port open, running a web server
  • Nmap was run against the address space allocated to all the VHs
    • 555 fingerprints were correctly identified
    • 37 fingerprints produced a list of possible OSs
    • 8 could not be identified

  15. Applications
  • Network Decoys
    • Lure attackers to virtual honeypots, not real machines
  • Detecting and Countering Worms
    • Capture packets sent by worms
    • Use large numbers of VHs across a large address space
  • Spam Prevention
    • Monitor open proxy servers and open mail relays
    • Forward suspicious data to spam filters
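The worm-detection application on slide 15 rests on one observation: a worm sweeping an address space contacts many virtual honeypot addresses on the same port, while ordinary traffic to a decoy does not. The block below is an added example written for this page (not Honeyd's own logging or detection code) that runs that check over constructed connection records. The log field layout (timestamp, protocol, flags, source, source port, destination, destination port) and the addresses are assumptions for the example, not Honeyd's actual log format.

```python
"""Added example (not Honeyd code): flag worm-like sweeps in honeypot
connection records by counting distinct decoy addresses hit per source/port."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2004-08-09-12:00:01 tcp S 198.51.100.7 1034 10.0.0.2 445
2004-08-09-12:00:01 tcp S 198.51.100.7 1035 10.0.0.3 445
2004-08-09-12:00:02 tcp S 198.51.100.7 1036 10.0.0.4 445
2004-08-09-12:00:02 tcp S 198.51.100.7 1037 10.0.0.5 445
2004-08-09-12:00:03 tcp S 198.51.100.7 1038 10.0.0.6 445
2004-08-09-12:00:05 tcp S 203.0.113.4 40112 10.0.0.2 80
2004-08-09-12:00:09 tcp S 203.0.113.4 40113 10.0.0.2 80
2004-08-09-12:00:20 udp - 203.0.113.4 53211 10.0.0.3 53
this line is garbage and must be skipped
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<flags>\S+) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$")


def parse_log(text: str) -> List[dict]:
    """Parse records into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_sweeps(events: List[dict], min_targets: int = 4
                ) -> Dict[Tuple[str, str, int], dict]:
    """Group connections by (source, proto, dport); report groups that touched
    at least min_targets distinct honeypot addresses, with first-seen time."""
    targets = defaultdict(set)
    first_seen: Dict[Tuple[str, str, int], str] = {}
    for e in events:
        key = (e["src"], e["proto"], e["dport"])
        targets[key].add(e["dst"])
        first_seen.setdefault(key, e["ts"])  # events are in time order
    return {
        key: {"targets": sorted(dsts), "first_seen": first_seen[key]}
        for key, dsts in targets.items() if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for (src, proto, port), info in find_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src} swept {len(info['targets'])} decoys on {proto}/{port} "
              f"starting {info['first_seen']}")
```

The threshold `min_targets` is the tuning knob: with a large decoy address space, even a low value yields few false positives because legitimate clients have no reason to contact more than one decoy, which is exactly why slide 15 pairs worm detection with "large numbers of VHs".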

  16. Conclusions
  • Honeyd is a framework for supporting multiple virtual honeypots
  • Mimics OS network stack behaviors to trick attackers
  • Provides a tool for network security research
    • Network decoy
    • Spam
    • Worm detection

  17. Honeyd’s Strengths
  • Supports an array of different OS network stacks
    • Fools attackers
  • Can support a large number of VHs for large address spaces
  • Easily configurable to test various security issues
    • Routing configuration
    • OS options

  18. Honeyd’s Weaknesses
  • Low-Interaction
    • Only network stacks were implemented
    • Not all OS services available
    • Not all system vulnerabilities can be tested
  • Personality Engine is not 100% accurate
    • The 37 failed identifications
    • Could give attackers clues about which addresses are honeypots

  19. Future Work
  • Implement Middle-Interaction
    • Increase the number of OS services per VH
  • Experiment with Honeyd virtual honeypots and physical honeypots on the same network
  • Increase the accuracy of the personality engine

  20. Related Current Work
  • Middle-Interaction
    • mwcollect
    • nepenthes
  • The Honeynet Project
    • Raise Awareness
    • Teach and Inform
    • Research

  21. Honeyd’s Contributions
  • Provides an alternative technique for detecting attacks
    • Detecting worms, attackers, and spam
  • Extremely low-cost option for honeypots
    • Cost of physical honeypots vs. virtual
  • A model framework for low-interaction honeypots
    • Simulates only an OS’s network stack
    • Can cover large numbers of IP addresses
