Heat-seeking Honeypots: Design and Experience (CS-558 presentation by Smyrnaki Ourania)

Presentation Transcript
Heat-seeking Honeypots: Design and Experience

John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martín Abadi.

Goal
  • Attackers search for vulnerable servers.
  • Aim to understand the behavior of attackers:
    • how they find vulnerable servers,
    • how they compromise them,
    • how they misuse them.
  • The paper presents heat-seeking honeypots that:
    • attract attackers,
    • generate and deploy honeypot pages automatically,
    • analyze logs in order to identify attack patterns.
Design of Heat-seeking Honeypots
  • Heat-seeking honeypots consist of 4 components:
  • 1. Obtaining attacker queries
  • 2. Creation of honeypot pages
  • 3. Advertising honeypot pages to attackers
  • 4. Detecting malicious traffic (whitelist approach)
1. Obtaining attacker queries

How do attackers find Web servers?

1st approach

  • Perform brute-force port scanning on the Internet.

2nd approach

  • Make use of Internet search engines.
1. Obtaining attacker queries
  • 2nd approach: try to attract attackers that perform malicious queries.
  • E.g. a query for a PHP vulnerability: phpizabi v0.848b c1 hfp1
  • Result:
  • A list of Web sites that have that PHP vulnerability.
1. Obtaining attacker queries

How can we obtain these malicious queries?

  • SBotMiner and SearchAudit are used to automatically identify malicious queries issued by attackers in the Bing log.
2. Creation of honeypot pages

Given the query used by the attacker, how do we create an appropriate honeypot?

  • 1st approach

Install vulnerable Web software

  • Manually install Web applications that were frequently targeted.
  • Each application is placed in a different VM.
  • But why?
  • If one VM gets compromised, it will not affect the working of the other applications.
2. Creation of honeypot pages

When is an application considered compromised?

When new files have been added or existing application files have been modified.

Drawback of this approach: the software has to be identified and set up manually.
2. Creation of honeypot pages

2nd approach

Set up Web pages matching the query

  • Instead of installing the actual software, automatically create pages that look like the ones the software would generate.
  • Issue the malicious query to the Bing and Google search engines and collect the result URLs.
2. Creation of honeypot pages

A crawler fetches the Web pages at these URLs, along with the other elements required to render them (e.g. images, CSS).

  • Strip all JavaScript content and rewrite all links on the page to point to the local copies.
  • Log all information about each visit to a database.
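The rewriting step above (strip JavaScript, point every link at a local copy, note which resources still have to be fetched) as an added example in Python; this is not the paper's code, and the `HoneypotRewriter` class, the `static/` directory layout and the sample page are assumptions made for the example. It goes slightly beyond the slide by also dropping inline `on*` handlers and `javascript:` URLs, since those carry script too.

```python
"""Build a static honeypot copy of a fetched search-result page.

Added example, not the paper's code. Given the raw HTML the crawler fetched,
it drops <script> elements, inline on* handlers and javascript: URLs, rewrites
href/src/action/data attributes to local paths, and returns the remote
resources (CSS, images, linked pages) that must also be fetched locally.
"""
import hashlib
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_ATTRS = {"href", "src", "action", "data"}      # attributes that carry links
KEEP_EXT = {"css", "png", "jpg", "jpeg", "gif", "ico", "svg", "woff", "woff2"}
LOCAL_DIR = "static"                                # assumed local directory


def local_name(url):
    """Deterministic local path for a remote URL; non-asset links become .html pages."""
    digest = hashlib.sha256(url.encode("utf-8")).hexdigest()[:16]
    last = urlparse(url).path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if ext not in KEEP_EXT:
        ext = "html"
    return "%s/%s.%s" % (LOCAL_DIR, digest, ext)


class HoneypotRewriter(HTMLParser):
    """Streams a fetched page back out with JavaScript removed and links localised."""

    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.out = []            # output HTML fragments
        self.resources = {}      # remote URL -> local path the crawler must fetch
        self._in_script = 0      # nesting depth inside <script>
        self._in_style = False   # inside <style>: CSS must not be HTML-escaped

    def _rewrite(self, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                        # inline handler, e.g. onload
                continue
            if value is not None and name in URL_ATTRS:
                if value.strip().lower().startswith("javascript:"):
                    continue                                  # javascript: URL
                absolute = urljoin(self.base_url, value)
                value = self.resources.setdefault(absolute, local_name(absolute))
            kept.append((name, value))
        return kept

    @staticmethod
    def _tag(tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else '%s="%s"' % (name, html.escape(value, quote=True)))
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script += 1
        elif not self._in_script:
            if tag == "style":
                self._in_style = True
            self.out.append(self._tag(tag, self._rewrite(attrs)))

    def handle_startendtag(self, tag, attrs):
        if tag != "script" and not self._in_script:
            self.out.append(self._tag(tag, self._rewrite(attrs), self_closing=True))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = max(0, self._in_script - 1)
        elif not self._in_script:
            if tag == "style":
                self._in_style = False
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data if self._in_style else html.escape(data, quote=False))

    def handle_comment(self, data):
        return                      # comments dropped: they can hide conditional scripts

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def build_honeypot_page(base_url, raw_html):
    """Return (rewritten HTML, {remote URL: local path}) for one fetched page."""
    parser = HoneypotRewriter(base_url)
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.resources


# Constructed sample page standing in for one search-result URL.
SAMPLE_URL = "http://example.invalid/forum/index.php"
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Forum</title>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/track.js"></script>
<script>alert(1)</script>
</head>
<body onload="init()">
<a href="javascript:void(0)">menu</a>
<a href="viewtopic.php?t=1">Topic 1</a>
<img src="http://cdn.example.invalid/logo.png" alt="logo">
<p>Powered by &copy; Forum Software</p>
</body></html>
"""

if __name__ == "__main__":
    page, todo = build_honeypot_page(SAMPLE_URL, SAMPLE_HTML)
    print(page)
    for remote, local in todo.items():
        print("fetch", remote, "->", local)
```

The returned `resources` map is the crawler's work list: each remote URL is fetched once and stored under its local name, and because the page's own links already point at those names, the honeypot serves entirely from local files and never redirects a visitor to the real site.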
3. Advertise Honeypots to Attackers
  • Submit the URLs of honeypot pages to search engines.
  • Add links from other public Web pages to the honeypot pages, placed where they are not prominently visible to regular users.

But why?

  • So that legitimate sites do not lose traffic from ordinary users.
4. Detecting malicious traffic

Log all visits to our local heat-seeking honeypots.

Process the log and automatically extract attack traffic.

Since our honeypots are publicly accessible, they receive both legitimate and malicious traffic.

2 kinds of legitimate traffic:

  • Search engine crawlers
  • Regular (ordinary) users
Identify crawlers vs. malicious traffic

How can we identify crawler traffic?

Looking for known user-agent strings.

Disadvantage: does not always work!

The user-agent string is easily spoofed; attackers can use a well-known crawler string to avoid detection.

Identify crawlers vs. malicious traffic

Crawlers visit both static and dynamic links.

Dynamic links are generated by the real software.

Static links refer to the automatically generated honeypot pages.

Distinguishing traffic
  • From the honeypot logs we observed that most attackers do not target the static pages.
  • Instead, they try to access non-existent files that were never publicly accessible.
Distinguishing traffic
  • Whitelist approach
  • Each site master enumerates the list of dynamic and static links.
  • This set is the whitelist.
  • Requests for links that are not in the whitelist are considered malicious.
Crawler visits: detecting dynamic links

More than 200 software honeypot pages containing dynamic links have been crawled by 3 search engines.

Fraction of pages visited by ASes

Any AS visiting more than a threshold of 75% of the honeypot pages is considered a crawler,

while the others are considered legitimate users who reached the honeypot pages.
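The whitelist rule from the "Distinguishing traffic" slides and the per-AS 75% crawler threshold from this slide, applied together to honeypot access logs, as an added example in Python. This is not the paper's code; the log format, the IP-to-AS table, the whitelist and the log lines are all constructed for the example, and the function names are assumptions.

```python
"""Classify honeypot visits: whitelist rule plus per-AS crawler threshold.

Added example, not the paper's code. Inputs are combined-log-format access
lines, a whitelist of every static and dynamic link the honeypot serves, and
an IP -> AS table; all three are constructed here. The user-agent string is
parsed but deliberately never used for the decision, since it is spoofable.
"""
import re
from collections import defaultdict

CRAWLER_THRESHOLD = 0.75   # "more than 75% of the pages" (from the slides)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def crawler_ases(records, whitelist, ip_to_as, threshold=CRAWLER_THRESHOLD):
    """ASes whose clients visited more than `threshold` of the whitelisted pages."""
    seen = defaultdict(set)                      # AS -> set of whitelisted URLs visited
    for r in records:
        if r["url"] in whitelist:
            seen[ip_to_as.get(r["ip"], "unknown")].add(r["url"])
    return {asn for asn, pages in seen.items()
            if len(pages) / len(whitelist) > threshold}


def classify(records, whitelist, ip_to_as, threshold=CRAWLER_THRESHOLD):
    """Return (crawler ASes, [(record, label)]) with label in crawler/user/malicious."""
    crawlers = crawler_ases(records, whitelist, ip_to_as, threshold)
    labelled = []
    for r in records:
        if r["url"] not in whitelist:            # never linked from the honeypot
            label = "malicious"
        elif ip_to_as.get(r["ip"], "unknown") in crawlers:
            label = "crawler"
        else:
            label = "user"
        labelled.append((r, label))
    return crawlers, labelled


def label_counts(labelled):
    counts = {}
    for _, label in labelled:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed honeypot: four served pages (two static, two dynamic links).
WHITELIST = {"/", "/index.php", "/viewtopic.php?t=1", "/viewtopic.php?t=2"}

# Constructed IP -> AS table (documentation-range addresses, private AS numbers).
IP_TO_AS = {"192.0.2.10": "AS64500", "192.0.2.11": "AS64500",
            "198.51.100.5": "AS64501", "203.0.113.7": "AS64502"}

# Constructed log lines: a real crawler AS, one ordinary user, and one client
# that spoofs a crawler user-agent but requests files the honeypot never linked.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2011:08:00:01 +0000] "GET / HTTP/1.1" 200 1843 "-" "Crawlerbot/1.0"',
    '192.0.2.10 - - [10/Mar/2011:08:00:02 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Crawlerbot/1.0"',
    '192.0.2.11 - - [10/Mar/2011:08:00:05 +0000] "GET /viewtopic.php?t=1 HTTP/1.1" 200 1502 "-" "Crawlerbot/1.0"',
    '192.0.2.11 - - [10/Mar/2011:08:00:06 +0000] "GET /viewtopic.php?t=2 HTTP/1.1" 200 1498 "-" "Crawlerbot/1.0"',
    '198.51.100.5 - - [10/Mar/2011:09:12:40 +0000] "GET /viewtopic.php?t=1 HTTP/1.1" 200 1502 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2011:11:03:10 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Crawlerbot/1.0"',
    '203.0.113.7 - - [10/Mar/2011:11:03:11 +0000] "GET /admin/config.php HTTP/1.1" 404 312 "-" "Crawlerbot/1.0"',
    '203.0.113.7 - - [10/Mar/2011:11:03:12 +0000] "GET /install/index.php HTTP/1.1" 404 312 "-" "Crawlerbot/1.0"',
]


def run_example():
    records = [parse_line(line) for line in SAMPLE_LOG]
    return classify([r for r in records if r], WHITELIST, IP_TO_AS)


if __name__ == "__main__":
    crawlers, labelled = run_example()
    print("crawler ASes:", sorted(crawlers))
    for rec, label in labelled:
        print("%-9s %-14s %s" % (label, rec["ip"], rec["url"]))
```

Two details matter in practice: the threshold is evaluated per AS rather than per IP, so a crawler that spreads its fetches over several addresses (as 192.0.2.10 and .11 do here) still crosses it, and a spoofed "Crawlerbot" user-agent buys the third client nothing, because its requests for unlinked files fall outside the whitelist regardless of what it claims to be.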
Attacker visits

The most popular page, with over 10,000 visits, was for a site running Joomla, a CMS.

Comparing Honeypots
  • Web server: no hostname, accessible only by its IP address. Not in the index of any search engine or crawler.
  • Vulnerable software: 4 commonly targeted Web applications installed. Publicly accessible on the Internet. Crawled and indexed by search engines.
  • Heat-seeking honeypot pages: simple HTML pages, wrapped in a PHP script that performs logging.

Crawled and indexed by search engines (96 pages).

  • Presented heat-seeking honeypots, which generate honeypot pages automatically.
  • Captured a variety of attacks, including:

password guesses, software installation attempts, SQL-injection attacks, remote file inclusion attacks, and cross-site scripting (XSS) attacks.

  • Heat-seeking honeypots and their use can effectively inform appropriate monitoring and defenses.