1 / 29

Heat-seeking Honeypots: Design and Experience

CS-558. Heat-seeking Honeypots: Design and Experience. John P. John, Fang Yu,  Yinglian Xie ,  Arvind  Krishnamurthy, and Martín Abadi . Smyrnaki Ourania. Goal. Attackers search for vulnerable servers . Aim to understand the behavior of attackers : How they find them Compromise

wren
Download Presentation

Heat-seeking Honeypots: Design and Experience

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS-558 Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, YinglianXie, Arvind Krishnamurthy, and MartínAbadi. SmyrnakiOurania

  2. Goal • Attackers search for vulnerable servers. • Aim to understand the behavior of attackers: • How they find them • Compromise • misuse vulnerable servers

  3. Introduction • Present in the paper heat-seeking honeypots that: • attract attackers • generate and deployautomatically honeypot pages Output: • Analyze logs in order to identify attack patterns

  4. Design of Heat Seeking honeypots • Heat Seeking honeypots consist of 4 components • 1. Obtaining attacker queries • 2. Creation of honeypot pages • 3. Advertisinghoneypot pages to attackers • 4. Detecting malicious traffic (whitelist approach)

  5. 1. Obtaining attacker queries How do attackers find Web servers? 1st approach • perform brute-force port scanning on the internet. 2nd approach • Make use of Internet search engines.

  6. 1. Obtaining attacker queries • 2nd approach  try to attract attackers that perform malicious queries • E.g. query a php vulnerability: phpizabi v0.848b c1 hfp1 • Results: • List of Web sites that have that php vulnerability

  7. 1. Obtaining attacker queries How can we obtain these malicious queries? • SbotMiner and SearchAudit to automatically identify malicious queries from attackers in the Bing log.

  8. 2. Creation of honeypot pages Given the query used by the attacker, how do we create an appropriate honeypot? • 1st approach Install vulnerable Web Software • Manually Install Web Applications that were frequently targeted. • Each application placed in a different VM. • But why? • If one VM gets compromised, it will not affect the working of the other applications.

  9. 2. Creation of honeypot pages When is an application compromised? New files added or application files have been compromised Disadvantage Manually identify and set up software

  10. 2. Creation of honeypot pages 2nd approach Set up web pages matching the query • Instead of setting up the actual software, we can create similar pages that are similar to the ones created by the software. (AUTOMATICALLY) • Issue the malicious query to the Bing and Google search engines and collect the results URLS.

  11. 2. Creation of honeypot pages Crawler fetches the Web pages at these URLs, along with the other elements require to render these pages (e.g. images,css) • Strip all Javascript content and rewrite all links of the page to point to the local versions. • Log all information of a visit to a database

  12. 3. Advertise Honeypots to Attackers • Submit URLS of honeypot pages to search engines • Add links to other public Web pages to point to additional links not prominently visible to regular users. But why? • Legitimate sites shall not lose traffic from ordinary users

  13. Architecture of Heat-Seeking Honeypot

  14. 4. Detecting malicious traffic Log all visits to our local heat-seeking honeypots. Process log and automatically extract attack traffic. Honeypots receive legitimate traffic and malicious traffic  since our honeypots are publicly accessible. 2 kinds of legitimate traffic: • Search engines – Crawlers • Regular users, ordinary users

  15. Identify Crawlers-malicious traffic How can we identify crawler traffic? Looking for known user agent strings Disadvantage: Does not always work! Why? User agent string easily spoofed, attackers can use a well known string to avoid detection.

  16. Identify Crawlers-malicious traffic Crawlers visit static and dynamic links. Dynamic links generated by the real software. Static links refer to automatically generated honeypots.

  17. Distinguishing traffic • From honeypot logs we observed that most of the attackers are not targeting the static pages. • Try to access non-existent files that were not publicly accessed.

  18. Distinguishing traffic • Whitelist approach • Each site master enumerates the list of dynamic and static links. • This set is considered as Whitelist. • Requests to links that are not in the Whitelist are considered malicious.

  19. Distinguishing Traffic: Crawler visits

  20. Crawler visits:Detecting Dynamic Links More that 200 Software Honeypot pages that contain dynamic links have been crawled by 3 search engines.

  21. Fraction of pages visited by ASes Anyone visiting more than Threshold > 75% is considered a crawler, while others are considered legitimate users to reach their honeypot pages. • e

  22. How often each Crawler visits Honeypot Pages

  23. Attacker visits Most popular page with over 10.000 visits was for site running Joomla, a CMS.

  24. Top 10 Countries where attacker IP addresses are located

  25. Comparing Honeypots • Web Server  no hostname, access only its IP address. Not in the index of any search engine or crawler • Vulnerable Software  installed 4 commonly targeted Web applications. Publicly accessible on the Internet. Crawled and indexed by Web sites. • Heat-seeking Honeypot pages Simply HTML pages,wrapped in php script that performs logging. Crawled and indexed by Web sites. (96 pages)

  26. Results

  27. Results Categories of Attacks

  28. Conclusion • Present heat-seeking honeypots, which generate honeypot pages automatically. • Captured a variety of attacks including: password guesses,software installation attempts, SQL-injection attacks, remote file inclusion attacks, and cross-site scripting (XSS) attacks. • Heat-seeking honeypots and their use can effectively inform appropriate monitoring and defenses.

More Related