A VIRTUAL HONEYPOT FRAMEWORK Author: Niels Provos Publication: Usenix Security Symposium 2004. Presenter: Hiral Chhaya for CAP6103
Security Situation • We are unable to build secure computer systems, or even to measure their security. • New vulnerabilities keep being exploited • Exploit automation and massive global scanning for vulnerabilities are used to compromise computer systems • We use honeypots as one way to get early warning of new vulnerabilities
Introduction • What is a honeypot? Definition: A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. • Has no production value; • Used for monitoring, detecting and analyzing attacks • Does not solve a specific problem • Honeypots have a low false positive rate, because any traffic to them is suspicious by definition
Classification • By level of interaction • High • Low • By Implementation • Virtual • Physical
What is Honeyd • Honeyd: a virtual honeypot application, which allows us to create thousands of IP addresses, each backed by a virtual machine with its own network services.
What Can Honeyd Do? • Simulate TCP and UDP services • Support ICMP • Handle multiple IP addresses simultaneously • Simulate arbitrary network topologies • Support topologically dispersed address spaces • Support network tunneling for load sharing
HONEYD DESIGN • Receiving Network Data • Architecture • Personality Engine • Routing Topology • Logging
RECEIVING NETWORK DATA • Ways for Honeyd to receive traffic for its virtual honeypots • A special route directs packets for the honeypot addresses to the Honeyd host • Proxy ARP, so the Honeyd host answers ARP requests for the honeypot addresses
ARCHITECTURE • Configuration database • Central packet dispatcher • Protocol handlers • Personality engine • Optional routing component
PERSONALITY ENGINE • To fool fingerprinting tools • Uses the fingerprint databases of • Nmap, for TCP and UDP • Xprobe, for ICMP • Introduces changes to the headers of every outgoing packet before it is sent to the network
ROUTING TOPOLOGY • Simulates virtual network topologies; • Some honeypots are also configured as routers • Latency and loss rate are configured for each edge; • Supports network tunneling and traffic redirection;
How To CONFIGURE • Each virtual honeypot is configured with a template. • Commands: • create: Creates a new template • set: • Assign a personality (fingerprint database entry) to a template • Specify the default behavior of network protocols • block: All packets dropped • reset: All ports closed by default • open: All ports open by default • add: Specify available services • proxy: Used for connection forwarding • bind: Assign a template to a specific IP address
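An added example of a Honeyd configuration file that exercises the commands above together with the routing topology from the previous slide; it is not taken from the paper or the talk. The personality strings are assumed to exist in Honeyd's Nmap fingerprint file, the script paths are assumed, and 10.1.0.20 is an assumed high-interaction honeypot that receives forwarded SSH connections.

```text
# Virtual topology: an entry router at 10.0.0.1 fronts the 10.0.0.0/8 space
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
# A second hop behind the entry router, with latency and loss on the edge
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# Template for the virtual routers (personality string assumed to be in nmap.prints)
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
set router default udp action reset
set router default icmp action open
add router tcp port 23 "scripts/router-telnet.pl"

# Template for a host on the inner subnet
create webhost
set webhost personality "Linux 2.4.7 (X86)"
set webhost default tcp action reset
set webhost default udp action block
add webhost tcp port 80 "sh scripts/web.sh"
# Forward SSH to the assumed high-interaction honeypot at 10.1.0.20
add webhost tcp port 22 proxy 10.1.0.20:22

# Bind the templates to the addresses that make up the topology
bind 10.0.0.1 router
bind 10.1.0.1 router
bind 10.1.0.5 webhost
```

With this file, a probe to 10.1.0.5 traverses two virtual hops (so traceroute shows the configured latency) and port 80 is served by the script, while every other TCP port answers with a RST as the reset default dictates.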
Logging • Honeyd supports several ways of logging network activity. • Honeyd creates connection logs that report attempted and completed connections for all protocols. • Honeyd can run in conjunction with a NIDS.
APPLICATIONS • Network decoys • Spam Prevention
CONCLUSION • Honeyd has many advantages over a NIDS • Collects more useful information • Detects vulnerabilities that are not yet understood • Less likely to produce false positives • Fools fingerprinting tools • Effective network decoys • Detecting and immunizing against new worms • Spam prevention
WEAKNESSES • Interaction is limited to the network level • Does not simulate the whole OS • Adversaries never gain full access to systems • Limited number of simulated services and protocols • What if the worm is smart enough to see through the deception? Then Honeyd itself could be turned against us.
HOW TO IMPROVE • Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware to get a better forensic analysis of the attacker; • Fool more fingerprinting tools, e.g. p0f, which passively analyzes network traffic; • Simulate more services and protocols, e.g. with a better TCP state machine.