Agenda
1. Honeypot
2. Honeypot types
3. Client Honeypot. Related work
4. Challenges of low interaction client honeypots
5. Honeyware
6. Honeyware overcoming client honeypot challenges
7. Honeyware architecture
8. Honeyware experiment
9. Hybrid system
10.
Honeypot
What is a honeypot? A “security resource whose value lies in being probed, attacked or compromised” (Spitzner 2003).
Main difference between a honeypot and other security techniques (firewall, IDS): the log files reveal the attacker's traffic without the false positives that a firewall or an IDS could log.
Honeypot types
1. Passive honeypot: use of a very vulnerable system or services, or possibly a simulation of them, then waiting to detect any attacker trying to crack the system.
2. Active honeypot (client honeypot): the client honeypot acts as a client and interacts with the server to study it and determine whether an attack has happened.
Honeypot types
A. High interaction honeypot
B. Low interaction honeypot
Related work
A. HoneyC
• Developed by Christian Seifert.
• Examines the web page code via Snort.
B. SpyBye
• Developed by Niels Provos.
• Uses the ClamAV anti-virus engine to check web pages.
C. Monkey-Spider
• Developed by Ali Ikinci.
Honeyware
Honeyware is a new low interaction client honeypot tool that aims to combine the benefits of web-based technology running on local or remote servers. It gives the user the ability to scan the target server with a choice of web browsers and with five different scan engines.
Honeyware challenges
• Detect drive-by download exploits.
• Study and analyse malicious code.
• Detect more malicious web pages by using a hybrid system with a high interaction client honeypot.
• Detect modern web-based malicious exploit tools such as Mpack and IcePack.
• IP tracking.
• Geolocation dependence.
Challenges of low interaction client honeypots
1. Web-based malicious frameworks: Mpack, IcePack
Challenges of low interaction client honeypots
1. IP tracking
• Tracks the IP address of visitors.
• If a client honeypot tries to visit a malicious website running the Mpack tool with the IP tracking feature enabled, it will not detect any malicious behaviour and may assume the site is clean.
Challenges of low interaction client honeypots
2. Geolocation dependence
• This feature, provided by a number of malware tools, causes the malware to affect only visitors from certain countries, while behaving normally with visitors from other countries.
Honeyware
1. Web browsers
2. Scan engine
3. Honeyware client
4. Crawling
Honeyware overcoming client honeypot challenges
Honeyware client
A. Geolocation dependence
B. IP tracking (Mpack web-based exploit tool; Mpack's attack method uses the visitor's browser product and version)
• First request between Honeyware and the target.
• The send/receive exchange between Honeyware and its client.
• Send multiple requests to the target to simulate the usual human visitor behaviour.
• Second request, to get the target web page after the multiple requests.
• Compare both requests to detect any changes.
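The two-request comparison described above, as an added example (not Honeyware's own PHP code): a Python replay of the check against a constructed in-memory server that imitates the IP-tracking and browser-dependent behaviour the slides attribute to Mpack. The server class, the fetch callback, the addresses and the sample pages are assumptions for the demonstration.

```python
import hashlib
from typing import Callable, Dict, List

# fetch(client_ip, user_agent) -> response body. A real Honeyware client sends the HTTP
# request from its own address; here the fetch is injected so the check runs offline.
Fetch = Callable[[str, str], str]

BENIGN = "<html><body>Welcome</body></html>"
# Constructed sample of a page with an injected script tag; not real exploit-kit output.
INJECTED = "<html><body>Welcome<script src='/x.js'></script></body></html>"

class FakeTrackingServer:
    """Constructed stand-in for an IP-tracking, browser-dependent server, modelled on
    the behaviour the slides attribute to Mpack: the injected page is served only on
    the first visit from an address and only to the targeted browser product/version."""

    def __init__(self, targeted_browser: str = "MSIE 6.0") -> None:
        self.targeted_browser = targeted_browser
        self.visits: Dict[str, int] = {}

    def fetch(self, client_ip: str, user_agent: str) -> str:
        seen = self.visits.get(client_ip, 0)
        self.visits[client_ip] = seen + 1
        if seen == 0 and self.targeted_browser in user_agent:
            return INJECTED
        return BENIGN

def fingerprint(body: str) -> str:
    """Digest of a response body so two pages can be compared cheaply."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def probe_target(fetch: Fetch, honeypot_ip: str, client_ips: List[str],
                 user_agents: List[str]) -> Dict[str, object]:
    """Replay the Honeyware check: first request from the honeypot, a burst of requests
    from Honeyware clients (other addresses, several browsers) to look like ordinary
    visitors, then a second request from the honeypot, and compare the two."""
    first = fetch(honeypot_ip, user_agents[0])
    client_pages = [fetch(ip, ua) for ip in client_ips for ua in user_agents]
    second = fetch(honeypot_ip, user_agents[0])
    # A change between two visits from the same address indicates IP tracking; differing
    # pages across clients indicate browser- or location-dependent content. Every distinct
    # variant is kept so the scan engines can inspect each one, not just the clean copy.
    variants = {fingerprint(p): p for p in [first, second, *client_pages]}
    return {
        "ip_tracking": fingerprint(first) != fingerprint(second),
        "client_dependent": len({fingerprint(p) for p in client_pages}) > 1,
        "variants": list(variants.values()),
    }
```

Against a site that serves the same page to everyone, both flags stay false and only one variant is collected, which is the "no change" outcome the slide's comparison step relies on.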
Honeyware architecture
• Honeyware architecture
• Honeyware user agent
• Honeyware screenshots 1 and 2
Honeyware experiment
The experiment scenario involved 94 URLs collected from a search engine, of which 84 were malicious and 10 benign. Capture-HPC (high interaction client honeypot) vs Honeyware (low interaction client honeypot).
Honeyware limitations
1. Slow
• Approximately 1 minute to scan a target.
• Reduce time by:
• Selecting fewer scan engines.
• Separating the scan and interact engine from PHP (use Perl or shell and then pass the result to Honeyware).
2. Not able to detect 0-day exploits
Hybrid system
The hybrid system starts by scanning all URLs with Capture-HPC and then forwards all URLs that Capture-HPC reports as benign to Honeyware to scan.
Honeyware future work
1. Plug-in simulation
2. Intrusion detection system (IDS)
3. Honeyware crawling
4. Improve Honeyware client
Honeyware project: http://www.sourceforge.net/projects/honeyware