
A Virtual Honeypot Framework

Feb 05, 2016




A Virtual Honeypot Framework. Niels Provos, Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004, San Diego, CA. Presented by: Sean Mondesire. Honeyd's Contributions: provides an alternative technique for detecting attacks; extremely low-cost option for honeypots.

  • A Virtual Honeypot Framework
    Niels Provos, Google, Inc.
    The 13th USENIX Security Symposium, August 9–13, 2004, San Diego, CA
    Presented by: Sean Mondesire

  • Honeyd's Contributions
    - Provides an alternative technique for detecting attacks
    - Extremely low-cost option for honeypots
    - A model framework for low-interaction honeypots

  • Agenda
    1. Introduction of Honeypots
    2. Honeyd
    3. Critique of Honeyd
    4. Recent Work
    5. Honeyd's Contributions

  • What are Honeypots?
    - A monitored computer system deployed with the hope of being probed, attacked, and compromised
    - Monitors all incoming and outgoing data
    - Any contact is considered suspicious
    - Can support any OS with any amount of functionality

  • Honeypots' Goals
    - Capture information about attacks
      - System vulnerabilities
      - System responses
    - Capture information about attackers
      - Attack methods
      - Scan patterns
      - Identities
    - Be attacked!

  • Etymology of Honeypots
    - Winnie-the-Pooh: his desire for pots of honey led him to various predicaments
    - Cold War terminology: female communist agent vs. male Westerner
    - Outhouses: "honey" as a euphemism for waste; attackers are flies attracted to the honey's stench

  • Physical vs. Virtual Honeypots
    - Physical Honeypot:
      - Real machine
      - Runs one OS to be attacked
      - Has its own IP address
    - Virtual Honeypot:
      - Virtual machine on top of a real machine
      - Can run a different OS than the real machine
      - Real machine responds to network traffic sent to the virtual machine

  • Physical vs. Virtual Honeypots (diagram: Internet connected to Physical Honeypots; Internet connected to Virtual Honeypots)

  • Virtual Honeypot Types
    - High-Interaction:
      - Simulates all aspects of an OS
      - Can be compromised completely
    - Low-Interaction:
      - Simulates some parts of an OS (example: the network stack)
      - Simulates only services that cannot lead to complete system compromise

  • Honeyd
    - A virtual honeypot framework
    - Can simulate different OSs at once
    - Each honeypot is allocated its own IP address
    - Low-Interaction:
      - Only the network stack is simulated
      - Attackers only interact with honeypots at the network level
    - Supports TCP and UDP services
    - Handles ICMP messages as well

  • Honeyd: The Architecture
    - Configuration Database
    - Central Packet Dispatch
    - Protocol handlers
    - Personality Engine
    - Routing Component (optional)

  • Personality Engine
    - A Virtual Honeypot's Personality: the network stack behavior of a given operating system
    - The Personality Engine alters outgoing packets to mimic that VH's OS
      - Changes protocol headers
    - Used to thwart fingerprinting tools (example: Xprobe and Nmap)
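An added illustration of what the personality engine step does to an outgoing SYN/ACK; this is not code from the paper or from Honeyd. The per-OS header traits (initial TTL, TCP window, DF bit, TCP option order), the addresses and the ports are constructed placeholders, not values from Honeyd's nmap.prints data, and no checksums are computed.

```python
import socket
import struct

# Constructed, approximate personality table (placeholder values, not Honeyd's
# nmap.prints data): initial TTL, TCP window, IP DF flag, TCP option order.
PERSONALITIES = {
    "linux-2.4":  {"ttl": 64,  "win": 5840,  "df": True, "opts": ["MSS", "SACK", "TS", "NOP", "WS"]},
    "windows-xp": {"ttl": 128, "win": 65535, "df": True, "opts": ["MSS", "NOP", "NOP", "SACK"]},
    "freebsd-4":  {"ttl": 64,  "win": 57344, "df": True, "opts": ["MSS", "NOP", "WS", "NOP", "NOP", "TS"]},
}

# Wire encoding of each TCP option (option payloads are placeholder values).
OPT_BYTES = {"MSS": b"\x02\x04\x05\xb4", "SACK": b"\x04\x02", "TS": b"\x08\x0a" + b"\x00" * 8,
             "NOP": b"\x01", "WS": b"\x03\x03\x00"}

def build_syn_ack(src, dst, sport, dport, ttl, win, df, opts):
    """Assemble IPv4 + TCP SYN/ACK headers with the given stack traits (no checksums)."""
    optbytes = b"".join(OPT_BYTES[o] for o in opts)
    optbytes += b"\x00" * (-len(optbytes) % 4)          # pad options to 32-bit words
    data_off = (20 + len(optbytes)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, data_off << 4, 0x12, win, 0, 0) + optbytes
    flags_frag = 0x4000 if df else 0                     # DF is bit 14 of flags/fragment field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, flags_frag, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def personality_engine(name, src, dst, sport, dport):
    """The engine's job in one call: reply with the chosen OS's network stack traits."""
    p = PERSONALITIES[name]
    return build_syn_ack(src, dst, sport, dport, p["ttl"], p["win"], p["df"], p["opts"])

def fingerprint(pkt):
    """What a stack fingerprinter reads back: (TTL, DF, window, option order)."""
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    win = struct.unpack("!H", tcp[14:16])[0]
    data_off = (tcp[12] >> 4) * 4
    opts, i = [], 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                                    # end of option list / padding
            break
        if kind == 1:
            opts.append("NOP"); i += 1; continue
        opts.append({2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}.get(kind, str(kind)))
        i += tcp[i + 1]                                  # skip by the option's length byte
    return (ttl, df, win, tuple(opts))
```

The same decoy host answers as a different OS simply by switching the personality name, which is what lets one Honeyd machine populate an address space with many apparent operating systems.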

  • Routing Options
    - Proxy ARP
    - Configured Routing
      - Routing Tables
      - Routing Trees
    - Generic Routing Encapsulation
      - Network Tunneling
      - Load balancing

  • Experiments
    - Virtual Honeypots for every detectable fingerprint in Nmap were used: 600 distinct fingerprints
    - Each VH had one port open to run a web server
    - Nmap was tested against the address space allocated for all the VHs
      - 555 fingerprints were correctly identified
      - 37 fingerprints listed possible OSs
      - 8 failed to be identified

  • Applications
    - Network Decoys: lure attackers to virtual honeypots, not real machines
    - Detecting and Countering Worms:
      - Capture packets sent by worms
      - Use large numbers of VHs across a large address space
    - Spam Prevention:
      - Monitor open proxy servers and open mail relays
      - Forward suspicious data to spam filters

  • Conclusions
    - Honeyd is a framework for supporting multiple virtual honeypots
    - Mimics OS network stack behaviors to trick attackers
    - Provides a tool for network security research
      - Network decoy
      - Spam
      - Worm detection

  • Honeyd's Strengths
    - Supports an array of different OS network stacks to fool attackers
    - Can support a large number of VHs for large address spaces
    - Easily configurable to test various security issues
      - Routing configuration
      - OS options

  • Honeyd's Weaknesses
    - Low-Interaction:
      - Only network stacks were implemented
      - Not all OS services are available
      - Not all system vulnerabilities can be tested
    - Personality Engine is not 100%:
      - The 37 failed identifications
      - Could leave attackers clues as to which sections are honeypots

  • Future Work
    - Implement Middle-Interaction: increase the number of OS services per VH
    - Experiment with Honeyd and physical honeypots on the same network
    - Increase the stability of the personality engine

  • Related Current Work
    - Middle-Interaction:
      - mwcollect
      - nepenthes
    - The Honeynet Project:
      - Raise Awareness
      - Teach and Inform
      - Research

  • Honeyd's Contributions
    - Provides an alternative technique for detecting attacks: detecting worms, attackers, and spam
    - Extremely low-cost option for honeypots: cost of physical honeypots vs. virtual
    - A model framework for low-interaction honeypots:
      - Simulates only an OS's network stack
      - Can cover large amounts of IP addresses