A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire.

Slide 2: Honeyd's Contributions
- Provides an alternative technique for detecting attacks
- Extremely low-cost option for honeypots
- A model framework for low-interaction honeypots

Slide 3: Agenda
1. Introduction of Honeypots
2. Honeyd
3. Critique of Honeyd
4. Recent Work
5. Honeyd's Contributions

Slide 4: What are Honeypots?
- A monitored computer system deployed in the hope that it will be probed, attacked, and compromised.
- Monitors all incoming and outgoing data.
  – Any contact is considered suspicious.
- Can support any OS with any amount of functionality.

Slide 5: Honeypots' Goals
- Capture information about attacks
  – System vulnerabilities
  – System responses
- Capture information about attackers
  – Attack methods
  – Scan patterns
  – Identities
- Be attacked!

Slide 6: Etymology of Honeypots
- Winnie-the-Pooh
  – His desire for pots of honey led him into various predicaments
- Cold War terminology
  – Female communist agent vs. male Westerner
- Outhouses
  – "Honey": euphemism for waste
  – Attackers are flies attracted to the honey's stench

Slide 7: Physical vs. Virtual Honeypots
- Physical Honeypot:
  – Real machine
  – Runs one OS to be attacked
  – Has its own IP address
- Virtual Honeypot:
  – Virtual machine on top of a real machine
  – Can run a different OS than the real machine
  – Real machine responds to network traffic sent to the virtual machine

Slide 8: Physical vs. Virtual Honeypots
(Diagram: physical honeypots connected to the Internet, beside virtual honeypots connected to the Internet.)

Slide 9: Virtual Honeypot Types
- High-Interaction:
  – Simulates all aspects of an OS
  – Can be compromised completely
- Low-Interaction:
  – Simulates some parts of an OS (example: the network stack)
  – Simulates only services that cannot lead to complete system compromise

Slide 10: Honeyd
- A virtual honeypot framework
- Can simulate different OSes at once
  – Each honeypot is allocated its own IP address
- Low-Interaction
  – Only the network stack is simulated
  – Attackers interact with the honeypots only at the network level
- Supports TCP and UDP services
  – Handles ICMP messages as well

Slide 11: Honeyd: The Architecture
- Configuration Database
- Central Packet Dispatch
- Protocol handlers
- Personality Engine
- Routing Component (optional)
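As an added example (not Honeyd's own code), a small Python model of the configuration database and central packet dispatch named on this slide: it parses honeyd-style template lines (create, set personality, set default action, add port, bind) into a per-IP table and resolves an incoming destination, protocol and port to the action the honeypot would take. Template names, addresses and personality strings are constructed samples.

```python
# Toy model of Honeyd's configuration database and central packet dispatch;
# added example, not Honeyd's own code. Config lines use honeyd's documented
# template syntax, but names, addresses and personality strings are constructed
# samples (a real personality must name an entry in honeyd's nmap.prints).
import shlex

SAMPLE_CONFIG = """
create win
set win personality "Microsoft Windows XP Professional SP1"
set win default tcp action reset
add win tcp port 80 "sh scripts/web.sh"
add win tcp port 135 open
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action block
add linux tcp port 22 open
bind 10.0.0.5 win
bind 10.0.0.6 linux
"""

def parse_config(text):
    """Configuration database: template name -> template, bound IP -> template."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        w = shlex.split(line)                  # keeps "sh scripts/web.sh" whole
        if w[0] == "create":
            templates[w[1]] = {"personality": "", "defaults": {}, "ports": {}}
        elif w[0] == "set" and w[2] == "personality":
            templates[w[1]]["personality"] = w[3]
        elif w[0] == "set" and w[2] == "default":   # set T default PROTO action A
            templates[w[1]]["defaults"][w[3]] = w[5]
        elif w[0] == "add":                          # add T PROTO port N ACTION
            templates[w[1]]["ports"][(w[2], int(w[4]))] = w[5]
        elif w[0] == "bind":                         # bind IP T
            bindings[w[1]] = templates[w[2]]
    return templates, bindings

def dispatch(bindings, dst_ip, proto, port):
    """Central packet dispatch: template by destination IP, then the per-port
    action, else the protocol default. An unbound address gets no reply (None).
    Falling back to "block" when no default is set is this toy's assumption."""
    tmpl = bindings.get(dst_ip)
    if tmpl is None:
        return None
    return tmpl["ports"].get((proto, port), tmpl["defaults"].get(proto, "block"))
```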

Slide 12: Personality Engine
- Virtual Honeypot Personality:
  – The network stack behavior of a given operating system
- The Personality Engine alters outgoing packets to mimic that VH's OS
  – Changes protocol headers
- Used to thwart fingerprinting tools
  – Examples: Xprobe and Nmap

Slide 13: Routing Options
- Proxy ARP
- Configured Routing
  – Routing Tables
  – Routing Trees
- Generic Routing Encapsulation
  – Network Tunneling
  – Load balancing

Slide 14: Experiments
- Virtual honeypots for every detectable fingerprint in Nmap were used.
  – 600 distinct fingerprints
- Each VH had one port open to run a web server.
- Nmap was tested against the address space allocated for all the VHs.
  – 555 fingerprints were correctly identified
  – 37 fingerprints listed several possible OSes
  – 8 could not be identified
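An added Python illustration (not from the paper or these slides) of what the personality engine on slide 12 does to an outgoing reply and how the three outcomes on this slide arise when a fingerprinter looks at the result. The trait table is constructed for the example and is not real Nmap fingerprint data; two entries are deliberately identical to reproduce the "lists possible OSes" case.

```python
# Toy personality engine in the spirit of slide 12, plus the three outcome
# buckets of slide 14 (identified / several candidates / unidentified).
# Added example, not Honeyd's own code; the trait values below are constructed
# and are not real nmap.prints fingerprints.

# Stack traits a remote OS fingerprinter keys on: initial TTL, TCP window,
# don't-fragment bit, TCP option order (constructed values).
PERSONALITIES = {
    "OS-A": {"ttl": 128, "window": 65535, "df": True,  "options": "MNWNNTNNS"},
    "OS-B": {"ttl": 64,  "window": 5840,  "df": True,  "options": "MSTNW"},
    "OS-C": {"ttl": 255, "window": 16384, "df": False, "options": "MNWNNT"},
    # OS-D shares every observable trait with OS-C, so a fingerprinter can only
    # list both: the "lists possible OSes" outcome on slide 14.
    "OS-D": {"ttl": 255, "window": 16384, "df": False, "options": "MNWNNT"},
}
TRAITS = ("ttl", "window", "df", "options")

def apply_personality(reply, personality):
    """Rewrite the outgoing reply's headers to carry the assigned OS's traits;
    addressing and payload are untouched."""
    out = dict(reply)
    out.update(PERSONALITIES[personality])
    return out

def fingerprint(pkt):
    """The fingerprinter's view: every OS whose traits match the packet."""
    return sorted(n for n, t in PERSONALITIES.items()
                  if all(pkt.get(f) == t[f] for f in TRAITS))

def classify(matches, expected):
    """Slide-14 buckets for one probe result."""
    if matches == [expected]:
        return "identified"
    return "ambiguous" if expected in matches else "unidentified"

def run_experiment():
    """One virtual honeypot per personality: route a reply through the engine,
    fingerprint it, and tally outcomes the way slide 14 reports 555/37/8."""
    base = {"src": "10.0.0.5", "dst": "192.0.2.10", "ttl": 64,
            "window": 0, "df": False, "options": ""}
    tally = {"identified": 0, "ambiguous": 0, "unidentified": 0}
    for name in PERSONALITIES:
        tally[classify(fingerprint(apply_personality(base, name)), name)] += 1
    return tally
```

A reply that bypasses the engine (the unaltered `base` packet) matches no entry, which is the "unidentified" bucket.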

Slide 15: Applications
- Network Decoys
  – Lure attackers to virtual honeypots, not real machines
- Detecting and Countering Worms
  – Capture packets sent by worms
  – Use large numbers of VHs across a large address space
- Spam Prevention
  – Monitor open proxy servers and open mail relays
  – Forward suspicious data to spam filters

Slide 16: Conclusions
- Honeyd is a framework for supporting multiple virtual honeypots
- Mimics OS network stack behaviors to trick attackers
- Provides a tool for network security research
  – Network decoys
  – Spam
  – Worm detection

Slide 17: Honeyd's Strengths
- Supports an array of different OS network stacks
  – Fools attackers
- Can support a large number of VHs for large address spaces
- Easily configurable to test various security issues
  – Routing configuration
  – OS options

Slide 18: Honeyd's Weaknesses
- Low-Interaction
  – Only network stacks were implemented
  – Not all OS services are available
  – Not all system vulnerabilities can be tested
- The Personality Engine is not 100% accurate
  – The 37 failed identifications
  – Could give attackers clues as to which sections are honeypots

Slide 19: Future Work
- Implement Middle-Interaction
  – Increase the number of OS services per VH
- Experiment with Honeyd and physical honeypots on the same network
- Increase the stability of the personality engine

Slide 20: Related Current Work
- Middle-Interaction
  – mwcollect
  – nepenthes
- The Honeynet Project
  – Raise awareness
  – Teach and inform
  – Research

Slide 21: Honeyd's Contributions
- Provides an alternative technique for detecting attacks
  – Detecting worms, attackers, and spam
- Extremely low-cost option for honeypots
  – Cost of physical honeypots vs. virtual
- A model framework for low-interaction honeypots
  – Simulates only an OS's network stack
  – Can cover large numbers of IP addresses