Client Side Honeypots
Presentation Transcript

  • Client-Side Honeypots. Bing Yuan, Department of Computer Science, RWTH Aachen. April 26, 2007
  • Overview
    - Motivation
    - The Client-Side Honeypot
    - The CHP System
    - Attack Patterns
    - Future Works
  • Motivation: client-side exploits grow very fast. Problems
    - a client-side exploit means exploiting vulnerabilities in client-side software
    - computers can be infected simply by browsing web pages or opening emails
    - about 90% of PCs connected to the internet were infected with spyware in 2006 (www.webroot.com)
  • Motivation: client-side exploits grow very fast. Analysis
    - client-side software is widespread: web browsers, email clients, ...
    - client-side software has many vulnerabilities: Microsoft Security Bulletin Search: IE, OE, ...; Mozilla Foundation Security Advisory: Firefox, Thunderbird, ...
  • Motivation: traditional methodology is inadequate
    - anti-malware software is all reactive
    - traditional honeypots focus on server-side attacks
    - we need to handle client-side attacks proactively
  • The Client-Side Honeypot: Overview. Definition: a client-side honeypot is a trap computer which simulates or drives client-side software to actively and automatically search for attacks, records system activities and judges which system activities are malicious, in order to learn more about client-side attack patterns.
  • The Client-Side Honeypot: Characteristics
    - client-side: it simulates/drives client-side software and does not provide services
    - active: because it cannot lure attacks, it must actively search for them
    - automatic: because a huge number of resources must be visited, the client-side honeypot's tasks must be automated
    - identify: it must be able to judge which system activities are normal and which are malicious
  • The Client-Side Honeypot: Classification
    - high-interaction and low-interaction
    - according to the development technology:
      - integrity control: take two snapshots of the system before and after crawling, then compare the two snapshots to judge whether the system's integrity has changed
      - real-time monitoring: during crawling, intercept important system calls using hook technologies and record the system activities these calls cause; more efficient, because no system snapshots are needed; more precise, because every important system call is intercepted
  • The Client-Side Honeypot: Client-side honeypot projects (1)
    - HoneyC: low-interaction client-side honeypot developed by Christian Seifert in 2006; platform-independent open source framework written in Ruby; drives a visitor component such as a web browser simulator to visit web servers; uses an analysis engine to determine whether the system's security policies are violated
    - Capture-HPC: high-interaction client-side honeypot developed by many researchers at Victoria University of Wellington using Java and C; the Capture server is responsible for controlling Capture clients; a Capture client is responsible for recording system activities in real time
  • The Client-Side Honeypot: Client-side honeypot projects (2)
    - Honeyclient: the first open source high-interaction client-side honeypot, developed by Kathy Wang in Perl in early 2005; establishes two baselines of system files and registry entries, before and after visiting one whole domain; compares the two baselines to find integrity changes
    - HoneyMonkey System: short for Strider HoneyMonkey Exploit Detection System, developed by Microsoft in 2005; the first high-interaction client-side honeypot system to find a 0-day exploit; runs one web browser instance per malicious URL and waits for some minutes, recording and analysing the system activities in the meantime; pipeline of virtual machines with different patch levels
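The "integrity control" branch of the classification slide and Honeyclient's before/after baselines both come down to the same check: snapshot the system, let the client visit something, snapshot again, diff. The following is an added example of that check for the file half of a baseline, written for this transcript; it is not code from the presentation, Honeyclient or CWSandbox. It builds a constructed miniature "system image" in a temporary directory, simulates the created/modified/deleted file activities the CHP slides list, and reports the differences. The registry half of a baseline needs Windows-specific access (winreg) and is left out.

```python
"""Integrity-control check: snapshot a file tree before and after a visit and
diff the two snapshots. Added example, not the presentation's tool."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path, '/' separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = digest
    return state


def compare(before, after):
    """Classify paths as created, deleted or modified between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Constructed miniature system image; the simulated 'visit' drops, edits
    and deletes files the way the slides' activity list describes, then we diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        os.makedirs(os.path.join(root, "cache"))
        with open(os.path.join(root, "win.ini"), "w") as fh:
            fh.write("[windows]\n")
        with open(os.path.join(root, "system32", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "cache", "index[1].htm"), "w") as fh:
            fh.write("<html></html>\n")
        before = snapshot(root)

        # activities caused by the simulated visit (constructed sample, not real malware)
        with open(os.path.join(root, "win.ini"), "a") as fh:
            fh.write("run=svchost32.exe\n")                     # modified
        with open(os.path.join(root, "system32", "svchost32.exe"), "wb") as fh:
            fh.write(b"MZ placeholder")                         # created
        os.remove(os.path.join(root, "cache", "index[1].htm"))  # deleted

        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing content rather than comparing timestamps is what makes the "modified" class reliable: a file rewritten with the same size and a restored mtime still shows up. The weakness the slides point out remains, though: anything the visit did and undid between the two snapshots (a process that ran and exited, a temporary file) is invisible to this method, which is the argument for real-time monitoring.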
  • The CHP System: Overview
    - the goal: implement a system which can determine whether clicking on a web link causes system activities; if so, judge whether these activities are normal or malicious; when malicious, further research the URLs which caused the malicious activities to gain knowledge about client-side attack patterns
    - the CHP system is a high-interaction client-side honeypot and consists of CI (Crawl and Identify), developed by me in C++, and CWSandbox, developed by Carsten Willems in Delphi; it runs on Windows XP/2000
  • The CHP System: Which system activities should be controlled
    - files: created, deleted, modified files
    - registry entries: created, deleted, modified keys/data/values
    - processes: opened, created, terminated processes
    - network connections: malicious network connections
    - memory: the ultimate goal of system control, because most malware leaves traces in memory, but it is not easy to implement
  • The CHP System: Schema (diagram slide)
  • The CI: The GUI of CI (screenshot slide)
  • The CI: The crawling part. How to build the URL list?
    - the first 100 search results (URLs)
    - a blacklist which contains known malicious URLs
    - URLs extracted from email bodies
    - URLs extracted from the crawled web pages
    - the malicious URLs we identified after one execution
  • The CI: Crawling parameters
    - breadth: how many web links on one web page we want to click on
    - depth: how many layers we want to visit; for example, if the depth equals two, the current web page is layer zero, we click on the web links at layer zero to reach the first layer, then reach the second layer by clicking on the web links at the first layer
    - length: the time between visiting two URLs
  • The CI: Layers (diagram slide). Breadth = 3, Depth = 2
  • The CI: Computing
    - number of URLs to visit = breadth^0 + breadth^1 + breadth^2 + ... + breadth^depth
    - time needed for one crawl (in seconds) = (number of URLs to visit - 1) × length
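To make the breadth/depth/length parameters and the two formulas concrete, here is an added example (written for this transcript, not the CI tool's own crawler, which drives a real browser) that schedules a crawl over a constructed link graph. It goes slightly beyond the slide: the slide's sum is an upper bound that assumes every page offers at least `breadth` fresh links, and the example shows what happens when a page has fewer links or links to a URL already visited.

```python
"""Crawl scheduling with the CI parameters breadth, depth and length.
Added example; SAMPLE_LINKS is a constructed link graph, not real data."""
from collections import deque


def urls_to_visit(breadth, depth):
    """Slide formula: breadth^0 + breadth^1 + ... + breadth^depth (upper bound)."""
    return sum(breadth ** layer for layer in range(depth + 1))


def crawl_seconds(n_urls, length):
    """Slide formula: (number of URLs to visit - 1) * length, length in seconds."""
    return max(n_urls - 1, 0) * length


def plan_crawl(start, links, breadth, depth):
    """Layer-by-layer (breadth-first) expansion: from each page click at most
    `breadth` links, stop expanding at layer `depth`, visit each URL once.
    Returns the visiting order as (url, layer) pairs."""
    order, seen = [], {start}
    queue = deque([(start, 0)])
    while queue:
        url, layer = queue.popleft()
        order.append((url, layer))
        if layer == depth:
            continue  # leaves of the last layer are visited but not expanded
        for nxt in links.get(url, [])[:breadth]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, layer + 1))
    return order


# Constructed graph: "/" has four links (only `breadth` are clicked), "/b" has
# only two links and one of them ("/a1") is already reachable through "/a".
SAMPLE_LINKS = {
    "/": ["/a", "/b", "/c", "/d"],
    "/a": ["/a1", "/a2", "/a3"],
    "/b": ["/b1", "/a1"],
    "/c": ["/c1", "/c2", "/c3"],
}


if __name__ == "__main__":
    breadth, depth, length = 3, 2, 30
    bound = urls_to_visit(breadth, depth)
    plan = plan_crawl("/", SAMPLE_LINKS, breadth, depth)
    print(f"upper bound: {bound} URLs, {crawl_seconds(bound, length)} s")
    print(f"actual plan: {len(plan)} URLs, {crawl_seconds(len(plan), length)} s")
    for url, layer in plan:
        print(f"  layer {layer}: {url}")
```

With breadth 3 and depth 2 the bound is 1 + 3 + 9 = 13 URLs (360 s at 30 s per URL), while the constructed graph yields only 11, because "/b" offers two links and one of them was already queued. The bound is still the right number for capacity planning, since a crawl cannot exceed it.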
  • The CI: The identify part
    - after crawling and hooking (i.e. real-time monitoring), we get "analysis.xml", which contains all important activities caused by visiting the URLs
    - activity = action + filepath + filename
    - parse this XML file and identify malicious activities using filter patterns
• Filter patterns (1), by activity type. File activity: path does not contain "Temporary Internet Files". Registry activity: contains "Browser Helper Objects", "CurrentVersion\Run", "CurrentVersion\RunOnce", "CurrentVersion\RunServices", "CurrentVersion\RunServicesOnce", "Internet Explorer\Toolbar", "Search Assistant", "Search Bar", "Search Page" or "Start Page".
• Filter patterns (2). Registry activity (continued): contains "Startup Folder", "Hosts", "CurrentVersion\Winlogon", "CurrentControlSet\Services", "CurrentControlSet\Control", "Shell\Open\Command" or "ShellExecuteHooks". Process: create or terminate activities. Ini-file activity: contains "win.ini" and "run" and "load"; contains "system.ini" and "load" and "shell". Winsock: every crawled URL.
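The identify step and the filter patterns of the two slides above, as an added example (my own code, not the CI's or CWSandbox's): it parses a constructed stand-in for "analysis.xml" (the real CWSandbox report schema differs; element and attribute names here are assumptions), builds the activity text from action, filepath and filename, and returns the activities the patterns flag. The ini rule is taken as either autostart key of each pair, which is an assumption.

```python
import xml.etree.ElementTree as ET

# Registry locations the slides' filter patterns treat as suspicious.
REGISTRY_PATTERNS = [
    "Browser Helper Objects", r"CurrentVersion\Run", r"CurrentVersion\RunOnce",
    r"CurrentVersion\RunServices", r"CurrentVersion\RunServicesOnce",
    r"Internet Explorer\Toolbar", "Search Assistant", "Search Bar", "Search Page",
    "Start Page", "Startup Folder", "Hosts", r"CurrentVersion\Winlogon",
    r"CurrentControlSet\Services", r"CurrentControlSet\Control",
    r"Shell\Open\Command", "ShellExecuteHooks",
]

# Constructed stand-in for analysis.xml; the real CWSandbox schema differs.
SAMPLE_XML = r"""<analysis>
  <activity type="file" action="create" filepath="C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234" filename="index[1].htm"/>
  <activity type="file" action="create" filepath="C:\WINDOWS\system32" filename="svchost.exe"/>
  <activity type="registry" action="set_value" filepath="HKLM\Software\Microsoft\Windows\CurrentVersion\Run" filename="svchost"/>
  <activity type="registry" action="set_value" filepath="HKCU\Software\Microsoft\Internet Explorer\Main" filename="Start Page"/>
  <activity type="process" action="create" filepath="C:\WINDOWS\system32" filename="svchost.exe"/>
  <activity type="ini" action="write" filepath="C:\WINDOWS" filename="win.ini" value="run=C:\WINDOWS\system32\svchost.exe"/>
  <activity type="winsock" action="connect" filepath="http://example.invalid/page.html" filename=""/>
</analysis>"""

def load_activities(xml_text):
    """Parse the report into one dict per <activity> element."""
    return [dict(el.attrib) for el in ET.fromstring(xml_text).iter("activity")]

def match_filter(kind, action, text):
    """Return the filter reason for one activity, or None if it passes the filters."""
    low = text.lower()
    if kind == "file":       # plain browsing only writes into the IE cache
        return None if "temporary internet files" in low else "file outside IE cache"
    if kind == "registry":
        return next(("registry: " + p for p in REGISTRY_PATTERNS if p.lower() in low), None)
    if kind == "process":
        return "process " + action if action in ("create", "terminate") else None
    if kind == "ini":        # autostart keys of win.ini / system.ini (either key counts)
        if "win.ini" in low and ("run=" in low or "load=" in low):
            return "win.ini autostart key"
        if "system.ini" in low and ("load=" in low or "shell=" in low):
            return "system.ini autostart key"
        return None
    if kind == "winsock":    # every crawled URL is recorded
        return "network connection"
    return None

def find_malicious(xml_text):
    """Apply the filters; activity text = action + filepath + filename (+ value)."""
    hits = []
    for a in load_activities(xml_text):
        text = " ".join(a.get(k, "") for k in ("action", "filepath", "filename", "value"))
        reason = match_filter(a.get("type", ""), a.get("action", ""), text)
        if reason:
            hits.append((reason, a.get("filepath", ""), a.get("filename", "")))
    return hits
```

On the constructed report only the write into the IE cache passes; the other six activities are flagged, the registry ones with the first pattern that matched.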
• Introduction: the CWSandbox can automatically analyse malware behaviour by running the malware and intercepting all important calls to the Windows API that cause the corresponding system activities; the CWSandbox uses hooking technology, where hooking a function means intercepting calls to that function by some other function called a hook; finally it generates one summarized report.
• The integration of CI and CWSandbox: the CWSandbox drives one IE instance as the "malware", which can be captured by the CI; the CI continuously crawls the URLs from the URL list using this IE instance; in the meantime the system activities caused by visiting these URLs are recorded by the CWSandbox; the CWSandbox generates one summarized report of the system activities; the identify part of the CI parses and analyses this report to judge which activities are malicious.
• Attack patterns (1): malware uses social engineering to disguise itself, for example as "svchost.exe"; it redirects the user's network connections, e.g. using an invisible "iframe"; malicious websites put their weblinks on the webpages of other websites; the source code is concealed using obfuscation, often applied several times over.
• Attack patterns (2): different scripting languages are used, such as a mixture of VBScript and JavaScript; script code operates directly on the local system, e.g. using the "Scripting.FileSystemObject" object; malware uses various methods to create, execute and delete itself at the same time; malware uses rootkit technologies to hide itself.
• Future works (1): further improve the CHP system and expand the filter patterns; test the CHP system in the Laboratory for Dependable Distributed Systems at the University of Mannheim and at the Honeynet Organization; improve the email part so that it investigates the vulnerabilities of the email client, which must be coordinated with the CWSandbox, since it can monitor activities such as opening emails or email attachments; add the network control part.
• Future works (2): improve the integrity control part, since with better configuration and implementation the integrity control approach may also work very efficiently; the CWSandbox is not an open source project, so we may build our own real-time monitoring kernel; deepen the theoretical research on client-side honeypots, which can help us improve the CHP system; build one central repository, accessible through the project website or the CI, that stores the malicious URLs and their activities, so that distributed users all over the world can run the CHP system and submit the malicious URLs they find to it.
• Thank you for your attention!