A virtual honeypot framework
Presentation Transcript

  • A VIRTUAL HONEYPOT FRAMEWORK. Author: Niels Provos. Publication: USENIX Security Symposium 2004. Presenter: Hiral Chhaya for CAP6103.
  • SECURITY SITUATION
    • We are unable to build secure computer systems, or even to measure their security.
    • New vulnerabilities keep being exploited.
    • Exploit automation and massive global scanning for vulnerabilities are used to compromise computer systems.
    • We use honeypots as one way to get early warning of new vulnerabilities.
  • INTRODUCTION: What is a honeypot?
    • Definition: a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
    • Has no production value.
    • Used for monitoring, detecting and analyzing attacks.
    • Does not solve a specific problem.
    • Honeypots have a low false positive rate.
  • CLASSIFICATION
    • By level of interaction: high or low.
    • By implementation: virtual or physical.
  • WHAT IS HONEYD? Honeyd is a virtual honeypot application that allows us to create thousands of IP addresses with virtual machines and corresponding network services.
  • WHAT CAN HONEYD DO?
    • Simulate TCP and UDP services.
    • Support ICMP.
    • Handle multiple IP addresses simultaneously.
    • Simulate arbitrary network topologies.
    • Support topologically dispersed address spaces.
    • Support network tunneling for load sharing.
  • HONEYD DESIGN
    • Receiving network data
    • Architecture
    • Personality engine
    • Routing topology
    • Logging
  • RECEIVING NETWORK DATA: ways for Honeyd to receive traffic for its virtual honeypots:
    • A special route leads the data to the Honeyd host.
    • Proxy ARP for the honeypots.
  • ARCHITECTURE
    • Configuration database
    • Central packet dispatcher
    • Protocol handlers
    • Personality engine
    • Optional routing component
  • PERSONALITY ENGINE: to fool fingerprinting tools.
    • Uses the fingerprint databases of Nmap (for TCP and UDP) and Xprobe (for ICMP).
    • Introduces changes to the headers of every outgoing packet before it is sent to the network.
  • ROUTING TOPOLOGY
    • Simulates virtual network topologies.
    • Some honeypots are also configured as routers.
    • Latency and loss rate are configured for each edge.
    • Supports network tunneling and traffic redirection.
  • HOW TO CONFIGURE: each virtual honeypot is configured with a template. Commands:
    • Create: creates a new template.
    • Set: assigns a personality (fingerprint database entry) to a template and specifies the default behavior of network protocols: Block (all packets dropped), Reset (all ports closed by default), Open (all ports open by default).
    • Add: specifies available services.
    • Proxy: used for connection forwarding.
    • Bind: assigns a template to a specific IP address.
  • LOGGING: Honeyd supports several ways of logging network activity.
    • Honeyd creates connection logs that report attempted and completed connections for all protocols.
    • Honeyd can be run in conjunction with a NIDS.
  • APPLICATIONS
    • Network decoys
    • Spam prevention
  • CONCLUSION: Honeyd has many advantages over a NIDS.
    • Collects more useful information.
    • Detects vulnerabilities that are not yet understood.
    • Less likely to lead to high false positives.
    • Cheats fingerprinting tools.
    • Effective network decoys.
    • Detecting and immunizing against new worms.
    • Spam prevention.
  • WEAKNESSES
    • Interaction is limited to the network level; the whole OS is not simulated.
    • Adversaries never gain full access to the systems.
    • Limited number of simulated services and protocols.
    • What if the worm is smart enough to cheat us? Then Honeyd will become an attacker.
  • HOW TO IMPROVE
    • Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware to get better forensic analysis of the attacker.
    • Cheat more fingerprinting tools, e.g. p0f (passive analysis of network traffic).
    • Simulate more services and protocols, e.g. with a better TCP state machine.
  • THANK YOU!
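A sample honeyd.conf, added here as an illustration and not taken from the talk or from Provos's paper, that exercises the template commands from the HOW TO CONFIGURE slide (create, set, add, proxy, bind) and the per-edge latency and loss from the ROUTING TOPOLOGY slide. The personality strings, IP addresses, script paths and the proxy target are assumed values; a personality name must match an entry in the Nmap fingerprint file that Honeyd is pointed at.

```honeyd
# Default template: any address routed to the Honeyd host but not bound
# below falls back to it. Blocking everything keeps unused space silent.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Low-interaction Windows host. The personality string is an assumed
# example and must exist in Honeyd's Nmap fingerprint file.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
# Closed TCP ports answer with RST, closed UDP ports with ICMP unreachable,
# and ICMP echo is answered, matching what the personality engine expects.
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
# Uptime in seconds, leaked through TCP timestamps like a real host would.
set windows uptime 1728650
# Ports that accept a connection but run no service script.
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
# Port with an emulated service (assumed script path).
add windows tcp port 80 "sh scripts/win32/web.sh"
# Forward SSH to a high-interaction honeypot (assumed address) instead of
# emulating it, as the HOW TO IMPROVE slide suggests.
add windows tcp port 22 proxy 10.0.0.5:22

# Router template used for the virtual topology below (assumed script path).
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
set router default udp action reset
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"

# Virtual topology: 10.0.0.1 is the entry router for 10.0.0.0/8. It links
# 10.0.0.0/24 directly and reaches 10.1.0.0/16 through 10.1.0.1 over an
# edge configured with 55 ms latency and 0.1% packet loss, so traceroutes
# into the decoy network show a plausible extra hop.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# Bind templates to the addresses that should look alive.
bind 10.0.0.1 router
bind 10.1.0.1 router
bind 10.0.0.10 windows
bind 10.1.0.20 windows
```

Connections to the bound addresses appear in Honeyd's connection log with the template name and port, which is the signal the LOGGING slide says can be correlated with a NIDS.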