Development, Confusion and Exploration of Honeypot Technology

  1. Development, Confusion and Exploration of Honeypot Technology
     Seak, Antiy Labs
  2. Outline
     • Development of Honeypots
     • Status Quo of Honeypots
     • Technical Challenges
     • Exploration and Outlook
  3. What is a Honeypot?
     • A honeypot is a security resource that can be scanned, attacked and compromised. (Lance Spitzner)
  4. 1990-1998: Early Days
     • In 1990, The Cuckoo's Egg was published.
     • Network administrators started using honeypots.
     • Physical systems
  5. 1998-2000: Rapid Development
     • Open source tools are used to lure attackers
     • DTK (Fred Cohen)
     • Honeyd (Niels Provos)
     • Honeypot products: KFSensor, Specter
     • Virtual honeypots
  6. Fred Cohen
     • The first authority in the antivirus field
     • First used the term "virus"
     • Diagonal Method
  7. 2000-2006: Prosperous Period
     • Since 2000, security researchers have tended to use real hosts, operating systems and applications to build honeypots, and have integrated data capture, data analysis and data control systems into security tools.
     • Honeypots became one of the main channels for collecting samples
  8. Outline
     • Development of Honeypots
     • Status Quo of Honeypots
     • Technical Challenges
     • Exploration and Outlook
  9. Categories
     • Deployment purpose
       – Security products
       – Research
     • Intensity of interaction
       – High interaction
       – Low interaction
  10. High-Interaction Honeypots
     • Honeywall CDROM
     • Sebek
     • HoneyBow
  11. Low-Interaction Honeypots
     • Nepenthes
     • Honeyd
     • Honeytrap: honeypot using wireless nodes
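A minimal low-interaction honeypot of the kind listed on slide 11 (the Honeyd/Nepenthes category), written here as an added example rather than code from the slides or from any of those projects: it impersonates a service banner on a loopback port and records every contact as a capture record, the data-capture side mentioned on slide 7. The banner table, the probe client and the emulated port numbers are constructed for the demo.

```python
# Added example (not from the Antiy slides): a minimal low-interaction honeypot in
# the spirit of Honeyd/Nepenthes. No real service runs; each emulated port answers
# with a canned banner, and every contact is logged as a capture record.
import socket
import threading
import time
# Constructed banner table: what a scanner sees on each emulated port.
BANNERS = {21: b"220 FTP server ready\r\n", 22: b"SSH-2.0-OpenSSH_5.3\r\n"}

def capture_record(peer, port, data):
    """Data-capture record kept for every contact with the honeypot."""
    return {"ts": time.time(), "src": peer[0], "port": port,
            "bytes": len(data), "payload": data[:64].hex()}

def handle(conn, peer, emulated_port, log):
    """Serve one connection: send the banner, read one message, log, close."""
    try:
        conn.settimeout(2.0)
        conn.sendall(BANNERS.get(emulated_port, b"\r\n"))
        data = conn.recv(4096)
    except OSError:  # timeout or reset: still log the contact
        data = b""
    finally:
        conn.close()
    log.append(capture_record(peer, emulated_port, data))

def serve(emulated_port, log):
    """Listen on an ephemeral loopback port (background thread); return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, emulated_port, log), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def probe(port, payload=b"USER anonymous\r\n"):
    """Constructed client playing a scanner: read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(4096)
        c.sendall(payload)
    return banner

def wait_for_records(log, count, timeout=5.0):  # handlers run on other threads
    deadline = time.time() + timeout
    while len(log) < count and time.time() < deadline:
        time.sleep(0.05)
    return len(log) >= count
```

The recorded payload is the first thing the peer sent after the banner, which is what a low-interaction honeypot can offer an analyst: the probe itself, not the attacker's later behaviour on a real system.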
  12. Client Honeypots
     • Capture-HPC
     • HoneyC
  13. Data Analysis Tool
     • Honeysnap
  14. Some Open Source Systems
  15. Some Open Source Systems
  16. Outline
     • Development of Honeypots
     • Status Quo of Honeypots
     • Technical Challenges
     • Exploration and Outlook
  17. Security Threats
     • DEP protects users quite well; so far, no attack targeting Windows system services has been able to bypass DEP.
     • Static file-format overflows and attacks on browsers and other clients have become the mainstream.
     • The basic working principle of honeypots is seriously threatened.
  18. Core Challenges
     • Honeypots simulate targets and then wait for attackers' malicious operations.
     • The main attack paths are no longer dominated by IP-level (network service) attacks, which makes the situation much more complicated. Attacks are becoming less specifically targeted.
  19. Report All Activities
     • Typical report system: OS loader, drivers, services, processes, modules and IE plug-ins.
     • Report large quantities of files + record data frequency + identify as-yet-unknown malware + automatic analysis system
  20. Representative Distributed Report Systems
     • ESET (NOD32) ThreatSense.Net
     • ArrectNET
     • Rising "Cloud" Project
     • 360safe process report system
  21. Challenges
     • Large quantities of desktop security products and clients
     • Real-world activity
     • Zero cost of devices and hardware resources
     • Zero cost of distributed computation
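The "report all activities" approach of slide 19 can be sketched as a prevalence aggregator: each endpoint reports hashes of the drivers, services, processes, modules and plug-ins it loads, and files that are both rare across the fleet and newly seen are the unknown-malware candidates handed to automatic analysis. This is an added example, not any of the vendor systems on slide 20; the client reports, file paths, hash inputs and thresholds are constructed.

```python
# Added example (not from the Antiy slides or any vendor's product): a toy
# "report all activities" aggregator. Endpoints report file hashes by category;
# the server keeps each hash's prevalence and first-seen time, and files that are
# both rare across the fleet and newly seen are queued for automatic analysis.
import hashlib
from collections import defaultdict

class ReportAggregator:
    def __init__(self, rare_threshold=3, new_window=7 * 86400):
        self.clients = defaultdict(set)  # hash -> ids of clients that reported it
        self.first_seen = {}             # hash -> earliest report timestamp
        self.meta = {}                   # hash -> (category, path) of first report
        self.rare_threshold = rare_threshold
        self.new_window = new_window

    def report(self, client_id, category, path, content_hash, ts):
        """Record one endpoint's observation of a file in a given category."""
        self.clients[content_hash].add(client_id)
        self.first_seen.setdefault(content_hash, ts)
        self.meta.setdefault(content_hash, (category, path))

    def prevalence(self, content_hash):
        """How many distinct endpoints have reported this hash."""
        return len(self.clients.get(content_hash, ()))

    def candidates(self, now):
        """Rare and recent hashes: the unknown files worth sending to a sandbox."""
        out = []
        for h, ids in self.clients.items():
            rare = len(ids) < self.rare_threshold
            recent = now - self.first_seen[h] <= self.new_window
            if rare and recent:
                out.append((h,) + self.meta[h])
        return sorted(out)

def file_hash(data):
    """Content hash used as the file identity across the fleet."""
    return hashlib.sha256(data).hexdigest()

def demo():
    """Constructed fleet: 50 hosts share one driver, one host loads an odd plug-in."""
    agg = ReportAggregator()
    common = file_hash(b"constructed bytes of a widely deployed driver")
    odd = file_hash(b"constructed bytes of a file seen on a single host")
    t0 = 1_700_000_000
    for i in range(50):
        agg.report(f"client{i}", "driver", r"C:\example\drivers\common.sys", common, t0)
    agg.report("client7", "ie_plugin", r"C:\example\temp\bho.dll", odd, t0 + 60)
    return agg, common, odd, t0 + 120
```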
  22. Outline
     • Development of Honeypots
     • Status Quo of Honeypots
     • Technical Challenges
     • Exploration and Outlook
  23. Trend: Sample Cultivation
     • Web drive-by downloads
     • Why do we cultivate samples? (incomplete extraction, frequent changes)
     • Main sources of sample cultivation
  24. Sample Cultivation and Analysis System
     • Research on automatic behavior and signature extraction: Antiy Labs, Peking University, Tsinghua University
     • Research on automatic processing of files in large quantities: Antiy Labs, National "863" anti-intrusion and antivirus center, South China Normal University
  25. Research on automatic behavior and signature extraction
     [Figure: flowchart of the analysis pipeline (slide footer date 2012-11-05). Malware samples pass through static analysis (file recognition/unpack, signature extraction, detection results from various engines; Antiy Labs and Peking University), dynamic analysis (sandbox behavior analysis, control flow graph, function call graph, API call sequence, malicious behavior recognition, application-level report on behavior; Peking University) and network behavior analysis (network signature extraction, report on network behavior; Tsinghua University). Outputs: virus signatures, analysis reports, family/category information and an online analysis service.]
  26. Wind-catcher Plan
     • Wind-catcher plan: a non-profit honeypot deployment project initiated by Antiy in 2006
     • The plan has three phases:
     • Wind-catcher I: improve the national basic capture system
     • Wind-catcher II: cooperate with universities
     • Wind-catcher III: target civilian researchers and reporting nodes
  27. Wind-catcher I: ARM Virtual Honeypot
     • Demonstration
     • Circuit design
     • Software system
  28. Telecom-level Honeypot: Honey Pool (slide dated 2008-07-07)
  29. Management System
  30. Wind-catcher II: Honeypot Alliance
     • Antiy cooperates with Harbin Institute of Technology, Tsinghua University and Wuhan University.
     • Deploy 3-5 Wind-catcher II honeypots in the universities, share data, and provide basic data for information science research.
  31. Wind-catcher III: ADSL Honeypot
     • Small-sized honeypot gateway with dual network cards
     • Can be placed between the user's system and the ADSL modem
  32. Honeybot
     • Security application of NPC
     • Simulate the target value, induce attacks
     • Integrate with traditional systems
  33. Creation in Our Wake
     • We appreciate your suggestions.
     • seak@antiy.net
