1 HIVE: an Open Infrastructure for Malware Collection and Analysis Davide Cavalca 1 and Emanuele Goldoni 2 1 University of Pavia Department of Computer Engineering and Systems Science 2 University of Pavia Department of Electronics Abstract. Honeynets have become an important tool for researchers and network operators. However, the lack of a unified honeynet data model has impeded their effectiveness, resulting in multiple unrelated data sources, each with its own proprietary access method and format. Moreover, the deployment and management of a honeynet is a timeconsuming activity and the interpretation of collected data is far from trivial. In this paper we propose HIVE (Honeynet Infrastructure in Virtualized Environment), a new highly scalable automated data collection and analysis architecture, which is built on top of proven FLOSS (Free, Libre and Open Source) solutions integrated and extended with new tools we developed. We use virtualization to ease honeypot management and deployment, combining both high-interaction and low-interaction sensors in a common infrastructure. We address the need for rapid comprehension and detailed data analysis by harnessing the power of a relational database system, which provides centralized storage and access to the collected data while ensuring its constant integrity. Finally, we present some techniques for the active monitoring of centralized botnets we integrated in our infrastructure. Key words: botnet, honeynet, honeypot, threat monitoring, malware 1 Introduction In last years there has been a dramatic increase in malware activity on the Internet: according to , the last two years saw a 1500% increase in threat volume, with major contributions from botnet creation and expansion. A constant monitoring of criminal activity on the network is needed to identify, prevent and actively counteract the impeding menaces. To be able to successfully defend itself, every networked company has to carry the burden of threat monitoring, building and maintaining a dedicated infrastructure. Due to the recent shift from mass attacks (mostly represented by viruses) to targeted attacks, which
2 2 Davide Cavalca and Emanuele Goldoni are performed for a specific purpose (data theft, disruption of operations, etc.), threat control has become even more compelling. Thanks to The Honeynet Project  and similar initiatives, the employment of honeypots for threat monitoring has grown into wide usage. There are now several honeynets monitoring the Internet, deployed both by academic and commercial organizations, for research and defense purposes. Most of these honeynets are independent and disconnected: they are owned and maintained by a single organization and they serve a specific purpose; the data they collect is often kept confidential, especially for commercial organizations. Moreover, each and every honeynet uses a different, usually homegrown, data collection and analysis system, impairing interoperability with external systems. Even if a company wants to share its honeynet data, it is often difficult to integrate different data sources in a unified system. The mwcollect Alliance  has taken a step in the right direction, building a single infrastructure for the collection of honeynet data and the monitoring of threats in a collaborative fashion. But the Alliance is a centralized system, essentially closed, for safety reasons: there is no public information on their infrastructure. We believe there is a need for an open honeynet infrastructure, to lower the barrier needed to setup and operate an honeypot network and to ease data collection and analysis. The openness needs to be both structural and material: open and common data schemas make the sharing of information effortless, thus encouraging it. On the other hand, the use of Open Source software to implement the actual infrastructure makes it easy for everyone to study, build, audit and improve it, allowing the whole community to benefit from individual efforts. The remainder of this paper is organized as follows: in Section 2 we discuss previous works in this area and its relation with our research. The architecture and implementation of HIVE (Honeynet Infrastructure in Virtualized Environment), our proposed honeynet infrastructure, is described in detail in Section 3. We present some preliminary results from our testbed system in Section 4. Finally, in Section 5 we conclude and lay out the grounds for some future works. 2 Background and related work The use of honeypots for malware detection and capture is now a wellestablished field. Two major kinds of honeypots have been developed: lowinteraction honeypots simulate vulnerable services or environments to lure malware into attacking them and capture its sample. They are easy to deploy and require low maintenance, but the simulation is imperfect and they can often be detected or circumvented. The major Open Source products in this area are Nepenthes , HoneyTrap  and Amun . High-interaction honeypots, on the other hand, use a full fledged system as a bait; the honeypot machine is periodically analyzed, malware is collected and the system is rebuilt to a clean state. This kind of honeypot can potentially capture more malware samples,
3 HIVE: an Open Infrastructure for Malware Collection and Analysis 3 Fig. 1. Block diagram of HIVE architecture. but is also much more expensive to deploy and maintain. There are also legal liability concerns: we have to avoid that the honeypot participates or starts a potentially dangerous attack to external machines (e.g. a denial of service). Nowadays, high-interaction honeypots are often implemented using virtualization, which eases most of their drawbacks but potentially makes them easier to detect and thus vulnerable to targeted attacks [11, 34]. The HoneyBow project  deployed a sensor infrastructure using virtualized VMWare systems combined with Nepenthes  sensors to capture malware samples. While part of the software they developed is freely available at  it has not received any significant update in the last two years. The HoneyBow project also fails to detail their data storage and analysis system, focusing instead on the collection infrastructure and the analysis results of collected data. In  Rajab et al. developed a botnet measurement infrastructure using Nepenthes sensors and a physical honeynet. They focused on IRC bots, developing a series of tools to study and infiltrate these kinds of botnets. While they make the collected data available to the research community, to our knowledge the developed software has not been released. 3 Implementation of HIVE We chose to structure HIVE on a three-tier architecture, shown in Fig. 1, to fully decouple data acquisition from data memorization. This decision has a twofold advantage: it is easier to build and scale the whole system, and if a honeypot sensor is compromised there is no way it can harm (or even see) the data store. The first stage is the actual honeynet, which is implemented using virtualization and features a combination of low-interaction and high-interaction sensors. Malware samples acquired from the honeypots are sent to a gateway, which validates and preprocesses them; samples are then sent to the data store for storage and analysis. Malware samples are analyzed with the help of external services, which provide reports on the samples behavior to help classification.
4 4 Davide Cavalca and Emanuele Goldoni Fig. 2. Our virtual honeynet structure. Monitoring facilities query the data store to obtain threat information (e.g. botnet controller servers addresses) and oversee their development. The architecture is fully scalable: adding more sensors is only a matter of creating new virtual machines or adding other physical systems. If a honeypot is damaged or compromised it cannot affect other sensors and it can be easily rebuilt or replaced. Structure and implementation of the honeynet and its sensors is described in Section 3.1. The gateway (which itself can be replicated with no effort) allows preliminary filtering of honeypot data: we can potentially remove bogus samples before sending them to the data store, avoiding to waste system resources on their analysis. The data store, finally, can be made redundant using database replication, and itself uses multiple providers for the samples analysis, to achieve better accuracy and lower the samples turnaround. This part of HIVE, which can be considered its core, is presented in Section Honeynet sensors We chose to implement our honeypot sensors using virtualization. As noted before in , virtualization dramatically cuts down the efforts needed to deploy and manage the honeynet. Moreover, the ability to simulate an arbitrary network topology on a single physical machine allows us to dynamically reconfigure the honeynet. This choice is not mandatory: our infrastructure works equally well with virtual and physical honeypots, but in the latter case restoring the machine to a clean state will require considerably more efforts. We based our implementation on VirtualBox , an Open Source virtualization product. VirtualBox has similar performance to its more prominent competitor VMWare, which has been used in honeypot research , is multiplatform and features some advantages from our point of view. Besides being Open Source, it s fully scriptable using a command-line interface or, in the last version, a standards-compliant web service. The latter feature allows to easily automate the honeypots management operations using a few shell scripts.
5 HIVE: an Open Infrastructure for Malware Collection and Analysis 5 Compared to Xen, another leading Open Source virtualization product, Virtual- Box does not require dedicated hardware support to execute unmodified guests (such as Microsoft closed-souce operating systems). Our back-end is, of course, product-agnostic and is not tied to this particular choice. We believe that using a combination of low-interaction and high-interaction honeypots allows us to get the best of both worlds; through the use of virtualization, we are able to nullify the traditional problems (difficult and expensive deployment and maintenance) associated with high-interaction systems. We are currently using Nepenthes  for the low interaction sensors and a Gen-III Windows honeynet  for the high-interaction. An HoneyWall  Roo gateway, itself running in a VM (Virtual Machine), monitors incoming and outgoing traffic to the high-interaction honeynet. It is important to limit outgoing traffic, to avoid being part of an attack or a denial-of-service and thus preserving legal liability . The Windows honeypots are automatically rebuilt twice a day from a clean snapshot. Before the rebuild, their disk contents are analyzed: we register the differences with a clean installation and send to the gateway the new executables found potential malware samples for further analysis. The deployment and rebuilding of VMs is currently implemented with the VirtualBox command-line utility (VBoxManage). Our rebuild script powers the VM off and mounts the virtual disk on the host system; the directory tree is then compared post-mortem to a clean image using the standard Unix tool diff. We found this procedure to be the most reliable, although rather expensive. Preliminary testing of clientbased collection tools, such as MwWatcher and MwFetcher from the HoneyBow project , showed poor reliability and a large number of missed samples. Using the VirtualBox snapshotting features was also not an option snapshots are stored in a proprietary format and they cannot be easily mounted for analysis. Once the samples have been collected, we clone the clean image into a new virtual disk (using the built-in VirtualBox cloning facility) which is then attached to the VM, replacing the old one. Our script finally restarts the machine, which becomes ready for a new collection round. The collected samples are fed to a Python script, which submits them to the gateway with a properly formatted HTTP request. The honeynet structure is shown in Fig. 2. Linux software bridging  interconnects HoneyWall and the Nepenthes sensors with the darknet; the Windows honeypots are connected through a VirtualBox internal network (an isolated virtual switch) to HoneyWall internal interface. 3.2 Core infrastructure Once malware samples have been acquired, they must be processed, stored and analyzed. The life cycle of a malware sample in HIVE is shown in Fig. 3. The gateway exposes a web service to receive samples from the sensors; every sample has some metadata attached (file details, name of the sensor, date of collection
6 6 Davide Cavalca and Emanuele Goldoni Fig. 3. Life cycle of a malware sample in HIVE. and cryptographic hash). We have currently implemented the web service using a PHP script which receives data via HTTP POST. A simplified version of the Entity-Relationship diagram for the database schema is shown in Fig. 4. We chose to rely on PostgreSQL 8.3, an Open Source object-relational DataBase Management System (DBMS): it supports most of the major SQL:2003 features , including referential integrity, transactions, views, stored procedures and triggers. We made extensive use of foreign keys constrains to ensure data integrity and implemented most of the analysis logic using stored procedures and triggers, in a mixture of pl/pgsql and pl/python. Our data model is centered around samples, which are uniquely identified using their MD5 digest and stored in binary fields in the database. The addition of a new sample triggers its submission to external services, which analyze it and return a report. We use the reports to categorize the samples and extract useful data. HIVE currently relies on the external services offered by Anubis [12, 5] and CWSandbox [23, 32] for the analysis of malware samples. Both services run the malware in a controlled environment, tracing its actions and logging network connections to provide a behavioral analysis. We use CWSandbox, which provides a machine-parsable XML report and a PCAP  network trace, as our main provider and rely on Anubis (whose reports are human-readable web pages) for verification and human cross-checking. CWSandbox provides also a VirusTotal  report we use to identify the malware according to antivirus classification. Our infrastructure can be integrated, in principle, with any analysis service available, either in-house or outsourced; we are currently evaluating integration with Joebox  and Norman SandBox .
7 HIVE: an Open Infrastructure for Malware Collection and Analysis 7 Fig. 4. Simplified Entity-Relationship diagram for HIVE database. We have also implemented a pre-filtering stage, which allows HIVE to preliminary screen the samples at gateway or analysis layer for known malware, thus reducing the load on external services. The analysis currently relies on the Open Source antivirus scanner ClamAV , but could be extended to support other antivirus engines. 3.3 Data analysis and active monitoring Our database schema currently accounts for IRC and HTTP centralized botnets and generic network worms. We make an extensive use of database views to aggregate data and present it in a coherent fashion. Views allow also to disclose useful data without compromising the necessary anonymity on the location of honeypot sensors and attack targets. We currently lack a full-fledged reporting interface: data analysis is currently done directly querying the database. We wrote a Google Maps mashup to graphically show the geographic distribution of botnet C&C (Command and Control) centers; the centers IP addresses were geolocated using MaxMind GeoLite City . This example shows how easy is to access data and mangle it in the needed way. Using the data collected during analysis we have all the information needed to connect to the botnet C&C and impersonate a bot. To study IRC botnets, we extended the Infiltrator Open Source software  by Jan Göbel to interface with our database. Infiltrator connects to the C&C and logs every communication on
8 8 Davide Cavalca and Emanuele Goldoni the channel, providing insight in the botnet operations and targets. To achieve a similar analysis for HTTP botnets, we wrote httpmole, a Python program which periodically connects to the command center and reads its reply. Since the reply is arbitrary and different botnets use different ad hoc control software, some form of fingerprinting is needed to be able to parse these messages in a useful way. While the software is still not ready for production, we are currently working in this direction. 3.4 Caveats and pitfalls The use of virtual machines for the honeypot implementation opens them to a risk (albeit small) of being detected. Virtualization detection is rather easy and several works have been published ; nevertheless, we are not aware of any widespread malware checking for a virtualized environment. As studied by , virtualization may pose a security risk: if an attacker is able to exploit a weakness in the VM software, he may be able to execute arbitrary code on the host system, potentially breaking into it. An automated periodic rebuild of the host systems would address this concern. On the other hand, the eventual compromise of a honeypot sensors is not a catastrophic event: while the sensor could send bogus data, it has no way to directly access the database. In case of a suspect break-in, it is rather trivial to setup the gateway to ignore traffic from a specific sensor until the situation is investigated. The strategic weakness of every honeypot is its secrecy: if an attacker were to discover the honeypot s address, he could blacklist it or send targeted attacks trying to disable, poison or subvert it. As shown by , honeypots can potentially be detected by specially crafted malwares; refer to  for a HoneyWall targeted example. While there are no reports of current malware in the wild exploiting such techniques, this is a legitimate concern. To extract meaningful statistics, it s important to have an even distribution of honeynets, both in geographical and in IP address space. In order to acquire a good understanding of Internet threats a very large number of sensors would be necessary. On the other hand, a global knowledge must be completed by a good understanding of local malicious activities as shown by , it s essential to deploy geographically local sensors. The critical point of HIVE is the database the DBMS server represents a single point of failure, which can be overcome using replication techniques to duplicate it on multiple machines. Slony  is an Open Source replication system for PostgreSQL which could be useful for this purpose. 4 Preliminary results We built a simple testbed system to evaluate HIVE feasibility. We used only two physical machines for simplicity: one ran the virtual honeynet, the other implemented the gateway and the data store. Our honeynet was composed of
9 HIVE: an Open Infrastructure for Malware Collection and Analysis 9 Fig. 5. Distribution of acquired samples by type. Fig. 6. Weekly collected samples per type. two Windows systems and a Nepenthes sensor, on a small darknet of three previously unused IP addresses on a commercial network. We provided the highinteraction honeypots with 2000 Server and XP Professional, both unpatched and with default configurations. A vast majority of malware targets these Microsoft systems: XP is probably the most widespread client system, while the presence of 2000 Server allows us to capture samples attacking server-grade services (such as IIS). During a month of operation, we detected more than 14,000 malware samples (about 13,000 unique), classified as in Fig. 5. It looks like HTTP bots are a negligible part, compared to other threats. The worm samples about a half of the total are due to the Allaple polymorphic worm, which spreads through Microsoft systems using network share and buffer overflow vulnerabilities . The unfiled samples are currently not classified: they may be corrupt samples (which are screened but currently not included in results) or types of malware still unknown to our system or to the analysis services we rely on. Fig. 6 shows the weekly samples breakdown by threat type. There has been a spike in the sixth week, due to a specific IRC bot, which spread over 2,000 samples on one honeypot, all tied to a single C&C center. We also noticed a slight decrease in Allaple infections in the last two weeks; we would need to collect more data in the following weeks to be able to confirm the trend. Due to the strong locality of our sensors, we would require data from other honeynets to be able to draw conclusive results. In Fig. 7 and Fig. 8 we present the preliminary results from our monitoring infrastructure. We tracked about 50 different IRC botnets for two weeks, logging the activity on the control channel. The majority of botnet control is performed with private messages (PRIVMSG), and most commands issued are network scans and botnet expansion.
10 10 Davide Cavalca and Emanuele Goldoni Fig. 7. Distribution of the IRC commands issued on the controlling channels. Fig. 8. Breakdown of IRC commands by type. 5 Conclusions and future works We have proposed a new three-stage open honeypot architecture for malware data collection and analysis. We believe our solution, if widely deployed, could significantly ease the sharing of collected data. Our architecture is fully open: anyone can implement it using Open Source software. In the future, we plan to integrate our database with the attack information collected by HoneyWall, to correlate attack vectors with malware samples. We are also investigating PE Hunter  as a possible additional sensor. Our honeypot management tools currently rely on the VirtualBox command-line interface; we plan to rewrite them to use the web service facility introduced in VirtualBox Our database schema is currently focused on centralized botnets; there is no support for P2P botnets , which are an increasing threat. We plan to add at least some basic support for P2P botnets in the future. HIVE currently has a strong dependency on CWSandbox it s our main source of analysis data on captured samples. In the future, we plan to integrate more tightly several other analysis services, to provide a level of redundancy and cross-checking on analysis results and spread the load on multiple systems. Finally, we will write a reporting interface to expose interesting data and trends in a user friendly way currently, obtaining statistical data requires querying the database using SQL. We believe that the easy availability of aggregate data on malware threats will greatly help developing new countermeasures.
11 Availability HIVE: an Open Infrastructure for Malware Collection and Analysis 11 Implementation details for the HIVE platform, the database DDL and our programs source code are all available at or contacting the authors. Future developments and data reports will be published at the same location. References 1. The honeynet project The mwcollect alliance P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling. The Nepenthes platform: An efficient approach to collect malware. In Springer, editor, Proceedings of the 9th International Symposium On Recent Advances In Intrusion Detection (RAID), pages , Sept E. Balas and C. Viecco. Towards a third generation data capture architecture for honeynets. In Systems, Man and Cybernetics (SMC) Information Assurance Workshop, Proceedings from the Sixth Annual IEEE, pages 21 28, June 15 17, U. Bayer, A. Moser, C. Kruegel, and E. Kirda. Dynamic analysis of malicious code. Journal in Computer Virology, 2(1):67 77, Aug M. Dornseif, T. Holz, and C. N. Klein. NoSEBrEaK - attacking honeynets. In Information Assurance Workshop, Proceedings from the Fifth Annual IEEE SMC, pages , June J. G. Göbel. Amun: Python honeypot J. G. Göbel. Infiltrator v infiltrator_v01, Nov J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon. Peer-topeer botnets: overview and case study. In HotBots 07: Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, pages 1 1, Berkeley, CA, USA, USENIX Association. 10. Hispasec Sistemas. Virustotal T. Holz and F. Raynal. Detecting honeypots and other suspicious environments. In Information Assurance Workshop, IAW 05. Proceedings from the Sixth Annual IEEE SMC, pages 29 36, June International Secure Systems Lab. Anubis: Analyzing unknown binaries. http: //anubis.iseclab.org. 13. Joe Security. Joebox MaxMind. GeoLite City S. McCanne, C. Leres, and V. Jacobson. libpcap Norman. SandBox information center T. Ormandy. An empirical study into the security exposure to hosts of hostile virtualized environments. Technical report, Google, Inc., Apr F. Pouget, M. Dacier, and V. H. Pham. Leurre.com: on the advantages of deploying a large scale distributed honeypot platform. In ECCE 05, E-Crime and Computer Conference, 29-30th March 2005, Monaco, Mar
12 12 Davide Cavalca and Emanuele Goldoni 19. M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In IMC 06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, pages 41 52, New York, NY, USA, ACM. 20. Sophos. W32/Allaple-B. viruses-and-spyware/w32allapleb.html, Sourcefire, Inc. Clam antivirus SUN Microsystems. VirtualBox Sunbelt. Cwsandbox The Artemis Team. HoneyBow The Honeynet project. Know your enemy: Honeywall cdrom roo. honeynet.org/papers/cdrom/roo/index.html, Aug The Linux Foundation. Net:bridge. Bridge. 27. The PostgreSQL Global Development Group. Slony-I: enterprise-level replication system The PostgreSQL Global Development Group. PostgreSQL documentation. appendix D. SQL conformance. features.html, Mar Trend Micro threat report and forecast. Technical report, Trend Micro, T. Werner. Honeytrap T. Werner. PE hunter C. Willems, T. Holz, and F. Freiling. Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security & Privacy Magazine, 5(2):32 39, Mar./Apr J. Zhuge, T. Holz, X. Han, C. Song, and W. Zou. Collecting autonomous spreading malware using high-interaction honeypots. In ICICS 2007, pages , C. C. Zou and R. Cunningham. Honeypot-aware Advanced Botnet Construction and Maintenance. In Dependable Systems and Networks, DSN International Conference on, pages , Philadelphia, PA, 2006.
DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS GONG JIAN 2 email@example.com Jiangsu Key Laboratory of Computer Networking Technology, China, Nanjing, Southeast University AHMAD JAKALAN
Advanced Honeypot Architecture for Network Threats Quantification Mr. Susheel George Joseph M.C.A, M.Tech, M.Phil(CS) (Associate Professor, Department of M.C.A, Kristu Jyoti College of Management and Technology,
Proceedings of the International Conference on Computer and Communication Engineering 2008 May 13-15, 2008 Kuala Lumpur, Malaysia Countermeasure for Detection of Honeypot Deployment Lai-Ming Shiue 1, Shang-Juh
Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic
Extending Black Domain Name List by Using Co-occurrence Relation between DNS queries Kazumichi Sato 1 keisuke Ishibashi 1 Tsuyoshi Toyono 2 Nobuhisa Miyake 1 1 NTT Information Sharing Platform Laboratories,
Towards Automated Botnet Detection and Mitigation Stopping the Root Cause of Spam Pi1 - Laboratory for Dependable Distributed Systems Outline Motivation Tools & techniques for botnet detection nepenthes
Adaptability of IRC Botnet Detection Method to P2P Botnet Detection Ji, Yuan Department of Electrical Engineering and Computer Science University of California, Irvine firstname.lastname@example.org John, Robin Department
Reihe Informatik. TR-2007-010 Characterizing the IRC-based Botnet Phenomenon Jianwei Zhuge 1, Thorsten Holz 2, Xinhui Han 1, Jinpeng Guo 1, and Wei Zou 1 1 Peking University 2 University of Mannheim Institute
HONEYPOT SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
Detection of Botnets Using Honeypots and P2P Botnets Rajab Challoo Dept. of Electrical Engineering & Computer Science Texas A&M University Kingsville Kingsville, 78363-8202, USA Raghavendra Kotapalli Dept.
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. email@example.com Abstract Honeypots are security resources which trap malicious activities, so they
The Honeynet Project: Data Collection Tools, Infrastructure, Archives and Analysis David Watson The UK Honeynet Project Chapter firstname.lastname@example.org Jamie Riden The UK Honeynet Project Chapter email@example.com
Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai firstname.lastname@example.org Abstract New threats are constantly emerging to the security of organization s information
LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
Detecting P2P-Controlled Bots on the Host Antti Nummipuro Helsinki University of Technology anummipu # cc.hut.fi Abstract Storm Worm is a trojan that uses a Peer-to-Peer (P2P) protocol as a command and
Honeypot as the Intruder Detection System DAVID MALANIK, LUKAS KOURIL Department of Informatics and Artificial Intelligence Faculty of Applied Informatics, Tomas Bata University in Zlin nam. T. G. Masaryka
Honeynet2_bookTOC.fm Page vii Monday, May 3, 2004 12:00 PM Contents Preface Foreword xix xxvii P ART I THE HONEYNET 1 Chapter 1 The Beginning 3 The Honeynet Project 3 The Information Security Environment
Virtual Desktops Security Test Report A test commissioned by Kaspersky Lab and performed by AV-TEST GmbH Date of the report: May 19 th, 214 Executive Summary AV-TEST performed a comparative review (January
The Nepenthes Platform: An Efficient Approach to Collect Malware Paul Baecher 1, Markus Koetter 1,ThorstenHolz 2, Maximillian Dornseif 2, and Felix Freiling 2 1 Nepenthes Development Team email@example.com
New Mexico State University Honeypots and Honeynets Technologies Hussein Al-Azzawi Final Paper CS 579 Special Topics / Computer Security Nov. 27, 2011 Supervised by Mr. Ivan Strnad Table of contents: 1.
Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013. Keywords: virtualization, virtual machine, security. 1. Virtualization The rapid growth of technologies, nowadays,
TIME TO LIVE ON THE NETWORK Executive Summary This experiment tests to see how well commonly used computer platforms withstand Internet attacks in the wild. The experiment quantifies the amount of time
Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats 1 of 2 November, 2004 Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats Choose Your Weapon: Fighting the Battle
LASTLINE WHITEPAPER Dealing with Evasion in Malware Analysis by Analyzing Multiple Execution Paths Abstract Malicious code (or malware) is defined as software that fulfills the deliberately harmful intent
How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform McAfee Endpoint Security 10 provides customers with an intelligent, collaborative framework, enabling endpoint defenses to
Virtualization for Security t j Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting John Hoopes Technical Editor Aaron Bawcom Paul Kenealy Wesley J. Noonan Craig
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A firstname.lastname@example.org A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
Catching hackers using a virtual honeynet: A case study D.N. Pasman email@example.com ABSTRACT This paper presents an evaluation of honeypots used for gathering information about the methods
Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and
Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology Project Proposal 1 Project Proposal 2 Abstract Honeypot systems are readily used by organizations large and
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 15 - Web Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
isheriff CLOUD SECURITY isheriff is the industry s first cloud-based security platform: providing fully integrated endpoint, Web and email security, delivered through a single Web-based management console
Honeynets: An Educational Resource for IT Security Jeremiah K. Jones 265 CTB Brigham Young University Provo, UT 84602 USA 1.801.422.1297 firstname.lastname@example.org Gordon W. Romney 265G CTB Brigham Young University
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
Staying Secure After Microsoft Windows Server 2003 Reaches End of Life Trevor Richmond, Sales Engineer Trend Micro Windows Server 2003 End of Life- Why Care? The next big vulnerability (Heartbleed/Shellshock)
Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................
An Empirical Analysis of Malware Blacklists Marc Kührer and Thorsten Holz Chair for Systems Security Ruhr-University Bochum, Germany Abstract Besides all the advantages and reliefs the Internet brought
ESET Security Solutions for Your Business It Is Our Business Protecting Yours For over 20 years, companies large and small have relied on ESET to safeguard their mission-critical infrastructure and keep
IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS
Sandbox Analysis with Controlled Internet Connection for Observing Temporal Changes of Malware Behavior Katsunari Yoshioka, Takahiro Kasama, and Tsutomu Matsumoto Yokohama National University, 79-7 Tokiwadai,
Collecting Autonomous Spreading Malware Using High-Interaction Honeypots Jianwei Zhuge 1, Thorsten Holz 2, Xinhui Han 1, Chengyu Song 1, and Wei Zou 1 1 Institute of Computer Science and Technology, Peking
Attacks from the Inside Eddy Willems, G Data Righard J. Zwienenberg, Norman Attacks from the Inside. Agenda - Social Networking / Engineering - Where are the threats coming from - Infection vectors - The
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
Characterizing the IRC-based Botnet Phenomenon Jianwei Zhuge, Xinhui Han, Jinpeng Guo, Wei Zou Institute of Computer Science and Technology Peking University Beijing, China email@example.com
Agenda Richard Baskerville P Principles of P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Principles Kim, et al (2004) A fuzzy expert system for
SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,
ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows Products Details ESET Endpoint Security 6 protects company devices against most current threats. It proactively looks for suspicious activity
Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced
Shellshock By Oz Elisyan & Maxim Zavodchik INTRODUCTION Once a high profile vulnerability is released to the public, there will be a lot of people who will use the opportunity to take advantage on vulnerable
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
USE HONEYPOTS TO KNOW YOUR ENEMIES SHERIF MOUSA (EG-CERT) 9 MAY 2012 WHAT ARE WE GOING TO TALK ABOUT? What exactly happens on the end of your Internet connection. Open Source tools to set up your own Honeypot
Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability
Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging
Managed file transfer for SOA IBM Edition, Version 7.0 Multipurpose transport for both messages and files Audi logging of transfers at source and destination for audit purposes Visibility of transfer status
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
V1.4 August 2 Spambrella Email Continuity SaaS Easy to implement, manage and use, Message Continuity is a scalable, reliable and secure service with no set-up fees. Built on a highly reliable and scalable
Content-ID DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware Content-ID URLS Web Filtering Content-ID combines a real-time threat prevention engine with a comprehensive URL database and
DATA SHEET Total Defense Endpoint Premium r12 Overview: Total Defense Endpoint Premium Edition r12 offers comprehensive protection for networks, endpoints and groupware systems from intrusions, malicious
Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion
Securing Industrial Control Systems on a Virtual Platform How to Best Protect the Vital Virtual Business Assets WHITE PAPER Sajid Nazir and Mark Lazarides firstname.lastname@example.org 9 Feb, 2016 email@example.com
IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods
NSP Integration DNS Sinkhole with URL Sandboxing Botnets are a complex and pervasive form of cyber attack that has been used by attackers, for over a decade, to compromise millions of endpoints in order
Implementation of Botcatch for Identifying Bot Infected Hosts GRADUATE PROJECT REPORT Submitted to the Faculty of The School of Engineering & Computing Sciences Texas A&M University-Corpus Christi Corpus
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
IQware's Approach to Software and IT security Issues The Need for Security Security is essential in business intelligence (BI) systems since they have access to critical and proprietary enterprise information.
Lessons learned from the deployment of a high-interaction honeypot E. Alata 1, V. Nicomette 1, M. Kaâniche 1, M. Dacier 2, M. Herrb 1 1 LAAS-CNRS, University of Toulouse, 7 Avenue du Colonel Roche, 31077
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
Studying Spamming nets Using Lab Arvind Krishnamurthy Joint work with: John John, Alex Moshchuk, Steve Gribble University of Washington nets: a Growing Threat Increasing awareness, but there is a dearth
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: