Dynamic Honeypot Construction



Similar documents
HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Securing the system using honeypot in cloud computing environment

DESIGN OF NETWORK SECURITY PROJECTS USING HONEYPOTS *

Honeypots / honeynets

Honeypot as the Intruder Detection System

DETECTING AND ANALYZING NETWORK ATTACKS USING VIRTUAL HONEYNET NUR ATIQAH BT. HASAN

Intrusion Detection Systems (IDS)

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Honeypots & Honeynets Overview. Adli Wahid Security Specialist, APNIC.net adli@apnic.net

Εmerging Ways to Protect your Network

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Advanced Honeypot System for Analysing Network Security

Ranch Networks for Hosted Data Centers

Countermeasure for Detection of Honeypot Deployment

VoIP Fraud and Misuse

Detection of illegal gateways in protected networks

Honeypots and Honeynets Technologies

CMPT 471 Networking II

HONEYPOTS REVEALED Prepared by:

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Keywords Intrusion detection system, honeypots, attacker, security. 7 P a g e

Penetration Testing Workshop

Use of Honeypots to Increase Awareness regarding Network Security

Unified network traffic monitoring for physical and VMware environments

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Firewall Firewall August, 2003

Capturing Web Application Threats Using virtual CMS Honeypot. Saharuddin Saat, Nor Adora Endut 1, Abdul Hamid Othman 2

Banking Security using Honeypot

Autonomous Hybrid Honeypot as the Future of Distributed Computer Systems Security

Synthetic Application Monitoring

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Second-generation (GenII) honeypots

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CryPLH: Protecting smart energy systems from targeted attacks with a PLC honeypot

Chapter 11 Cloud Application Development

Data Collection and Data Analysis in Honeypots and Honeynets

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

CTS2134 Introduction to Networking. Module Network Security

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Intrusion Detection System with Deceptive Virtual Host

Intrusion Detection Systems

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

HONEYPOTS The new-way Security Analysis

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Transformation of honeypot raw data into structured data

Safe network analysis

PROFESSIONAL SECURITY SYSTEMS

Avoiding Cyber-attacks to DMZ and Capturing Forensics from Intruders Using Honeypots

Internet infrastructure. Prof. dr. ir. André Mariën

Using honeypots to study skill level of attackers based on the exploited vulnerabilities in the network

8. Firewall Design & Implementation

Security Event Management. February 7, 2007 (Revision 5)

5nine Virtual Firewall 2.1 for Microsoft Hyper-V

The current version installed on your server is el6.x86_64 and it's the latest available.

Passive Vulnerability Detection

Stephen Coty Director, Threat Research

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lab Objectives & Turn In

Introduction to Network Security Lab 2 - NMap

Firewall Security: Policies, Testing and Performance Evaluation

Tk20 Network Infrastructure

[Kapse*, 4.(10): October, 2015] ISSN: (I2OR), Publication Impact Factor: 3.785

IDS / IPS. James E. Thiel S.W.A.T.

Advanced Honeypot Architecture for Network Threats Quantification

Voice over IP Communications

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

A radical approach to secure LAN network using novel hardening techniques

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Blended Security Assessments

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

Firewall VPN Router. Quick Installation Guide M73-APO09-380

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

The Benefits of Verio Virtual Private Servers (VPS) Verio Virtual Private Server (VPS) CONTENTS

Log Management for the University of California: Issues and Recommendations

Multi-Homing Dual WAN Firewall Router

Network Forensics: Log Analysis

EKT 332/4 COMPUTER NETWORK

Chapter 9 Firewalls and Intrusion Prevention Systems

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Wireless Honeypot Trickery by Laurent Oudot last updated February 13, 2004

Virtual Server in SP883

Transcription:

Dynamic Honeypot Construction 2nd Annual Alaska Information Assurance Workshop Christopher Hecker U. of Alaska, Fairbanks 9-5-2006 Presentation l Brief Introduction l Project Overview l Future Work l References 1

Honeypots l A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource [4] (basically, a computer/router, virtual or real, whose purpose is to be attacked and record as much information as possible). l Since it has no production value, anything going to or from a honeypot is likely a probe, attack or compromise. This decreases the amount of logs to analyze. Network Diagram 2

Types Of Honeypots l Low-interaction l Scripts emulate services, applications, and OS. l Low risk and easy to deploy/maintain, but capture limited information. l Used by companies or individuals for IDS and network usage l High-interaction l Real services, applications, and OS l Capture extensive information, but high risk and time intensive to maintain. l Used by researchers and security analysts for detecting new attacks Dynamic Honeypots l Two methods of mapping network Passive and Active scanning l Determines OS version, ports, and services running on scanned machine(s) l Add new honeypots based on network configuration at scheduled times or as soon as a new machine is detected and scanned 3

Passive Scan - Dynamic Honeypots l Advantages l Determine network configuration without detection l Creates log of network usage and cycles l No extra bandwidth required l Disadvantages l Takes a long time l Difficulty with routers/switches l Requires communication to determine open ports Production Network ` Workstation 1 ` Workstation 2 ` Workstation 3 Internet Hub Server Passive Honeynet Server Active Scan - Dynamic Honeypots l Advantages l Short time frame l Determines OS and all open ports and services (to the best of its ability) l Few network hardware limitations (routers/switches) l Disadvantages l Only recognizes ports open to network traffic (not individual machines) l All computers and ports are scanned (uses bandwidth) l Only recognizes new machines when scanning is initiated 4

Project Overview Active Scan using Honeyd l Project - implement an low interaction, active scan dynamic honeypot system using Honeyd. l Honeyd is a small daemon that runs both on UNIX-like and Windows platforms. l It is used to create multiple virtual honeypots on a single machine. Entire networks can be simulated using Honeyd. Project Overview Honeyd l Honeyd emulates operating systems by responding with appropriate packets to Nmap and Xprobe fingerprinting packets. Thus the list of operating systems that Honeyd emulates can be found in nmap.prints and xprobe2.conf. l Honeyd can be configured to run a range of services like FTP, HTTP, or SMTP. l Add scripts to Honeyd which can provide a more in depth emulation of a given service. The depth of the emulation is only determined by the script provided. l Honeyd allows a single host to claim as many as 65536 IP addresses 5

Project Overview Project - Honeyd Configuration Manager l Developed under Linux Centos 4 l Programmed using Perl l Development of Dynamic Honeypot system using Honeyd and Nmap lnmap scans IP address or range lnmap information is used real-time to make honeyd.conf file lmysql is queried to find relevant emulation scripts lhoneypots IP address is configured according to system administrator s specification lhoneyd is used to make Honeynet comparable to the network scanned l GUI User Interface - Glade 6

MySQL Database l Emulation script information stored in DB l allows user to add more scripts to database in specified format l allows Honeyd config. manager to query DB and find all relevant scripts for honeypots l Information: l OS Personality l Protocol l Port l Location 7

Project Overview GUI, l Glade User Interface Builder for GTK+ and GNOME l Programmed using C l Calls Honeyd Configuration Manager l Allows user to setup up Honeyd honeypots from GUI 8

Future Work l Integrate high interaction honeypots l Incorporate network scanning/deployment with lag time l Allow user to interact with database through the GUI add/delete scripts l Use combined Active and Passive Scanning methods l Create standalone appliance with web interface Possible Scenario 9

References 1) The Honeynet Project: Research Alliance - http://www.honeynet.org/index.html 2) http://www.honeyd.org/faq.php#list 3) http://www.insecure.org/nmap/nmap_documentation.html 4) http://www.securityfocus.com/infocus/1731 5) Honeypots for Windows by Roger A. Grimes, 2005 6) Honeypots: Tracking Hackers by Lance Spitzner, 2003 Questions? http://assert.uaf.edu/ fscrh2@uaf.edu 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information