Presentation is loading. Please wait.

Presentation is loading. Please wait.

Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.

Published byDaniel Hodge Modified over 8 years ago

Similar presentations

Presentation on theme: "Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P."— Presentation transcript:

1 Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P. Papadopoulos 1

2 Compromising Web Servers Phishing and malware pages, redirecting user traffic to malicious sites Almost 90% of Web attacks take place through legitimate sites that have been compromised Over of 50% of popular search keywords have at least one malicious link to a compromised site Communicate with clients behind NATs and firewalls 2

3 Honeypots A honeypot is a computer security mechanism set to detect, deflect, or, counteract attempts to gain unauthorized access to information systems. Client-based - Detect malicious servers that attack clients Server-based - Emulate vulnerable services/software and passively wait for attackers 3

4 Heat-seeking Honeypots 1.Actively attrack attackers 2.Dynamically generate and deploy honeypot pages 3.Advertise honeypot pages to attackers via search engines 4.Analyze the honeypot logs to identify attack patterns 4

5 Heat-seeking Honeypot Architecture 5

6 Attacker queries How attackers find vulnerable Web servers: 1.Brute-force port scanning on the Internet 2.Make use of search engines Identify malicious queries in the Bing log E.g. “phpizabi v0.848b c1 hfp1” 6

7 Creation of Honeypot Pages Deployment: - Search engines (Bing and Google ) - Top three results - The crawler fetches the Web pages at these URLs - Strip all Javascript content and rewrite all links of the page to point to the local Ex. http://path/to/honeypot/includes/joomla.phphttp://path/to/honeypot/includes/joomla.php Install a few common Web applications - Different VM for each app 7

8 Advertising Honeypot Pages Submit the URLs of the honeypot pages to the search engines and wait for the crawlers to visit them Increase the chance of honeypot pages (pagerank) Add hidden links (not visible to regular users) pointing to the honeypot pages on other public Web sites 8

9 Detecting Malicious Traffic Process the log (visitors) and automatically extract attack traffic Identifying crawlers - Well-known : Google’s crawler uses Mozilla/5.0 (compatible;Googlebot/2.1;+http://www.google.com/bot.html) - Characterizing the behavior of known crawlers - Identifying unknown crawlers Identify mallicious traffic 9

10 Identifying Crawlers 1/2  Known crawlers - Look at the user agent string and verify that the IP address matches the organization - A single search engine uses multiple IP addresses to crawl different pages (AS) - Most of crawlers can visit static links - Only one crawler can visit dynamic links 10

11 Identifying Crawlers 2/2  Unknown crawlers - Other IPs  Also grouped by AS numbers - Similar behavior as the know crawlers - Threshold: K = |P| / |C| (P: fraction pages, C: crawlable pages) 11

12 Identifying Malicious Traffic Attackers do not target static pages Try to access non-existent or private files Whitelist: All the dynamic and static links, for each site Try to access links not contained in the whitelist - Exact set of links present in the honeypots - Files visited by well behaved crawlers (robots.txt) 12

13 Results Experiment duration: 3 months Place : Washington university CS personal home page 96 automatically generated honeypot web pages 4 manually installed Web application software packages Received 54.477 visits from 6.438 different IPs 13

14 Distinguishing malicious visits 14 One crawler visitors links are dynamic links in the software. Low PageRank

15 Crawler Visits 15 Bi-modal distribution 16 ASes crawling more than 75% of the hosted pages 18 ASes visiting less than 25% of the pages

16 Attacker Visits Joomla 16

17 Attacker Visits 17

18 Geographic Locations & Discovery Time 18

19 Comparing Honeypots 1.Web Server - No hostname - No hyperlinks 2.Vulnerable Software - Pages accessible on the Internet - Search engines can find them 3.Heat-seeking Honeypot Pages - Generated as simple static HTML pages 19

20 Comparison of the total number of visits and the number of distinct IP addresses 20

21 Attack Types 21

22 Attack Types 22

23 Applying whitelists to the Internet ●Random set of 100 Web Servers whose HTTP access logs are indexed by search engines ●A request is defined to be from an attacker - If not present in the whitelist  Link not accessed by a crawler - Not present at all  Request results in an HTTP 404 Error 23

24 Applying whitelists to the Internet For 20% of the sites, almost 90% of the traffic came from attackers 24 0.25

25 Conclusion Heat-seeking Honeypots ○Deploy honeypot pages corresponding to vulnerable pages ○Attract Attackers Detect malicious IP addresses only through their Web access patterns False-negative rate of at most 1%. 25

Download ppt "Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P."

Similar presentations

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.

Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.
CpSc 881: Information Retrieval. 2 How hard can crawling be?  Web search engines must crawl their documents.  Getting the content of the documents is.

CpSc 881: Information Retrieval. 2 How hard can crawling be?  Web search engines must crawl their documents.  Getting the content of the documents is.
Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.

Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.
March 26, 2003CS502 Web Information Systems1 Web Crawling and Automatic Discovery Donna Bergmark Cornell Information Systems

March 26, 2003CS502 Web Information Systems1 Web Crawling and Automatic Discovery Donna Bergmark Cornell Information Systems
SEO PACKAGES. Types of Plans Starter Plan Business Plan Enterprises Plan.

SEO PACKAGES. Types of Plans Starter Plan Business Plan Enterprises Plan.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
WEB SCIENCE: SEARCHING THE WEB. Basic Terms Search engine Software that finds information on the Internet or World Wide Web Web crawler An automated program.

WEB SCIENCE: SEARCHING THE WEB. Basic Terms Search engine Software that finds information on the Internet or World Wide Web Web crawler An automated program.
IDK0040 Võrgurakendused I Building a site: Publicising Deniss Kumlander.

IDK0040 Võrgurakendused I Building a site: Publicising Deniss Kumlander.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.

PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. The.

The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. The.
JOHN P. JOHN FANG YU YINGLIAN XIE MARTÍN ABADI ARVIND KRISHNAMURTHY PRESENTATION BY SAM KLOCK Searching the Searchers with SearchAudit.

JOHN P. JOHN FANG YU YINGLIAN XIE MARTÍN ABADI ARVIND KRISHNAMURTHY PRESENTATION BY SAM KLOCK Searching the Searchers with SearchAudit.
Wasim Rangoonwala ID# 00506259 CS-460 Computer Security “Privacy is the claim of individuals, groups or institutions to determine for themselves when,

Wasim Rangoonwala ID# CS-460 Computer Security “Privacy is the claim of individuals, groups or institutions to determine for themselves when,
Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.
John P., Fang Yu, Yinglian Xie, Martin Abadi, Arvind Krishnamurthy University of California, Santa Cruz USENIX SECURITY SYMPOSIUM, August, 2010 John P.,

John P., Fang Yu, Yinglian Xie, Martin Abadi, Arvind Krishnamurthy University of California, Santa Cruz USENIX SECURITY SYMPOSIUM, August, 2010 John P.,

Similar presentations

Ads by Google