Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire.

Published byKelley Jefferson Modified over 8 years ago

Similar presentations

Presentation on theme: "A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire."— Presentation transcript:

1 A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire

2 2 Honeyd’s Contributions Provides an alternative technique for detecting attacks Extremely low-cost option for honeypots A model framework for low-interaction honeypots.

3 3 Agenda 1. Introduction of Honeypots 2. Honeyd 3. Critique of Honeyd 4. Recent Work 5. Honeyd’s Contributions

4 4 What are Honeypots? Monitored computer system with the hopes of being probed, attacked, and compromised. Monitors all incoming and outgoing data. –Any contact is considered suspicious. Can support any OS with any amount of functionality.

5 5 Honeypots’ Goals Capture information about attacks –System vulnerabilities –System responses Capture information about attackers –Attack methods –Scan patterns –Identities Be attacked!

6 6 Etymology of Honeypots Winnie-the-Pooh –His desire for pots of honey lead him to various predicaments Cold War terminology –Female communist agent vs. Male Westerner Outhouses –“Honey” : euphemism for waste –Attackers are flies attracted to honey’s stench

7 7 Physical vs. Virtual Honeypots Physical Honeypot: –Real machine –Runs one OS to be attacked –Has its own IP address Virtual Honeypot: –Virtual machine on top of a real machine –Can run a different OS than the real machine –Real machine responds to network traffic sent to the virtual machine

8 8 Physical vs. Virtual Honeypots Interne t Physical Honeypots Interne t Virtual Honeypots

9 9 Virtual Honeypot Types High-Interaction: –Simulates all aspects of an OS –Can be compromised completely Low-Interaction –Simulates some parts of an OS Example: Network Stack –Simulates only services that cannot lead to complete system compromise

10 10 Honeyd A virtual honeypot framework Can simulate different OS’s at once –Each honeypot allocated its own IP address Low-Interaction –Only the network stack is simulated –Attackers only interact with honeypots at the network level Supports TCP and UDP services –Handles ICMP message as well.

11 11 Honeyd: The Architecture Configuration Database Central Packet Dispatch Protocol handlers Personality Engine Routing Component (optional)

12 12 Personality Engine Virtual Honeypots Personality: –The network stack behavior of a given operating system Personality Engine alters outgoing packets to mimic that VH’s OS –Changes protocol headers Used to thwart fingerprinting tools: –Example: Xprobe and Nmap

13 13 Routing Options Proxy ARP Configured Routing –Routing Tables –Routing Trees Generic Routing Encapsulation –Network Tunneling –Load balancing

14 14 Experiments Virtual Honeypots for every detectable fingerprint in Nmap were used. –600 distinct fingerprints Each VH had one port open to run a web server. Nmap was tested against the address space allocated for all the VH’s –555 fingerprints were correctly identified –37 fingerprints list possible OS’s –8 were failed to be identified

15 15 Applications Network Decoys –Lure attackers to virtual honeypots, not real machines Detecting and Countering Worms –Capture packets sent by worms –Use large amounts of VH’s across large address space Spam Prevention –Monitor open proxy servers and open mail relays –Forward suspicious data to spam filters

16 16 Conclusions Honeyd is a framework for supporting multiple virtual honeypots Mimics OS network stack behaviors to trick attackers Provides a tool for network security research –Network decoy –Spam –Worm detection

17 17 Honeyd’s Strengths Supports an array of different OS network stacks –Fool attackers Can support a large number of VH’s for large address spaces Easily configurable to test various security issues –Routing configuration –OS options

18 18 Honeyd’s Weaknesses Low-Interaction –Only network stacks were implemented –Not all OS services available –Not all system vulnerabilities cannot be tested Personality Engine is not 100% –The 37 failed identifications –Could leave clues to attackers of which sections are honeypots.

19 19 Future Work Implement Middle-Interaction –Increase the number of OS services per VH Experiment with honeyd’s and physical honeypots on same network Increase stability of personality engine

20 20 Related Current Work Middle-Interaction –mwcollect –nepenthes The Honeynet Project –Raise Awareness –Teach and Inform –Research

21 21 Honeyd’s Contributions Provides an alternative technique for detecting attacks –Detecting worms, attackers, and spam Extremely low-cost option for honeypots –Cost of physical honeypots vs. virtual A model framework for low-interaction honeypots. –Simulates only an OS’s network stack –Can cover large amounts of IP addresses

Download ppt "A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire."

Similar presentations

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Honeypots Presented by Javier Garcia April 21, 2010.

Honeypots Presented by Javier Garcia April 21, 2010.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.

Aktueller Status How Hackers Cover Their Tracks ECE 4112 May 1st, 2007 Group 1 Chris Garyet Christopher Smith Introduction Lab Content Conclusions Questions.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
Dec, 20081 Honeyd Virtual Honeypot Frame Work Niels Provos Presented by: Fadi MohsenSupervised by: Dr. Chow CS591 Research Project Presented by: Fadi Mohsen.

Dec, Honeyd Virtual Honeypot Frame Work Niels Provos Presented by: Fadi MohsenSupervised by: Dr. Chow CS591 Research Project Presented by: Fadi Mohsen.
Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.

Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.

Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Similar presentations

Ads by Google