Introduction to Honeypot, Botnet, and Security Measurement - PowerPoint PPT Presentation

About This Presentation
Title:

Introduction to Honeypot, Botnet, and Security Measurement

Description:

Introduction to Honeypot, Botnet, and Security Measurement. Cliff C. Zou, 02/07/06 – PowerPoint PPT presentation

Slides: 18
Provided by: ucf90
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes


1
Introduction to Honeypot, Botnet, and Security
Measurement
  • Cliff C. Zou
  • 02/07/06

2
What Is a Honeypot?
  • Abstract definition
  • "A honeypot is an information system resource
    whose value lies in unauthorized or illicit use
    of that resource." (Lance Spitzner)
  • Concrete definition
  • A honeypot is a deliberately vulnerable (or
    emulated) system deployed so that it will be
    probed, attacked, exploited and compromised.

3
Example of a Simple Honeypot
  • Install a vulnerable OS and software on a machine
  • Install monitoring or IDS software
  • Connect it to the Internet (with a globally
    routable IP), with egress filtering so that a
    compromised honeypot cannot be used to attack
    others
  • Wait and monitor while it is scanned, attacked
    and compromised
  • Finish the analysis, then wipe and rebuild the
    machine

4
Benefit of Deploying Honeypots
  • Risk mitigation
  • A deployed honeypot may lure an attacker away
    from the real production systems (it is the
    easier target).
  • IDS-like functionality
  • Since no legitimate traffic should go to or from
    the honeypot, any traffic that does appear is
    suspicious by definition and can trigger further
    action.
  • Attack analysis
  • Find out why and how you are being attacked
    (motives, tools, strategies).

5
Benefit of Deploying Honeypots
  • Evidence
  • Once the attacker is identified, all captured
    data may be usable as evidence in legal
    proceedings.
  • Increased knowledge
  • Knowing how you are attacked improves your
    ability to respond appropriately and to prevent
    future attacks.
  • Research
  • Operating and monitoring a honeypot can reveal
    the most up-to-date techniques, exploits and
    tools, the attackers' internal communications,
    and the infection and spreading techniques of
    worms and viruses.

6
Honeypot Classification
  • High-interaction honeypots
  • A full, working OS is exposed to attack
  • VMware virtual environment
  • Several VMware virtual hosts on one physical
    machine
  • Low-interaction honeypots
  • Only emulate specific network services
  • No real interaction and no real OS
  • Example: Honeyd
  • Honeynet/honeyfarm
  • A network of honeypots

7
Low-Interaction Honeypots
  • Pros
  • Easy to install (a simple program)
  • Low risk (no real vulnerable software to
    compromise)
  • One machine can support hundreds of honeypots
  • Cons
  • No real interaction is captured
  • Limited logging/monitoring
  • Easily detectable by attackers

8
High-Interaction Honeypots
  • Pros
  • Real OS: captures all attack traffic and actions
  • Can discover unknown attacks and vulnerabilities
  • Cons
  • Time-consuming to build and maintain
  • Time-consuming to analyze the attacks
  • Risk of being used as a stepping stone to attack
    others
  • High computing resource requirements

9
Honeynet
  • A network of honeypots
  • High-interaction honeynet
  • A distributed network composed of many honeypots
  • Collapsar: A VM-Based Architecture for Network
    Attack Detention Center (USENIX Security 2004)
  • Low-interaction honeynet
  • Emulates a virtual network on one physical machine
  • Example: honeyd
  • Mixed honeynet
  • Scalability, Fidelity, and Containment in the
    Potemkin Virtual Honeyfarm (SOSP 2005), presented
    next week
  • Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

10
What Is a Botnet?
  • A network of compromised computers controlled by
    their attacker
  • Users of the zombie machines are unaware
  • Now the main source of many attacks
  • Distributed Denial-of-Service (DDoS)
  • Extortion
  • Email spam, phishing
  • Ad fraud
  • Theft of user information (documents,
    keylogging, ...)

11
How to Build a Botnet?
  • Infect machines via
  • Internet worms, viruses
  • Email viruses
  • Backdoors left by previous malware
  • Trojan programs
  • Bots then phone home to receive commands

12
Botnet Architecture
  • Bot controller
  • Usually an IRC server (Internet Relay Chat)
  • Dozens of controllers for robustness

13
Botnet Monitoring
  • Hijack one of the bot controllers
  • The DNS provider redirects the controller's domain
    name to the monitor
  • Still cannot cut off the botnet (dozens of
    controllers)
  • Can obtain most/all of the bots' IP addresses
  • Let honeypots join the botnet
  • Can monitor all communications the honeypot bot
    receives
  • Still no complete picture of the botnet
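Added example (not from the slides): a Python monitor for the two cases above, "join the botnet" and "hijack a controller". It parses IRC lines in the RFC 1459 format that IRC-based bot controllers speak, records each joining bot's address from its hostmask, and separates controller commands from bot replies. The channel name, the "."-prefixed command convention and the log lines are constructed assumptions, not traffic captured from any real botnet.

```python
"""Monitor for an IRC-based bot controller (added example, not from the slides):
parse the IRC protocol lines a sinkholed controller or a honeypot bot sees,
record each joining bot's address, and separate commands from bot replies."""
import re
from collections import Counter

# RFC 1459 prefix ":nick!user@host" (user and host optional; servers send ":server.name")
PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)(?:!(?P<user>[^@\s]+))?(?:@(?P<host>\S+))?$")

# Constructed log as the monitor would see it; not real botnet traffic.
SAMPLE_LOG = [
    ":bot-4f3a!~x@203.0.113.17 JOIN :#ctl",
    ":bot-9c11!~x@198.51.100.52 JOIN :#ctl",
    ":master!op@10.1.1.1 PRIVMSG #ctl :.scan 192.0.2.0/24 445",
    ":bot-4f3a!~x@203.0.113.17 PRIVMSG #ctl :scan started on 192.0.2.0/24",
    ":bot-9c11!~x@198.51.100.52 PRIVMSG #ctl :scan started on 192.0.2.0/24",
    "PING :sink.example",
    ":master!op@10.1.1.1 PRIVMSG #ctl :.update http://198.51.100.1/u.exe",
]


def parse_irc_line(line):
    """Split one IRC message into (prefix dict or None, command, params).
    The last parameter may start with ':' and may then contain spaces."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        head, _, line = line.partition(" ")
        m = PREFIX_RE.match(head)
        prefix = m.groupdict() if m else {"nick": head[1:], "user": None, "host": None}
    if " :" in line:
        middle, _, trailing = line.partition(" :")
        params = middle.split() + [trailing]
    else:
        params = line.split()
    command = params[0].upper() if params else ""
    return prefix, command, params[1:]


class BotnetMonitor:
    """Tracks bots and controller commands on one channel.

    Hosts come from the JOIN hostmask. On a sinkhole server you run yourself,
    that field is the connecting peer's IP, which enumerates the botnet; on a
    foreign server it may be cloaked, so treat it as a hint only."""

    def __init__(self, channel, command_prefixes=(".", "!")):
        self.channel = channel
        self.command_prefixes = command_prefixes  # assumption: how this controller marks commands
        self.bots = {}            # nick -> host/IP seen at JOIN
        self.commands = []        # (issuer nick, command text), in order received
        self.replies = Counter()  # nick -> non-command messages (bot status reports)

    def feed(self, line):
        prefix, command, params = parse_irc_line(line)
        nick = prefix["nick"] if prefix else None
        if command == "JOIN" and prefix and prefix["host"] and params and params[0] == self.channel:
            self.bots[nick] = prefix["host"]
        elif command == "PRIVMSG" and len(params) >= 2 and params[0] == self.channel:
            text = params[1]
            if text.startswith(self.command_prefixes):
                self.commands.append((nick, text))
            else:
                self.replies[nick] += 1
        return command

    def bot_addresses(self):
        return sorted(set(self.bots.values()))


if __name__ == "__main__":
    mon = BotnetMonitor("#ctl")
    for raw in SAMPLE_LOG:
        mon.feed(raw)
    print("bots:", mon.bot_addresses())
    for who, cmd in mon.commands:
        print(f"command from {who}: {cmd}")
```

A honeypot bot connected to a real controller sees only the channel it joined, which is the "no complete picture" limitation on the slide; a sinkholed controller sees every bot that still resolves the hijacked name, but none of the commands the attacker now issues through the remaining controllers.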

14
Security Measurement
  • Monitor network traffic to understand and track
    Internet attack activity
  • Monitor incoming traffic to unused IP space
  • TCP connection requests
  • UDP packets

[Figure: traffic from the Internet arriving at the unused IP space of a local network]
15
Refining Monitoring
  • A TCP SYN alone is not enough (it gives only
    source IP and port)
  • To distinguish different attacks:
  • Low-interaction honeypots (honeyd)
  • Obtain the first attack payload by replying
    SYN/ACK
  • Internet Motion Sensor (NDSS 2005), presented
    next week
  • High-interaction honeypots
  • TCP Reset packets
  • Backscatter from the victims of spoofed DoS
    attacks
  • Inferring Internet Denial-of-Service Activity,
    presented later
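Added example (not from the slides, and not honeyd's code): a minimal low-interaction TCP honeypot in Python for the low-interaction honeypot slide and the "obtain the first attack payload by replying SYN/ACK" bullet above. It completes the handshake on a few unused ports, records the first bytes each connection sends, and closes. A bare SYN tells you only the source IP and port; reading the first message after the handshake gives the exploit payload, and an empty message separates a port scan from an exploit attempt. The ports, the timeout and the replayed payloads are assumptions.

```python
"""Minimal low-interaction TCP honeypot (added example, not honeyd and not from
the original slides): complete the handshake on otherwise-unused ports, record
the first bytes each connection sends, and close."""
import socket
import threading
import time
from dataclasses import dataclass

MAX_PAYLOAD = 512            # assumption: bytes of the first message worth keeping
READ_TIMEOUT = 3.0           # assumption: seconds to wait for the attacker's first bytes
PORTS = (2222, 8080, 4444)   # assumption: ports nothing legitimate should touch


@dataclass
class Hit:
    ts: float
    src: str
    sport: int
    dport: int
    payload: bytes           # first bytes sent; empty for a bare connect (port scan)


def capture_first_payload(conn: socket.socket, src: tuple, dport: int) -> Hit:
    """Read the first message an attacker sends after the TCP handshake.

    A port scanner connects and sends nothing (or resets), so an empty payload
    is informative too: it separates a scan from an exploit attempt, whose first
    message identifies the service and often the vulnerability being targeted.
    """
    conn.settimeout(READ_TIMEOUT)
    try:
        data = conn.recv(MAX_PAYLOAD)
    except (socket.timeout, ConnectionResetError):
        data = b""
    finally:
        conn.close()
    return Hit(time.time(), src[0], src[1], dport, data)


def describe(hit: Hit) -> str:
    """One log line per hit; payload is hex-encoded so binary exploit data is safe to log."""
    kind = "payload" if hit.payload else "scan"
    return f"{hit.src}:{hit.sport} -> :{hit.dport} {kind} {hit.payload[:64].hex()}"


def replay(payload: bytes, src: tuple, dport: int) -> Hit:
    """Offline harness: push a constructed payload through the capture path over a
    local socket pair instead of a network connection (for exercising the logic)."""
    attacker, sensor = socket.socketpair()
    if payload:
        attacker.sendall(payload)
    attacker.close()         # one-shot probe: EOF right after the first message
    return capture_first_payload(sensor, src, dport)


def serve(bind_addr: str, port: int, hits: list, stop: threading.Event) -> None:
    """Accept loop for one emulated port; appends Hit records to `hits`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    srv.settimeout(0.5)      # wake up periodically to check the stop flag
    while not stop.is_set():
        try:
            conn, src = srv.accept()
        except socket.timeout:
            continue
        hits.append(capture_first_payload(conn, src, port))
    srv.close()


if __name__ == "__main__":
    hits, stop = [], threading.Event()
    for p in PORTS:
        threading.Thread(target=serve, args=("0.0.0.0", p, hits, stop), daemon=True).start()
    try:
        while True:
            time.sleep(1)
            while hits:
                print(describe(hits.pop(0)))
    except KeyboardInterrupt:
        stop.set()
```

Because the listener never runs the real service, there is nothing to exploit, which is the "low risk" of the low-interaction slide; the price is that an attacker whose exploit needs a banner or a multi-step protocol gets nothing back and can tell the port is fake, which is its "easily detectable" con.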
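Added example, not from the slides: a Python classifier for packets arriving at an unused address block, covering both the Security Measurement slide (TCP connection requests and UDP packets to unused space) and the backscatter bullets above (SYN/ACK and RST packets from victims of spoofed DoS attacks, the technique of Moore, Voelker and Savage's "Inferring Internet Denial-of-Service Activity"). The address block, the packet records, the thresholds and the uniform-spoofing assumption behind the scale-up are constructed assumptions.

```python
"""Classify traffic arriving at an unused IP block, a network telescope (added
example, not from the slides). Every packet to the block is unsolicited, so the
only question is what kind of unsolicited packet it is."""
import ipaddress
from collections import Counter, defaultdict

# Constructed: TEST-NET-1 stands in for an unused block routed to the monitor.
DARKNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet records: (src, dst, proto, sport, dport, tcp_flags)
SAMPLE = [
    ("203.0.113.5",   "192.0.2.10",  "tcp", 51234, 445,  "S"),
    ("203.0.113.5",   "192.0.2.11",  "tcp", 51235, 445,  "S"),
    ("203.0.113.5",   "192.0.2.12",  "tcp", 51236, 445,  "S"),
    ("198.51.100.9",  "192.0.2.77",  "udp", 1026,  1434, ""),
    ("198.51.100.9",  "192.0.2.78",  "udp", 1026,  1434, ""),
    # SYN/ACKs from one host to many of our addresses: it is answering SYNs we
    # never sent, i.e. it is the victim of a SYN flood with spoofed sources.
    ("198.51.100.80", "192.0.2.3",   "tcp", 80, 3345, "SA"),
    ("198.51.100.80", "192.0.2.19",  "tcp", 80, 9921, "SA"),
    ("198.51.100.80", "192.0.2.200", "tcp", 80, 1020, "SA"),
    ("198.51.100.80", "192.0.2.55",  "tcp", 80, 6000, "RA"),
    ("203.0.113.44",  "192.0.2.9",   "tcp", 22, 4001, "RA"),  # one stray RST: no inference
]


def classify(pkt):
    """A SYN is only an IP and a port (a scan or worm probe); a UDP datagram is a
    probe with its payload; SYN/ACK and RST are replies to packets we never sent."""
    src, dst, proto, sport, dport, flags = pkt
    if ipaddress.ip_address(dst) not in DARKNET:
        return "not-darknet"
    if proto == "udp":
        return "udp-probe"
    if proto == "tcp":
        if flags == "S":
            return "tcp-scan"
        if "A" in flags and ("S" in flags or "R" in flags):
            return "backscatter"
    return "other"


def summarize(packets, min_backscatter=3, min_targets=3):
    """Per-port and per-source scan counts, UDP probe counts, and inferred DoS victims."""
    summary = {
        "scan_ports": Counter(),   # dport -> SYN count
        "scanners": Counter(),     # src -> SYN count
        "udp_ports": Counter(),    # dport -> UDP count
        "victims": {},             # backscatter source -> packet count
    }
    back_count = Counter()
    back_targets = defaultdict(set)
    for pkt in packets:
        kind = classify(pkt)
        src, dst, proto, sport, dport, flags = pkt
        if kind == "tcp-scan":
            summary["scan_ports"][dport] += 1
            summary["scanners"][src] += 1
        elif kind == "udp-probe":
            summary["udp_ports"][dport] += 1
        elif kind == "backscatter":
            back_count[src] += 1
            back_targets[src].add(dst)
    for src, n in back_count.items():
        # Require several packets spread over several of our addresses before
        # calling a host a victim: a single RST is not evidence of an attack.
        if n >= min_backscatter and len(back_targets[src]) >= min_targets:
            summary["victims"][src] = n
    return summary


def estimate_attack_packets(observed, darknet=DARKNET):
    """Scale the backscatter this block saw up to the whole IPv4 space. Valid only
    under the assumption that the attacker spoofs sources uniformly at random."""
    fraction = darknet.num_addresses / 2 ** 32
    return observed / fraction


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("SYNs per port:", dict(s["scan_ports"]))
    print("UDP per port:", dict(s["udp_ports"]))
    for victim, n in s["victims"].items():
        print(f"inferred DoS victim {victim}: {n} backscatter packets seen,",
              f"~{int(estimate_attack_packets(n))} attack packets Internet-wide")
```

The classification depends on TCP flags, which is why a SYN-only record, as the slide says, is not enough: the same source address and port look identical whether the host is scanning us or being flooded by someone spoofing our addresses.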

16
Remote fingerprinting
  • Actively probe remote hosts to identify their
    OS, hardware, etc.
  • Different OSes answer the same probe differently
  • Different hardware answers differently
  • Purposes
  • Understand the population of Internet hosts
  • Remove the DHCP ambiguity from monitored data
    (one IP address may be several hosts over time)
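Added example (not from the slides): the initial-TTL heuristic behind OS fingerprinting, applied to headers the monitor has already captured, and used for the DHCP problem on the slide: one IP address observed over a day may be several different machines, so observations are split into host instances wherever the fingerprint changes. The initial-TTL defaults are standard; the OS labels and the observation records are illustrative assumptions, not a signature database such as nmap's or p0f's, and an active prober would add crafted probes rather than rely on captured traffic alone.

```python
"""OS-class fingerprinting from packet headers and its use against the DHCP
problem (added example, not from the slides)."""

# Standard initial TTL defaults: 64 (Linux, BSD, macOS), 128 (Windows), 255 (many routers, Solaris).
INITIAL_TTLS = (64, 128, 255)

# Constructed observations from captured headers: (timestamp, src_ip, ttl, tcp_window)
OBS = [
    (100,  "198.51.100.7", 116, 65535),
    (160,  "198.51.100.7", 116, 65535),
    (7200, "198.51.100.7", 52,  29200),   # same IP after a new lease: a different machine
    (7260, "198.51.100.7", 52,  29200),
    (200,  "203.0.113.9",  240, 4128),
]


def infer_initial_ttl(observed_ttl):
    """Each router decrements TTL by one, so the sender's initial value is the
    smallest common default that is not below the observed value."""
    for t in INITIAL_TTLS:
        if observed_ttl <= t:
            return t
    return 255


def hop_distance(observed_ttl):
    return infer_initial_ttl(observed_ttl) - observed_ttl


def os_class(observed_ttl):
    """Coarse OS family from the initial TTL alone. Real tools combine dozens of
    header and option differences; this mapping is an illustrative assumption."""
    init = infer_initial_ttl(observed_ttl)
    return {64: "unix-like", 128: "windows"}.get(init, "network-device/other")


def fingerprint(ttl, window):
    """Key for deciding whether two packets came from the same machine. Hop distance
    is left out on purpose: routes change without the host changing."""
    return (infer_initial_ttl(ttl), window)


def split_hosts(observations):
    """Group observations per IP into host instances, opening a new instance
    whenever the fingerprint changes. Counting plain IPs would merge the machines."""
    instances = {}
    for ts, ip, ttl, win in sorted(observations):
        fp = fingerprint(ttl, win)
        runs = instances.setdefault(ip, [])
        if not runs or runs[-1]["fp"] != fp:
            runs.append({"fp": fp, "os": os_class(ttl), "hops": hop_distance(ttl),
                         "first": ts, "last": ts, "packets": 0})
        runs[-1]["last"] = ts
        runs[-1]["packets"] += 1
    return instances


if __name__ == "__main__":
    for ip, runs in split_hosts(OBS).items():
        for r in runs:
            print(ip, r["os"], "hops", r["hops"], "packets", r["packets"],
                  "window", r["fp"][1], "seen", r["first"], "to", r["last"])
```

The same fingerprint on the same IP after a gap is still ambiguous (a lease renewed by the same machine, or two machines with the same OS), so this splits conservatively: it only ever separates observations that cannot be one host.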

17
Data Sharing and Traffic Anonymization
  • Sharing monitored network traffic is important
  • Collaborative attack detection
  • Academic research
  • Privacy and security exposure in data sharing
  • Packet headers expose IP addresses and service
    ports
  • Packet content is more serious
  • Data anonymization
  • Transform packet headers while preserving IP
    prefix structure, and
  • Transform packet content
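Added example (not from the slides): prefix-preserving IP anonymization in Python, following the Crypto-PAn construction of Xu, Fan, Ammar and Moon with HMAC-SHA256 standing in for the pseudorandom function, plus a record transform that keeps ports and replaces packet content with its length and a keyed digest. Two addresses that share their first k bits map to anonymized addresses that share exactly their first k bits, which is what keeps subnet structure usable for collaborative detection. The key and the sample records are constructed.

```python
"""Prefix-preserving IP anonymization and packet-record scrubbing (added
example, not from the slides). Crypto-PAn construction with HMAC-SHA256 as the
pseudorandom function; the key and sample records are constructed."""
import hashlib
import hmac
import ipaddress


def anonymize_ipv4(addr, key):
    """Anonymize one IPv4 address so that prefix structure survives.

    Output bit i is input bit i XOR a pseudorandom bit that depends only on the
    first i input bits (and the key). Two addresses with the same first k bits
    therefore get the same k-bit anonymized prefix, and their outputs diverge at
    exactly the first bit where the inputs diverge."""
    a = int(ipaddress.IPv4Address(addr))
    out = 0
    for i in range(32):
        prefix = a >> (32 - i)                          # the first i bits of the address
        msg = bytes([i]) + prefix.to_bytes(4, "big")    # length tag keeps short prefixes distinct
        flip = hmac.new(key, msg, hashlib.sha256).digest()[0] & 1
        bit = (a >> (31 - i)) & 1
        out = (out << 1) | (bit ^ flip)
    return str(ipaddress.IPv4Address(out))


def shared_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def anonymize_record(rec, key):
    """Header: addresses anonymized, protocol and ports kept (they carry the attack
    signal). Content: replaced by its length and a keyed digest, so collaborators
    can still match identical payloads without ever seeing them."""
    return {
        "src": anonymize_ipv4(rec["src"], key),
        "dst": anonymize_ipv4(rec["dst"], key),
        "proto": rec["proto"],
        "sport": rec["sport"],
        "dport": rec["dport"],
        "payload_len": len(rec["payload"]),
        "payload_digest": hmac.new(key, rec["payload"], hashlib.sha256).hexdigest()[:16],
    }


# Constructed sample: two sources on the same /24 sending the same probe to one target.
SAMPLE = [
    {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "sport": 40001, "dport": 445,
     "payload": b"\x00\x00\x00\x85\xffSMB"},
    {"src": "10.1.2.200", "dst": "192.0.2.10", "proto": "tcp", "sport": 40002, "dport": 445,
     "payload": b"\x00\x00\x00\x85\xffSMB"},
]

if __name__ == "__main__":
    key = b"constructed-demo-key"
    out = [anonymize_record(r, key) for r in SAMPLE]
    for o in out:
        print(o)
    print("shared prefix bits before:", shared_prefix_len(SAMPLE[0]["src"], SAMPLE[1]["src"]),
          "after:", shared_prefix_len(out[0]["src"], out[1]["src"]))
```

Prefix preservation is itself a leak: an adversary who knows a few real addresses in the trace learns the anonymized form of every prefix those addresses share with others, so the key must stay secret, it should differ per shared data set, and the anonymized trace is still something to share under agreement rather than publish.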