dtk

Information about dtk

Published on September 13, 2007

Author: Belly

Source: authorstream.com

Content

DTK --- Deception Toolkit
Fangfang Zhang

1. Background

Throughout the history of war, deception has been a cornerstone of successful offense and defense. The history of information system attack is almost entirely a history of deception, in which attackers deceive and defenders are open and honest.

Perhaps the most important point in this regard is that of 140 defensive techniques, only about one in ten could be considered deceptive in nature, while about half of the attack techniques involve deception. It is also important to understand that most of the defensive deception is only peripherally deceptive (some areas of cryptography, for example). Deception is underutilized in information protection.

How effective deceptions are created:
- Understand the intelligence capacities of the attacker.
- Find ways to cause their intelligence operations to go awry in desired ways.
- Exploit a set of redundant and seemingly independent sources of information that the attacker trusts and can verify, in order to create a total picture that deceives on a broad scale.

2. Introduction

2.1 What is DTK

DTK was released in 1997 as open source, written in Perl and C. DTK simply listens for inputs and provides responses that seem normal. In the process, it logs what is being done, provides sensible (if not quite perfect) answers, and lulls the attacker into a false sense of (your) insecurity.

DTK currently has the following components:

Generic.pl - a generic interface that works via tcp wrappers to service incoming requests.
listen.pl - a port listener that listens to a port and forks slave processes to handle each inbound attempt.
logging.pl - the subroutines and initialization for logging what happens.
respond.pl - the subroutine for responding based on 'response' file content.
notify.pl - a sample program to notify administrators of known attacks by email.
coredump.c - produces a coredump message on a port (what a fakeout).
deception.c - work in progress on a C version of the program - don't even think about compiling it yet.
makefile - makes the C programs into executables - truly trivial.
[nn].response - the responder finite state machine for each port. This takes some understanding of finite state machines.
@[nn].[something] - a response file for non-trivial outputs.
@fake.passwd - a fake password file that nobody will ever be able to decode.
expandlog.pl - expands compressed logfiles into a more readable form.

DTK GUI 1.1 / New DTK GUI

What kind of fancy features does it have?
- Compressed log files that save about half the space taken up by most logfiles without any loss of information, and a program to expand the compressed logs into the normal uncompressed format.
- Timeouts and limits on inputs everywhere, so that resource exhaustion is naturally defended against.
- Built-in detection and reporting of port scanning.

2.2 Purpose

It is designed primarily to provide the average Internet user with a way to turn on a set of deceptions in a few minutes that will be effective in substantially increasing attacker workloads while reducing defender workloads. In its off-the-shelf form, DTK is designed to provide fictions that are adequate to fool current off-the-shelf automated attack tools into believing that defenses are different than they actually are.

DTK is not intended to be the end-all of deceptions in information systems. It is only a simple tool for creating deceptions that fool simplistic attacks, defeat automatic attack systems, and change the balance of workload in favor of the defender.

2.3 How does it work?

DTK is a set of state machines. DTK simply listens for inputs and provides responses that seem normal (i.e., full of bugs).
In the process, it logs what is being done, provides sensible (if not quite perfect) answers, and lulls the attacker into a false sense of (your) insecurity.

Basic idea

The deception is intended to make it appear to attackers as if the system has a large number of widely known vulnerabilities. Attack tools automatically scan for known vulnerabilities and find what appear to be large volumes of them. When the attacker tries to interpret the results, there is not enough information to tell which of the detected vulnerabilities are real, and the number of detected vulnerabilities is very high. The attacker is then faced with spending inordinate amounts of time trying to figure out which of the indicated attacks really work.

State machines

The design of the state machines used in generating deceptions can be done so as to easily reveal the severity and intent of the attacker in terms of malice, while automatically suppressing false positives by giving them differentiable state numbers.

Explained by [nn].response

The [nn].response file describes to listen.pl and Generic.pl (and some day - maybe - deception.pl) how to respond to inputs.

Explained by a log example

127.0.0.1 23 23 1998/04/02 05:34:23 8041 8041:1 listen.pl S0 - - - +3 - -
8041:1 - S1 root - - - +1 - -
8041:1 - S2 toor - - - +2 - -
8041:1 - S3 ls - - - +2 - -
8041:1 - S3 df - - - +4 - -
8041:1 - S3 cat /etc/passwd - - - +0 - -
8041:1 - S4 NOTICE //dtk/notify.pl 23 4 Email fred at all.net Just sent a password file to an attacker - t!

2.3 Effects

- It increases the attacker's workload.
- It allows us to track attacker attempts at entry and respond before they come across a vulnerability we are susceptible to.
- It sours the milk, so to speak.

If one person uses DTK...
If a few others start using it...
If a lot of people use DTK...

Effects (continued)

If enough people adopt DTK and work together to keep its deceptions up to date, we will eliminate all but the most sophisticated attackers, and all the copy-cat attacks will be detected soon after they are released to the wide hacking community. This reduces the 'noise' level of attacks and allows us to more clearly see the more serious attackers and track them down.

If DTK becomes very widespread, one of DTK's key deceptions will become very effective. This deception is port 365.

The effect of DTK on denial of services
The effect of DTK on false positives and on determining attacker severity and intent

2.4 Limitation

DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attacker's method. DTK is clearly limited in the richness of the deceptions it can provide.

It is simple to differentiate between a real computing environment and the limited capabilities demonstrated by a finite state machine with a small number of states. Against most modern automated attack tools, this is adequate. But against a serious attacker, differentiation even by an automated tool would be a simple matter.

2.5 Two problems for the designer of automated attacks against deceptive defenses such as DTK

The first problem is generating automation that differentiates between deceptions and real services. The second problem is finding a way to succeed in the attack before the defender is able to react.
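The state-machine mechanism of section 2.3 (a per-port response table, a log record per input, a notify hook fired from a particular state) and the "fancy features" of the GUI slide (input limits against resource exhaustion, built-in port-scan detection) are easier to see in running code than in the flattened log above. The block below is an added example written for this page; it is not DTK's own code (DTK's responders are Perl scripts driven by [nn].response files). It is a Python reimplementation of the idea: the response-table syntax, the state-to-severity mapping, the 64-character and 16-input caps, the fake passwd content, the 10.0.0.x/192.0.2.x addresses and the log field layout are all this example's own choices, constructed to resemble the slide's log rather than to reproduce DTK's exact formats.

```python
"""DTK-style deception responder as a finite state machine.

Added example, not DTK code. The response-table format, severity mapping,
input caps, fake passwd text and log layout below are this example's own
assumptions, modelled on the slides, not DTK's real file formats.
"""
import re
import time
from collections import defaultdict

# DTK puts "timeouts and limits on inputs everywhere"; these caps are the
# equivalent here, so a flood of input cannot exhaust the responder.
MAX_INPUT_LEN = 64   # characters of one input line that are examined
MAX_STEPS = 16       # inputs answered per connection before it is dropped

# Constructed stand-in for @fake.passwd: nothing in it is a real credential.
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
               "fred:x:1000:1000:Fred:/home/fred:/bin/sh\n")

# One table per port, standing in for the [nn].response files:
# (state, regex on the input, next state, text sent back).
# Rows are tried top-down; the first match wins.
RESPONSE_FILES = {
    23: [  # fake telnet login that accepts any password, then a fake shell
        (0, r".*",                 1, "login: "),
        (1, r"^[a-z][a-z0-9_-]*$", 2, "Password: "),
        (1, r".*",                 1, "login: "),
        (2, r".*",                 3, "$ "),
        (3, r"^ls\b",              3, "bin  etc  home  tmp\n$ "),
        (3, r"^df\b",              3, "/dev/sda1  10G  2G  8G  20% /\n$ "),
        (3, r"^cat /etc/passwd$",  4, FAKE_PASSWD + "$ "),
        (3, r".*",                 3, "sh: command not found\n$ "),
        (4, r".*",                 4, "$ "),
    ],
}

# Severity is a function of the state number, so the log itself says how far
# a session went: states 0-1 are what any scanner produces (noise, suppressed),
# 3 means the fake shell was used, 4 means the fake password file was handed out.
SEVERITY = {0: 0, 1: 0, 2: 1, 3: 2, 4: 4}
NOTIFY_AT = 4        # reaching this severity fires the notify hook


class DeceptionHost:
    """Stand-in for listen.pl: one state machine per connection, one record per input."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = []       # one dict per input line seen
        self.notices = []       # what notify.pl would be asked to mail out
        self.next_conn = 8041   # connection id (a pid in DTK's own logs)

    def connect(self, src, port, inputs):
        """Serve one inbound connection; return everything sent back to it."""
        conn, self.next_conn = self.next_conn, self.next_conn + 1
        rules = RESPONSE_FILES.get(port, [])   # unknown port: log it, answer nothing
        state, sent = 0, []
        # The bare connect counts as an empty first input, so a scan that
        # never sends data still leaves a record.
        for step, raw in enumerate([""] + list(inputs)):
            if step >= MAX_STEPS:
                break
            inp = raw[:MAX_INPUT_LEN]
            nxt, out = state, ""                # no matching row: stay put, say nothing
            for s, pat, n, o in rules:
                if s == state and re.match(pat, inp):
                    nxt, out = n, o
                    break
            sev = SEVERITY.get(nxt, 0)
            self.records.append({"src": src, "port": port, "time": int(self.clock()),
                                 "conn": conn, "step": step, "state": state,
                                 "input": inp, "severity": sev})
            if sev >= NOTIFY_AT > SEVERITY.get(state, 0):   # first crossing only
                self.notices.append({"src": src, "port": port, "conn": conn,
                                     "state": nxt, "input": inp})
            state = nxt
            sent.append(out)
        return "".join(sent)

    def log_lines(self):
        """Render records in a layout modelled on the slide's log (an approximation)."""
        return [f'{r["src"]} {r["port"]} '
                f'{time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(r["time"]))} '
                f'{r["conn"]}:{r["step"]} S{r["state"]} {r["input"] or "-"} +{r["severity"]}'
                for r in self.records]

    def max_severity(self, src):
        """Highest state-derived severity a source reached; 0 for connect-and-leave scanners."""
        return max((r["severity"] for r in self.records if r["src"] == src), default=0)

    def scanners(self, min_ports=3):
        """Port-scan report: sources that touched at least min_ports distinct ports."""
        ports = defaultdict(set)
        for r in self.records:
            ports[r["src"]].add(r["port"])
        return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    host = DeceptionHost()
    # Constructed session mirroring the slide's example, then a constructed four-port scan.
    host.connect("192.0.2.10", 23, ["root", "toor", "ls", "df", "cat /etc/passwd"])
    for p in (21, 22, 25, 80):
        host.connect("192.0.2.20", p, [])
    print("\n".join(host.log_lines()))
    print("notices:", host.notices, "scanners:", host.scanners())
```

The point of keying severity to the state number is the false-positive suppression the slides describe: a scanner that connects to every port and leaves never gets past state 1, so it shows up in the scan report but with severity 0, while a session that walks the fake shell to the password file reaches state 4 and is the only thing that triggers a notice. The two caps mean an attacker who keeps a connection open and pours data into it gets at most 16 answers of 64 examined characters each, which is what "limits on inputs everywhere" buys against resource exhaustion.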
3. From Honey Pots to the Deception Toolkit

Early 'honey pot' systems were based on the idea of placing a small number of attractive targets in locations where they are likely to be found, and drawing attackers into them.

The original Deception Toolkit (DTK) provided some relief from the low probability of encountering a deception and the extreme localization of deceptions under previous honey-pot systems.

Summary
1. Background
2. Introduction
3. From Honey Pots to the Deception Toolkit

END - Thank you
