honeyd litao

Information about honeyd litao

Published on October 7, 2007

Author: Sharck

Source: authorstream.com

Content

A Virtual Honeypot Framework
Author: Niels Provos. Published in: CITI Report 03-1. Presenter: Tao Li.

Outline
- Introduction
- Honeyd: what is Honeyd?
- Design and implementation of Honeyd
- Evaluation of Honeyd
- Applications
- Discussion

Introduction: network security background
- We are unable to build secure computer systems, or even to measure their security.
- New vulnerabilities keep being exploited.
- Exploit automation and massive global scanning for vulnerabilities are used to compromise computer systems.
- Honeypots are one way to get early warning of new vulnerabilities.

Introduction: what is a honeypot?
- A closely monitored computing resource intended to be probed, attacked or compromised.
- A network decoy that draws attackers away from real targets.
- A network sensor monitoring a blackhole (unused address space).
- Provides IDS functionality.

Introduction: why honeypots instead of a NIDS?
- All data entering or leaving a honeypot is closely monitored and collected for forensic analysis.
- A honeypot can detect vulnerabilities that are not yet understood.
- It is less likely to produce false positives.
- It can run any OS and any number of services; the configured services determine the vectors available to an adversary.

Introduction: categories of honeypots
- By interaction: high-interaction honeypots simulate all aspects of an OS and can be compromised completely; low-interaction honeypots simulate only parts of an OS, to gather high-level information.
- By implementation: physical honeypots are real machines with their own IP addresses; virtual honeypots are simulated by another machine.

What is Honeyd?
Honeyd is a low-interaction virtual honeypot: a lightweight framework for creating virtual honeypots that instruments thousands of IP addresses with virtual machines and corresponding network services.

What can Honeyd do?
- Simulate TCP and UDP services
- Support ICMP
- Handle multiple IP addresses simultaneously
- Simulate arbitrary network topologies
- Support topologically dispersed address spaces
- Support network tunneling for load sharing

Design and implementation: overview
- Receiving network data
- Architecture
- Personality engine
- Routing topology
- Configuration
- Logging

Receiving network data
Three ways for Honeyd to receive traffic for its virtual honeypots:
- A special route that leads the data to the Honeyd host
- Proxy ARP for the honeypot addresses
- Network tunnels using generic routing encapsulation (GRE)

Architecture
- Incoming packets are dispatched to the correct protocol handler.
- For TCP and UDP, the configured services receive new data and send responses if necessary.
- All outgoing packets are modified by the personality engine to mimic the behavior of the configured network stack.
- The routing component is optional and is used only when Honeyd simulates a network topology.

Architecture: components
- Configuration database: stores the personalities of the configured network stacks.
- Central packet dispatcher: dispatches incoming packets to the correct protocol handler.
- Protocol handlers
- Personality engine
- Optional routing component

Architecture: subsystems and redirection
- Subsystem support: an application that runs in the namespace of the virtual honeypot, so no new process has to be created for each connection.
- Connection redirection: forward a connection request for a service to a real server, or reflect the connection back to the adversary.

Personality engine: why use it?
- Different operating systems have different network stack behaviors.
- Adversaries commonly run fingerprinting tools like Xprobe or Nmap to gather information about a target system.
- The personality engine makes a honeypot appear like a real target to a probe, so that the fingerprinting tools are fooled.

Personality engine: how to fool the adversaries?
- Use Nmap's fingerprint database as the reference for TCP and UDP.
- Use Xprobe's fingerprint database for ICMP.
- Change the headers of every outgoing packet before it is sent to the network so that they match the characteristics of the configured operating system.

Personality engine: example
- Nmap's fingerprinting is mostly concerned with an OS's TCP implementation.
- Nmap uses the size of the advertised receiver window, which varies between implementations, as part of the fingerprint.
- Example of an Nmap fingerprint specifying the network behavior:

    Fingerprint IRIX 6.5.15m on SGI O2
    TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
    T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
    T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
    PU(Resp=N)

Routing topology
- Honeyd can simulate arbitrary virtual routing topologies.
- Simulation of a route tree: configure the entry router; latency and packet loss are configurable.
- Simulation of arbitrary routing.
- Extensions: integrate physical machines into the topology; distribute Honeyd via GRE tunneling.

How to configure?
Each virtual honeypot is configured with a template. Commands:
- create: creates a new template
- set: assigns a personality (from the fingerprint database) to a template and specifies the default behavior of the network protocols: block (all packets dropped), reset (all ports closed by default) or open (all ports open by default)
- add: specifies the available services
- proxy: used for connection forwarding
- bind: assigns a template to a specific IP address

Logging
- Honeyd supports several ways of logging network activity.
- Honeyd creates connection logs that report attempted and completed connections for all protocols.
- Information can also be gathered from the services themselves and reported to Honeyd via stderr.
- Honeyd can run in conjunction with a NIDS.

Evaluation
- Honeyd does fool Nmap.
- Of 600 fingerprints in total, Nmap uniquely identified the operating system simulated by Honeyd in 555 cases, and in 37 cases generated a list of possible answers that included the simulated personality.
- Only 8 fingerprints out of 600 failed. It works quite effectively.

Application: network decoys
- Instrument the unallocated addresses of a production network to confuse and deter adversaries scanning that network.
- In conjunction with a NIDS, the resulting network traffic may help in getting early warning of attacks.

Application: detecting and countering worms
- Deploy a large number of virtual honeypots as gateways in front of a smaller number of high-interaction honeypots.
- Use Honeyd's subsystem support to expose regular UNIX applications like OpenSSH to worms.

Application: spam prevention
- Spammers abuse two Internet services: proxy servers and open mail relays.
- Use the Honeyd framework to instrument networks with open proxy servers and open mail relays.

Strengths
Honeyd has many advantages over a NIDS:
- Collects more useful information
- Detects vulnerabilities not yet understood
- Less likely to lead to high false-positive rates
- Cheats the fingerprinting tools effectively
- Effective network decoys that confuse and deter attackers
- Detecting and immunizing against new worms
- Spam prevention

Weaknesses
- Interaction is limited to the network level: the whole OS is not simulated, so adversaries never gain full access to a system.
- Limited number of simulated services and protocols.
- What if the worm is smart enough to cheat us? Then Honeyd itself could become an attacker.

How to improve?
- Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware, for better forensic analysis of the attacker.
- Cheat more fingerprinting tools, e.g. p0f, which passively analyzes network traffic.
- Simulate more services and protocols, e.g. with a better TCP state machine.

Thank you. Any questions?
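As an added example (not part of the presentation and not Honeyd's own code), the following Python shows the personality engine's input in practice: it parses the IRIX Nmap fingerprint from the slide above and derives, for each Nmap probe, the IP/TCP header values a Honeyd reply would have to carry (DF bit, window size, acknowledgement number, flags and option order). The probe sequence number and the option-letter table are assumptions based on Nmap's first-generation fingerprint notation.

```python
import re

# Nmap (first-generation) fingerprint copied from the slide above; Honeyd reads
# entries in this format from Nmap's database and calls them "personalities".
IRIX_FINGERPRINT = """\
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

PROBE_LINE = re.compile(r"^(\w+)\((.*)\)$")
# Option letters of the Ops field (assumed Nmap v1 notation), in wire order.
OPTION_NAMES = {"M": "MSS", "N": "NOP", "W": "WScale", "T": "Timestamp", "S": "SACKok", "L": "EOL"}

def parse_fingerprint(text):
    """Return (personality name, {probe: {field: value}}) for one fingerprint."""
    name, probes = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        m = PROBE_LINE.match(line)
        if m:  # "T1(DF=N%W=EF2A%...)" -> {"DF": "N", "W": "EF2A", ...}
            fields = (item.partition("=") for item in m.group(2).split("%") if item)
            probes[m.group(1)] = {key: val for key, _, val in fields}
    return name, probes

def reply_headers(probes, probe, probe_seq):
    """Header values the personality engine would stamp on the reply to one Nmap probe."""
    p = probes[probe]
    if p.get("Resp") == "N":
        return None  # this personality sends no reply at all to that probe
    flags = p.get("Flags", "")
    return {
        "df": p.get("DF") == "Y",               # IP don't-fragment bit
        "window": int(p.get("W") or "0", 16),   # advertised receive window (hex in Nmap)
        "ack": {"S++": probe_seq + 1, "S": probe_seq, "O": 0}.get(p.get("ACK"), 0),  # relative to probe seq
        "flags": {f: f[0].upper() in flags for f in ("syn", "ack", "rst")},
        "options": [OPTION_NAMES[c] for c in p.get("Ops", "")],
    }
```

The T1 entry (SYN to an open port) yields a SYN/ACK with window 0xEF2A and the option sequence MSS, NOP, WScale, NOP, NOP, Timestamp, NOP, NOP, MSS, which is exactly what Nmap compares against its database.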
