Heat-seeking Honeypots: Design and Experience AUTHORS : John P. John, Arvind Krishnamurthy, Fang Yu, Yinglian Xie, and Martín Abadi.

Upload: ameya-vp

Post on 27-Jan-2015


Page 1: Heat seeking honeypot

Heat-seeking Honeypots: Design and Experience

AUTHORS : John P. John, Arvind Krishnamurthy, Fang Yu, Yinglian Xie, and Martín Abadi.

Page 2: Heat seeking honeypot

Outline
● Honeypot
● Problem statement
● Introduction
● System Design
● Architecture
● Working
● Conclusion
● References

Page 3: Heat seeking honeypot

CURRENT PROBLEMS
Internet security is hard
● New attacks every day
● Our computers are static targets

What should we do?
● The more you know about your enemy, the better you can protect yourself
● Fake target?

Page 4: Heat seeking honeypot

SOLUTION
HONEYPOT: A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems.

Page 5: Heat seeking honeypot

Architecture
● In front of the firewall
● Demilitarized Zone
● Behind the firewall (Intranet)

Page 6: Heat seeking honeypot

PROBLEM STATEMENT
We lack an automated, server-based honeypot system that generates honeypot (web) pages based on the attackers' interests.

Page 7: Heat seeking honeypot

INTRODUCTION
● Heat-seeking honeypots attract attackers, dynamically generate and deploy honeypot pages, and analyze logs to identify attacks
● Attackers search for vulnerable servers

Challenges:
● How attackers find, compromise and misuse vulnerable servers
● How to select which web applications to emulate
● How to effectively get attackers to target these honeypots

Page 8: Heat seeking honeypot

SYSTEM DESIGN
Heat-seeking honeypots consist of 4 components:
➢ Obtaining attacker queries
➢ Creation of honeypot pages
➢ Advertising honeypot pages to attackers
➢ Detecting malicious traffic using logs

Page 9: Heat seeking honeypot

ARCHITECTURE

Page 10: Heat seeking honeypot

1. Obtaining attacker queries
How do attackers find web servers?
➔ Make use of Internet search engines.
   E.g., a query for a PHP vulnerability: phpizabi v0.848b c1 hfp1
➔ Perform brute-force port scanning on the Internet.

How can we obtain these malicious queries?
SearchAudit: Automatically identify malicious queries from attackers in the Bing log.

Page 11: Heat seeking honeypot

2. Creation of honeypot pages
1. Install vulnerable web software:
   a. Manually install web applications that were frequently targeted.
   b. Each application is placed in a different VM.
Pros: High interaction with the attacker.
Cons: Need a domain expert to manually identify the target software and set up the software.

Page 12: Heat seeking honeypot

Contd.
2. Set up web pages matching the query
   a. No setting up of actual software
   b. Automatic creation of web pages similar to the query's results
Pros: Scalable
Cons: Fewer interactions, since requests made by attackers may result in incorrect responses

Page 13: Heat seeking honeypot

Contd.
3. Set up proxy pages
   a. Creation of a transparent proxy that forwards all attacker requests to the actual website
Pros: Combines the advantages of the previous two approaches
Cons: Assists in malicious attacks

Page 14: Heat seeking honeypot

Steps in honeypot creation
● Browse for each query and collect the result URLs.
● Fetch the web page elements of the top results that are required to render these pages.
● Strip all JavaScript contents and rewrite all the links to local points of the page.
● Populate with keywords to improve page ranks.
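The third and fourth steps above, as an added example that is not part of the original slides or the paper's code: a small Python rewriter built on the standard library's HTMLParser that drops script blocks and inline event handlers, points every link at a local path the honeypot can serve itself, and seeds the page with the query's terms. The sample page and the localization rule (keep only the URL path) are assumptions for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


class HoneypotPageBuilder(HTMLParser):
    """Rewrite a fetched result page into a self-contained honeypot page."""

    LINK_ATTRS = {"a": "href", "link": "href", "img": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.out, self.in_script, self.local_links = [], False, set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True                 # swallow everything up to </script>
            return
        parts = []
        for name, value in attrs:
            if name.startswith("on"):             # inline event handlers are JS too
                continue
            if value and name == self.LINK_ATTRS.get(tag):
                value = urlparse(value).path or "/"   # rewrite to a local path...
                self.local_links.add(value)           # ...the honeypot must serve
            parts.append(f' {name}="{escape(value)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:                    # script bodies are discarded
            self.out.append(escape(data, quote=False))


def build_honeypot_page(markup, query_terms):
    """Return (rewritten page, sorted local paths the honeypot has to serve)."""
    p = HoneypotPageBuilder()
    p.feed(markup)
    p.close()
    # Seed the page with the attacker query's terms so it ranks for that query.
    meta = f'<meta name="keywords" content="{escape(", ".join(query_terms))}">'
    return "".join(p.out).replace("<head>", "<head>" + meta, 1), sorted(p.local_links)


# Constructed sample of a fetched result page (not real site content).
SAMPLE_HTML = ('<html><head><title>Demo App</title><script src="http://example.com/a.js"></script></head>'
               '<body onload="init()"><a href="http://example.com/login.php">Login</a>'
               '<img src="http://example.com/img/logo.png"><script>var x = 1;</script></body></html>')
```

The returned path list is the set of local URLs the honeypot server must answer so that the rewritten page renders without contacting the original site.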

Page 15: Heat seeking honeypot

3. Advertising honeypot pages to attackers
● Submit URLs of honeypot pages to search engines
● Add links to other public web pages
● Legitimate sites shall not lose traffic from ordinary users

Page 16: Heat seeking honeypot

4. Detecting malicious traffic
● Problems of the existing blacklist approach
● Log all visits to our local heat-seeking honeypots
● Process the log and automatically extract attack traffic.
● Two kinds of legitimate traffic:
   - Search engine crawlers
   - Regular users

Page 17: Heat seeking honeypot

Identify crawlers / malicious traffic
● Identifying crawlers
   ○ Characterizing the behavior of known crawlers
   ○ Identifying unknown crawlers
● Two types of links a crawler visits:
   ○ Static: Automatically generated honeypot pages.
   ○ Dynamic: Generated by the real software, where URL arguments can take different values.

Page 18: Heat seeking honeypot

Distinguishing traffic
● Each site master enumerates the list of dynamic and static links
● This set is considered as the Whitelist
● From honeypot logs, most of the attackers are not targeting the static pages
● They try to access non-existent files that were not publicly accessed
● Requests to links that are not in the Whitelist are considered malicious
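The whitelist rule from this slide, as an added example that is not part of the original slides or the paper's code: static links must match exactly, a dynamic link may vary its argument values but not its argument names, and every other request marks the source IP. The whitelist, the common-log-format regex and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed whitelist that a site master would enumerate for one honeypot site.
STATIC_LINKS = {"/", "/index.php", "/login.php", "/img/logo.png"}
# Dynamic links: path plus the parameter names the real software accepts;
# the parameter values are allowed to take any value.
DYNAMIC_LINKS = {"/index.php": {"page", "id"}, "/search.php": {"q"}}

# Common log format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_whitelisted(target):
    """True if the request hits a known static or dynamic link of the honeypot."""
    parts = urlsplit(target)
    if not parts.query:
        return parts.path in STATIC_LINKS or parts.path in DYNAMIC_LINKS
    allowed = DYNAMIC_LINKS.get(parts.path)
    if allowed is None:
        return False
    # Only the argument names are checked; their values are free to vary.
    return set(parse_qs(parts.query, keep_blank_values=True)) <= allowed


def classify_log(lines):
    """Return {ip: [targets outside the whitelist]} for every IP with such a request."""
    suspects = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:                      # skip lines that are not access records
            continue
        if not is_whitelisted(m["target"]):
            suspects.setdefault(m["ip"], []).append(m["target"])
    return suspects


# Constructed access-log sample (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Jan/2015:10:00:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [27/Jan/2015:10:00:03 +0000] "GET /index.php?page=2&setup=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [27/Jan/2015:10:00:04 +0000] "GET /admin/setup.php HTTP/1.1" 404 300',
    '203.0.113.5 - - [27/Jan/2015:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 400',
]
```

Known crawlers should be removed from the log before this pass, since a crawler following an outdated link would otherwise be flagged the same way as an attacker probing for a non-existent file.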

Page 19: Heat seeking honeypot

PROPERTIES
● Automatic generation of honeypot pages
● Looks identical to the original, so attackers conduct attacks against it
● Less overhead, less human interaction
● Improve interaction by installing the actual software

Page 20: Heat seeking honeypot

CONCLUSION
● Present heat-seeking honeypots, which deploy honeypot pages corresponding to vulnerable software in order to attract attackers.
● The system can detect malicious IP addresses solely through their web access patterns
● False-negative rate of at most 1%

Page 21: Heat seeking honeypot

REFERENCES
● http://en.wikipedia.org/wiki/Honeypot_computing
● http://www.symantec.com/connect/articles/problems-and-challenges-honeypots
● Glastopf Honeypot Project. http://glastopf.org/
● J. P. John, F. Yu, Y. Xie, M. Abadi, and A. Krishnamurthy. Searching the Searchers with SearchAudit.
● F. Yu, Y. Xie, and Q. Ke. SBotMiner: Large scale search bot detection.