heat seeking honeypot
Heat-seeking Honeypots: Design and Experience
AUTHORS: John P. John, Arvind Krishnamurthy, Fang Yu, Yinglian Xie, and Martín Abadi.
Outline
● Honeypot
● Problem statement
● Introduction
● System design
● Architecture
● Working
● Conclusion
● References
CURRENT PROBLEMS
Internet security is hard:
● New attacks appear every day
● Our computers are static targets
What should we do?
● The more you know about your enemy, the better you can protect yourself
● Offer a fake target?
SOLUTION
HONEYPOT: a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Architecture (where a honeypot can be placed)
● In front of the firewall
● In the demilitarized zone (DMZ)
● Behind the firewall (intranet)
PROBLEM STATEMENT
We lack an automated, server-based honeypot system that generates honeypot (web) pages based on the attackers' interests.
INTRODUCTION
● Heat-seeking honeypots attract attackers, dynamically generate and deploy honeypot pages, and analyze logs to identify attacks
● Attackers search for vulnerable servers
Challenges:
● How attackers find, compromise, and misuse vulnerable servers
● How to select which web applications to emulate
● How to effectively get attackers to target these honeypots
SYSTEM DESIGN
Heat-seeking honeypots consist of 4 components:
➢ Obtaining attacker queries
➢ Creation of honeypot pages
➢ Advertising honeypot pages to attackers
➢ Detecting malicious traffic using logs
ARCHITECTURE
1. Obtaining attacker queries
How do attackers find web servers?
➔ By using Internet search engines. Example query for a PHP vulnerability: phpizabi v0.848b c1 hfp1
➔ By brute-force port scanning of the Internet.
How can we obtain these malicious queries?
SearchAudit: automatically identifies malicious queries issued by attackers in the Bing search log.
2. Creation of honeypot pages
Approach 1: Install vulnerable web software
a. Manually install web applications that are frequently targeted.
b. Place each application in a different VM.
Pros: high interaction with the attacker.
Cons: needs a domain expert to manually identify the targeted software and set it up.
Approach 2: Set up web pages matching the query
a. No actual software is installed.
b. Web pages resembling the real application's pages are created automatically.
Pros: scalable.
Cons: fewer interactions, since requests made by attackers may receive incorrect responses.
Approach 3: Set up proxy pages
a. Create a transparent proxy that forwards all attacker requests to the actual website.
Pros: combines the advantages of the previous two approaches.
Cons: the honeypot would be assisting in malicious attacks on the real site.
Steps in honeypot creation
● Search for each query and collect the result URLs.
● Fetch the web page elements of the top results that are required to render these pages.
● Strip all JavaScript content and rewrite all links to local points of the page.
● Populate the pages with keywords to improve their search rankings.
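The page-rewriting step above, as an added example (this is not the authors' code and it is not the system described in the paper): starting from a fetched top result, it removes every script block, inline event handler and javascript: URL, rewrites each link, stylesheet, image and form target to a path under a local directory, records which remote elements must be fetched so the page still renders, and inserts the chosen keywords. The sample HTML, the `/honeypot` directory and the keyword list are constructed for the example.

```python
"""Added example: build a self-contained honeypot page from a fetched result.
Not the authors' code; the sample page and paths below are constructed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of what a fetched top result for a query might contain.
SAMPLE_HTML = """<!DOCTYPE html><html><head><title>PHPizabi v0.848b C1 HFP1</title>
<script src="http://example.com/track.js"></script>
<link rel="stylesheet" href="/css/style.css"></head>
<body onload="init()">
<h1>PHPizabi v0.848b C1 HFP1</h1>
<a href="http://example.com/admin/login.php">Login</a>
<a href="register.php">Register</a>
<a href="javascript:void(0)">Menu</a>
<img src="http://example.com/img/logo.png">
<script>alert('hi')</script>
</body></html>"""

URL_ATTRS = {"href", "src", "action"}


class HoneypotRewriter(HTMLParser):
    """Re-emit the page with all JavaScript removed and every URL made local."""

    def __init__(self, base_url, local_dir, keywords):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.base_url = base_url
        self.local_dir = local_dir.rstrip("/")
        self.keywords = keywords
        self.out = []
        self.script_depth = 0
        self.assets = {}  # remote URL -> local path the page now references

    def localize(self, url):
        absolute = urljoin(self.base_url, url)          # resolve relative links
        path = urlparse(absolute).path or "/"
        local = f"{self.local_dir}/{path.lstrip('/')}"  # drop the host entirely
        self.assets[absolute] = local
        return local

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_depth += 1        # swallow the tag and its body
            return
        pieces = []
        for name, value in attrs:
            if name.startswith("on"):     # inline event handlers are JS
                continue
            if value and value.strip().lower().startswith("javascript:"):
                continue
            if name in URL_ATTRS and value:
                value = self.localize(value)
            pieces.append(f' {name}="{escape(value, quote=True)}"'
                          if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(pieces)}>")

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            return
        self.handle_starttag(tag, attrs)
        self.out[-1] = self.out[-1][:-1] + "/>"

    def handle_endtag(self, tag):
        if tag == "script":
            self.script_depth -= 1
            return
        if tag == "head":                 # keyword stuffing for ranking
            self.out.append(f'<meta name="keywords" content="{escape(", ".join(self.keywords), quote=True)}">')
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.script_depth == 0:        # script bodies never reach the output
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass                              # comments may hide conditional scripts

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def build_honeypot_page(html, base_url, local_dir="/honeypot", keywords=()):
    """Return (rewritten_html, assets): assets maps each remote element the
    page referenced to the local path it was rewritten to, i.e. what to fetch."""
    rw = HoneypotRewriter(base_url, local_dir, list(keywords))
    rw.feed(html)
    rw.close()
    return "".join(rw.out), rw.assets


if __name__ == "__main__":
    page, assets = build_honeypot_page(SAMPLE_HTML, "http://example.com/index.php",
                                       keywords=["phpizabi", "v0.848b"])
    print(page)
    print(assets)
```

The assets map is the fetch list for the second step on the slide: the stylesheet and images are downloaded to the local paths so the honeypot renders like the original, while the tracking script is dropped rather than fetched. Serving the stripped copy also means the honeypot never executes the original site's client-side code against its visitors.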
3. Advertising honeypot pages to attackers
● Submit the URLs of the honeypot pages to search engines
● Add links to them from other public web pages
● Legitimate sites should not lose traffic from ordinary users
4. Detecting malicious traffic
● Problems with the existing blacklist approach
● Log all visits to our local heat-seeking honeypots
● Process the logs and automatically extract attack traffic
● Two kinds of legitimate traffic to separate out:
  - Search engine crawlers
  - Regular users
Identifying crawlers and malicious traffic
● Identifying crawlers
  ○ Characterizing the behavior of known crawlers
  ○ Identifying unknown crawlers
● Two types of links a crawler visits:
  ○ Static: the automatically generated honeypot pages.
  ○ Dynamic: generated by the real software, where URL arguments can take different values.
Distinguishing traffic
● Each site master enumerates the list of dynamic and static links
● This set is considered the whitelist
● The honeypot logs show that most attackers do not target the static pages
● Attackers try to access non-existent files that are not publicly accessible
● Requests for links that are not in the whitelist are considered malicious
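The whitelist-based classification from the last two slides, as an added example (not the authors' code or the paper's implementation): it parses constructed Apache combined-format log lines, separates known crawlers, checks each request against the site master's whitelist of static honeypot pages and dynamic software links, and flags everything else as malicious. Two choices here are assumptions: crawlers are recognised by a user-agent token (spoofable, so in practice corroborate it, for instance by reverse DNS of the source address), and a dynamic link is whitelisted by path plus the argument names the software's own links use, so that a request adding an argument the software never emits (`cmd=` in the sample) falls off the whitelist even though the path is real. The IPs, paths and log lines are constructed.

```python
"""Added example: whitelist-based detection over honeypot access logs.
Not the authors' code; log lines, paths and addresses are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2011:10:00:01 +0000] "GET /hp/phpizabi-v0.848b/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.5 - - [01/Jan/2011:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Jan/2011:10:00:05 +0000] "GET /hp/phpizabi-v0.848b/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.7 - - [01/Jan/2011:10:00:06 +0000] "GET /phpizabi/index.php?page=home HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.9 - - [01/Jan/2011:10:00:09 +0000] "GET /phpizabi/admin/install.php?step=1 HTTP/1.1" 404 210 "-" "libwww-perl/5.834"
203.0.113.9 - - [01/Jan/2011:10:00:10 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 210 "-" "libwww-perl/5.834"
203.0.113.9 - - [01/Jan/2011:10:00:11 +0000] "GET /phpizabi/index.php?page=home&cmd=id HTTP/1.1" 200 4100 "-" "libwww-perl/5.834"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The whitelist the site master enumerates (constructed for the example).
# Static: generated honeypot pages. Dynamic: paths served by real software,
# mapped to the argument names its own links use; argument values may vary.
STATIC_PAGES = {"/hp/phpizabi-v0.848b/index.html"}
DYNAMIC_PAGES = {"/phpizabi/index.php": {"page"}}
# Assumption: known crawlers identified by a user-agent token. The UA string
# is attacker-controlled, so corroborate it (e.g. reverse DNS) in practice.
CRAWLER_UA_TOKENS = ("Googlebot", "bingbot", "Slurp")


def parse_line(line):
    """Return the log fields as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def on_whitelist(target):
    parts = urlsplit(target)
    if parts.path in STATIC_PAGES:
        return True
    allowed = DYNAMIC_PAGES.get(parts.path)
    if allowed is None:
        return False                      # path the site never linked to
    # Same path as a real link, but an argument the software never emits
    # is not a link on the site and therefore off-whitelist.
    return set(parse_qs(parts.query, keep_blank_values=True)) <= allowed


def classify(record):
    if any(tok in record["ua"] for tok in CRAWLER_UA_TOKENS):
        return "crawler"
    return "legitimate" if on_whitelist(record["target"]) else "malicious"


def classify_log(text):
    """Return [(ip, target, label)] for every parseable line of the log."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            out.append((rec["ip"], rec["target"], classify(rec)))
    return out


def malicious_ips(records):
    """Addresses that issued at least one off-whitelist request."""
    return {ip for ip, _, label in records if label == "malicious"}


if __name__ == "__main__":
    recs = classify_log(SAMPLE_LOG)
    for ip, target, label in recs:
        print(f"{label:10} {ip:14} {target}")
    print("malicious IPs:", sorted(malicious_ips(recs)))
```

In the sample, the crawler's probe for `/robots.txt` is not on the whitelist but is attributed to the crawler rather than flagged, the regular user only follows links the pages actually contain, and the scanning host is caught three times: two probes for files that only exist if other vulnerable software were installed, and one request that reuses a real path with an injected argument.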
PROPERTIES
● Automatic generation of honeypot pages
● Pages look identical to the originals, so attackers proceed with their attacks
● Less overhead, less human interaction
● Interaction can be improved by installing the actual software
CONCLUSION
● We presented heat-seeking honeypots, which deploy honeypot pages corresponding to vulnerable software in order to attract attackers.
● The system can detect malicious IP addresses solely through their web access patterns.
● False-negative rate of at most 1%.
REFERENCES
● http://en.wikipedia.org/wiki/Honeypot_computing
● http://www.symantec.com/connect/articles/problems-and-challenges-honeypots
● Glastopf Honeypot Project. http://glastopf.org/
● J. P. John, F. Yu, Y. Xie, M. Abadi, and A. Krishnamurthy. Searching the Searchers with SearchAudit.
● F. Yu, Y. Xie, and Q. Ke. SBotMiner: Large Scale Search Bot Detection.