Heat-seeking Honeypots: Design and Experience
AUTHORS: John P. John, Arvind Krishnamurthy, Fang Yu, Yinglian Xie, and Martín Abadi.

Outline
● Honeypot
● Problem statement
● Introduction
● System Design
● Architecture
● Working
● Conclusion
● References

CURRENT PROBLEMS
Internet security is hard:
● New attacks every day
● Our computers are static targets
What should we do?
● The more you know about your enemy, the better you can protect yourself
● Fake target?

SOLUTION
HONEYPOT: A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Architecture
● In front of the firewall
● Demilitarized Zone
● Behind the firewall (Intranet)

PROBLEM STATEMENT
We lack an automated, server-based honeypot system that generates honeypot (web) pages based on attackers' interests.

INTRODUCTION
● Heat-seeking honeypots attract attackers, dynamically generate and deploy honeypot pages, and analyze logs to identify attacks
● Attackers search for vulnerable servers
Challenges:
● How attackers find, compromise, and misuse vulnerable servers
● How to select which web applications to emulate
● How to effectively get attackers to target these honeypots

SYSTEM DESIGN
Heat-seeking honeypots consist of 4 components:
➢ Obtaining attacker queries
➢ Creation of honeypot pages
➢ Advertising honeypot pages to attackers
➢ Detecting malicious traffic using logs

ARCHITECTURE (system architecture diagram)

1. Obtaining attacker queries
How do attackers find Web servers?
➔ Make use of Internet search engines. E.g. a query for a PHP vulnerability: phpizabi v0.848b c1 hfp1
➔ Perform brute-force port scanning on the Internet.
How can we obtain these malicious queries?
SearchAudit: automatically identifies malicious queries from attackers in the Bing log.

2. Creation of honeypot pages
1. Install vulnerable web software:
a. Manually install web applications that were frequently targeted.
b. Each application is placed in a different VM.
Pros: High interaction with the attacker.
Cons: Needs a domain expert to manually identify the target software and set up the software.

Contd..
2. Set up web pages matching the query:
a. No setting up of actual software.
b. Web pages similar to the targeted software are created automatically.
Pros: Scalable.
Cons: Fewer interactions, since requests made by attackers may result in incorrect responses.

Contd..
3. Set up proxy pages:
a. Create a transparent proxy that forwards all attacker requests to the actual website.
Pros: Combines the advantages of the previous two approaches.
Cons: Assists in malicious attacks.

Steps in honeypot creation
● Browse for each query and collect the result URLs.
● Fetch the web page elements of the top results that are required to render these pages.
● Strip all JavaScript content and rewrite all links to local points of the page.
● Populate with keywords to improve page ranks.
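The page-generation steps above, as an added Python example that is not part of the paper's system: the standard-library HTML parser drops script elements and inline event handlers, rewrites href/src/action attributes to local paths, and records which assets the honeypot must serve. The sample HTML, the query string reused as keywords, and the meta-tag injection are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fetched search-result page (not a real site).
SAMPLE_HTML = (
    '<html><head><title>Demo App</title>'
    '<script src="http://example.com/js/app.js"></script></head>'
    '<body onload="init()"><a href="http://example.com/admin/login.php">Login</a>'
    '<img src="/images/logo.png"><script>alert(1)</script></body></html>'
)

class HoneypotRewriter(HTMLParser):
    """Rebuilds HTML without JavaScript, with links pointing at local copies."""
    def __init__(self, keywords):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script, self.keywords = [], False, keywords
        self.assets = set()  # local paths the honeypot must serve (fetched separately)

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # drop the element and everything inside it
            self.in_script = True
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers are JavaScript too
                continue
            if name in ("href", "src", "action") and value:
                value = urlparse(value).path or "/"  # rewrite to a local point
                self.assets.add(value)
            kept.append(f' {name}="{value}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag == "head":  # keywords so the page ranks for the queries attackers issue
            self.out.append(f'<meta name="keywords" content="{self.keywords}">')

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # script bodies are discarded
            self.out.append(data)

def build_honeypot_page(html, query):
    p = HoneypotRewriter(query)
    p.feed(html)
    p.close()
    return "".join(p.out), p.assets
```

The returned asset set is what a fetcher would then download and store locally so the page renders without contacting the original site.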

3. Advertising honeypot pages to attackers
● Submit URLs of honeypot pages to search engines
● Add links to other public web pages
● Legitimate sites shall not lose traffic from ordinary users

4. Detecting malicious traffic
● Problems of the existing blacklist approach
● Log all visits to our local heat-seeking honeypots
● Process the logs and automatically extract attack traffic
● Two kinds of legitimate traffic:
- Search engine crawlers
- Regular users

Identifying crawlers and malicious traffic
● Identifying crawlers
○ Characterizing the behavior of known crawlers
○ Identifying unknown crawlers
● Two types of links a crawler visits:
○ Static: automatically generated honeypot pages.
○ Dynamic: generated by the real software, where URL arguments can take different values.

Distinguishing traffic
● Each site master enumerates the list of dynamic and static links
● This set is considered as the whitelist
● From honeypot logs, most of the attackers are not targeting the static pages
● They try to access non-existent files that were not publicly accessed
● Requests to links that are not in the whitelist are considered malicious
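One way to apply the whitelist rule from the last two slides to honeypot logs, as an added example that is not the paper's code: known crawlers are recognised by user-agent substrings (the behavioural identification of unknown crawlers on the previous slide is not modelled), static pages must match exactly, and dynamic links match on path plus the set of argument names while values may vary. The log lines, whitelist and crawler list are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log lines from a honeypot (not real data).
LOG_LINES = """\
203.0.113.5 - - [10/May/2011:10:01:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2011:10:01:03 +0000] "GET /forum/viewtopic.php?t=42&start=10 HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2011:10:02:10 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
192.0.2.77 - - [10/May/2011:10:03:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [10/May/2011:10:03:01 +0000] "GET /install/setup.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.77 - - [10/May/2011:10:03:02 +0000] "GET /forum/viewtopic.php?t=1&template=x HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Whitelist enumerated by the site master: static honeypot pages, plus the dynamic
# links of the real software with the argument names they accept (values vary).
STATIC_PAGES = {"/forum/index.php", "/forum/faq.php"}
DYNAMIC_LINKS = {"/forum/viewtopic.php": {"t", "start"}}
KNOWN_CRAWLERS = ("bingbot", "Googlebot")  # user-agent substrings of known crawlers

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

def is_whitelisted(url):
    """True if the request matches a static page or a known dynamic link."""
    parts = urlsplit(url)
    if parts.path in STATIC_PAGES:
        return True
    allowed = DYNAMIC_LINKS.get(parts.path)
    if allowed is None:
        return False
    # Dynamic link: the path is fixed and values may vary, but argument names must match.
    return set(parse_qs(parts.query, keep_blank_values=True)) <= allowed

def classify(line):
    """Return (ip, label) with label crawler / legitimate / malicious, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, url, _status, agent = m.groups()
    if any(bot in agent for bot in KNOWN_CRAWLERS):
        return ip, "crawler"
    return ip, ("legitimate" if is_whitelisted(url) else "malicious")

def malicious_ips(lines):
    """IPs that requested anything outside the whitelist (the attacker signal used above)."""
    return {c[0] for c in map(classify, lines) if c and c[1] == "malicious"}
```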

PROPERTIES
● Automatic generation of honeypot pages
● Looks identical to the original, so attackers conduct attacks
● Less overhead, less human interaction
● Improve interaction by installing the actual software

CONCLUSION
● Presents heat-seeking honeypots, which deploy honeypot pages corresponding to vulnerable software in order to attract attackers.
● The system can detect malicious IP addresses solely through their web access patterns.
● False-negative rate of at most 1%.

REFERENCES
● http://en.wikipedia.org/wiki/Honeypot_computing
● http://www.symantec.com/connect/articles/problems-and-challenges-honeypots
● Glastopf Honeypot Project. http://glastopf.org/
● J. P. John, F. Yu, Y. Xie, M. Abadi, and A. Krishnamurthy. Searching the Searchers with SearchAudit.
● F. Yu, Y. Xie, and Q. Ke. SBotMiner: Large scale search bot detection.