? - PowerPoint PPT Presentation

About This Presentation
Title:

?

Description:

A short introduction to honeypots Telecooperation Group, Technische Universit t ... – PowerPoint PPT presentation

Number of Views:79
Avg rating:3.0/5.0
Slides: 17
Provided by: J753
Category:
Tags: analysis | malware

less

Transcript and Presenter's Notes

Title: ?


1
A short introduction to honeypots
  • ?µµa????? ?as???µa???????
  • ?p???f??? ??d??t??
  • Telecooperation Group, Technische Universität
    Darmstadt
  • Center for Advanced Security Research Darmstadt
    (CASED)
  • S??e???t?? ???. ???t??? ISLAB, ???, ?????????S
  • manolis_at_cased.de

2
Outline
  • Introduction
  • Classifications
  • Deployment Architectures
  • Open source vs. nothing
  • 2 Honeypots
  • SURFcert IDS experiences from Demokritos
  • Future work - ideas

3
Introduction (1/2)
  • Axiom Attackers are always (at least) one step
    forward
  • Attacks are getting overwhelming, targeted and
    also more sophisticated
  • Intrusion Detection Systems (IDSs) produce a
    significant large number of false
    positive/negative alerts.
  • More proactive solutions, and more information
    regarding the attacks are needed.

4
Introduction
  • Definition A security resource who's value lies
    in being probed, attacked or compromised
  • Doesnt have to be a system Honeytokens
  • We want to get compromised!
  • Certainly not a standalone security mechanism.
  • Why?
  • FUN!
  • No false-positives!
  • Research Malware analysis/reverse engineering
  • Reducing available attack surface/early warning
    system

5
Honeypot Classifications
  • Low interaction simulate network operations
    (usually at the tcp/ip stack)
  • Medium interaction simulate network
    operations(with more sophisticated ways)
  • High interaction real systems(e.g., VMs)
  • Other classifications
  • Purpose Generic, Malware collectors, SSH, etc.
  • Production Research (not really useful)

6
Honeypot Deployment Architectures
7
Open Source vs. nothing (really!)
Honeypot Type OS Language GUI License
Honeyd Generic LINUX C N GNU
Nepenthes Malware LINUX C N GNU
Dionaea Malware LINUX PYTHON N GNU
Honeytrap Generic LINUX C N GNU
LaBrea Generic LINUX C N GNU
Tiny HP Generic LINUX PERL N GNU
HoneyBot Malware WINDOWS - Y CLOSED
Google Hack HP WEB - PHP Y GNU
Multipot Malware WINDOWS VB 6 Y GNU
Glastopf WEB - PYTHON Y GNU
Kojoney SSH LINUX PYTHON N GNU
Kippo SSH LINUX PYTHON N BSD
Amun Malware LINUX PYTHON N GNU
Omnirova Malware WINDOWS Borland Delphi Y GNU
BillyGoat Malware - ? ? CLOSED
Artemisa VOIP - PYTHON N GNU
GHOST USB WINDOWS C Y GNU
8
Dionaea
  • Low Interaction honeypot for collecting malware
  • Nepenthes successor
  • Basic protocol simulated SMB (port 445)
  • Others HTTP, HTTPS, FTP, TFTP, MSSQL and SIP
    (VOIP)
  • Also supports IPv6 and TLS
  • Malware files stored locally or/and sent to 3rd
    party entities (CWSandbox, Norman Sandbox,
    Anubis, VirusTotal)

9
Kippo (1/2)
  • Low interaction SSH honeypot
  • Features
  • Presenting a fake (but functional) system to
    the attacker (resembling a Debian 5.0
    installation)
  • Attacker can download his tools through wget, and
    we save them for later inspection (cool!)
  • Session logs are stored in an UML- compatible
    format for easy replay with original timings
    (even cooler!)
  • Easy to install, but hard to get hackers!

10
SURFcert IDS
  • An open source (GPLv2) distributed intrusion
    detection system based on honeypots
  • Sensors, act as proxies, forwarding network
    traffic from the monitored network to the
    systems center using OpenVPN
  • Supported Honeypots Nepenthes, Dionaea, Argos,
    Kippo

Three parts Tunnel honeypot server Web
Logging server Sensors
11
SURFcert IDS
  • Also
  • Supports p0f for attackers OS detection
  • Statistics, nice web-GUI, sensor status,
    geographical visualizations, and more

12
SURFcert IDS _at_ Demokritos
  • Some stats
  • 21.000 attacks on 3 different sensors (1 month)
  • 1500 malware files downloaded
  • Main target port 445
  • Successfully detected infected systems, inside
    our network (mostly with a Conficker Worm
    variant)
  • Automatic malware analysis can give us valuable
    informationon Botnets (and their CC IRC
    servers)
  • Possible to find zero-date exploits / new malware
    (or different variants)

13
Future Work - Ideas
  • Features
  • Better visualization
  • Anti-evasion techniques
  • Cheap easy mobile sensorsRaspberry Pi
  • Advertising honeypots
  • Honeypots
  • Mobile honeypots (e.g., Android)
  • SCADA Industrial Control Systems (ICS)

Attacker scans our system
Attacker trying to connect to our ftp server
14
  • Thank You ?
  • Questions?

15
  • Backup slides

16
Useful Links
  • Interesting stuff
  • http//www.islab.demokritos.gr Many
    honeypot-related theses available
  • https//www.enisa.europa.eu/activities/cert/suppor
    t/proactive-detection/proactive-detection-of-secur
    ity-incidents-II-honeypots - Report from ENISA
    regarding honeypots
  • http//publicids.surfnet.nl8080/surfnetids/login.
    php - Demo version of SURFcert IDS
  • Honeypots
  • http//www.honeynet.org General information on
    honeypots
  • http//dionaea.carnivore.it Dionaea honeypot
  • http//amunhoney.sourceforge.net Amun honeypot
  • http//map.honeynet.org Honeypots visualization

17
SURFcert IDS _at_ Demokritos
outside main firewall
inside main firewall
Write a Comment
User Comments (0)
About PowerShow.com