Wednesday, February 28, 2007

Honeypot Systems

A Virtual Honeypot Framework - Niels Provos

Let us understand the concept of a honeypot in real life. Imagine a pot of honey lying uncovered. What do you expect will happen? Naturally, bees will be attracted to it.

So here the honey-filled pot is the dummy computer, used to lure the bees, which can be any kind of malicious code, from worms to spam mail. We want to study the way these 'bees' are attracted to the honey to learn more about them and their behaviour. The more we know about something, the better our defences against it.

So the honeypot is not exactly a new invention. It has been widely used in computer security for a while now. Then you may ask, what is the point of this paper?

Well, the problem with honeypots is that they are expensive and time-consuming. Hence the need for virtual honeypots - Honeyd.

Honeyd creates virtual honeypot networks. A virtual honeypot is simulated by another machine that responds to network traffic sent to it. The system simulates TCP and UDP services, and it simulates only the network stack portion of the operating system, not a full host.

Design and Implementation:

i) Receiving Network Data : The architecture is arranged so that traffic destined for all the virtual honeypots is delivered to the Honeyd host. Honeyd replies only to those network packets whose destination IP address belongs to one of the simulated honeypots.

ii) Architecture : It consists of several components - a configuration database, a central packet dispatcher, protocol handlers, a personality engine and an optional routing component.

iii) Personality Engine : Adversaries keep adapting and get cleverer as their detection techniques improve. A common fingerprinting tool like Xprobe or Nmap can probe a honeypot and establish that it is a dummy. Therefore we need to simulate the network behaviour of a given operating system. The personality engine changes the options and other parameters of the TCP header to match the behaviour of that operating system's network stack.
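To make points i) to iii) concrete, here is an added example (my own toy model, not Honeyd's code) that parses a small subset of Honeyd's configuration language as I know it from the Honeyd documentation (create / set personality / set default action / add port / bind), builds the configuration database, and then runs constructed packets through a central dispatcher. Only packets whose destination IP is bound to a template get an answer, and the reply's TTL and TCP window are taken from the template's personality. The `PERSONALITIES` table, the sample configuration and the packets are all constructed for illustration; the table is not Nmap's real fingerprint database.

```python
"""Toy model of Honeyd's packet path (added example, not Honeyd's own code)."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed fingerprints: the initial TTL and TCP window a real stack would use.
PERSONALITIES = {
    "Microsoft Windows XP Professional SP1": {"ttl": 128, "window": 65535},
    "Linux 2.4.20": {"ttl": 64, "window": 5840},
}
UNKNOWN_PERSONALITY = {"ttl": 64, "window": 5840}


@dataclass
class Template:
    """One entry of the configuration database."""
    name: str
    personality: Optional[str] = None
    # Action when no service is configured for a (proto, port) pair.
    default_action: dict = field(
        default_factory=lambda: {"tcp": "reset", "udp": "reset"})
    services: dict = field(default_factory=dict)  # (proto, port) -> handler


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


SAMPLE_CONFIG = """
# Constructed sample in Honeyd's configuration syntax.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
bind 192.168.1.10 windows

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action block
add linux tcp port 22 proxy $ipsrc:22
bind 192.168.1.20 linux
"""


def parse_config(text):
    """Build the configuration database: templates plus IP -> template bindings."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)  # keeps "sh scripts/web.sh" as one token
        if tok[0] == "create":
            templates[tok[1]] = Template(tok[1])
        elif tok[0] == "set" and tok[2] == "personality":
            templates[tok[1]].personality = tok[3]
        elif tok[0] == "set" and tok[2] == "default":
            # set <template> default <proto> action <reset|block|open>
            templates[tok[1]].default_action[tok[3]] = tok[5]
        elif tok[0] == "add":
            # add <template> <proto> port <number> <handler ...>
            templates[tok[1]].services[(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif tok[0] == "bind":
            bindings[ipaddress.ip_address(tok[1])] = templates[tok[2]]
        else:
            raise ValueError(f"unsupported directive: {line}")
    return templates, bindings


def dispatch(packet, bindings):
    """Central packet dispatcher plus personality engine for one inbound packet.

    Returns None when Honeyd would stay silent; otherwise a description of the
    reply: which template answered, which handler (or default action) applies,
    and the TTL/window the personality engine would stamp on the reply.
    """
    template = bindings.get(ipaddress.ip_address(packet.dst))
    if template is None:
        return None  # destination is not a simulated honeypot: never answer
    action = template.services.get(
        (packet.proto, packet.dport), template.default_action[packet.proto])
    if action == "block":
        return None  # silently dropped, as a firewalled port would be
    fp = PERSONALITIES.get(template.personality, UNKNOWN_PERSONALITY)
    return {
        "template": template.name,
        "action": action,
        "reply": "RST" if action == "reset" else "SYN-ACK",
        "ttl": fp["ttl"],
        "window": fp["window"],
    }


if __name__ == "__main__":
    _, bound = parse_config(SAMPLE_CONFIG)
    for pkt in (Packet("203.0.113.5", "192.168.1.10", "tcp", 80),
                Packet("203.0.113.5", "192.168.1.10", "tcp", 443),
                Packet("203.0.113.5", "192.168.1.20", "tcp", 22),
                Packet("203.0.113.5", "192.168.1.99", "tcp", 80)):
        print(pkt.dst, pkt.dport, "->", dispatch(pkt, bound))
```

The part worth noticing is the two silent paths in `dispatch`: an unbound destination gets nothing at all, and a `block` action gets nothing either, so a scanner sees an unused address and a filtered port respectively, while a `reset` comes back with the TTL and window of the configured personality rather than of the host actually running Honeyd.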

iv) Routing Topology : We need to simulate routing topologies to deceive adversaries. We create a virtual routing topology and can split it up using GRE tunnels between networks, which allows load balancing.
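As an added illustration of the routing component (again my own toy model, not Honeyd's code), the following example parses the three `route` directive forms from Honeyd's configuration language as I know them from its documentation (`route entry`, `route ... link`, `route ... add net ... latency ... loss`) and walks a packet from the entry router to a destination. Each virtual router on the path decrements the TTL, each hop adds its configured latency, and the per-hop loss is folded into a delivery probability instead of a random drop. The topology is constructed for illustration; GRE tunnels to other Honeyd machines are not modeled.

```python
"""Toy model of Honeyd's virtual routing topology (added example, not Honeyd's own code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Hop:
    """One 'route <router> add net ...' entry."""
    net: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    latency_ms: float
    loss: float


@dataclass
class Topology:
    entry: ipaddress.IPv4Address = None
    entry_net: ipaddress.IPv4Network = None
    links: dict = field(default_factory=dict)   # router -> [directly attached nets]
    routes: dict = field(default_factory=dict)  # router -> [Hop]


SAMPLE_TOPOLOGY = """
# Constructed sample in Honeyd's route syntax.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.1.0.1 add net 10.1.1.0/24 10.1.1.1 latency 20ms loss 0.0
route 10.1.1.1 link 10.1.1.0/24
"""


def parse_routes(text):
    """Build the virtual topology from route directives."""
    topo = Topology()
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[:2] == ["route", "entry"]:
            # route entry <router> network <net>: where packets enter the topology
            topo.entry = ipaddress.ip_address(tok[2])
            topo.entry_net = ipaddress.ip_network(tok[4])
        elif tok[0] == "route" and tok[2] == "link":
            # route <router> link <net>: hosts reachable without another hop
            topo.links.setdefault(ipaddress.ip_address(tok[1]), []).append(
                ipaddress.ip_network(tok[3]))
        elif tok[0] == "route" and tok[2:4] == ["add", "net"]:
            # route <router> add net <net> <next hop> [latency <n>ms] [loss <fraction>]
            opts = dict(zip(tok[6::2], tok[7::2]))
            hop = Hop(ipaddress.ip_network(tok[4]), ipaddress.ip_address(tok[5]),
                      float(opts.get("latency", "0ms").rstrip("ms")),
                      float(opts.get("loss", "0")))
            topo.routes.setdefault(ipaddress.ip_address(tok[1]), []).append(hop)
        else:
            raise ValueError(f"unsupported directive: {raw.strip()}")
    return topo


def traverse(topo, dst, ttl=64):
    """Walk one packet through the virtual routers towards dst."""
    dst = ipaddress.ip_address(dst)
    result = {"routers": [], "latency_ms": 0.0, "delivery_prob": 1.0,
              "status": None, "ttl": ttl}
    if dst not in topo.entry_net:
        result["status"] = "not routed"  # outside the topology: Honeyd never answers
        return result
    router = topo.entry
    while True:
        result["routers"].append(str(router))
        result["ttl"] -= 1  # every virtual router decrements the TTL
        if result["ttl"] == 0:
            result["status"] = f"ttl exceeded at {router}"  # what traceroute would see
            return result
        if any(dst in net for net in topo.links.get(router, [])):
            result["status"] = "delivered"
            return result
        candidates = [h for h in topo.routes.get(router, []) if dst in h.net]
        if not candidates:
            result["status"] = f"unreachable from {router}"
            return result
        hop = max(candidates, key=lambda h: h.net.prefixlen)  # longest prefix match
        result["latency_ms"] += hop.latency_ms
        result["delivery_prob"] *= 1 - hop.loss
        router = hop.next_hop


if __name__ == "__main__":
    topo = parse_routes(SAMPLE_TOPOLOGY)
    for target, ttl in (("10.1.1.7", 64), ("10.0.0.50", 64), ("10.1.1.7", 2), ("10.2.0.5", 64)):
        print(target, ttl, "->", traverse(topo, target, ttl))
```

The `ttl exceeded` branch is what makes the decoy topology visible to an adversary's traceroute: a probe with TTL 2 dies at the second virtual router, so the attacker sees two hops that exist only in Honeyd's configuration, and the accumulated latency makes those hops look like real links rather than a single host answering for everything.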

Potential applications for Honeyd include network decoys, detecting and countering worms, and spam prevention.

In conclusion, a regular PC can simulate thousands of honeypots using Honeyd, greatly reducing the expense and time involved.
