Camouflaging Virtual Honeypots
Authors
Abstract
Honeypots are decoys designed to trap attackers. Once deployed, honeypots can be used to log an attacker’s activities, analyze the attacker’s behavior and design new approaches to defend against it. A virtual honeypot can emulate multiple honeypots on one physical machine, and so provide great flexibility in representing one or more networks of machines. In order to operate effectively, a honeypot needs to hide itself, analogously to an experienced sniper needing camouflage. In this paper, we address issues related to designing an appropriate “camouflage” for virtual honeypots, in particular for Honeyd, which can emulate any size of network on one or multiple physical machines. We found that an attacker may remotely fingerprint Honeyd by measuring the link latency of the network links emulated by Honeyd. We design a camouflaged Honeyd by rewriting a small part of the Honeyd toolkit code and by appropriately patching the operating system. Our experiments demonstrate the effectiveness of our approach in hiding Honeyd.
Similar resources
"Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots
The honeypot has been an invaluable tool for the detection and analysis of network-based attacks by either human intruders or automated malware in the wild. The insights obtained by deploying honeypots, especially high-interaction ones, largely rely on the monitoring capability on the honeypots. In practice, based on the location of sensors, honeypots can be monitored either internally or externall...
Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention
The honeypot has emerged as an effective tool to provide insights into new attacks and exploitation trends. However, a single honeypot or multiple independently operated honeypots only provide limited local views of network attacks. Coordinated deployment of honeypots in different network domains not only provides broader views, but also creates opportunities of early network anomaly detection, ...
Honeyd: A Virtual Honeypot Daemon
Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends and they allow in-depth examination of adversaries during and after exploitation of a honeypot. Deploying physical honeypots is often time intensive and expensive as different oper...
Honeypot architectures for IPv6 networks
The decrease of available IPv4 addresses and the requirement for new features demands Internet service providers to deploy IPv6 networks. It is not a question of if, but when new network attacks will appear, which target the comparatively new network protocol. Virtual honeypots provide an important tool for the observation of assaults in computer networks. In contrast to intrusion detection sys...
Versatile virtual honeynet management framework
Honeypots are designed to investigate malicious behaviour. Each type of homogeneous honeypot system has its own characteristics in respect of specific security functionality, and also suffers functional drawbacks that restrict its application scenario. In practical scenarios, therefore, security researchers always need to apply heterogeneous honeypots to cope with different attacks. However, th...