1 / 22

Network of Affined Honeypots: More Than An Infrastructure

presented by Spiros Antonatos antonat@ics.forth.gr Distributed Computing Systems Lab Institute of Computer Science FORTH. Network of Affined Honeypots: More Than An Infrastructure. Roadmap. A little about the project What are honeypots? The NoAH approach Architecture overview Argos

dextra
Télécharger la présentation

Network of Affined Honeypots: More Than An Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. presented by Spiros Antonatos antonat@ics.forth.gr Distributed Computing Systems Lab Institute of Computer Science FORTH Network of Affined Honeypots: More Than An Infrastructure

  2. Roadmap A little about the project What are honeypots? The NoAH approach Architecture overview Argos Honey@home Conclusions/discussion Terena Networking Conference 2007

  3. The NoAH project • Three years project • April 2005 until March 2008 • Funded from the Research Infrastructures Programme of the European Union • 4 Work Packages • FORTH is coordinator Terena Networking Conference 2007

  4. What problem we face • Malware: worms, viruses, keyloggers, spyware… • Malware spreads fast • Faster than we can react • Thousands of hosts can be infected in a few minutes • We need information about the cyberattacks so as to build effective defenses Terena Networking Conference 2007

  5. Project goals Gather and analyse information about the nature of Internet cyberattacks Develop an infrastructure to detect and provide early warning of such attacks Security monitoring based on honeypot technology Terena Networking Conference 2007

  6. What are honeypots? Computer systems that do not run production services Listen to unused IP addresses Intentionally made vulnerable Closely monitored to analyse attacksdirected at them We can identify two typesof honeypots: low-interactionand high-interaction Terena Networking Conference 2007

  7. Low- and high-interaction honeypots • Low-interaction honeypots emulate services using scripts + Lightweight processes, able to cover large network space -Emulation cannot provide a high level of interaction with attackers • High-interaction honeypots do not perform emulation, they run real services - Heavyweight processes, able to cover small network space + Provide the highest level of interaction with attackers • NoAH uses the advantages of both types Terena Networking Conference 2007

  8. The NoAH architecture Terena Networking Conference 2007

  9. Low-interaction honeypot: Honeyd • Most popular and widely-used low-interaction honeypot • Emulates thousands of IP addresses • Performs network stack emulation • Highly configurable and lightweight • An efficient mechanism to filter out unestablished and uninteresting connections • Port scans, SSH brute-force attacks, etc • Interesting connections are forwarded to high-interaction honeypots Terena Networking Conference 2007

  10. High-interaction honeypot: Argos • Emulates entire PC systems • OS agnostic, run on commodity hardware • Based on the Qemu emulator • Key idea: data coming from the network should never be executed • Tracks network data throughout execution • Memory tainting technique • Detect illegal uses of network data • Jump targets, function pointers, instructions, system call arguments • Argos is able to detect all exploit attempts, including 0-days! Terena Networking Conference 2007

  11. Argos Overview NIC Applications Forensics Guest OS Argos emulator Signature post-processing Host OS Detect attack and log state Correlate data Signature Log Terena Networking Conference 2007

  12. http://www.few.vu.nl/argos Terena Networking Conference 2007

  13. Beyond honeypots: Honey@Home Honeypots listen to unused IP space of the organization they are hosted to This space is limiting to provide results fast and accurately NoAH tries to empower people to participate Bring NoAH to home users with Honey@home Terena Networking Conference 2007

  14. Honey@home • Lightweight tool that runs in the background • Monitors an unused IP address • Usually taken by DHCP • All traffic to that unused address isforwarded to our central honeypots • No configuration, install and run! • Both Windows and Linux platforms Terena Networking Conference 2007

  15. Honey@home in action 1 Running at the background 2 Creating a new virtual interface 3 Getting an IP address from DHCP server Terena Networking Conference 2007

  16. Backend architecture • Honey@home clients connect to NoAH honeypots • Honeyd acts as front-end to filter out scans • Honeyd hands off connection to Argos • Attacker thinks she communicates with honey@home user but in reality Argos is providing the answers Attack Forward Handoff Attacker Honey@home Honeyd NoAH core

  17. Challenges • Identity of clients and honeypots must remain hidden • Attackers can flood black space with junk traffic once identity is revealed • TOR is a network that can provide the desired anonymization • Automatic installation of clients must be prevented • Else attacker would massively deploy mockup clients • Registration with CAPTCHA techniques is used Terena Networking Conference 2007

  18. www.honeyathome.org Terena Networking Conference 2007

  19. How can an organization participate? • We view an organization as a regular user that possesses large unused space • A specialized version of honey@home is implemented • No TOR involved, organization is a trusted entity (unlike home users) • Only configuration needed is to declare the unused address space • Honey@home will forward all traffic to that space (funneling) Terena Networking Conference 2007

  20. Publications • Deliverables can be found at http://www.fp6-noah.org/publications/ • 5 conference papers • Usenix Security 05, SIGOPS 2006, DIMVA ’06, RAID’06 • Various articles and presentations • ERCIM news, local press Terena Networking Conference 2007

  21. Conclusions NoAH is a distributed architecture based on low- and high-interaction honeypots Argos is able to detect all exploits, including zero-days NoAH empowers non-experts to the battlefield of cyberattacks Honey@home enables unfamiliar users to effortlessly participate to NoAH Terena Networking Conference 2007

  22. Questions Terena Networking Conference 2007

More Related