WUSTL CSE 571S - A Practical Guide to Honeypots
A Practical Guide to Honeypots

Eric Peter, epeter(at)wustl(dot)edu and Todd Schiller, tschiller(at)acm(dot)org
(A project report written under the guidance of Prof. Raj Jain)
http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/index.html

Abstract

This paper is composed of two parts: a survey of honeypot technology and a case study describing a low-interaction honeypot implemented in Java. The survey provides a brief overview of honeypot concepts and references to more detailed works. The implementation case study addresses many of the decisions required when designing and implementing a low-interaction honeypot.

Keywords

Honeypot, network security, low-interaction, honeypot implementation, honeypot trends, honeyd, specter, honeyBot, case study

Table of Contents

1 Introduction
1.1 Network Intrusion Detection Systems
1.2 Honeypots
1.3 Honeypot History
1.4 Types of Honeypots
1.5 General Honeypot Advantages and Disadvantages
2 Recent Trends and Advances
2.1 Honeynets and Honeyfarms
2.2 Shadow Honeypots
2.3 Distributed Honeypots
3 Survey of Existing Honeypot Solutions
3.1 Honeyd
3.2 HoneyBOT
3.3 Specter
3.4 Comparison
4 HoneyRJ: Low-Interaction Honeypot Implementation Case Study
4.1 Implementation Features
4.2 Application Design
4.2.1 Choice of Development Language
4.2.2 Choice of IDE
4.2.3 Design Decisions
4.3 Application Internals
4.3.1 HoneyRJ Launch and Initialization
4.3.2 LIModule Initialization
4.3.3 LIProtocol interface overview
4.4 Implementing Additional Protocols
4.4.1 Key Protocol Design Decisions
4.4.2 Implementation
4.4.3 Adding the Protocol
5 Summary
Appendix: Application, Source Code, Source Code Documentation and User Manual
References
List of Acronyms

1 Introduction

In this section we describe network intrusion detection systems, the traditional approach to network security. We then introduce and provide a brief history of honeypots. The section concludes with a discussion of the general advantages and disadvantages of honeypots.

1.1 Network Intrusion Detection Systems

The goal of an Intrusion Detection System (IDS) is to "identify, preferably in real time, unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators" [Mukherjee94]. An IDS is used as an alternative (or a complement) to building a shield around the network. The shielding approach is deficient in several ways, including failure to prevent attacks from insiders. Mukherjee et al. provide an overview of the IDS problem [Mukherjee94].

Despite the groundwork being laid for detection systems, it wasn't until Paxson's work in 1998 that methods for building real-time detection systems became publicly available. The system converts a stream of packets into a series of high-level network events that can be analyzed according to the system security policy [Paxson99]. Since 1999, this work has been extended to incorporate advanced machine learning techniques [Verwoerd02] and to better detect threats such as denial-of-service attacks [Hussain03].

However, while IDS technology is progressing, methods to circumvent IDSs are becoming more prevalent [Ptacek98]. For example, Wagner and Soto develop a class of mimicry attacks which mimic the original behavior of the application [Wagner02]. In light of these attacks, as well as the growing prevalence of encrypted communication, alternatives such as honeypots have become more popular.

1.2 Honeypots

The exact definition of a honeypot is contentious; however, most definitions are some form of the following: a honeypot is "an information system resource whose value lies in unauthorized or illicit use of that resource" (from the www.securityfocus.com forum). A more practical, but more limiting, definition is given by pcmag.com: "A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system" [pcmag09].

In practice, honeypots are computers which masquerade as unprotected. The honeypot records all actions and interactions with users. Since honeypots don't provide any legitimate services, all activity is unauthorized (and possibly malicious). Talabis presents honeypots as being analogous to the use of wet cement for detecting human intruders [Talabis07b].

1.3 Honeypot History

The first publicly available honeypot was Fred Cohen's Deception ToolKit in 1998, which was "intended to make it appear to attackers as if the system running DTK [had] a large number of widely known vulnerabilities" [Cohen98]. More honeypots became both publicly and commercially available throughout the late nineties. As worms began to proliferate beginning in 2000, honeypots proved imperative in capturing and analyzing worms. In 2004, virtual honeypots were introduced which allow multiple honeypots to run on a single server [Provos04]. A detailed history of honeypots can be found in [Spitzner02] and [Talabis07a].

1.4 Types of Honeypots

There are two broad categories of honeypots available today, high-interaction and low-interaction. These categories are defined based on the services, or interaction level, provided by the honeypot to potential hackers [Spitzner02]. High-interaction honeypots let the hacker interact with the system as they would any regular operating system, with the goal of capturing the maximum amount of information on the attacker's techniques. Any command or application an end-user would expect to be installed is available, and generally there is little to no restriction placed on what the hacker can do once he/she compromises the system. In contrast, low-interaction honeypots present the hacker with emulated services offering a limited subset of the functionality they would expect from a server, with the intent of detecting sources of unauthorized activity [Provos04]. For example, the HTTP service on a low-interaction honeypot would only support the commands needed to identify that a known exploit is being attempted. Some authors classify a third category, medium-interaction honeypots, as providing expanded interaction over low-interaction honeypots but less than high-interaction systems. A medium-interaction honeypot might more fully implement the HTTP protocol to emulate a well-known vendor's implementation, such as Apache. However,
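A concrete instance of the low-interaction HTTP service described above, added here as an illustration and not code from the paper or its HoneyRJ project (Python rather than the case study's Java; the banner string, the handler names and the sample requests are my own assumptions). It answers only GET and HEAD with a canned reply, refuses everything else, and treats the log record, not the response, as the honeypot's real output:

```python
"""Added example: a minimal low-interaction HTTP emulation.
It parses just the request line, returns a canned banner, and records
every interaction, including ones it does not understand."""
import json
from datetime import datetime, timezone

BANNER = "Apache/2.2.11 (Unix)"   # constructed banner, not a real deployment value
SUPPORTED = {"GET", "HEAD"}        # the only methods the emulation implements
CANNED_BODY = b"<html><body>It works!</body></html>\n"

def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line, or None if malformed."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]

def handle_request(raw: bytes, peer: str) -> tuple[bytes, dict]:
    """Build the canned reply and the log record for one request."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "peer": peer,
              "raw": raw.decode("latin-1", "replace"), "method": None, "target": None}
    req = parse_request_line(raw)
    body = b""
    if req is None:                      # not HTTP at all: still worth recording
        record["verdict"] = "malformed"
        status = "400 Bad Request"
    else:
        method, target, _ = req
        record.update(method=method, target=target)
        if method in SUPPORTED:
            record["verdict"] = "emulated"
            status, body = "200 OK", CANNED_BODY
        else:                            # unusual methods are the interesting part
            record["verdict"] = "unsupported"
            status = "501 Not Implemented"
    length = len(body)
    if req is not None and req[0] == "HEAD":
        body = b""                       # HEAD: headers only, length of the GET body
    headers = (f"HTTP/1.1 {status}\r\nServer: {BANNER}\r\n"
               f"Content-Length: {length}\r\nConnection: close\r\n\r\n")
    return headers.encode("ascii") + body, record

if __name__ == "__main__":
    # Constructed sample interactions, not real captures.
    for sample in (b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
                   b"PROPFIND / HTTP/1.1\r\nHost: x\r\n\r\n",
                   b"\x16\x03\x01garbage"):
        _, rec = handle_request(sample, "198.51.100.7")
        print(json.dumps(rec))
```

Wrapping `handle_request` in a socket accept loop is all that is needed to listen; the request line parser is deliberately the only piece of HTTP the service knows.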