A Honeynet within the German Research Network – Experiences and Results
A honeynet is a specially prepared network which is not used for normal business. It is a kind of playground to watch and learn the tactics of crackers. The only purpose of a honeynet is to be probed, attacked or compromised. During the operation, other systems must not be harmed by an attack originating within the honeynet. In this paper the design, realization and operation of a honeynet built within the German Research Network (DFN) will be described. Concepts for continuously monitoring and securing the honeynet are introduced. A selection of the results of the operation phase will be presented as well.
Honeypots and honeynets: issues of privacy
Honeypots and honeynets are popular tools in the area of network security and network forensics. The deployment and usage of these tools are influenced by a number of technical and legal issues, which need to be carefully considered. In this paper, we outline the privacy issues of honeypots and honeynets with respect to their technical aspects. The paper discusses the legal framework of privacy and the legal grounds for data processing. We also discuss the IP address, because under EU law it is considered personal data. The analysis of legal issues is based on EU law and is supported by discussions on privacy and related issues.
Web attack risk awareness with lessons learned from high interaction honeypots
Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2009.

With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties directly influences the business, putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation.

In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provides the necessary forensic information that helps the research community to study the modus operandi of the attacker, gathering the latest exploits and malicious tools, and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attack information gathered with the web honeypots, the attacking behaviour is classified across different attacking profiles to analyse the risk mitigation safeguards needed to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypot security concepts in responding to each framework's requirements and consequently mitigating the risk.
Context-Aware Network Security.
The rapid growth in malicious Internet activity, due to the rise of threats like automated worms, viruses, and botnets, has driven the development of tools designed to protect host and network resources. One approach that has gained significant popularity is the use of network-based security systems. These systems are deployed on the network to detect, characterize and mitigate both new and existing threats.

Unfortunately, these systems are developed and deployed in production networks as generic systems, and little thought has been paid to customization. Even when it is possible to customize these devices, the approaches for customization are largely manual or ad hoc. Our observation of production networks suggests that these networks have significant diversity in end-host characteristics, threat landscape, and traffic behavior -- a collection of features that we call the security context of a network. The scale and diversity in the security context of production networks make manual or ad hoc customization of security systems difficult. Our thesis is that automated adaptation to the security context can be used to significantly improve the performance and accuracy of network-based security systems.

In order to evaluate our thesis, we explore a system from each of three broad categories of network-based security systems: known threat detection, new threat detection, and reputation-based mitigation. For known threat detection, we examine a signature-based intrusion detection system and show that the system performance improves significantly if it is aware of the signature set and the traffic characteristics of the network. Second, we explore a large collection of honeypots (or honeynet) that are used to detect new threats. We show that operating system and application configurations in the network impact honeynet accuracy and that adapting to the surrounding network provides a significantly better view of the network threats. Last, we apply our context-aware approach to a reputation-based system for spam blacklist generation and show how traffic characteristics on the network can be used to significantly improve its accuracy.

We conclude with the lessons learned from our experiences adapting to network security context and the future directions for adapting network-based security systems to the security context.

Ph.D., Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
http://deepblue.lib.umich.edu/bitstream/2027.42/64745/1/sushant_1.pd
Enabling an Anatomic View to Investigate Honeypot Systems: A Survey
A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots, the decoy and the captor, are captured and presented, together with two abstract organizational forms, independent and cooperative, in which these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence honeypot performance. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict honeypot development trends.
Honeypot for Wireless Sensor Networks
People have understood that computer systems need safeguarding and require knowledge of security principles for their protection. While this has led to solutions for system components such as malware protection, firewalls and intrusion detection systems, the ubiquitous usage of tiny microcomputers appeared at the same time. A new interconnectivity is on the rise in our lives. Things become “smart” and increasingly build new networks of devices.

In this context, wireless sensor networks interact with users and vice versa; unprivileged users who are able to interact with the wireless sensor network may, as a result, harm the privileged user. The problem that needs to be solved is the possible harm that an unprivileged user interacting with the wireless sensor network of a privileged user may cause, which may come via an attack vector targeting a vulnerability and may take as long as it needs. Detecting such malicious behaviour is only possible if a sensing component is implemented as a tool that detects the status of the attacked wireless sensor network component and monitors the problem as an event that needs further investigation. Innovation in the understanding of attack detection is the key aspect of this work, because the field was found to be a set of hitherto uncombined aspects, mechanisms, drafts and sketches, lacking a central combined outcome. Therefore the contribution of this thesis consists of a span of topics, starting with a summary of attacks, possible countermeasures and a sketch of the outcome, continuing to the design and implementation of a viable product, and concluding with an outlook on possible further work.

The chosen path for this research was experimental prototype construction following an established research method that first highlights the analysis of attack vectors against the system component and then evaluates the possibilities in order to improve said method. This led to a concept well known in common large-scale computer science systems, called a honeypot. Its common definitions and setups were analysed and the translation of the concept to the wireless sensor network domain was evaluated. Then the prototype was designed and implemented. This was done by following the approach set by the science of cybersecurity, which states that the results of experiments and prototypes lead to improving knowledge intentionally for re-use.