Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor—are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends

Detection and analysis of misuse in SIP-based networks

Die Sprachkommunikation über „Voice over IP“-Netzwerke, basierend auf dem Session Initiation Protokoll (SIP), verbreitet sich auf Grund von Funktionalitäts- und Kostenvorteilen zunehmend und wird die klassischen Telefonnetze in den nächsten Jahren vollständig ablösen. Zusätzlich zu den Netzen der Telefonanbieter wird die Sprachkommunikation über das SIP-Protokoll auch im Unternehmens- und Privatanwenderumfeld unverzichtbar. So bietet VoIP die Möglichkeit, sich unabhängig von dem aktuellen Aufenthaltsort über das Internet bei dem jeweiligen Heimatnetzbetreiber oder der eigenen Firma anzumelden und über das dortige Nutzerkonto Gespräche zu führen. Da die Telefonie somit von einer geschlossenen und vergleichsweise sicheren Plattform auf eine viel offenere Plattform in das Internet migriert wird, ergeben sich neue Risiken und Missbrauchsmöglichkeiten im Bereich der Telefonie. In dieser Dissertation werden Angriffe untersucht, die mit der Einführung von SIP-basierten Sprachdiensten im Internet entstehen und nicht aus Bedrohungen der Netzwerkschicht oder aus rechtlichen Vertragsbestimmungen resultieren. Das Ziel dieser Angriffe ist das Erlangen eines finanziellen Vorteils, indem ein Angreifer kompromittierte Zugänge für Auslandstelefonate oder für Anrufe zu Premiumnummern auf Kosten der Anschlussinhaber nutzt („Toll Fraud“). Für die Realisierung der Bedrohungsanalyse und der Angriffserkennung wurden Konzepte, ein Versuchsnetzwerk sowie die notwendigen Softwarekomponenten ergebnisorientiert entwickelt. Im Vergleich zu anderen Forschungsarbeiten wurden Untersuchungen mit Ködersystemen (Honeypots) weiterentwickelt und es wurde ein System für eine verteilte, automatische Angriffserkennung entwickelt. Dafür wurden SIP-Verkehrsdaten über einen Zeitraum von sechs Jahren in zwei Class-C-Netzwerken aufgezeichnet und mit einem neuen Analyseansatz unabhängig von einzelnen SIP-Nachrichten automatisch ausgewertet. Die Ergebnisse des Feldversuches in dieser Dissertation zeigen, dass die Bedrohungen für die SIP-Infrastruktur ansteigen und dass bereits eine Weiterentwicklung und Optimierung der Angriffswerkzeuge nachzuweisen ist. Die zunehmende Anzahl der Toll Fraud-Versuche mit internationalen Anrufzielen (und auch zu Premium-Rufnummern) verdeutlicht, dass bei einem unzureichenden Schutz der SIP-Server für die Nutzer und Betreiber sehr schnell ein erheblicher finanzieller Schaden entstehen kann. Es ist daher unerlässlich, die vorgeschalteten, systematischen Angriffsstufen frühzeitig zu erkennen und Abwehrkomponenten zu benachrichtigen. Für die automatisierte, verteilte Angriffserkennung in Echtzeit und für die Maximierung des Beobachtungsgebietes wurde für diese Dissertation das „Security Sensor System“ entwickelt. Mit Hilfe von leichtgewichtigen Sensoren wurde eine weltweite signaturbasierte Angriffserkennung realisiert. Zusätzlich zu der standortbezogenen Angriffserkennung werden Angriffe durch einen zentralen Dienst korreliert. Dadurch können Angreifer netzwerkübergreifend bzw. länderübergreifend identifiziert und somit Gegenwehrkomponenten in Echtzeit benachrichtigt werden. Der Vergleich der verschiedenen Messstellen im Internet belegt, dass die analysierten Angriffsmuster nicht nur im Netzwerk der Universität Duisburg-Essen, sondern zeitlich zusammenhängend auch an anderen Standorten auftreten. Dadurch wird deutlich, dass die ermittelten Ergebnisse auch für andere Netzwerke gültig sind und dass die Toll Fraud-Problematik bereits für alle Betreiber von SIP-Servern relevant ist.Voice over IP networks based on the Session Initiation Protocol (SIP) are becoming more and more widespread in the Internet due to functionality and cost advantages and will soon replace the classic telephony networks. Therefore, support of open SIP-based interfaces is an increasingly important requirement for IP-based Public Branch eXchanges (PBXs) and provider systems. The VoIP service allows using the personal or company VoIP account from any location worldwide. The migration of the telephony service from a closed and comparatively secure environment to a network with open interfaces creates security issues and opens up new opportunities for misuse and fraud. In this thesis, attacks are analyzed which result from introducing SIP-based voice services and do not belong to the area of contract regulations or attacks on the network layer. The attacker’s goal is to gain immediate financial benefit by making toll calls (international, cellular, premium services) via cracked third party accounts (“Toll Fraud”). To realize the threat analysis and the attack detection concepts, a SIP-based testbed and required software components were developed. In comparison to the related work, analyses with Honeypots were enhanced and a mechanism for automatic, distributed attack detection was realized. Therefore, for gathering the required data, a Honeynet with two class-C networks captured the SIP traffic for a period of six years. The automatic analysis is based on attacks and operates independently of single SIP messages. The field test results of this thesis demonstrate that SIP-based threats increase over time and attack tools are optimized and enhanced. The increasing number of Toll Fraud attempts to international or premium numbers reveals that Toll Fraud attacks can cause the account owner substantial financial damage in a very short amount of time if there is insufficient attack detection and mitigation. Hence, it is necessary to implement an attack detection which is able to identify the different attack stages and sends a notification to mitigation components before a Toll Fraud call is established. In this thesis, the Security Sensor System was developed to maximize the monitoring scope and to realize the distributed, automatic attack detection in real-time. The light-weight sensor component provides worldwide signature-based attack detection. Additional to the location-based attack detection, all attack notifications are sent to a central service which correlates the incoming alarm messages and provides a comprehensive attacker identification to inform mitigation components in real-time. The comparison of different sensor nodes in the Internet shows that the analyzed attack patterns do not only occur in the University testbed, but also temporally coherent in other networks. Thus, the results are valid for different network environments and it is crucial to know that Toll Fraud attacks are already performed in reality

An examination of the Asus WL-HDD 2.5 as a nepenthes malware collector

The Linksys WRT54g has been used as a host for network forensics tools for instance Snort for a long period of time. Whilst large corporations are already utilising network forensic tools, this paper demonstrates that it is quite feasible for a non-security specialist to track and capture malicious network traffic. This paper introduces the Asus Wireless Hard disk as a replacement for the popular Linksys WRT54g. Firstly, the Linksys router will be introduced detailing some of the research that was undertaken on the device over the years amongst the security community. It then briefly discusses malicious software and the impact this may have for a home user. The paper then outlines the trivial steps in setting up Nepenthes 0.1.7 (a malware collector) for the Asus WL-HDD 2.5 according to the Nepenthes and tests the feasibility of running the malware collector on the selected device. The paper then concludes on discussing the limitations of the device when attempting to execute Nepenthes

Modeling Deception for Cyber Security

In the era of software-intensive, smart and connected systems, the growing power and so- phistication of cyber attacks poses increasing challenges to software security. The reactive posture of traditional security mechanisms, such as anti-virus and intrusion detection systems, has not been sufficient to combat a wide range of advanced persistent threats that currently jeopardize systems operation. To mitigate these extant threats, more ac- tive defensive approaches are necessary. Such approaches rely on the concept of actively hindering and deceiving attackers. Deceptive techniques allow for additional defense by thwarting attackers’ advances through the manipulation of their perceptions. Manipu- lation is achieved through the use of deceitful responses, feints, misdirection, and other falsehoods in a system. Of course, such deception mechanisms may result in side-effects that must be handled. Current methods for planning deception chiefly portray attempts to bridge military deception to cyber deception, providing only high-level instructions that largely ignore deception as part of the software security development life cycle. Con- sequently, little practical guidance is provided on how to engineering deception-based techniques for defense. This PhD thesis contributes with a systematic approach to specify and design cyber deception requirements, tactics, and strategies. This deception approach consists of (i) a multi-paradigm modeling for representing deception requirements, tac- tics, and strategies, (ii) a reference architecture to support the integration of deception strategies into system operation, and (iii) a method to guide engineers in deception mod- eling. A tool prototype, a case study, and an experimental evaluation show encouraging results for the application of the approach in practice. Finally, a conceptual coverage map- ping was developed to assess the expressivity of the deception modeling language created.Na era digital o crescente poder e sofisticação dos ataques cibernéticos apresenta constan- tes desafios para a segurança do software. A postura reativa dos mecanismos tradicionais de segurança, como os sistemas antivírus e de detecção de intrusão, não têm sido suficien- tes para combater a ampla gama de ameaças que comprometem a operação dos sistemas de software actuais. Para mitigar estas ameaças são necessárias abordagens ativas de defesa. Tais abordagens baseiam-se na ideia de adicionar mecanismos para enganar os adversários (do inglês deception). As técnicas de enganação (em português, "ato ou efeito de enganar, de induzir em erro; artimanha usada para iludir") contribuem para a defesa frustrando o avanço dos atacantes por manipulação das suas perceções. A manipula- ção é conseguida através de respostas enganadoras, de "fintas", ou indicações erróneas e outras falsidades adicionadas intencionalmente num sistema. É claro que esses meca- nismos de enganação podem resultar em efeitos colaterais que devem ser tratados. Os métodos atuais usados para enganar um atacante inspiram-se fundamentalmente nas técnicas da área militar, fornecendo apenas instruções de alto nível que ignoram, em grande parte, a enganação como parte do ciclo de vida do desenvolvimento de software seguro. Consequentemente, há poucas referências práticas em como gerar técnicas de defesa baseadas em enganação. Esta tese de doutoramento contribui com uma aborda- gem sistemática para especificar e desenhar requisitos, táticas e estratégias de enganação cibernéticas. Esta abordagem é composta por (i) uma modelação multi-paradigma para re- presentar requisitos, táticas e estratégias de enganação, (ii) uma arquitetura de referência para apoiar a integração de estratégias de enganação na operação dum sistema, e (iii) um método para orientar os engenheiros na modelação de enganação. Uma ferramenta protó- tipo, um estudo de caso e uma avaliação experimental mostram resultados encorajadores para a aplicação da abordagem na prática. Finalmente, a expressividade da linguagem de modelação de enganação é avaliada por um mapeamento de cobertura de conceitos