Honeypots mailing list archives
diploma thesis - "Usage of Honeypots for Detection and Analysis of Unknown Security Attacks"
From: Patrick Diebold <p.diebold () arcor de>
Date: Thu, 17 Jun 2004 13:49:36 +0200
Dear Community,

My name is Patrick Diebold and I am a graduate student at the Technical University Berlin (TU-Berlin) in Germany. I have just finished my diploma thesis "Usage of Honeypots for Detection and Analysis of Unknown Security Attacks" and wanted to share my experiences with the community.

The aim of my thesis was to develop a honeypot architecture that gathers intrusion-related information. The focus was on unknown attacks. The evaluation of several honeypot tests using honeyd and some simple shell scripts led to the conclusion that not all traffic directed to a honeypot is an attack. Furthermore, I was astonished to see how many known attacks and worms attacked my honeypot: honeyd collected more than 18 MB of attack traffic, omitting the non-readable data. So far so good, nothing new up to here.

There are two problems one has to deal with when concentrating on unknown attacks: known attacks and non-attack connections (false positives). In order to filter known attacks, an IPS (Intrusion Prevention System) can be used. The remaining traffic has to be analyzed to determine whether it is a successful attack or not. In the best case the honeypot should do this automatically.

I have developed a honeypot architecture that logs the traffic to the honeypot in a way that makes it possible to replay the attack and to tag the log files of a successful attack automatically. The honeypot architecture is able to replay attacks from the logs without the attacker's exploit at hand (some tests with buffer overflow attacks were successful). To detect an attack I have written a simple host IDS (H-IDS) that detects an attack on the basis of unexpected system calls. The H-IDS and the logging component can be distributed across several hosts to reduce the risk from a possibly compromised honeypot. The logging component and the H-IDS are synchronized via a control channel that allows the tracking of the honeypot processes and the corresponding traffic.

On a successful attack an alarm is raised, the corresponding log file is tagged and an e-mail is sent to the administrator. This way it should be possible to detect unknown attacks on the honeypot. The software is written in C++ and the H-IDS is realized as a Linux kernel module. The H-IDS does system call interception by redirecting the function pointers in the system call table. Stress tests with tcpdump have shown that tcpdump skips packets under heavy load, so I decided to implement the logging via a socket interceptor.

The software is easily extensible to realize a cluster of honeypot services that receive the same traffic from the attacker simultaneously. A lead process sends the response back to the attacker. Whenever the H-IDS raises an alarm in one of the honeypot services, the log file is tagged. This way several varying honeypot installations can be tested simultaneously.

Any feedback and suggestions on this work are welcome and appreciated.

With kind regards,
Patrick Diebold
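The post describes an H-IDS that raises an alarm on "unexpected system calls" but does not say how the expected set is defined. The following is an added example, not Patrick Diebold's code and not the kernel module he describes: it shows one common way to make that decision in user space, by learning a profile of adjacent (previous, current) system call pairs from traces of the honeypot service behaving normally and flagging the first position in a new trace whose pair was never seen in training. The traces below are constructed for illustration, the syscall numbers are the x86_64 Linux values (an assumption about the honeypot platform), and the function names (`profile_train`, `profile_check`) are hypothetical. In a real deployment the trace would come from the kernel-side interceptor rather than from a static array.

```c
/* hids_pairs.c - minimal "unexpected system call" detector (added example).
 *
 * A profile of allowed (previous, current) syscall pairs is learned from traces
 * of the honeypot service running normally. Checking a trace against the
 * profile returns the index of the first syscall whose pair is unknown, which
 * is the point at which an alarm would be raised and the log file tagged.
 * Syscall numbers are x86_64 Linux numbers (assumption). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYSCALLS 512   /* bound on syscall numbers tracked by the profile */

/* x86_64 syscall numbers used by the constructed traces (assumption: x86_64). */
#define SYS_close       3
#define SYS_dup2       33
#define SYS_socket     41
#define SYS_accept     43
#define SYS_sendto     44
#define SYS_recvfrom   45
#define SYS_bind       49
#define SYS_listen     50
#define SYS_setsockopt 54
#define SYS_execve     59
#define SYS_exit_group 231

/* Bitset over all (prev, cur) pairs: 512*512 bits = 32 KiB. */
typedef struct {
    unsigned char seen[MAX_SYSCALLS * MAX_SYSCALLS / 8];
} profile_t;

static int valid_nr(int nr) { return nr >= 0 && nr < MAX_SYSCALLS; }

static size_t pair_index(int prev, int cur) {
    return (size_t)prev * MAX_SYSCALLS + (size_t)cur;
}

static void profile_init(profile_t *p) { memset(p->seen, 0, sizeof p->seen); }

/* Record every adjacent pair of a known-good trace in the profile. */
static void profile_train(profile_t *p, const int *trace, size_t n) {
    for (size_t i = 1; i < n; i++) {
        if (!valid_nr(trace[i - 1]) || !valid_nr(trace[i]))
            continue;                      /* never learn garbage numbers */
        size_t idx = pair_index(trace[i - 1], trace[i]);
        p->seen[idx / 8] |= (unsigned char)(1u << (idx % 8));
    }
}

/* Return the index of the first syscall whose (prev, cur) pair was never seen
 * in training, or -1 if the whole trace matches the profile. Out-of-range
 * numbers are treated as unexpected, so a corrupted trace also alarms. */
static int profile_check(const profile_t *p, const int *trace, size_t n) {
    for (size_t i = 1; i < n; i++) {
        if (!valid_nr(trace[i - 1]) || !valid_nr(trace[i]))
            return (int)i;
        size_t idx = pair_index(trace[i - 1], trace[i]);
        if (!(p->seen[idx / 8] & (1u << (idx % 8))))
            return (int)i;
    }
    return -1;
}

/* Constructed traces of a tiny TCP service: two normal runs and one in which
 * the handler is hijacked after recvfrom and spawns a shell (dup2, execve). */
static const int NORMAL_TRACE_1[] = {
    SYS_socket, SYS_setsockopt, SYS_bind, SYS_listen,
    SYS_accept, SYS_recvfrom, SYS_sendto, SYS_close,
    SYS_accept, SYS_recvfrom, SYS_sendto, SYS_close, SYS_exit_group };
static const int NORMAL_TRACE_2[] = {
    SYS_socket, SYS_setsockopt, SYS_bind, SYS_listen,
    SYS_accept, SYS_recvfrom, SYS_recvfrom, SYS_sendto, SYS_close, SYS_exit_group };
static const int ATTACK_TRACE[] = {
    SYS_socket, SYS_setsockopt, SYS_bind, SYS_listen,
    SYS_accept, SYS_recvfrom, SYS_dup2, SYS_dup2, SYS_execve };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {
    profile_t p;
    profile_init(&p);
    profile_train(&p, NORMAL_TRACE_1, LEN(NORMAL_TRACE_1));
    profile_train(&p, NORMAL_TRACE_2, LEN(NORMAL_TRACE_2));

    printf("normal run 1: first unexpected index = %d\n",
           profile_check(&p, NORMAL_TRACE_1, LEN(NORMAL_TRACE_1)));
    printf("normal run 2: first unexpected index = %d\n",
           profile_check(&p, NORMAL_TRACE_2, LEN(NORMAL_TRACE_2)));
    int hit = profile_check(&p, ATTACK_TRACE, LEN(ATTACK_TRACE));
    printf("attack run:   first unexpected index = %d (syscall nr %d after nr %d)\n",
           hit, ATTACK_TRACE[hit], ATTACK_TRACE[hit - 1]);
    return 0;
}
```

The pair profile is deliberately simple: it catches a handler that suddenly calls `dup2`/`execve` after `recvfrom`, but it also alarms on any legitimate code path that was not exercised during training, which is the false-positive problem the post mentions. Training therefore has to cover every normal path of the service, and an alarm from one honeypot in a cluster is best confirmed by replaying the tagged log against a second installation, as the post proposes.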
Current thread:
- diploma thesis - "Usage of Honeypots for Detection and Analysis of Unknown Security Attacks" Patrick Diebold (Jun 17)