Figure 9: General pattern of Blaster worm attack. Because of modular worm architectures, victims are first overflowed with a simple RPC exploit, and made to obtain a separate worm "egg", which contains the full worm. The network activity between the initial overflow and download of the egg constitutes a single observation. During this time, other network traffic may arrive. Multiple observations allow one to filter out other scans arriving at the same time.

Traditional worm detection models deal with worm infection at either the start or end of the cycle shown in Figure 9. For example, models based on darknets consider only the rate and origin of incoming scans, the traffic at the top of the diagram. The DSC model also considers scans, but also tracks outgoing probes from the victim, the traffic at the bottom of the diagram. The activity in the middle, from initial infection to subsequent attack, has a distinct enough form that one can track it in a network.

Even if no buffer overflow is involved, as in the case of mail-based worms and LANMAN weak password guessing worms (e.g., pubstro worms), the infection still follows a general pattern: a small set of attack packets obtain initial results, and further network traffic follows, either from the egg deployment, or from subsequent scans. Thus, our proposal is not limited to Blaster, but uses it as an illustrative example.

5.4 HoneyStat Monitoring

We propose a new variation of honeypots, called HoneyStat, to provide early detection and local response for [...]. When a honeypot is attacked, the intrusion is detected, and the virtual machine image is reset. Statistical properties of the attack are recorded, such as which ports were active just before the attack was discovered. These observations are then combined with other observed attacks. A statistical analysis attempts to discover patterns indicative of a worm outbreak.

So, while honeypots trap hackers, HoneyStat nodes track worms. This approach differs from DSC in many ways. First, while DSC uses real network or honeypot traffic, HoneyStat works only on special honeypot networks. Second, while DSC matches the same port being used for source and destination scans, HoneyStat matches arbitrary pairs of ports. Potentially DSC will notice victims earlier than HoneyStat, provided the infection vector uses the same ports. However, HoneyStat can potentially provide more information about the worm behavior.

In more detail, we describe the deployment of HoneyStat nodes:

First, an emulator (e.g., Bochs or VMWare) is used to expose a virtual machine to the outside network. The guest operating system in the emulator is configured to provide a wide range of services. Vendor patches for any of the services are not applied, except in rare cases. An emulator is used instead of a live machine to facilitate rapid resets of the guest OS image. This lets one deploy as many honeypots as possible, the goal being to interact with suspicious traffic as much as possible.

Additionally, the honeypots are configured to direct as much traffic as possible back towards other honeypots and darknets. For example, some worms such as the recent MyDoom worm spread via e-mail, and would be missed by simple darknet scan observation techniques. To track worms traveling "under the radar", the honeypots are configured with honeytokens: e-mail address books for bogus users at other honeypots and darknet nodes.

Second, the honeypot is configured to not generate any outward network traffic, e.g., Windows NBT probes. The honeypot should remain silent, since originating outward traffic constitutes a trigger event. In our model, a honeypot is deemed active or infected when it sends out SYN or UDP traffic.

Third, a separate process monitors the virtual machine's disk image and network activity. If outgoing connections are made from the honeypot, a HoneyStat event is recorded, and after a suitable short period of time (e.g

5.5 Statistical Analysis

Using the data collected from the 5,000-node network, we can locate events where enough network data was recorded to infer how HoneyStat performs. We therefore provide a proof-of-concept of the algorithm, and
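The monitoring rule of Section 5.4 (a silent honeypot, whose first originated SYN or UDP traffic is the trigger event) and the observation model of the Figure 9 caption (the inbound ports active just before the trigger form one observation; several observations filter out coincident scans), as an added Python illustration that is not the paper's own code. The record format, the 10-second look-back window and all port numbers are constructed assumptions.

```python
from collections import Counter

# Constructed connection records for one honeypot: (time_s, direction, proto,
# tcp_flags, port). "in" = traffic arriving at the honeypot (port = service hit),
# "out" = traffic the honeypot originated (port = remote destination port).
WINDOW_S = 10  # assumption: how far back to look before the trigger event

def honeystat_events(records, window_s=WINDOW_S):
    """Return the HoneyStat event for this honeypot, or None if it stayed silent.

    The first outbound SYN or UDP datagram is the trigger; the inbound ports
    active in the window just before it form the observation. In deployment the
    image is reset after the event, so at most one event per record stream."""
    for t, direction, proto, flags, port in records:
        if direction == "out" and (proto == "udp" or "S" in flags):
            recent = {p for ts, d, _pr, _fl, p in records
                      if d == "in" and t - window_s <= ts < t}
            return {"trigger_t": t, "egg_port": port, "inbound_ports": recent}
    return None

def common_ports(events, min_fraction=1.0):
    """Inbound ports present in at least min_fraction of the events.

    A coincidental scan shows up in one observation; the infection vector shows
    up in all of them, which is how multiple observations filter out noise."""
    counts = Counter(p for e in events for p in e["inbound_ports"])
    need = min_fraction * len(events)
    return {p for p, c in counts.items() if c >= need}

# Two constructed infections of the Figure 9 shape: an RPC overflow on 135/tcp,
# after which the victim fetches the egg over UDP. Unrelated scans (1433, 80)
# land in the same window on each node. Port numbers are sample values.
NODE_A = [(0, "in", "tcp", "S", 1433), (3, "in", "tcp", "S", 135),
          (4, "in", "tcp", "PA", 135), (6, "out", "udp", "", 69)]
NODE_B = [(50, "in", "tcp", "S", 80), (52, "in", "tcp", "S", 135),
          (53, "in", "tcp", "PA", 135), (55, "out", "udp", "", 69)]

def analyze(nodes):
    """Combine the events of several HoneyStat nodes, skipping silent ones."""
    events = [e for e in (honeystat_events(n) for n in nodes) if e]
    return events, common_ports(events)

if __name__ == "__main__":
    evs, ports = analyze([NODE_A, NODE_B])
    for e in evs:
        print(f"t={e['trigger_t']:>3}s egg via port {e['egg_port']} "
              f"after inbound on {sorted(e['inbound_ports'])}")
    print("ports common to all observations:", sorted(ports))  # [135]
```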