DEH:Dynamic Extensible Two-way Honeypot

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：11

、訪客IP：3.15.193.45

姓名

趙亞略(Ya-Lyue Jhao) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

DEH:Dynamic Extensible Two-way Honeypot
(DEH:Dynamic Extensible Two-way Honeypot)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

電腦與網路的普及，使得電腦與網路的攻擊手法也日新月異，為了蒐集與了解層出不窮的攻擊手法，資訊安全人員發展出各式各樣方法來收集與分析各種攻擊程式與行為，以期及時找出防禦之道。Honeypot是最常被使用的方法之一，Honeypot需要讓攻擊者能夠入侵且避免被偵測才能發揮它的效果。由於Honeypot要讓攻擊者能夠入侵，因此目前的Honeypot大多無法對外連線以避免攻擊者利用Honeypot做為跳板攻擊其他電腦，雖然本意是好的，但這也使得攻擊者很容易藉由測試對外連線是否被管制，了解他是否是陷入在Honeypot中，以決定他是否需停止其攻擊行為以避免被觀察、分析。本篇論文在此提出了一個新的Honeypot架構—DEH (Dynamic Extensible Two-way Honeypot) 來解決Honeypot容易被偵測的嚴重問題，DEH允許對內及對外的網路連線，但對外的連線內含攻擊外部主機的shellcode時，DEH會先暫緩傳送該攻擊字串至目標主機並複製包含該shellcode的攻擊字串，但將shellcode以DEH的code取代，DEH接着循著攻擊者原定的攻擊方式將DEH的code注入至攻擊者原定的目標主機上被鎖定的有漏洞的程式以保護及監測該程式，因此當上述步驟完成，DEH讓原先的攻擊字串攻擊該目標主機的漏洞程式並使得攻擊者的shellcode被執行時，該shellcode是在DEH注入的code的控制及觀察下執行的。當攻擊者要從該受害者再對外攻擊其他的主機時，DEH可重複上述的機制擴充Honeypot的觀察範圍或將攻擊導回原Honeypot，因此DEH不僅降低了Honeypot被發現的機會，也可以收集到更多攻擊者的資訊。

摘要(英)

Honeypot is very powerful for security analysts to collect malicious data for a long time. We need to let attacker intrudes into honeypot, so that we can analyze the malicious data we get, and find a method to prevent the attack. Because we have to prevent attackers to attack another computer through honeypot, almost all of the honeypots block the outgoing traffic. This is a serious problem. Some assailants would test whether the computer they attack is a honeypot by sending some simple connections out. If they know the computer they are attacking is a honeypot, they will not do the further malicious behavior. If honeypot cannot collect the attack pattern anymore, it becomes useless. In this thesis, we introduce a new design of honeypot, DEH (Dynamic Extensible Two-way Honeypot), to fix this serious problem. DEH allows not only incoming traffic but outgoing traffic. If the outgoing traffic includes malicious shellcode, we can hold this traffic and copy the shellcode, and then DEH replace it with our own code to set the protective mechanism on the computer that the attacker wants to intrude into. After we set the mechanism, we let the attacker intrude in, and he is monitored by our protective mechanism. When attacker wants to send traffic out from the victim, DEH can extend the protective mechanism to other computers or redirected the connections back to honeypot. We can efficiently protect honeypot from being detected and prevent the attack being spread, in the same time we could also get more information from attackers.

關鍵字(中)

★ 蜜罐

關鍵字(英)

★ Honeypot

論文目次

摘要 i
Abstract ii
Acknowledgements iii
Table of Contents iv
List of Figures vi
List of Tables vii
1. Introduction 1
2. Related Work 4
2-1 Code Injection 4
2-2 Honeypot 5
3. System Design 7
3-1 DEH 7
3-2 Syringe 9
3-2-1DLL Injection 9
3-2-2Targets at victim-side 10
3-3 Serum 12
3-3-1 Replace Code 12
3-3-2 Connecting to Scale Controller 15
3-3-3 Different Behavior of Serum 15
3-3-4 Protect Mechanism 17
3-4 Attack Information Collector 17
3-5 Scale Controller 18
3-5-1 Setting Count 18
3-5-2 Reading Count 18
4. Implementation 20
4-1 Syringe 20
4-2 Serum 20
5. Evaluation 25
5-1 Functionality Test 25
5-2 Other Information 28
5-3 Discussion 29
6. Conclusions 32
6-1 Contribution 32
6-2 Future Work 32
6-2-1 Botnet Detection 33
6-2-2 Fit More Platforms 33
References 34

參考文獻

[1] Microsoft, HoneyMonkey. http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey
[2] Yi-Min Wang, Doug Beck, Xuxian Jiang, and Roussi Roussev. “Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities.”
ftp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf
[3] honeynet.org. http://www.honeynet.org/
[4] Sebek. http://www.honeynet.org/project/sebek/
[5] Honeybot. http://www.atomicsoftwaresolutions.com/honeybot.php
[6] KFSensor. http://www.keyfocus.net/kfsensor/
[7] Xiaotong Zhuang, Tao Zhang, and Santosh Pande, “Using Branch Correlation to Identify Infeasible Paths for Anomaly Detection,” 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO-39), Orlando, Florida, USA, December, 2006.
[8] Nathan Tuck, Brad Calder, and George Varghese, “Hardware and Binary Modification Support for Code Pointer Protection From Buffer Overflow,” 37th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO-37), Doubletree Hotel, Portland, Oregon, December, 2004.
[9] Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton, “StackGuard: Automatic adaptive detection and prevention of bufferoverflow attacks,” in Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, January, 1998.
[10] Mike Frantzen and Mike Shuey, “StackGhost: Hardware facilitated stack protection,” in Proceedings of the 10th USENIX Security Symposium, Washington, D.C., August, 2001.
[11] Ruby B. Lee, David K. Karig, John P. McGregor, and Zhijie Shi, “Enlisting hardware architecture to thwart malicious code injection,” First International Conference on Security in Pervasive Computing, Boppard, Germany, March, 2003.
[12] John P. McGregor, David K. Karig, Zhijie Shi, and Ruby B. Lee, “A processor architecture defense against buffer overflow attacks,” in Proceedings of International Conference on Information Technology: Research and Education (ITRE 2003), Newark, New Jersey, USA, August, 2003.
[13] Fu-Hau Hsu, Fanglu Guo, Tzi-cker Chiueh, “Scalable Network-based Buffer Overﬂow Attack Detection,” in Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS 2006), San Jose, California, USA, December, 2006.
[14] Paruj Ratanaworabhan, Benjamin Livshits, and Benjamin Zorn, “NOZZLE: A Defense Against Heap-spraying Code Injection Attacks,” in Proceedings of 2009 USENIX Annual Technical Conference, San Diego, CA, USA, June, 2009.
[15] P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis, “STRIDE: Polymorphic sled detection through instruction sequence analysis,” in Proceedings of the IFIP TC 11 20th International Information Security Conference, Chiba, Japan, May, 2005.
[16] Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos, “Emulation-based detection of non-self-contained polymorphic shellcode,” in Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID 2007), Menlo Park, California, USA, September, 2007.
[17] Thomas Toth and Christopher Kruegel, “Accurate buffer overﬂow detection via abstract payload execution,” in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, October, 2002.
[18] Neal Krawetz, “Anti-honeypot technology,” in Proceedings of the 25th IEEE Symposium on Security and Privacy (S&P 2004), Berkeley, California, USA, May, 2004.
[19] Abdallah Ghourabi, Tarek Abbes, and Adel Bouhoula, “Honeypot Router for routing protocols protection,” in Proceedings of the 4th International Conference on Risks and Security of Internet and Systems (CRiSIS 2009), Toulouse, France, October, 2009.
[20] Vasaka Visoottiviseth, Uttapol Jaralrungroj, Ekkachai Phoomrungraungsuk, and Pongpak Kultanon, “Distributed Honeypot Log Management and Visualization of Attacker Geographical Distribution,” in Proceedings of the 8th International Joint Conference on Computer Science and Software Engineering (JCSSE 2011), Nakhon Pathom, Thailand, May, 2011
[21] Li Hong-Xia, Wang Pu, Zhang Jian, and Yang Xiao-Qiong, “Exploration on the Connotation of Management Honeypot,” in Proceedings of the International Conference on E-Business and E-Government (ICEE 2010), Guangzhou, China, May, 2010.
[22] Li Hong-xia and Liu Huijun, “On the Incentives of Management Honeypot,” in Proceedings of the 4th International Conference on Biomedical Engineering and Informatics (BMEI 2011), Shanghai, China, October, 2011.
[23] W. Y. Chin, Evangelos P. Markatos, Spiros Antonatos, and Sotiris Ioannidis, “HoneyLab: Large-scale Honeypot Deployment and Resource Sharing,” in Proceedings of the Third International Conference on Network and System Security (NSS 2009), Gold Coast, Queensland, Australia, October, 2009
[24] Cliff C. Zou and Ryan Cunningham, “Honeypot-Aware Advanced Botnet Construction and Maintenance,” in Proceedings of the International Conference on Dependable Systems and Networks (DSN 2006), Philadelphia, Pennsylvania, USA, June, 2006.
[25] Ping Wang, Lei Wu, Ryan Cunningham and Cliff C. Zou, “Honeypot detection in advanced botnet attacks,” International Journal of Information and Computer Security, Volume 4, Issue:1, pages 30 – 51, February, 2010.
[26] OS Platform Statistics. http://www.w3schools.com/browsers/browsers_os.asp
[27] James Shewmaker. Analyzing DLL Injection. GSM Presentation, 2006.http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf
[28] Windows Sockets 2.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms740673(v=vs.85).aspx
[29] Winsock Functions.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms741394(v=vs.85).aspx
[30] Process and Thread Functions.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684847(v=vs.85).aspx
[31] Dynamic-Link Library Functions.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682599(v=vs.85).aspx
[32] nologin.org, “Understanding Windows Shellcode.”
http://www.hick.org/code/skape/papers/win32-shellcode.pdf
[33] Safe Group.pl MALWARES. http://malwares.safegroup.pl
[34] Wireshark. http://www.wireshark.org/about.html
[35] Anubis: Analyzing Unknown Binaries. http://anubis.iseclab.org
[36] McAfee Labs Threat Advisory.
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23029/en_US/McAfee%20Labs%20Threat%20Advisory-Rimecud.pdf
[37] Honeynet Project, Know your enemy:GenII honeynets, 2005.
http://www.honeynet.org/papers/gen2
[38] Yong Tang and Shigang Chen, “Defending against internet worms: a signature-based approach,” in Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2005), Miami, FL, USA, March, 2005.
[39] Niels Provos, “A Virtual Honeypot Framework,” in Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA, August, 2004.
[40] Xuxian Jiang, Dongyan Xu. “Collapsar: a VM-based architecture for network attack detention center.” in Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA, August, 2004.
[41] Militan (C. Lin), “Linux/x86 Connect back, Download a File and Execute 149 bytes,” Exploit-db, http://www.exploit-db.com/exploits/13337/.

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2012-7-23

推文