The bilateral communication-based dynamic extensible honeypot

As networks keep growing, guarding the information we hold becomes crucial. One defensive tool is the honeypot, which also gives security analysts a powerful way to collect malicious data over a long period. We let attackers intrude into a honeypot so that we can analyze the malicious data we collect and find ways to prevent related attacks. Because it is important to stop attackers from attacking other computers through a honeypot, almost all honeypots block outgoing traffic. This creates a serious problem. Some attackers test whether the computer they are attacking is a honeypot by making a few simple external connections. If they learn that the computer is a honeypot, they carry out no further malicious behavior, and a honeypot that can no longer collect attack patterns becomes useless. In this paper, we introduce a new honeypot design, DEH (Dynamic Extensible Two-way Honeypot), which fixes this problem with a bilateral communication mechanism. Based on bilateral communication, DEH allows not only incoming but also outgoing traffic. If the outgoing traffic contains malicious shellcode, we hold that traffic and copy the shellcode; DEH then replaces it with our own code, which sets up the bilateral communication and protective mechanism on the computer the attacker wants to intrude into. Once the mechanism is in place, we let the attacker intrude into the victim while our protective mechanism monitors him. When the attacker wants to send traffic out of the victim, DEH can either extend the protective mechanism to further computers or redirect the connections back to the honeypot. The mechanism therefore not only protects the honeypot from being detected but also prevents the attack from spreading, and at the same time lets us gather more information about attackers.
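As an added illustration, not the paper's own implementation, the following Python model shows the egress decision the abstract describes: a plain outbound probe is allowed so the honeypot is not unmasked, while traffic carrying shellcode is held, copied for analysis, replaced with a monitor stub and turned back to the honeypot. The honeypot address, the stub bytes, the NOP-sled heuristic and the sample traffic are all assumptions; the paper does not say how DEH recognises shellcode.

```python
from dataclasses import dataclass

HONEYPOT_ADDR = "10.0.0.5"            # assumed address of the honeypot itself
MONITOR_STUB = b"DEH-MONITOR-STUB"    # placeholder for DEH's own monitoring code
SLED_LEN = 16                         # NOP run treated as a sled (assumed threshold)

@dataclass
class Outbound:
    dst: str
    port: int
    payload: bytes

@dataclass
class Decision:
    action: str       # "allow" (pass unchanged) or "redirect" (swapped, turned back)
    dst: str
    port: int
    payload: bytes    # what actually leaves the honeypot
    captured: bytes   # copy kept for analysis; empty when allowed

def looks_like_shellcode(payload: bytes) -> bool:
    """Crude stand-in for DEH's shellcode check: a run of SLED_LEN x86 NOPs (0x90)."""
    run = 0
    for b in payload:
        run = run + 1 if b == 0x90 else 0
        if run >= SLED_LEN:
            return True
    return False

def egress(pkt: Outbound) -> Decision:
    """Apply the bilateral policy to one outbound connection from the honeypot."""
    if not looks_like_shellcode(pkt.payload):
        # A plain probe is let out, so the attacker's egress test succeeds
        # and the honeypot is not unmasked.
        return Decision("allow", pkt.dst, pkt.port, pkt.payload, b"")
    # Shellcode: keep a copy, send the monitor stub instead, and turn the
    # connection back to the honeypot rather than letting it reach a victim.
    return Decision("redirect", HONEYPOT_ADDR, pkt.port, MONITOR_STUB, pkt.payload)

if __name__ == "__main__":
    # Constructed sample traffic: a benign egress probe and a sled-prefixed payload.
    probe = Outbound("198.51.100.10", 80, b"GET / HTTP/1.0\r\n\r\n")
    inject = Outbound("192.0.2.7", 445, b"\x90" * 32 + b"CONSTRUCTED-PAYLOAD")
    for p in (probe, inject):
        d = egress(p)
        print(f"{p.dst}:{p.port} -> {d.action} to {d.dst}, captured {len(d.captured)} bytes")
```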
