A Hybrid Honeypot Architecture for Scalable Network Monitoring

To provide scalable, early warning and analysis of new Internet threats such as worms or automated attacks, we propose a globally distributed, hybrid monitoring architecture that can capture and analyze new vulnerabilities and exploits as they occur. To achieve this, our architecture increases the exposure of high-interaction honeypots to these threats by employing low-interaction honeypots as frontend content filters. Host-based techniques capture relevant details such as the packet payloads of attacks, while network monitoring provides wide coverage for quick detection and assessment. To reduce the load on the backends, we filter prevalent content at the network frontends and use a novel handoff mechanism to enable interactions between network and host components. We use measurements from live networks over five months to demonstrate the effectiveness of content prevalence as a filtering mechanism. Combining these observations with laboratory measurements, we demonstrate that our hybrid architecture is effective in preserving the detail of a specific threat while still achieving performance and scalability. We illustrate the benefits of this framework by showing how it enables earlier, higher-confidence detection, more detailed forensics, and robust signatures for mitigation of threats.
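The content-prevalence filtering and handoff described above, as an added example that is not code from the paper: a low-interaction frontend keys each connection by destination port and a hash of the payload prefix, hands only the first few occurrences of each key off to the high-interaction backend, and absorbs the rest locally. The threshold of 3, the 64-byte prefix, and the sample traffic are assumptions, not the paper's parameters or measurements.

```python
import hashlib
from collections import Counter

# Constructed sample traffic at one frontend: (source, dst_port, payload); not paper data.
SAMPLE_CONNECTIONS = (
    [(f"10.0.0.{i}", 445, b"CONSTRUCTED-PREVALENT-PROBE-A") for i in range(1, 9)]
    + [("10.0.1.1", 80, b"CONSTRUCTED-PROBE-B"), ("10.0.1.2", 80, b"CONSTRUCTED-PROBE-B")]
    + [("10.0.2.7", 1434, b"CONSTRUCTED-NOVEL-PAYLOAD-C")]
)


class PrevalenceFrontend:
    """Low-interaction frontend that filters on content prevalence.

    Connections are keyed by (dst_port, hash of payload prefix). Only the first
    `threshold` connections carrying a key are handed off to the high-interaction
    backend; later ones are absorbed here. Both parameters are assumed values.
    """

    def __init__(self, threshold=3, prefix_len=64):
        self.threshold = threshold
        self.prefix_len = prefix_len
        self.seen = Counter()   # content key -> occurrences so far
        self.handed_off = []    # connections passed to the backend
        self.filtered = 0       # connections absorbed at the frontend

    def content_key(self, port, payload):
        return (port, hashlib.sha256(payload[: self.prefix_len]).hexdigest())

    def handle(self, src, port, payload):
        key = self.content_key(port, payload)
        self.seen[key] += 1
        if self.seen[key] <= self.threshold:
            self.handed_off.append((src, port, payload))  # rare content: hand off
            return "handoff"
        self.filtered += 1                                # prevalent content: filter
        return "filtered"


def run_frontend(connections=SAMPLE_CONNECTIONS, threshold=3):
    """Replay constructed traffic through one frontend and summarise the split."""
    fe = PrevalenceFrontend(threshold=threshold)
    decisions = [fe.handle(*conn) for conn in connections]
    return {
        "handed_off": decisions.count("handoff"),
        "filtered": decisions.count("filtered"),
        "distinct_content": len(fe.seen),
        "most_prevalent_count": fe.seen.most_common(1)[0][1],
    }
```

Lowering the threshold shifts more of the prevalent probe to the frontend while every distinct content is still seen by the backend at least once.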
