To learn more about attack patterns and attacker behavior, IT security uses electronic decoys known as honeypots: network resources (computers, routers, switches, etc.) deployed to be probed, attacked, and compromised. These electronic baits lure in attackers and help in the assessment of vulnerabilities. Because honeypots are increasingly deployed within computer networks, malicious attackers have started to devise techniques to detect and circumvent these security tools. This paper explains how an attacker typically proceeds in order to attack this kind of system. We introduce several techniques and present diverse tools which help attackers. In addition, we present several methods to detect suspicious environments (e.g. virtual machines and the presence of debuggers). The article aims to show the limitations of current honeypot-based research. After a brief theoretical introduction, we present several technical examples of different methodologies.