SGNET: a distributed infrastructure to handle zero-day exploits

This work builds upon the Leurré.com infrastructure and the ScriptGen technology. Leurré.com is a worldwide distributed setup of low-interaction honeypots, whereas ScriptGen is a new class of honeypot: a medium-interaction one. In this paper, we show how ScriptGen can be enriched with the Argos and Nepenthes open-source software in order to build a distributed system able to collect rich information about ongoing attacks and to collect malware, even for zero-day attacks, without facing the liability and complexity issues encountered by classical high-interaction honeypots. The design and its implementation are described in detail. Experimental results are offered that highlight the validity of the proposed solution.
