On Recognizing Virtual Honeypots and Countermeasures

Honeypots are decoys designed to trap, delay, and gather information about attackers. Honeypot logs can be used to analyze attackers' behavior and to design new defenses. A virtual honeypot can emulate multiple honeypots on one physical machine and offers great flexibility in representing one or more networks of machines. But once attackers recognize a honeypot, it becomes useless. In this paper, we address issues related to detecting and "camouflaging" virtual honeypots, in particular Honeyd, which can emulate a network of any size on physical machines. We find that an attacker may remotely fingerprint Honeyd by measuring the latency of the network links that Honeyd emulates. We analyze the threat from this fingerprint attack using Neyman-Pearson decision theory and find that this class of attack can achieve a high detection rate with a low false alarm rate. To counter this fingerprint attack, we make virtual honeypots behave like their surrounding networks so that they blend in with their surroundings. We design a camouflaged Honeyd by revising a small part of the Honeyd toolkit code and by appropriately patching the operating system. Our experiments demonstrate the effectiveness of our approach to camouflaging Honeyd.
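The abstract frames the fingerprint threat as a Neyman-Pearson decision problem: an observer collects latency samples from a host and decides between "real link" (H0) and "emulated link" (H1), trading a bounded false alarm rate against the achievable detection rate. The following Python block is an added illustration, not code from the paper or the Honeyd project, that a honeypot operator can use to estimate how distinguishable an emulated link is from its surroundings. It runs a likelihood-ratio test over constructed round-trip-time samples; the Gaussian latency model and every latency figure in it (`REAL_LINK`, `EMULATED_LINK`, `CAMOUFLAGED_LINK`) are assumptions chosen for the demonstration, not measurements reported by the paper. The camouflaged case models the paper's goal of matching the surrounding network's latency behavior, and shows the detection rate collapsing to the false alarm rate.

```python
import math
import random
import statistics
from typing import List, Sequence, Tuple

# Latency models are (mean_ms, stdev_ms). All figures are constructed for
# illustration; they are NOT measurements from the paper.
REAL_LINK = (12.0, 1.5)        # assumed real hop: some jitter around 12 ms
EMULATED_LINK = (13.5, 0.3)    # assumed emulated hop: offset mean, little jitter
CAMOUFLAGED_LINK = REAL_LINK   # camouflage goal: match the surrounding network


def gaussian_logpdf(x: float, mu: float, sigma: float) -> float:
    """Log density of a normal distribution (sigma must be > 0)."""
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2 * math.pi))


def fit_gaussian(samples: Sequence[float]) -> Tuple[float, float]:
    """Estimate (mean, stdev) of a set of latency samples."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def log_likelihood_ratio(window: Sequence[float],
                         h0: Tuple[float, float],
                         h1: Tuple[float, float]) -> float:
    """Sum of log p(x|H1)/p(x|H0) over one host's probe window.

    H0: the latency comes from a real link; H1: from an emulated link.
    """
    return sum(gaussian_logpdf(x, *h1) - gaussian_logpdf(x, *h0) for x in window)


def neyman_pearson_threshold(h0_stats: Sequence[float], alpha: float) -> float:
    """Threshold on the LLR that keeps the false alarm rate at about alpha:
    the empirical (1 - alpha) quantile of the statistic under H0."""
    ordered = sorted(h0_stats)
    return ordered[int((1 - alpha) * (len(ordered) - 1))]


def simulate_fingerprint(real: Tuple[float, float],
                         honey: Tuple[float, float],
                         probes_per_host: int = 20,
                         hosts: int = 500,
                         train: int = 200,
                         alpha: float = 0.05,
                         seed: int = 7) -> Tuple[float, float]:
    """Return (false_alarm_rate, detection_rate) of the likelihood-ratio test.

    The models for H0 and H1 are fitted from `train` constructed samples each,
    then `hosts` windows of `probes_per_host` samples are classified per
    hypothesis. The threshold is set so that about `alpha` of real-link
    windows are misclassified (Neyman-Pearson constraint).
    """
    rng = random.Random(seed)

    def draw(params: Tuple[float, float], k: int) -> List[float]:
        return [rng.gauss(params[0], params[1]) for _ in range(k)]

    h0_model = fit_gaussian(draw(real, train))
    h1_model = fit_gaussian(draw(honey, train))
    h0_stats = [log_likelihood_ratio(draw(real, probes_per_host), h0_model, h1_model)
                for _ in range(hosts)]
    h1_stats = [log_likelihood_ratio(draw(honey, probes_per_host), h0_model, h1_model)
                for _ in range(hosts)]
    thr = neyman_pearson_threshold(h0_stats, alpha)
    false_alarm_rate = sum(s > thr for s in h0_stats) / hosts
    detection_rate = sum(s > thr for s in h1_stats) / hosts
    return false_alarm_rate, detection_rate


if __name__ == "__main__":
    for label, link in (("uncamouflaged", EMULATED_LINK), ("camouflaged", CAMOUFLAGED_LINK)):
        far, det = simulate_fingerprint(REAL_LINK, link)
        print(f"{label:14s} false alarm rate={far:.3f}  detection rate={det:.3f}")
```

With the constructed parameters the uncamouflaged link is detected in essentially every window at a 5% false alarm budget, while the camouflaged link's detection rate falls to roughly the false alarm rate, i.e. the test does no better than guessing. An operator can substitute measured latency samples from neighboring hosts and from the honeypot for the constructed draws to check whether a camouflage patch actually closes the gap.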