BAIT-TRAP: a Catering Honeypot Framework

Honeypots have proven effective in understanding intruders’ tactics and the tools that exploit system or software vulnerabilities. However, most current honeypots are manually and statically composed and deployed, leading to the following disadvantages: (1) such a honeypot exhibits only a small and fixed spatial vulnerability window in terms of the number and variety of vulnerable services; (2) it ignores current network activities and can only provide information on threats to deployed services, so new vulnerabilities in a service not deployed in the honeypot will remain undetected. To address these limitations, this paper proposes the notion of catering honeypots and presents a catering honeypot architecture called BAIT-TRAP. A catering honeypot is a honeypot architecture that constantly monitors network traffic, identifies “bait” services that are currently attractive to intruders, and dynamically creates honeypots running such services in the hope of quickly trapping subsequent exploitation attempts. To the best of our knowledge, this is the first proposal and implementation of catering honeypots. Our real-world deployment of BAIT-TRAP has captured a number of “trendy” attack incidents, demonstrating the timeliness and trend awareness of catering honeypots.