
Intrusion Detection using Honeypots


Presentation Transcript


  1. Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines

  2. What is a honeypot? • A closely monitored network decoy that serves several purposes • Distracts adversaries from vulnerable production machines • Provides early warning of new attacks and exploits • Allows in-depth examination of adversaries during and after exploitation

  3. Problems and Solution • Physical honeypot machines are expensive to buy and costly to maintain • A successful attack can corrupt the machine • Destroy the box • Destroy the software • Solution • Honeyd or a similar low-interaction honeypot

  4. Honeyd • A program that simulates multiple operating systems on multiple IP addresses • One box can run many honeypots • Simulates the network stack of each OS, so fingerprinting tools see the configured personality • Provides arbitrary routing topologies • Because only the stack is simulated, it can observe connection attempts but not a full compromise

  5. Why is Honeyd better? • A NIDS needs a signature for each known attack • Honeyd records all traffic to the decoys, so a new exploit is captured even before any signature exists • A honeypot has no production value, so every packet sent to it is suspect; this gives far fewer false positives
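The detection logic slide 5 describes needs no signatures: any connection to a decoy is reportable, and a source that touches several decoys or ports is a scanner. The script below is an added example, not part of the presentation, and parses constructed log lines that approximate Honeyd's packet-log layout (timestamp, protocol, start/end flag, source and destination addresses and ports, optional passive OS guess); the addresses, ports and the `scan_threshold` value are assumptions.

```python
"""Added example (not from the presentation): turn Honeyd-style packet-log
lines into alerts. Every connection to a decoy is suspect, so the logic is a
tally over connection starts rather than a signature match."""
import re
from collections import defaultdict

# Constructed sample approximating Honeyd's packet log:
# timestamp proto(num) flag src sport dst dport [optional passive-OS guess]
# flag: S = TCP connection start, E = TCP end (with byte counts), - = single packet
SAMPLE_LOG = """\
2004-03-12-18:48:21.0201 tcp(6) S 203.0.113.7 2334 192.168.1.201 80 [Windows XP SP1]
2004-03-12-18:48:22.1187 tcp(6) E 203.0.113.7 2334 192.168.1.201 80: 412 1536
2004-03-12-18:48:25.4410 tcp(6) S 203.0.113.7 2335 192.168.1.201 139
2004-03-12-18:48:26.0930 tcp(6) S 203.0.113.7 2336 192.168.1.202 22
2004-03-12-18:48:26.5001 tcp(6) S 203.0.113.7 2337 192.168.1.203 22
2004-03-12-18:49:01.7712 udp(17) - 198.51.100.9 53412 192.168.1.201 137: 50
2004-03-12-18:49:03.0004 icmp(1) - 198.51.100.9 192.168.1.202: 8(0): 56
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp)\(\d+\) (?P<flag>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for TCP/UDP lines, None for ICMP or unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def new_flows(log_text):
    """Connection starts only: 'S' for TCP, '-' for single-packet UDP.
    A TCP 'E' line describes a flow already counted by its 'S' line."""
    flows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["flag"] == "E":
            continue
        flows.append(rec)
    return flows


def alerts(log_text, scan_threshold=3):
    """One alert per source address. Any contact with a decoy is reported,
    because nothing legitimate talks to it; a source touching scan_threshold
    or more distinct (decoy, protocol, port) targets is labelled a scan."""
    by_src = defaultdict(lambda: {"targets": set(), "flows": 0})
    for f in new_flows(log_text):
        s = by_src[f["src"]]
        s["flows"] += 1
        s["targets"].add((f["dst"], f["proto"], f["dport"]))
    out = {}
    for src, s in by_src.items():
        out[src] = {
            "flows": s["flows"],
            "decoys": sorted({t[0] for t in s["targets"]}),
            "ports": sorted({f"{t[1]}/{t[2]}" for t in s["targets"]}),
            "verdict": "scan" if len(s["targets"]) >= scan_threshold else "contact",
        }
    return out


if __name__ == "__main__":
    for src, a in alerts(SAMPLE_LOG).items():
        print(f"{src}: {a['verdict']} - {a['flows']} flows to {a['decoys']} on {a['ports']}")
```

The ICMP line is deliberately skipped by the parser; a fuller version would count it as a ping sweep hit. The point is that the whole detector fits in a tally because the decoy's lack of production value does the filtering.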

  6. Honeyd + Virtual Machine • Honeyd can only simulate the TCP/IP stack • Combined with a virtual machine, the attacker can now run exploits against a whole operating system • We can detect and learn about new exploits and their payloads, rather than just the connection attempt

  7. Design • Honeyd replies to packets whose destination IP address belongs to one of the simulated honeypots • The router receives the packet and forwards it to the Honeyd host (for example via iptables rules) • Honeypots can be placed behind multiple firewalls
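The pieces described on slides 4, 6 and 7 (several OS personalities on several addresses, a routed topology, and one service handed off to a real virtual machine) map onto a single Honeyd configuration file. The one below is an added example, not a file from the presentation; the addresses, the script path, the VM address and the personality strings are assumptions, and each personality string must match an entry in the `nmap.prints` fingerprint file Honeyd is started with.

```conf
# Added example honeyd.conf (not from the presentation). Addresses, script
# path and VM address are hypothetical; personality names must exist in nmap.prints.

# Anything not bound to a template is silently dropped.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Decoy 1: a Windows personality with a scripted web server and an open SMB port.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows uptime 1728000
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows udp port 137 open

# Decoy 2: a Linux personality whose SSH port is proxied to a real VM (slide 6),
# so the attacker gets a whole operating system while Honeyd still logs the flow.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 proxy 10.10.0.50:22
add linux tcp port 80 open

# Flat LAN binds (slide 4: many honeypots on one box).
bind 192.168.1.201 windows
bind 192.168.1.202 linux
bind 192.168.1.203 linux

# A routed segment (slide 4: arbitrary routing): packets for 10.1.0.0/16
# appear to traverse the router at 10.0.0.1 with added latency and loss.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 8ms loss 0.5
route 10.1.0.1 link 10.1.0.0/24
bind 10.1.0.20 linux
```

Honeyd only answers for addresses it is told to claim, so the LAN addresses above must also be handed to it on the command line (together with `-f` for this file, `-p` for the fingerprint file and `-l` for the packet log), and something such as `arpd` or a static route on the upstream router must deliver the packets to the Honeyd host, which is the forwarding step slide 7 refers to. The proxied port is the one place where a real machine is exposed; keep that VM on its own segment with outbound filtering, because once compromised it is the attacker's foothold, not Honeyd's simulation.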

  8. Combination • Honeyd alone cannot give us enough information to prevent future attacks • Combined with a VM, we can record the new attack method and what the attacker was after • New attack methods can potentially lead to more damaging attacks

  9. Conclusion • Since all traffic to the decoys is recorded, an attack on them does not go unnoticed • With a VM we can build new defenses for the real systems • Great flexibility and thorough record keeping are possible
