• DocumentCode
    2906026
  • Title

    On Recognizing Virtual Honeypots and Countermeasures

  • Author

    Fu, Xinwen ; Yu, Wei ; Cheng, Dan ; Tan, Xuejun ; Streff, Kevin ; Graham, Steve

  • fYear
    2006
  • fDate
    Sept. 29 2006-Oct. 1 2006
  • Firstpage
    211
  • Lastpage
    218
  • Abstract
    Honeypots are decoys designed to trap, delay, and gather information about attackers. We can use honeypot logs to analyze attackers\´ behaviors and design new defenses. A virtual honeypot can emulate multiple honeypots on one physical machine and provide great flexibility in representing one or more networks of machines. But when attackers recognize a honeypot, it becomes useless. In this paper, we address issues related to detecting and "camouflaging" virtual honeypots, in particular Honeyd, which can emulate any size of network on physical machines. We find that an attacker may remotely fingerprint Honeyd by measuring the latency of the network links emulated by Honeyd. We analyze the threat from this fingerprint attack based on the Neyman-Pearson decision theory and find that this class of attack can achieve a high detection rate and low false alarm rate. In order to counter this fingerprint attack, we make virtual honeypots behave like their surrounding networks and blend in with their surroundings. We design a camouflaged Honeyd by revising a small part of the Honeyd toolkit code and by appropriately patching the operating system. Our experiments demonstrate the effectiveness of our approach to camouflaging Honeyd
  • Keywords
    security of data; Honeyd; Neyman-Pearson decision theory; attacker behavior analysis; fingerprint attack; virtual honeypots; Computer networks; Counting circuits; Decision theory; Delay; Fingerprint recognition; IP networks; Intrusion detection; Law; Legal factors; Operating systems;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Dependable, Autonomic and Secure Computing, 2nd IEEE International Symposium on
  • Conference_Location
    Indianapolis, IN
  • Print_ISBN
    0-7695-2539-3
  • Type

    conf

  • DOI
    10.1109/DASC.2006.36
  • Filename
    4030885