Detecting honeypots and other suspicious environments

Author

Holz, Thorsten ; Raynal, Frederic

Author_Institution

Lab. for Dependable Distributed Syst., RWTH Aachen Univ., Germany

fYear

2005

Firstpage

29

Lastpage

36

Abstract

To learn more about attack patterns and attacker behavior, the concept of electronic decoys, i.e. network resources (computers, routers, switches, etc.) deployed to be probed, attacked, and compromised, is used in the area of IT security under the name honeypots. These electronic baits lure in attackers and help in assessment of vulnerabilities. Because honeypots are more and more deployed within computer networks, malicious attackers start to devise techniques to detect and circumvent these security tools. This paper will explain how an attacker typically proceeds in order to attack this kind of systems. We will introduce several techniques and present diverse tools and techniques which help attackers. In addition, we present several methods to detect suspicious environments (e.g. virtual machines and presence of debuggers). The article aims at showing the limitation of current honey pot-based research. After a brief theoretical introduction, we present several technical examples of different methodologies.

Keywords

computer networks; pattern recognition; security of data; IT security; attack patterns; attacker behavior; computer networks; debuggers; electronic baits; electronic decoys; honeypot detection; malicious attackers; network resources; security tools; suspicious environments; virtual machines; vulnerability assessment; Computer networks; Computer security; Forensics; Internet; Intrusion detection; Laboratories; Software systems; Steganography; Switches; Virtual machining;

fLanguage

English

Publisher

ieee

Conference_Titel

Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC

Print_ISBN

0-7803-9290-6

Type

conf

DOI

10.1109/IAW.2005.1495930

Filename

1495930