Graduate student: 趙亞略
Graduate student (English): Ya-Lyue Jhao
Thesis title: DEH: Dynamic Extensible Two-way Honeypot
Thesis title (English): DEH: Dynamic Extensible Two-way Honeypot
Advisor: 許富皓
Advisor (English): Fu-Hau Hsu
Degree: Master's
Institution: 國立中央大學 (National Central University)
Department: 資訊工程研究所 (Graduate Institute of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Computer Engineering
Year of publication: 2012
Academic year of graduation: 100 (ROC calendar)
Language: English
Page count: 49
Keywords (Chinese): 蜜罐 (honeypot)
Keywords (English): Honeypot
Usage statistics:
  • Cited: 1
  • Views: 108
  • Downloads: 0
  • Bookmarked: 0
The spread of computers and networks has been matched by attack techniques that change by the day. To collect and understand this endless stream of attacks, security practitioners have developed many methods for gathering and analyzing attack programs and behaviour, so that defenses can be found in time. The honeypot is one of the most commonly used of these methods; to be effective, a honeypot must let attackers break in while avoiding detection. Because a honeypot has to allow intrusion, most current honeypots do not permit outbound connections, so that an attacker cannot use the honeypot as a stepping stone to attack other computers. Although well intentioned, this makes it easy for an attacker to find out whether he is trapped in a honeypot simply by testing whether outbound connections are restricted, and then to decide whether to stop his attack so as to avoid being observed and analyzed. This thesis proposes a new honeypot architecture, DEH (Dynamic Extensible Two-way Honeypot), to solve the serious problem of honeypots being easy to detect. DEH allows both inbound and outbound network connections, but when an outbound connection carries shellcode that attacks an external host, DEH first holds the attack string instead of forwarding it to the target host, copies the attack string containing the shellcode, and replaces the shellcode with DEH's own code. Following the attacker's intended attack path, DEH then injects its own code into the targeted vulnerable program on the attacker's intended target host, in order to protect and monitor that program. Once these steps are complete, DEH lets the original attack string attack the vulnerable program on that target host, and when the attacker's shellcode is executed, it runs under the control and observation of the code DEH injected. When the attacker tries to attack further hosts from that victim, DEH can repeat the mechanism above to extend the honeypot's range of observation, or redirect the attack back to the original honeypot. DEH therefore not only reduces the chance that the honeypot is discovered, but also collects more information about attackers.
Honeypots are a very powerful tool for security analysts to collect malicious data over long periods. We need to let the attacker intrude into the honeypot so that we can analyze the malicious data we collect and find a method to prevent the attack. Because we have to prevent attackers from attacking another computer through the honeypot, almost all honeypots block outgoing traffic. This is a serious problem. Some assailants test whether the computer they are attacking is a honeypot by sending some simple connections out. If they learn that the computer they are attacking is a honeypot, they will not carry out any further malicious behavior. If a honeypot cannot collect attack patterns anymore, it becomes useless. In this thesis, we introduce a new honeypot design, DEH (Dynamic Extensible Two-way Honeypot), to fix this serious problem. DEH allows not only incoming traffic but also outgoing traffic. If the outgoing traffic includes malicious shellcode, we hold this traffic and copy the shellcode, and DEH then replaces it with our own code, which sets up a protective mechanism on the computer the attacker wants to intrude into. After we set up the mechanism, we let the attacker intrude, and he is monitored by our protective mechanism. When the attacker wants to send traffic out from the victim, DEH can extend the protective mechanism to other computers or redirect the connections back to the honeypot. We can thus efficiently protect the honeypot from being detected and prevent the attack from spreading, while at the same time obtaining more information from attackers.
摘要 (Chinese Abstract) i
Abstract ii
Acknowledgements iii
Table of Contents iv
List of Figures vi
List of Tables vii
1. Introduction 1
2. Related Work 4
2-1 Code Injection 4
2-2 Honeypot 5
3. System Design 7
3-1 DEH 7
3-2 Syringe 9
3-2-1 DLL Injection 9
3-2-2 Targets at victim-side 10
3-3 Serum 12
3-3-1 Replace Code 12
3-3-2 Connecting to Scale Controller 15
3-3-3 Different Behavior of Serum 15
3-3-4 Protect Mechanism 17
3-4 Attack Information Collector 17
3-5 Scale Controller 18
3-5-1 Setting Count 18
3-5-2 Reading Count 18
4. Implementation 20
4-1 Syringe 20
4-2 Serum 20
5. Evaluation 25
5-1 Functionality Test 25
5-2 Other Information 28
5-3 Discussion 29
6. Conclusions 32
6-1 Contribution 32
6-2 Future Work 32
6-2-1 Botnet Detection 33
6-2-2 Fit More Platforms 33
References 34