Countermeasure for Detection of Honeypot Deployment

Proceedings of the International Conference on Computer and Communication Engineering 2008

May 13-15, 2008 Kuala Lumpur, Malaysia

Lai-Ming Shiue (1), Shang-Juh Kao (2)
(1) Department of Applied Mathematics
(2) Department of Computer Science and Engineering
National Chung-Hsing University, Taiwan
Email: [email protected]

Since the essential task of the honeypot strategy is to make a deceptive system indistinguishable from a regular host in the eyes of an attacker, not exposing the honeypot deployment becomes critical. In general, deception detection [8] can be service support detection, connection feature detection, or system level detection. Service support detection [9, 10] launches all kinds of service requests to check for a honeypot; an emulated service is usually easy to identify as a deceptive system. Connection feature detection [10] remotely tests a target host and collects transmission features such as latency, errors, and protocol headers. Through analysis of these connection features, a fabricated operating system or a virtual network interface can easily be discovered. For instance, a high detection rate for recognizing a low-interaction honeypot was reported in [11], which used Neyman-Pearson decision theory to analyze the round trip times of icmp and tcp connections. Mukkamala et al. [9] demonstrated that high detection accuracy (above 95%) can be achieved in identifying a honeypot by using SVMs to analyze 49 features of tcp connections. System level features, such as the type of physical devices, the type of file system, and the memory usage of hidden programs, are required to detect [12, 13] a high-interaction honeypot, regardless of whether the real system is deployed on a physical or a virtual machine. Collection tools for high-interaction honeypots already exist, for instance Sebek [14], which works as a kernel module to monitor system call invocations and record data of interest. In [15], the NoSEBrEak project showed that Sebek can be detected and disabled. Briefly, the three deception detection techniques for discovering different types of honeypot systems are listed in Table 1.

Abstract

In this paper, a deceptive system, called honeyanole, is developed to escape honeypot hunting as well as to collect attacking information. In honeyanole, three phases are implemented: collection, redirection, and deception. In the collection phase, four types of attacking information are gathered for cross analysis to build up a blacklist. Once the blacklist is developed, two redirection techniques, layer-2 and layer-3 redirection, are employed in the redirection phase to dynamically transmit incoming traffic to a production server or a deception server. Finally, the deception server transparently captures the attacking behaviors in the deception phase. With honeyanole, we can effectively prevent the honeypot deployment from being hunted, build an early warning system, and enhance the system defense.

I. INTRODUCTION

As threats to network security grow exponentially, traditional defensive systems such as firewalls and intrusion detection systems are insufficient. Honeypots [1-4], a deceptive approach, are introduced to trap hackers. Without being noticed by the hackers, attacking information is gathered and analyzed in order to trace attacking behaviors. There are two ways to classify honeypots [5-7], depending on either the purpose of deployment or the level of interaction with the honeypot. Regarding the purpose of deployment, a honeypot can be constructed for production or for research. Based on the interaction with the honeypot, a honeypot can be either low-interaction or high-interaction. No matter how a honeypot is classified, by purpose or by interaction, the honeypot approach is useful only when the deployment is transparent.

978-1-4244-1692-9/08/$25.00 ©2008 IEEE

595

TABLE I.

collecting and analyzing attacking information. We categorize network connections into regular service requests, probe requests, and attacking service requests. Under layer-2 redirection, regular service connections and probe requests are directed to the real system. In this case the redirection latency is insignificant, and hence the honeypot does not look suspicious to honeypot hunters. Once an attacking service connection is discovered, layer-3 redirection is activated and the connection is redirected to the fabricated system. There are three phases in honeyanole: the collection phase, the redirection phase, and the deception phase. The main task of the collection phase is to build a blacklist of possible attackers to support the redirection server. As shown in Figure 1, all traffic flowing from the Internet to the production server is mirrored to the detection module for intrusion inspection. Information about possible attackers is gathered by the collection module from the detection module and from three other defensive systems: the illegal access log, the record of probes, and exchanged defensive information.

TABLE I. DETECTABILITY OF DECEPTION DETECTION METHODS

Interaction Level | Machine Type | Connection Feature | Service Support | System Level
------------------|--------------|--------------------|-----------------|-------------
low               | virtual      | detectable         | detectable      | undetectable
high              | virtual      | detectable         | undetectable    | detectable
high              | physical     | undetectable       | undetectable    | detectable

While the development of a honeypot system focuses on the integration and analysis of attacking information, exposure of the honeypot deployment renders the deceptive system useless. A common countermeasure against deployment exposure is to redirect connections so that attackers do not interact with the honeypot directly. The redirection technique splits Internet traffic between two destinations: a production server or a honeypot. In general, the direction of a traffic flow is decided by the intrusion detection engine. In [16], a bait & switch honeypot router is constructed at the network layer and uses network address translation (NAT) to dispatch traffic flows. However, such a pure layer-3 redirection can easily slow down non-attacking service connections, and the deployment can be revealed through a latency trace, for example via the icmp protocol. In [17], a redirection module at the data link layer is presented that lures suspicious traffic into a honeypot system by changing the MAC address. Unfortunately, when layer-2 redirection is implemented in a connection-oriented network, the sequence number failure caused by the reconnection operation makes the honeypot system suspicious. In this paper, a deceptive system, called honeyanole, is developed to escape honeypot hunters as well as to collect attacking information to enhance further defense. In this system, non-attacking service connections and probing connections are monitored and forwarded, while attacking service connections are transparently redirected to the fabricated system so that the attacking process can be collected. Finally, the system implementation and its evaluation are reported.

[Figure 1, recovered labels: Mirrored Traffic; Detection Module; attacking information from other systems; Collection Module; Analysis Module; Decision Module; redirection server]

Figure 1. Modules inside the collection phase.

After the collection, alerts are raised from the attacking information and consolidated by alert type, source address, and target address, in order to eliminate duplicate reports of the same attack and to recognize a new threat. Then the analysis module correlates the collected attacking information against predefined attack scenarios, such as network scans, port scans, or vulnerability attacks. Upon finishing the analysis, the decision module builds an ordered list of possible attackers according to temporal information and the services involved. Finally, the blacklist is distributed to the redirection server dynamically. For redirection, the server has three interfaces, external, internal, and redirection, which connect to the Internet, the production network, and the deception server respectively. When incoming traffic arrives on the Internet interface, the redirection module transmits it to the production server or the deception server with the aid of the blacklist. The operational flow of the redirection module is depicted in Figure 2.
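The collection, analysis and decision steps just described, as an added worked example that is not the paper's own code: alerts are merged by (type, source, target) so repeats count once, each source is matched against the three scenario types named in the text, and the decision step emits an ordered blacklist. The sample alerts, the scan thresholds and the severity ranking are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample alerts, not taken from the paper:
# (timestamp, alert_type, source, target, target_port)
ALERTS = [
    (1, "scan", "10.0.0.5", "192.0.2.10", 22),
    (1, "scan", "10.0.0.5", "192.0.2.10", 22),   # repeat of the same alert
    (2, "scan", "10.0.0.5", "192.0.2.10", 80),
    (3, "scan", "10.0.0.5", "192.0.2.10", 443),
    (4, "scan", "10.0.0.7", "192.0.2.11", 80),
    (5, "scan", "10.0.0.7", "192.0.2.12", 80),
    (6, "exploit", "10.0.0.9", "192.0.2.10", 80),
    (7, "scan", "10.0.0.7", "192.0.2.13", 80),
]
# Assumed ranking used to order the blacklist; the paper does not fix one.
SEVERITY = {"vulnerability attack": 3, "port scan": 2, "network scan": 1}

def aggregate(alerts):
    """Collection: merge alerts sharing (type, source, target); count repeats, keep ports and latest time."""
    merged = {}
    for ts, kind, src, dst, port in alerts:
        e = merged.setdefault((kind, src, dst), {"last": ts, "ports": set(), "count": 0})
        e["last"] = max(e["last"], ts)
        e["ports"].add(port)
        e["count"] += 1
    return merged

def correlate(merged, min_ports=3, min_hosts=3):
    """Analysis: classify each source into one predefined scenario (thresholds are assumed)."""
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set(), "exploit": False, "last": 0})
    for (kind, src, dst), e in merged.items():
        s = per_src[src]
        s["hosts"].add(dst)
        s["ports"] |= e["ports"]
        s["exploit"] = s["exploit"] or kind == "exploit"
        s["last"] = max(s["last"], e["last"])
    scenarios = {}
    for src, s in per_src.items():
        if s["exploit"]:
            scenarios[src] = "vulnerability attack"
        elif len(s["ports"]) >= min_ports:
            scenarios[src] = "port scan"
        elif len(s["hosts"]) >= min_hosts:
            scenarios[src] = "network scan"
    return scenarios, per_src

def build_blacklist(alerts):
    """Decision: attackers ordered by scenario severity, then by most recent activity."""
    scenarios, per_src = correlate(aggregate(alerts))
    order = sorted(scenarios, key=lambda s: (-SEVERITY[scenarios[s]], -per_src[s]["last"]))
    return [(s, scenarios[s], sorted(per_src[s]["ports"])) for s in order]
```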

II. THE HONEYANOLE SYSTEM

In honeyanole, both layer-2 and layer-3 redirection mechanisms are employed to dynamically transmit incoming traffic flows for the purpose of resisting detection by honeypot hunters as well as


[Figure 2, recovered flowchart labels: Receive from External Interface; Appear in Blacklist?; No; Send out via External Interface]

Three deception programs, honeyd [20], honeytrap [21], and Linux with Sebek [14], are deployed as deception servers. In order to validate the feasibility of honeyanole, several tests were conducted in three test environments, direct, bait & switch, and honeyanole, as shown in Figure 4. The Apache web server was employed as the production server, and the Microsoft web application stress tool was adopted to generate http connections from the traffic generator.
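The redirection flow of Figure 2, as an added simulation that is not the paper's code: a frame received on the external interface is checked against the blacklist, then either layer-2 redirected (destination MAC rewritten only, so regular requests and probes incur no NAT processing) or layer-3 redirected (destination IP translated to the deception server, with state kept to rewrite the reply). The addresses, the frame layout and the NAT reverse path are assumptions.

```python
# Constructed addresses for the simulation (assumptions, not from the paper).
PRODUCTION = {"ip": "192.0.2.10", "mac": "02:00:00:00:00:10"}
DECEPTION = {"ip": "10.9.9.9", "mac": "02:00:00:00:00:99"}

class RedirectionModule:
    """Simulates the redirection server between the external interface,
    the production network and the deception server."""

    def __init__(self, blacklist):
        self.blacklist = set(blacklist)
        self.nat = {}   # (attacker ip, attacker port) -> original destination ip

    def update_blacklist(self, blacklist):
        """The decision module can push a fresh blacklist at any time."""
        self.blacklist = set(blacklist)

    def forward(self, frame):
        """Frame received on the external interface: blacklisted sources get
        layer-3 redirection, everything else layer-2 redirection."""
        out = dict(frame)
        if frame["src_ip"] in self.blacklist:
            # Layer-3: NAT the destination IP to the deception server and keep
            # state so the reply can be translated back to the production IP.
            self.nat[(frame["src_ip"], frame["src_port"])] = frame["dst_ip"]
            out["dst_ip"], out["dst_mac"] = DECEPTION["ip"], DECEPTION["mac"]
            out["path"] = "layer-3 to deception server"
        else:
            # Layer-2: rewrite only the destination MAC; the IP header is untouched,
            # so regular requests and probes see no NAT work or extra latency.
            out["dst_mac"] = PRODUCTION["mac"]
            out["path"] = "layer-2 to production server"
        return out

    def reverse(self, frame):
        """Reply coming back from the deception server: restore the production
        server's IP as source so the attacker never sees the deception address."""
        key = (frame["dst_ip"], frame["dst_port"])
        if frame["src_ip"] == DECEPTION["ip"] and key in self.nat:
            out = dict(frame)
            out["src_ip"] = self.nat[key]
            return out
        return frame

def frame(src_ip, src_port, dst_ip=PRODUCTION["ip"], dst_port=80):
    """Constructed minimal frame as seen on the external interface."""
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "dst_mac": "02:00:00:00:00:01"}
```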
