Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection...
Transcript of Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection...
![Page 1: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/1.jpg)
Tema 9. Intrusion Detec2on
Garantía y Seguridad en Sistemas y Redes
Esteban Stafford
Departamento de Ingeniería Informá2ca y Electrónica
Este tema se publica bajo Licencia:
Crea2ve Commons BY-‐NC-‐SA 4.0
![Page 2: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/2.jpg)
Grupo deIngeniería deComputadores
9. Intrusion DetectionG678: Garantía y Seguridad en Sistemas y RedesEsteban StaffordSantander, November 27, 2015
Contents
Intruders
Intrusion Detection
Host-Based Intrusion Detection
Network-Based Intrusion Detection
Distributed Adaptive Intrusion Detection
Honeypots
Grupo deIngeniería deComputadores
2
![Page 3: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/3.jpg)
Intruder classificationMasquerader Enters system by ilegally using legitimateuser’s account.Misfeasor Legitimate user accesses unauthorized data ormisuses privileges.Clandestine User Gains access to system by eludingcontrols.
Grupo deIngeniería deComputadores
3
Intruder behaviourHacker Seek thrill or status. Opportunistic.
Select the target using IP lookup tools.Map network for accessible (Port scanning).Identify potentially vulnerable services.Install rootkit.Wait for administrator to log on and capture his password.
Criminal Look for sensitive data. Targeted.Act quickly and precisely to make their activities harder to detect.Exploit perimeter through vulnerable ports.Use Trojan horses (hidden software) to leave back doors for reentry.Retrieve valuable data from databases.Make few or no mistakes.
Insider Revenge or feel entitled. Most difficult.Create network accounts for themselves and their friends.Access accounts and applications they wouldn’t normally use.E-mail former and prospective employers.Conduct furtive instant-messaging chats.Perform large downloads and file copying.Access the network during off hours.
Grupo deIngeniería deComputadores
4
![Page 4: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/4.jpg)
Intruder classificationMasquerader Enters system by ilegally using legitimateuser’s account.Misfeasor Legitimate user accesses unauthorized data ormisuses privileges.Clandestine User Gains access to system by eludingcontrols.
Grupo deIngeniería deComputadores
3
Intruder behaviourHacker Seek thrill or status. Opportunistic.
Select the target using IP lookup tools.Map network for accessible (Port scanning).Identify potentially vulnerable services.Install rootkit.Wait for administrator to log on and capture his password.
Criminal Look for sensitive data. Targeted.Act quickly and precisely to make their activities harder to detect.Exploit perimeter through vulnerable ports.Use Trojan horses (hidden software) to leave back doors for reentry.Retrieve valuable data from databases.Make few or no mistakes.
Insider Revenge or feel entitled. Most difficult.Create network accounts for themselves and their friends.Access accounts and applications they wouldn’t normally use.E-mail former and prospective employers.Conduct furtive instant-messaging chats.Perform large downloads and file copying.Access the network during off hours.
Grupo deIngeniería deComputadores
4
![Page 5: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/5.jpg)
Intrusion DetectionIDS motivation
Quick detection might allow ejecting intruder beforeconsequences.Deployment of effective IDS can act as deterrent.Information gathering can help strengthen securitymeasures.
Placement
Host Distributed Network Distributed Adaptive
Grupo deIngeniería deComputadores
5
Intrusion Detection
Logical components
Sensors: Network monitor, log files, sys-tem call traces...
Analyzers: Combine the information ofsensors to decide if an intrusion has oc-cured. Indicates intrusion and suppliesevidence and possible actions.
User interface: Used to configure thebehaviour of the IDS and view intrusioninformation.
Grupo deIngeniería deComputadores
6
![Page 6: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/6.jpg)
Intrusion DetectionIDS motivation
Quick detection might allow ejecting intruder beforeconsequences.Deployment of effective IDS can act as deterrent.Information gathering can help strengthen securitymeasures.
Placement
HostDistributedNetworkDistributedAdaptive
Grupo deIngeniería deComputadores
5
Intrusion Detection
Logical components
Sensors: Network monitor, log files, sys-tem call traces...
Analyzers: Combine the information ofsensors to decide if an intrusion has oc-cured. Indicates intrusion and suppliesevidence and possible actions.
User interface: Used to configure thebehaviour of the IDS and view intrusioninformation.
Grupo deIngeniería deComputadores
6
![Page 7: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/7.jpg)
Detection Principles
Legitimate Behaviour
p
Intruder
False positives False negatives
False positives mean that the security team has toinvestigate a suspicious event.High number of false positives mean a lot of unnecessarywork (Paranoid setting).False negatives are intrusions that have not been detected.High number of false positives give a false sense ofsecurity (Relaxed setting).
Grupo deIngeniería deComputadores
7
Base-Rate FallacyIntrusion Detection System with 0.1% error probability.We guess there is a chance of 1:10000 of intrusion.The alarm goes of! Shall we call the marines?Wait! False alarm probability is 0.909For a reasonable false alarm probability with lots of events,error probability must be REALY low.
Grupo deIngeniería deComputadores
8
![Page 8: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/8.jpg)
Detection Principles
Legitimate Behaviour
p
Intruder
False positives False negatives
False positives mean that the security team has toinvestigate a suspicious event.High number of false positives mean a lot of unnecessarywork (Paranoid setting).False negatives are intrusions that have not been detected.High number of false positives give a false sense ofsecurity (Relaxed setting).
Grupo deIngeniería deComputadores
7
Base-Rate FallacyIntrusion Detection System with 0.1% error probability.We guess there is a chance of 1:10000 of intrusion.The alarm goes of! Shall we call the marines?Wait! False alarm probability is 0.909For a reasonable false alarm probability with lots of events,error probability must be REALY low.
Grupo deIngeniería deComputadores
8
![Page 9: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/9.jpg)
Detection methods
Detection methodsChange detection
Store hash of sensitive files and check periodically.Only usefull for seldom changed files.
Statistical anomaly detectionDetect suspicious behaviour.Allows detecting novel intrusions.
Signature detectionIdentify known intrusion patterns.Unable to detect variations on intrusion patterns.
Grupo deIngeniería deComputadores
9
Statistical anomaly detectionThreshold detection.
Count occurrences of specific event over time.If exceeds a reasonable value - assume intrusion.By itself a crude and ineffective detector.
Profile based detection.Characterize past behavior of users: mean and std.deviation, multivariate analysis, Markov processes, timingparameters.Detect significant deviations from known behaviour.
Grupo deIngeniería deComputadores
10
![Page 10: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/10.jpg)
Detection methods
Detection methodsChange detection
Store hash of sensitive files and check periodically.Only usefull for seldom changed files.
Statistical anomaly detectionDetect suspicious behaviour.Allows detecting novel intrusions.
Signature detectionIdentify known intrusion patterns.Unable to detect variations on intrusion patterns.
Grupo deIngeniería deComputadores
9
Statistical anomaly detectionThreshold detection.
Count occurrences of specific event over time.If exceeds a reasonable value - assume intrusion.By itself a crude and ineffective detector.
Profile based detection.Characterize past behavior of users: mean and std.deviation, multivariate analysis, Markov processes, timingparameters.Detect significant deviations from known behaviour.
Grupo deIngeniería deComputadores
10
![Page 11: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/11.jpg)
Signature detectionObserve events on system and apply rules to decide ifactivity is suspicious or not.Rule-based anomaly detection:
Analyze historical audit records to identify usage patterns.Auto-generate rules for usage patterns, might require 104 to106 rules.Observe current behavior and match against rules.Does not require prior knowledge of security flaws.
Rule-based penetration identification:Rules identify known penetration, weakness patterns orsuspicious behavior.Rules usually machine and OS specific.Rules are generated by experts who review and codeknowledge of previous attacks.Quality depends on how well this is done.
Grupo deIngeniería deComputadores
11
Host-Based Intrusion Detection
System RequirementsRun continually with minimal human supervision. Recoverfrom reboot.Resist subversion. Must be able detect if modified byattacker.Impose a minimal overhead on the system.Be able to adapt to changes in system and user behavior.Be able to scale to monitor a large number of hosts.Provide graceful degradation of service. Modular.Allow reconfiguration without having to restart.
Grupo deIngeniería deComputadores
12
![Page 12: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/12.jpg)
Signature detectionObserve events on system and apply rules to decide ifactivity is suspicious or not.Rule-based anomaly detection:
Analyze historical audit records to identify usage patterns.Auto-generate rules for usage patterns, might require 104 to106 rules.Observe current behavior and match against rules.Does not require prior knowledge of security flaws.
Rule-based penetration identification:Rules identify known penetration, weakness patterns orsuspicious behavior.Rules usually machine and OS specific.Rules are generated by experts who review and codeknowledge of previous attacks.Quality depends on how well this is done.
Grupo deIngeniería deComputadores
11
Host-Based Intrusion Detection
System RequirementsRun continually with minimal human supervision. Recoverfrom reboot.Resist subversion. Must be able detect if modified byattacker.Impose a minimal overhead on the system.Be able to adapt to changes in system and user behavior.Be able to scale to monitor a large number of hosts.Provide graceful degradation of service. Modular.Allow reconfiguration without having to restart.
Grupo deIngeniería deComputadores
12
![Page 13: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/13.jpg)
Host-Based Intrusion DetectionAudit Records
Native audit recordsPart of all common multi-user O/S.Already available for use.May not have the required info in desired form.
Detection-specific audit records.Created specifically to collect required info.At cost of additional overhead on the system.Time-stamp, subject, action, object, exception-conditions,resource-usage
smith@localhost :~$ cp game.exe /usr/bin
10821678 smith execute /bin/cp , 0, cpu =0002
10821679 smith read /home/smith/game.exe , 0, records =0
10821679 smith write /usr/bin/game.exe , write -violation , records =0
Grupo deIngeniería deComputadores
13
Host-Based Intrusion DetectionMetric/Model Combination Examples
Login Frequency by day and time (event counter,mean/std. deviation model)Location Frequency (event counter, mean/std. deviationmodel)Output Volume (resource measure, mean/std. deviationmodel)Password Fails (event counter, operational model)Execution Frequency (event counter, mean/std. deviationmodel)Execution Denied (event counter, operational model)Record Access (event counter, mean/std. deviation model)
Grupo deIngeniería deComputadores
14
![Page 14: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/14.jpg)
Host-Based Intrusion DetectionAudit Records
Native audit recordsPart of all common multi-user O/S.Already available for use.May not have the required info in desired form.
Detection-specific audit records.Created specifically to collect required info.At cost of additional overhead on the system.Time-stamp, subject, action, object, exception-conditions,resource-usage
smith@localhost :~$ cp game.exe /usr/bin
10821678 smith execute /bin/cp , 0, cpu =0002
10821679 smith read /home/smith/game.exe , 0, records =0
10821679 smith write /usr/bin/game.exe , write -violation , records =0
Grupo deIngeniería deComputadores
13
Host-Based Intrusion DetectionMetric/Model Combination Examples
Login Frequency by day and time (event counter,mean/std. deviation model)Location Frequency (event counter, mean/std. deviationmodel)Output Volume (resource measure, mean/std. deviationmodel)Password Fails (event counter, operational model)Execution Frequency (event counter, mean/std. deviationmodel)Execution Denied (event counter, operational model)Record Access (event counter, mean/std. deviation model)
Grupo deIngeniería deComputadores
14
![Page 15: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/15.jpg)
Distributed Host-Based IntrusionDetection
Traditional IDS focus is on single systems.Can’t information from several systems be combined?Not so easy:
Deal with varying audit record formats.Maintain integrity and confidentiality of networked data.Centralized or decentralized architecture?
Win Lin Sun Win
Internet
Lin Win Win Win
Mgr.
Grupo deIngeniería deComputadores
15
Network-Based IDS (NIDS)Monitor traffic at selected points on a network.May examine network, transport and/or application levelprotocol activity directed toward systems.Comprises a number of sensors (distributed):
Inline sensors: possibly as part of net devices.Switch with NIC in promiscuous mode.Slow NIDS might act as bottle neck.
Passive sensors: monitors copy of traffic.Wire/Optical Fiber taps.
Inline
Network
Passive
Grupo deIngeniería deComputadores
16
![Page 16: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/16.jpg)
Distributed Host-Based IntrusionDetection
Traditional IDS focus is on single systems.Can’t information from several systems be combined?Not so easy:
Deal with varying audit record formats.Maintain integrity and confidentiality of networked data.Centralized or decentralized architecture?
Win Lin Sun Win
Internet
Lin Win Win Win
Mgr.
Grupo deIngeniería deComputadores
15
Network-Based IDS (NIDS)Monitor traffic at selected points on a network.May examine network, transport and/or application levelprotocol activity directed toward systems.Comprises a number of sensors (distributed):
Inline sensors: possibly as part of net devices.Switch with NIC in promiscuous mode.Slow NIDS might act as bottle neck.
Passive sensors: monitors copy of traffic.Wire/Optical Fiber taps.
Inline
Network
Passive
Grupo deIngeniería deComputadores
16
![Page 17: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/17.jpg)
NIDS Sensor Deployment
Internet
fw
WWW
DNS
Router
fw
fw
WWWDB
1 2
3
4
1: Threats from outside. Highlight firewall problems. Checkoutgoing traffic.2: Measure attack pressure. Types and numbers. Highworkload.3: Protect internal services (Intranet). Spot insider threats.4: Dept. granularity. Protect critical systems. Restrictresource use.Grupo deIngeniería deComputadores
17
Intrusion Detection Techniques
Statistical anomaly detection:Denial of service attacks (flood or app.), scanning(fast/slow), worms (duplication activity)
Signature detection (Deep packet inspection):Application, Transport, Network layers. Unexpectedapplication services, unusual packets, policy violations.
When a potential violation is detected, a sensor sends analert and logs information
Used by analysis module to refine intrusion detectionparameters and algorithms.Used by security manager to improve protection.
Grupo deIngeniería deComputadores
18
![Page 18: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/18.jpg)
NIDS Sensor Deployment
Internet
fw
WWW
DNS
Router
fw
fw
WWWDB
1 2
3
4
1: Threats from outside. Highlight firewall problems. Checkoutgoing traffic.2: Measure attack pressure. Types and numbers. Highworkload.3: Protect internal services (Intranet). Spot insider threats.4: Dept. granularity. Protect critical systems. Restrictresource use.Grupo deIngeniería deComputadores
17
Intrusion Detection Techniques
Statistical anomaly detection:Denial of service attacks (flood or app.), scanning(fast/slow), worms (duplication activity)
Signature detection (Deep packet inspection):Application, Transport, Network layers. Unexpectedapplication services, unusual packets, policy violations.
When a potential violation is detected, a sensor sends analert and logs information
Used by analysis module to refine intrusion detectionparameters and algorithms.Used by security manager to improve protection.
Grupo deIngeniería deComputadores
18
![Page 19: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/19.jpg)
Distributed Adaptive Intrusion DetectionPerimeter defense and intrusion detection
Organizational defenses: Firewalls, HIDS, NIDSEach has limited data to analyze. Low-rate attacks arebelow thresholds.Difficult to recognize new attacks. Difficult to keep allprotections updated.Loose organization boundaries: Wifi, laptops, mobilephones.
Combine all IDSs togetherMore sensors at broader areas. Gossip protocol cancorrelate more data. Achieve higher statistical accuracy inshorter time.
When unsure about an attack, false positive rate may be toohigh.Once an attack is collaboratively identified, (when see similaractivities in other network,) predict the attack is on the way,false positive rate becomes low.
Host-based IDS provides rich App info
Grupo deIngeniería deComputadores
19
Distributed Adaptive Intrusion DetectionDDI: Distributed detection and inferencePEP: Policy enforce point
Distributed detectionand inference
Platformpolicies
Figure 8.6 Overall Architecture of an Autonomic Enterprise Security System
Platformpolicies
Platformpolicies
Adaptive feedbackbased policies
Networkpolicies
PEPevents
PEP = policy enforcement pointDDI = distributed detection and inference
DDIevents
Summaryevents
Platformevents
Platformevents
Collaborativepolicies
gossip
Grupo deIngeniería deComputadores
20
![Page 20: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/20.jpg)
Distributed Adaptive Intrusion DetectionPerimeter defense and intrusion detection
Organizational defenses: Firewalls, HIDS, NIDSEach has limited data to analyze. Low-rate attacks arebelow thresholds.Difficult to recognize new attacks. Difficult to keep allprotections updated.Loose organization boundaries: Wifi, laptops, mobilephones.
Combine all IDSs togetherMore sensors at broader areas. Gossip protocol cancorrelate more data. Achieve higher statistical accuracy inshorter time.
When unsure about an attack, false positive rate may be toohigh.Once an attack is collaboratively identified, (when see similaractivities in other network,) predict the attack is on the way,false positive rate becomes low.
Host-based IDS provides rich App info
Grupo deIngeniería deComputadores
19
Distributed Adaptive Intrusion DetectionDDI: Distributed detection and inferencePEP: Policy enforce point
Distributed detectionand inference
Platformpolicies
Figure 8.6 Overall Architecture of an Autonomic Enterprise Security System
Platformpolicies
Platformpolicies
Adaptive feedbackbased policies
Networkpolicies
PEPevents
PEP = policy enforcement pointDDI = distributed detection and inference
DDIevents
Summaryevents
Platformevents
Platformevents
Collaborativepolicies
gossip
Grupo deIngeniería deComputadores
20
![Page 21: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/21.jpg)
Honeypots
They are decoy systems:Filled with fabricated information.Instrumented with monitors or event-loggers.Divert and hold attacker to collect activity info.Do not expose production systems.
Initially were single-PC systems.More recently are/emulate entire networks.Virtual Machines (VMs) makes this easier.
Grupo deIngeniería deComputadores
21
Honeypot Deployment
Internet
fw
Mail WWW DNS
Router
fw
fw
WWWDB
Honeypot
Honeypot
Honeypot Honeypot
1: Outside external firewall. Diverts attackers but missesinsiders.2: Near externally available services. Need to open firewallto fake services.3: Attracts internal attacks. Feedback for firewall.Dangerous if compromised.Grupo deIngeniería deComputadores
22
![Page 22: Garantía y Seguridad en Sistemas y Redes. Tema 9 ... · Host-Based Intrusion Detection Metric/Model Combination Examples Login Frequency by day and time (event counter, mean/std.](https://reader034.fdocument.pub/reader034/viewer/2022042112/5e8e40099421c9008740a049/html5/thumbnails/22.jpg)
Honeypots
They are decoy systems:Filled with fabricated information.Instrumented with monitors or event-loggers.Divert and hold attacker to collect activity info.Do not expose production systems.
Initially were single-PC systems.More recently are/emulate entire networks.Virtual Machines (VMs) makes this easier.
Grupo deIngeniería deComputadores
21
Honeypot Deployment
Internet
fw
Mail WWW DNS
Router
fw
fw
WWWDB
Honeypot
Honeypot
Honeypot Honeypot
1: Outside external firewall. Diverts attackers but missesinsiders.2: Near externally available services. Need to open firewallto fake services.3: Attracts internal attacks. Feedback for firewall.Dangerous if compromised.Grupo deIngeniería deComputadores
22