HONEYD DETECTION VIA ABNORMAL BEHAVIORS GENERATED BY THE ARPD DAEMON
A. Boulaiche, K. Adi
2008
Abstract
In this paper we describe some serious flaws in Honeyd, one of the most popular honeypot software packages. These flaws allow an attacker to easily identify the presence and the scope of a deployed honeypot. We describe in detail both the flaws and how they can be used to attack the honeypot. Furthermore, we elaborate a set of possible solutions to fix each of these flaws. Our technique is mainly based on the detection of abnormal behaviors of the honeypot.
Paper Citation
in Harvard Style
Boulaiche A. and Adi K. (2008). HONEYD DETECTION VIA ABNORMAL BEHAVIORS GENERATED BY THE ARPD DAEMON. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 65-71. DOI: 10.5220/0001927200650071
in Bibtex Style
@conference{secrypt08,
author={A. Boulaiche and K. Adi},
title={HONEYD DETECTION VIA ABNORMAL BEHAVIORS GENERATED BY THE ARPD DAEMON},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={65-71},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001927200650071},
isbn={978-989-8111-59-3},
}
in EndNote Style
TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - HONEYD DETECTION VIA ABNORMAL BEHAVIORS GENERATED BY THE ARPD DAEMON
SN - 978-989-8111-59-3
AU - Boulaiche A.
AU - Adi K.
PY - 2008
SP - 65
EP - 71
DO - 10.5220/0001927200650071