Honeypots

The Experts below are selected from a list of 6693 Experts worldwide ranked by ideXlab platform

Xuxian Jiang - One of the best experts on this subject based on the ideXlab platform.

  • Out-of-the-Box Monitoring of VM-Based High-Interaction Honeypots
    Recent Advances in Intrusion Detection, 2007
    Co-Authors: Xuxian Jiang, Xinyuan Wang
    Abstract:

    Honeypot has been an invaluable tool for the detection and analysis of network-based attacks by either human intruders or automated malware in the wild. The insights obtained by deploying Honeypots, especially high-interaction ones, largely rely on the monitoring capability on the Honeypots. In practice, based on the location of sensors, Honeypots can be monitored either internally or externally. Being deployed inside the monitored Honeypots, internal sensors are able to provide a semantic-rich view on various aspects of system dynamics (e.g., system calls). However, their very internal existence makes them visible, tangible, and even subvertible to attackers after break-ins. From another perspective, existing external honeypot sensors (e.g., network sniffers) could be made invisible to the monitored honeypot. However, they are not able to capture any internal system events such as system calls executed. It is desirable to have a honeypot monitoring system that is invisible, tamper-resistant and yet is capable of recording and understanding the honeypot's system internal events such as system calls. In this paper, we present a virtualization-based system called VMscope which allows us to view the system internal events of virtual machine (VM)-based Honeypots from outside the Honeypots. Particularly, by observing and interpreting VM-internal system call events at the virtual machine monitor (VMM) layer, VMscope is able to provide the same deep inspection capability as that of traditional inside-the-honeypot monitoring tools (e.g., Sebek) while still obtaining similar tamper-resistance and invisibility as other external monitoring tools. We have built a proof-of-concept prototype by leveraging and extending one key virtualization technique called binary translation. Our experiments with real-world Honeypots show that VMscope is robust against advanced countermeasures that can defeat existing internally-deployed honeypot monitors, and it only incurs moderate run-time overhead.

  • Collapsar: A VM-Based Honeyfarm and Reverse Honeyfarm Architecture for Network Attack Capture and Detention
    Journal of Parallel and Distributed Computing, 2006
    Co-Authors: Xuxian Jiang, Yimin Wang
    Abstract:

    The honeypot has emerged as an effective tool to provide insights into new attacks and exploitation trends. However, a single honeypot or multiple independently operated Honeypots only provide limited local views of network attacks. Coordinated deployment of Honeypots in different network domains not only provides broader views, but also creates opportunities of early network anomaly detection, attack correlation, and global network status inference. Unfortunately, coordinated honeypot operation requires close collaboration and uniform security expertise across participating network domains. The conflict between distributed presence and uniform management poses a major challenge in honeypot deployment and operation. To address this challenge, we present Collapsar, a virtual machine-based architecture for network attack capture and detention. A Collapsar center hosts and manages a large number of high-interaction virtual Honeypots in a local dedicated network. To attackers, these Honeypots appear as real systems in their respective production networks. Decentralized logical presence of Honeypots provides a wide diverse view of network attacks, while the centralized operation enables dedicated administration and convenient event correlation, eliminating the need for honeypot expertise in every production network domain. Collapsar realizes the traditional honeyfarm vision as well as our new reverse honeyfarm vision, where Honeypots act as vulnerable clients exploited by real-world malicious servers. We present the design, implementation, and evaluation of a Collapsar prototype. Our experiments with a number of real-world attacks demonstrate the effectiveness and practicality of Collapsar.

  • Collapsar: A VM-Based Architecture for Network Attack Detention Center
    USENIX Security Symposium, 2004
    Co-Authors: Xuxian Jiang, Dongyan Xu
    Abstract:

    The honeypot has emerged as an effective tool to provide insights into new attacks and current exploitation trends. Though effective, a single honeypot or multiple independently operated Honeypots only provide a limited local view of network attacks. Deploying and managing a large number of coordinating Honeypots in different network domains will not only provide a broader and more diverse view, but also create potentials in global network status inference, early network anomaly detection, and attack correlation in large scale. However, coordinated honeypot deployment and operation require close and consistent collaboration across participating network domains, in order to mitigate potential security risks associated with each honeypot and the non-uniform level of security expertise in different network domains. It is challenging, yet desirable, to provide the two conflicting features of decentralized presence and uniform management in honeypot deployment and operation. To address these challenges, this paper presents Collapsar, a virtual-machine-based architecture for network attack detention. A Collapsar center hosts and manages a large number of high-interaction virtual Honeypots in a local dedicated network. These Honeypots appear, to potential intruders, as typical systems in their respective production networks. Decentralized logical presence of Honeypots provides a wide diverse view of network attacks, while the centralized operation enables dedicated administration and convenient event correlation, eliminating the need for honeypot experts in each production network domain. We present the design, implementation, and evaluation of a Collapsar testbed. Our experiments with several real-world attack incidences demonstrate the effectiveness and practicality of Collapsar.

Jonathan Rouzaud-cornabas - One of the best experts on this subject based on the ideXlab platform.

  • SECRYPT - HoneyCloud: elastic Honeypots - On-attack provisioning of high-interaction Honeypots
    2012
    Co-Authors: Patrice Clemente, Jean-françois Lalande, Jonathan Rouzaud-cornabas
    Abstract:

    This paper presents HoneyCloud: a large-scale high-interaction Honeypots architecture based on a cloud infrastructure. The paper shows how to set up and deploy on-demand virtualized honeypot hosts on a private cloud. Each attacker is elastically assigned to a new virtual honeypot instance. HoneyCloud offers high scalability. With a small number of public IP addresses, HoneyCloud can multiplex thousands of attackers. The attacker can perform malicious activities on the honeypot and launch new attacks from the compromised host. The HoneyCloud architecture is designed to collect operating system logs about attacks, from various IDS, tools and sensors. Each virtual honeypot instance includes network and especially system sensors that gather more useful information than traditional network oriented Honeypots. The paper shows how the activities of attackers are collected into the cloud storage mechanism for further forensics. HoneyCloud also addresses efficient attacker's session storage, long term session management, isolation between attackers and fidelity of hosts.

Gérard Wagener - One of the best experts on this subject based on the ideXlab platform.

  • Heliza: talking dirty to the attackers
    Journal in Computer Virology, 2011
    Co-Authors: Gérard Wagener, Alexandre Dulaunoy, Radu State, Thomas Engel
    Abstract:

    In this article we describe a new paradigm for adaptive Honeypots that are capable of learning from their interaction with attackers. The main objective of such Honeypots is to get as much information as possible about the profile of an intruder, while decoying their true nature and goals. We have leveraged machine learning techniques for this task and have developed a honeypot that uses a variant of reinforcement learning in order to learn the best behavior when facing attackers. The honeypot is capable of adopting behavioral strategies that vary from blocking commands, returning erroneous messages right up to insults that aim to irritate the intruder and serve as reverse Turing Test. Our preliminary experimental results show that behavioral strategies are dependent on contextual parameters and can serve as advanced building blocks for intelligent Honeypots.

  • Self-Adaptive Honeypots Coercing and Assessing Attacker Behaviour
    2011
    Co-Authors: Gérard Wagener
    Abstract:

    Information security communities are always talking about "attackers" or "blackhats", but in reality very little is known about their skills. The idea of studying attacker behaviors was pioneered in the early nineties. In the last decade the number of attacks has increased exponentially and Honeypots were introduced in order to gather information about attackers and to develop early-warning systems. Honeypots come in different flavors with respect to their interaction potential. A honeypot can be very restrictive, but this implies only a few interactions. However, if a honeypot is very tolerant, attackers can quickly achieve their goal. Choosing the best trade-off between attacker freedom and honeypot restrictions is challenging. In this dissertation, we address the issue of self-adaptive Honeypots that can change their behavior and lure attackers into revealing as much information as possible about themselves. Rather than being allowed simply to carry out attacks, attackers are challenged by strategic interference from adaptive Honeypots. The observation of the attackers' reactions is particularly interesting and, using derived measurable criteria, the attacker's skills and capabilities can be assessed by the honeypot operator. Attackers enter sequences of inputs on a compromised system which is generic enough to characterize most attacker behaviors. Based on these principles, we formally model the interactions of attackers with a compromised system. The key idea is to leverage game-theoretic concepts to define the configuration and reciprocal actions of high-interaction Honeypots. We have also leveraged machine learning techniques for this task and have developed a honeypot that uses a variant of reinforcement learning in order to arrive at the best behavior when facing attackers. The honeypot is capable of adopting behavioral strategies that vary from blocking commands or returning erroneous messages, right up to insults that aim to irritate the intruder and serve as a reverse Turing Test distinguishing human attackers from machines. Our experimental results show that behavioral strategies are dependent on contextual parameters and can serve as advanced building blocks for intelligent Honeypots. The knowledge obtained can be used either by the adaptive Honeypots themselves or to reconfigure low-interaction Honeypots.

  • Paradigme de pot de miel adaptatif permettant d'étudier et d'évaluer le comportement et compétences des pirates informatiques
    2011
    Co-Authors: Gérard Wagener
    Abstract:

    Information security communities are always talking about "attackers" but in reality very little is known about their skills. In the last decade the number of attacks has increased exponentially and Honeypots were introduced in order to gather information about attackers. Honeypots come in different flavors with respect to their interaction potential. Choosing the best trade-off between attacker freedom and honeypot restrictions is challenging. In this dissertation, we address the issue of self-adaptive Honeypots that can change their behavior and lure attackers into revealing as much information as possible about themselves. Rather than being allowed simply to carry out attacks, attackers are challenged by strategic interference from adaptive Honeypots. The observation of the attackers' reactions is particularly interesting and, using derived measurable criteria, the attacker's skills and capabilities can be assessed by the honeypot operator. We formally model the interactions of attackers with a compromised system. The key idea is to leverage game-theoretic concepts to define the configuration and reciprocal actions of high-interaction Honeypots. We have also leveraged reinforcement learning machine learning in order to arrive at the best behavior when facing attackers. Our experimental results show that behavioral strategies are dependent on contextual parameters and can serve as advanced building blocks for intelligent Honeypots.

  • Adaptive and self-configurable Honeypots
    Proceedings of the 12th IFIP IEEE International Symposium on Integrated Network Management IM 2011, 2011
    Co-Authors: Gérard Wagener, Radu State, Thomas Engel, Alexandre Dulaunoy
    Abstract:

    Honeypot evangelists propagate the message that Honeypots are particularly useful for learning from attackers. However, by looking at current Honeypots, most of them are statically configured and managed, which requires a priori knowledge about attackers. In this paper we propose a high-interaction honeypot capable of learning from attackers and capable of dynamically changing its behavior using a variant of reinforcement learning. It can strategically block the execution of programs, lure the attacker by substituting programs and insult attackers with the intent of revealing the attacker's nature and ethnic background. We also investigated the fact that attackers could learn to defeat the honeypot and discovered that attacker and honeypot interests sometimes diverge.

  • Self adaptive high interaction Honeypots driven by game theory
    Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2009
    Co-Authors: Gérard Wagener, Alexandre Dulaunoy, Radu State, Thomas Engel
    Abstract:

    High-interaction Honeypots are relevant to provide rich and useful information obtained from attackers. Honeypots come in different flavors with respect to their interaction potential. A honeypot can be very restrictive, but then only a few interactions can be observed. If a honeypot is very tolerant though, attackers can quickly achieve their goal. Having the best trade-off between attacker freedom and honeypot restrictions is challenging. In this paper, we address the issue of self adaptive Honeypots, that can change their behavior and lure attackers into revealing as much information as possible about themselves. The key idea is to leverage game-theoretic concepts for the configuration and reciprocal actions of high-interaction Honeypots.

Leyi Shi - One of the best experts on this subject based on the ideXlab platform.

  • A Game-Theoretic Analysis for Distributed Honeypots
    Future Internet, 2019
    Co-Authors: Leyi Shi, Haijie Feng
    Abstract:

    A honeypot is a decoy tool for luring an attacker and interacting with it, further consuming its resources. Due to its fake property, a honeypot can be recognized by the adversary and loses its value. Honeypots equipped with dynamic characteristics are capable of deceiving intruders. However, most of their dynamic properties are reflected in the system configuration, rather than the location. Dynamic Honeypots are faced with the risk of being identified and avoided. In this paper, we focus on the dynamic locations of Honeypots and propose a distributed honeypot scheme. By periodically changing the services, the attacker cannot distinguish the real services from Honeypots, and the illegal attack flow can be recognized. We adopt game theory to illustrate the effectiveness of our system. Gambit simulations are conducted to validate our proposed scheme. The game-theoretic reasoning shows that our system comprises an innovative system defense. Further simulation results prove that the proposed scheme improves the server’s payoff and that the attacker tends to abandon launching attacks. Therefore, the proposed distributed honeypot scheme is effective for network security.

  • Dynamic Distributed Honeypot Based on Blockchain
    IEEE Access, 2019
    Co-Authors: Leyi Shi, Liu Tianxu, Liu Jia, Shan Baoying, Honglong Chen
    Abstract:

    Honeypot technology can be applied to efficiently attract attackers and exhaust their resources. However, the traditional static honeypot is easy to be recognized by anti-honeypot technology. By contrast, most of the dynamic Honeypots can simulate the real system in time, thus interacting with an intruder in disguise. In this paper, we employ the dynamic property of honeypot in four kinds of services of our system. However, this dynamic property shows up in a location and identification, indicating that genuine or fake services (Honeypots) are changeable in different hosts. Thus, the dynamic property of our system differs from the dynamic honeypot aforementioned. Besides, we adopt the blockchain platform (Ethereum) to decentralize our system and store the port access data by delivering a private chain. To illustrate the effectiveness of our scheme in theory and practice, security analysis, eavesdropping attack, scanning attack, and DoS attack experiments are conducted. The results show that our scheme is valid in safeguarding against network attack.

Farouk Samu - One of the best experts on this subject based on the ideXlab platform.

  • RIIT - In Search of Effective Honeypot and Honeynet Systems for Real-Time Intrusion Detection and Prevention
    Proceedings of the 5th Annual Conference on Research in Information Technology - RIIT '16, 2016
    Co-Authors: Amos O. Olagunju, Farouk Samu
    Abstract:

    A honeypot is a deception tool for enticing attackers to make efforts to compromise the electronic information systems of an organization. A honeypot can serve as an advanced security surveillance tool for use in minimizing the risks of attacks on information technology systems and networks. Honeypots are useful for providing valuable insights into potential system security loopholes. The current research investigated the effectiveness of the use of centralized system management technologies called Puppet and Virtual Machines in the implementation of automated Honeypots for intrusion detection, correction and prevention. A centralized logging system was used to collect information of the source address, country and timestamp of intrusions by attackers. The unique contributions of this research include: a demonstration of how open source technologies are used to dynamically add or modify hacking incidences in a high-interaction honeynet system; a presentation of strategies for making Honeypots more attractive for hackers to spend more time to provide hacking evidences; and an exhibition of algorithms for system and network intrusion prevention.