Countermeasure For Detection of Honeypot Deployment
Three deception programs, honeyd [20], honeytrap [21], and Linux with Sebek [14], are deployed as deception servers.
[Figure: flowchart with the labels Receive from External Interface; Appear in Blacklist? (Yes / No); Target Masquerade; Source Masquerade; TTL Masquerade; Layer Forwarding; Send out via External Interface]

To validate the feasibility of honeyanole, several tests were conducted in three test environments (direct, bait & switch, and honeyanole), as shown in Figure 4. An Apache web server was employed as the production server, and the Microsoft Web Application Stress Tool was adopted to generate HTTP connections from the traffic generator.
REFERENCES

[1] F. Raynal, Y. Berthier, P. Biondi, and D. Kaminsky, "Honeypot Forensics, Part I: Analyzing the Network", IEEE Security & Privacy, vol. 2, pp. 72-78, Jul-Aug 2004.
[2] F. R. Raynal, Y. Berthier, P. Biondi, and D. Kaminsky, "Honeypot Forensics, Part II: Analyzing the Compromised Host", IEEE Security & Privacy, vol. 2, pp. 77-80, Sep-Oct 2004.
[3] A. Chuvakin, "Honeynets: High Value Security Data", in Network Security. vol. 2003, 2003, pp. 11-15.
[4] R. McGrew, "Experiences with Honeypot Systems: Development, Deployment, and Analysis", in HICSS '06. Proceedings of the 39th Annual Hawaii International Conference on 2006, pp. 220a-220a.
[5] DFN-CERT, "European Network of Affined Honeypots - Survey on the state-of-the-Art", Report Number: D0.1, 2005.
[6] R. Tber, "A Practical Comparison of Low and High Interactivity Honeypots", in Information Security Institute. vol. Master Australia Queensland University of Technology, 2005, p. 51.
[7] H. Artaila, H. Safab, M. Sraja, I. Kuwatlya, and Z. Al-Masria, "A Hybrid Honeypot Framework for Improving Intrusion Detection Systems in Protecting Organizational Networks", Computers & Security, vol. 25, pp. 274-288, 2006.
[8] N. Krawetz, "Anti-honeypot Technology", in IEEE Security & Privacy. vol. 2, 2004, pp. 76-79.
[9] S. Mukkamala, K. Yendrapalli, R. Basnet, M. K. Shankarapani, and A. H. Sung, "Detection of Virtual Environments and Low Interaction Honeypots", 2007, pp. 92-98.
[10] P. Defibaugh-Chavez, R. Veeraghattam, M. Kannappa, S. Mukkamala, and A. H. Sung, "Network Based Detection of Virtual Environments and Low Interaction Honeypots", in Proceedings of the 2006 IEEE SMC, Workshop on Information Assurance, 2006, pp. 283-289.
[11] F. Xinwen, Y. Wei, D. Cheng, T. Xuejun, K. Streff, and S. Graham, "On Recognizing Virtual Honeypots and Countermeasures", 2006, pp. 211-218.
[12] T. Holz and F. Raynal, "Detecting Honeypots and Other Suspicious Environments", 2005, pp. 29-36.
[13] N. C. Rowe, "Measuring the Effectiveness of Honeypot Counter-Counterdeception", in HICSS '06. Proceedings of the 39th Annual Hawaii International Conference on 2006, pp. 129c-129c.
[14] M. A. Davis, "Sebek", 3.0.4 ed New York, USA: The Honeynet project, 2003.
[15] M. Dornseif, T. Holz, and C. N. Klein, "NoSEBrEaK - Attacking Honeynets", 2004, pp. 123-129.
[16] L. Carter, "Setting Up a Honeypot Using a Bait and Switch Router": SANS' Information Security Reading Room, 2004.
[17] Y. Geng, R. Chun-ming, and P. Lei, "A Novel Approach for Redirecting Module in Honeypot Systems", The Journal of China Universities of Posts and Telecommunications, vol. 12, 2005.
[18] P. Russell, "iptables", netfilter, http://www.netfilter.org/, 2007.
[19] M. Roesch, "Snort", Snort Sourcefire, 2007.
[20] R. Chandran and S. Pakala, "Simulating Networks with Honeyd", 2003.
[21] Honeytrap: http://honeytrap.mwcollect.org/, 2007.