Deceiving Attackers using Record and Play based Honeypots
Papalitsas, Jarko (2018-05-22)
This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
closed
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2018052324576
Abstract
Firewalls, intrusion detection systems and other security measures are used to control unwanted access to various IT systems. Usually these technologies are used to block, redirect or detect intruders. Honeypots, on the other hand, are mechanisms designed to attract intruders. On the implementation level they can be interesting-looking files or complete fake services created for the sole purpose of deceiving attackers. Their applications vary: they can be used as an alarm trigger for intrusion detection, an intrusion delaying mechanism or a research tool to monitor the progress of an intrusion safely.
Record and play honeypots differ from traditional honeypots in their creation method. Instead of creating a whole fake service from scratch, they are based on the idea of using the existing service in the background, either directly or by recording its normal traffic and then modifying the gathered traffic to contain fake information. In this thesis, existing honeypot designs are examined, background information on the necessary protocols is reviewed, multiple record and play designs are proposed, and two different proof-of-concept implementations based on those designs are developed and experimented with. Finally, a set of challenges that appeared during the thesis is assessed.
In its current form, the record and play system does produce a decent copy of a service in our test cases, but it requires a lot of manual work to detect fields containing possible entities. Failing to detect such a field causes the system to reveal the original, possibly confidential, piece of data by default. Compared with other fake service methods, the record and play system is not faster to deploy in its current state.
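As an added illustration (not code from the thesis), the following Python sketch replays one recorded service response with operator-detected fields swapped for fake values. It shows the failure mode the abstract describes, where an undetected field is played back verbatim, alongside an added strict mode that redacts unrecognised entity-like tokens instead. The recorded banner, secrets list, rules and the `play`/`leaked` helpers are all constructed for this example.

```python
import re

# Constructed sample (not from the thesis): one recorded SMTP greeting from a real service.
RECORDED = "220 mail.example.internal ESMTP Postfix 3.3.0 ready; contact ops@example.internal"

# Confidential values the operator knows are in the recording; used only to audit the replay.
SECRETS = ["mail.example.internal", "ops@example.internal", "3.3.0"]

# Hypothetical detection rules: a regex for each field the operator identified, plus the
# fake value to substitute. Note that no rule covers the software version string.
RULES = [
    (re.compile(r"[\w.+-]+@[\w.-]+"), "noreply@honey.test"),        # e-mail addresses
    (re.compile(r"\b[a-z0-9.-]+\.internal\b"), "mail.honey.test"),  # internal hostnames
]

# Broad "looks like an entity" pattern used by strict mode: anything containing '@',
# or dotted names/numbers (hostnames, versions, IP addresses).
CANDIDATE = re.compile(r"\S*@\S+|\b[\w-]+(?:\.[\w-]+)+\b")


def play(recorded: str, rules=RULES, strict: bool = False) -> str:
    """Replay a recorded response with detected fields swapped for fake data.

    Default mode mirrors the behaviour the abstract describes: a field no rule
    detects is played back verbatim. Strict mode (an added hardening, not part of
    the thesis design) redacts any remaining entity-like token instead of revealing it.
    """
    out = recorded
    for pattern, fake in rules:
        out = pattern.sub(fake, out)
    if strict:
        fakes = {fake for _, fake in rules}
        out = CANDIDATE.sub(lambda m: m.group(0) if m.group(0) in fakes else "<redacted>", out)
    return out


def leaked(played: str, secrets=SECRETS) -> list:
    """Audit a replayed response: return the known confidential values that survived."""
    return [s for s in secrets if s in played]


if __name__ == "__main__":
    default = play(RECORDED)
    print(default, leaked(default))    # the version 3.3.0 leaks through
    hardened = play(RECORDED, strict=True)
    print(hardened, leaked(hardened))  # nothing leaks
```

Running the audit against every replayed response before deployment is the cheap check that catches a field the manual detection step missed.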