Hayatle, Osama, Youssef, Amr M. and Otrok, Hadi (2012) Dempster-Shafer Evidence Combining for (Anti)-Honeypot Technologies. Information Security Journal: A Global Perspective, 21 (6). pp. 306-316. ISSN 1939-3555
Text (application/pdf), 186kB: amr2012.pdf - Accepted Version
Official URL: http://dx.doi.org/10.1080/19393555.2012.738375
Abstract
Honeypots are network surveillance architectures designed to resemble easy-to-compromise computer systems. They are deployed to trap hackers in order to help security professionals capture, control, and analyze malicious Internet attacks and other activities of hackers. A botnet is an army of compromised computers controlled by a bot herder and used for illicit financial gain. Botnets have become quite popular in recent Internet attacks. Since honeypots have been deployed in many defense systems, attackers constructing and maintaining botnets are forced to find ways to avoid honeypot traps. In fact, some researchers have even suggested equipping normal machines with misleading evidence so that they appear as honeypots in order to scare away rational attackers. In this paper, we address some aspects related to the problem of honeypot detection by botmasters. In particular, we show that current honeypot architectures and operation limitations may allow attackers to systematically collect, combine, and analyze evidence about the true nature of the machines they compromise. Specifically, we show how a systematic technique for evidence combining such as Dempster-Shafer theory can allow botmasters to determine the true nature of compromised machines with a relatively high certainty. The obtained results demonstrate inherent limitations of current honeypot designs. We also aim to draw the attention of security professionals to work on enhancing the discussed features of honeypots in order to prevent them from being abused by botmasters.
| Field | Value |
|---|---|
| Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
| Item Type: | Article |
| Refereed: | Yes |
| Authors: | Hayatle, Osama and Youssef, Amr M. and Otrok, Hadi |
| Journal or Publication: | Information Security Journal: A Global Perspective |
| Date: | 2012 |
| Digital Object Identifier (DOI): | 10.1080/19393555.2012.738375 |
| Keywords: | honeypots, anti-honeypot technology, botnets, dempster-shafer theory |
| ID Code: | 976803 |
| Deposited By: | Danielle Dennie |
| Deposited On: | 28 Jan 2013 13:36 |
| Last Modified: | 18 Jan 2018 17:43 |