
DASC
2006
IEEE

On Recognizing Virtual Honeypots and Countermeasures

Honeypots are decoys designed to trap, delay, and gather information about attackers. We can use honeypot logs to analyze attackers’ behaviors and design new defenses. A virtual honeypot can emulate multiple honeypots on one physical machine and provide great flexibility in representing one or more networks of machines. But when attackers recognize a honeypot, it becomes useless. In this paper, we address issues related to detecting and “camouflaging” virtual honeypots, in particular Honeyd, which can emulate any size of network on physical machines. We find that an attacker may remotely fingerprint Honeyd by measuring the latency of the network links emulated by Honeyd. We analyze the threat from this fingerprint attack based on the Neyman-Pearson decision theory and find that this class of attack can achieve a high detection rate and low false alarm rate. In order to counter this fingerprint attack, we make virtual honeypots behave like their surrounding networks and...
Added 10 Jun 2010
Updated 10 Jun 2010
Type Conference
Year 2006
Where DASC
Authors Xinwen Fu, Wei Yu, Dan Cheng, Xuejun Tan, Kevin Streff, Steve Graham