nicter: An Incident Analysis System Toward Binding Network Monitoring with Malware Analysis
Authors: D. Inoue, M. Eto, K. Yoshioka, S. Baba, K. Suzuki, J. Nakazato, K. Ohtaka, K. Nakao
DOI: https://doi.org/10.1109/WISTDCS.2008.14
Published in: 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, 2008-04-21
Abstract: We have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter), whose present focus is on detecting and identifying propagating malware such as worms, viruses, and bots. The nicter presently monitors a darknet, a set of unused IP addresses, to observe macroscopic trends in network threats. Meanwhile, it keeps capturing and analyzing malware executables found in the wild for microscopic analysis. Finally, the macroscopic and microscopic analysis results are correlated in order to identify the root cause of the detected network threats. This paper gives a brief overview of the nicter and its possible contributions to the worldwide observatory of malicious behavior and attack tools (WOMBAT).
Cooperation of Intelligent Honeypots to Detect Unknown Malicious Codes
Authors: Jungsuk Song, H. Takakura, Y. Okabe
DOI: https://doi.org/10.1109/WISTDCS.2008.10
Published in: 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, 2008-04-21
Abstract: Honeypots are among the most popular tools for luring attackers into a network and capturing detailed information about their activity. By tracing and analyzing the collected traffic data, we can find unknown malicious code while it is still at an experimental stage, before it becomes hazardous to an application. Although many honeypots have been proposed, they share a common problem: attackers can detect them easily. This is decisive for the success or failure of a honeypot, because once an attacker notices that he/she is working on a honeypot, we can no longer observe his/her malicious activities. In this paper, we propose two types of honeypot that collect unforeseen exploit code automatically while maintaining their concealment from malicious attackers: a cooperation-based active honeypot and a self-protecting honeypot. We have evaluated the proposed honeypots deployed at Kyoto University and show that they are capable of collecting previously unknown malicious code.
The Leurre.com Project: Collecting Internet Threats Information Using a Worldwide Distributed Honeynet
Authors: Corrado Leita, V. Pham, Olivier Thonnard, E. S. Ramírez, F. Pouget, E. Kirda, M. Dacier
DOI: https://doi.org/10.1109/WISTDCS.2008.8
Published in: 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, 2008-04-21
Abstract: This paper presents in some depth the Leurre.com project and its data collection infrastructure. Launched in 2003 by the Institut Eurecom, the project is based on a worldwide distributed system of honeypots running in more than 30 different countries. Its main objective is to obtain a more realistic picture of certain classes of threats occurring on the Internet by collecting unbiased quantitative data over the long term. In the first phase of the project, the data collection infrastructure relied solely on low-interaction sensors based on Honeyd to collect unsolicited traffic on the Internet. Recently, a second phase was started with the deployment of medium-interaction honeypots based on the ScriptGen technology, in order to enrich the network conversations with the attackers. All network traces captured on the platforms are automatically uploaded into a centralized database accessible to the partners via a convenient interface. The collected traffic is also enriched with a set of contextual information (e.g. geographical localization and reverse DNS lookups). This paper presents this complex data collection infrastructure and offers some insight into the structure of the central data repository. The data access interface has been developed to facilitate the analysis of today's Internet threats, for example by means of data mining tools. Some concrete examples are presented to illustrate the richness and the power of this data access interface. By doing so, we hope to encourage other researchers to share their knowledge and data sets with us, to complement or enhance our ongoing analysis efforts, with the ultimate goal of better understanding Internet threats.
Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers
Authors: T. Holt, M. Kilger
DOI: https://doi.org/10.1109/WISTDCS.2008.9
Published in: 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, 2008-04-21
Abstract: The frequency and sophistication of computer attacks have increased in the last decade, as have reports of the involvement of organized crime and state-sponsored groups in hacking attacks. Information security research has improved our understanding of the attack methods used to compromise systems, but there is also a need to consider the attitudes, ethics, and social behaviors of computer attackers. Such information can improve our knowledge of the sources of attacks and increase our capability to profile the individuals responsible for them. This study explores the attitudinal and behavioral differences within the hacker community using two samples of respondents, collected from hacker conferences and from a university information security course. A new framework for considering computer attackers is also proposed to reflect changes in the general dynamics of hacking and technology.
The Honeynet Project: Data Collection Tools, Infrastructure, Archives and Analysis
Authors: David Watson, Jamie Riden
DOI: https://doi.org/10.1109/WISTDCS.2008.11
Published in: 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, 2008-04-21
Abstract: We briefly introduce the Honeynet Project, describe the honeynet data collection tools and techniques currently in use by its members, review the types of data collected and the research published, and present some current and proposed infrastructures for capturing and sharing honeypot-derived network attack data.
Honey@home: A New Approach to Large-Scale Threat Monitoring
Authors: S. Antonatos, M. Athanatos, G. Kondaxis, J. Velegrakis, N. Hatzibodozis, S. Ioannidis, E. Markatos
DOI: https://doi.org/10.1145/1314389.1314398
Published in: 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, publication date 2007-11-02
Abstract: Honeypots have proven very useful for accurately detecting attacks, including zero-day threats, at a reasonable cost and with zero false positives. However, there are two pressing problems with existing approaches. The first is that timely detection requires deploying honeypots across a large fraction of the network address space, which many organizations or ISPs cannot afford. The second is that attackers are evolving, and it has been shown that it is not difficult for them to identify honeypots and build blacklists to avoid them when launching a new attack. In response to these problems, we propose a new architecture that enables large-scale deployment at low cost while making it harder for attackers to maintain accurate blacklists. The Honey@home architecture relies on communities of regular users installing a lightweight honeypot that monitors unused IP addresses and ports. Since it does not require the static allocation of valuable chunks of network address space, and considering the success of other community-based approaches such as seti@home and folding@home, our approach is well suited to creating a large-scale honeypot infrastructure at low cost. Because participation in the system is dynamic as users come and go, it becomes harder for attackers to maintain accurate blacklists. In this paper we discuss the current design of the Honey@home architecture and a preliminary implementation, and describe the design issues we faced, especially with respect to infrastructure robustness, the challenges we have to deal with, and the effectiveness of our approach.