http://dx.doi.org/10.5573/ieie.2014.51.11.127

A Study for Hybrid Honeypot Systems  

Lee, Moon-Goo (Div. of Smart IT, Dept. of Internet Information, Kimpo College)
Publication Information
Journal of the Institute of Electronics and Information Engineers, v.51, no.11, 2014, pp. 127-133
Abstract
Honeypot systems are deployed to protect information assets from malicious code. A honeypot is designed either to draw attacks away so that internal systems are not attacked, or to collect information about malicious code. Existing honeypots, however, are built for information collection: they actively induce attackers by standing up a disguised server or a disguised client and serving disguised content. A disguised server must have its hardware reinstalled on a one-year cycle because of the heavy disk input and output it generates. A disguised client has operational problems, such as the need for expert staff, because analysis of the collected information can only be partly automated. To address these operational problems and the hardware problem of earlier honeypots, this paper proposes a hybrid honeypot. The proposed hybrid honeypot consists of a honeywall, an analysis server, and an integrated console, and it processes attacks by classifying them into two types. Disguise (inducement) and false response (emulation) are both connected to a common switch area, so that a high-interaction server operates as type 1 and a low-interaction server operates as type 2; the hybrid honeypot thus runs a low-interaction honeypot and a high-interaction honeypot side by side. The analysis server converts each attack type into a hash value, separates the hashes with a correlation analysis algorithm, and sends the result to the honeywall. The integrated monitoring console provides continuous monitoring, so the system is expected not only to yield analysis of recent hacking methods and attack tools but also to support proactive security response.
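The analysis-server step described above (attack records reduced to hash values, correlated across the two honeypot types, and forwarded to the honeywall as rules) is sketched below as an added Python example; it is not code from the paper, and the event fields, the SHA-256 fingerprint, the correlation rule (same hash seen from two or more attacker addresses or by both honeypot types) and the sample events are all assumptions made for this illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample events (not from the paper). "type" follows the paper's
# split: 1 = high-interaction server, 2 = low-interaction (emulation) server.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "type": 2, "service": "http", "sig": "GET /wp-login.php"},
    {"src": "203.0.113.7", "type": 1, "service": "http", "sig": "GET /wp-login.php"},
    {"src": "198.51.100.3", "type": 2, "service": "ssh", "sig": "auth root"},
    {"src": "203.0.113.9", "type": 2, "service": "http", "sig": "GET /wp-login.php"},
]


def attack_hash(event):
    """Reduce an attack record to a fixed-size fingerprint.

    SHA-256 over the service and the observed signature is an assumption;
    the page does not state which hash the analysis server uses.
    """
    canonical = f"{event['service']}|{event['sig']}".encode()
    return hashlib.sha256(canonical).hexdigest()


def correlate(events, min_sources=2):
    """Bucket events by attack hash and keep the buckets that correlate.

    Assumed rule: a hash is correlated when it was seen from at least
    min_sources distinct attacker addresses, or by both honeypot types.
    """
    buckets = defaultdict(lambda: {"sources": set(), "types": set(), "count": 0})
    for ev in events:
        bucket = buckets[attack_hash(ev)]
        bucket["sources"].add(ev["src"])
        bucket["types"].add(ev["type"])
        bucket["count"] += 1
    return {h: b for h, b in buckets.items()
            if len(b["sources"]) >= min_sources or len(b["types"]) == 2}


def honeywall_rules(correlated):
    """Turn each correlated hash into an alert rule for the honeywall."""
    return [{"hash": h, "action": "alert", "count": b["count"],
             "sources": sorted(b["sources"]), "types": sorted(b["types"])}
            for h, b in sorted(correlated.items())]


if __name__ == "__main__":
    for rule in honeywall_rules(correlate(SAMPLE_EVENTS)):
        print(rule)
```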
Keywords
Malicious code; Honeypot; Honeynet; Honeywall; Drive-by-download; Zero-day attack; Correlation analysis; Integrated monitoring console; Hash value; Attack tool