Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies

Akihiro Shimoda, Tatsuya Mori, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

    2 Citations (Scopus)

    Abstract

    A honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP address range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe the IP address space to locate Internet security sensors, including honeypots. In order to tackle this problem, we propose a system called DarkPots that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network; thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring scheme and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights into malicious attacks than a passive monitoring approach, in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over concentrated allocation in that it can collect more information from malware. These features are crucial in monitoring security threats.
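    The allocation argument in the abstract, as an added example that is not the paper's code or data: a toy model of a /16 production prefix in which the address layout, utilisation, fingerprint labels, group assignment rule and the scanner's run threshold are all assumptions. It contrasts a concentrated honeypot allocation (whole dark /24 blocks) with 7,680 honeypots scattered over the unused addresses, partitions them into groups named after the three monitoring schemes the abstract mentions, and runs a naive anti-honeypot heuristic that flags long runs of consecutive addresses answering with the same banner.

```python
"""Toy model of the address-allocation idea behind DarkPots (added example, not the paper's code).

Prefix layout, densities, fingerprint labels, the round-robin grouping and the
run threshold are assumptions chosen for the illustration.
"""
import random
from typing import Dict, List, Optional, Set

HOSTS_PER_24 = 256
SUBNETS_PER_16 = 256
HOST_COUNT = HOSTS_PER_24 * SUBNETS_PER_16      # offsets 0..65535 within the /16
PRODUCTION_SUBNETS = 128                        # assumed: the first half of the /24s carry real hosts
PRODUCTION_DENSITY = 0.6                        # assumed: utilisation inside a production /24
HONEYPOT_COUNT = 7_680                          # figure from the abstract (= 30 full /24s)
RUN_THRESHOLD = 32                              # assumed: scanner flags >= 32 identical neighbours
HONEYPOT_FINGERPRINT = "emulated-service"       # every virtual honeypot answers alike
PRODUCTION_FINGERPRINTS = ["win", "linux", "bsd", "printer", "ios", "macos", "solaris", "embedded"]
SCHEMES = ["passive", "active", "interactive"]  # the three monitoring schemes named in the abstract


def simulate_production(seed: int) -> Dict[int, str]:
    """Map occupied host offsets to a fingerprint; the remaining /24s are completely dark."""
    rng = random.Random(seed)
    live: Dict[int, str] = {}
    for subnet in range(PRODUCTION_SUBNETS):
        for host in range(HOSTS_PER_24):
            if rng.random() < PRODUCTION_DENSITY:
                live[subnet * HOSTS_PER_24 + host] = rng.choice(PRODUCTION_FINGERPRINTS)
    return live


def unused_offsets(live: Dict[int, str]) -> List[int]:
    """Every offset in the /16 not occupied by a production host."""
    return [i for i in range(HOST_COUNT) if i not in live]


def allocate_concentrated(live: Dict[int, str], n: int) -> Set[int]:
    """Classic dark-block allocation: fill whole unused /24s contiguously until n addresses are taken."""
    chosen: Set[int] = set()
    for subnet in range(SUBNETS_PER_16):
        base = subnet * HOSTS_PER_24
        if any(base + h in live for h in range(HOSTS_PER_24)):
            continue  # skip /24s that contain any production host
        for h in range(HOSTS_PER_24):
            if len(chosen) == n:
                return chosen
            chosen.add(base + h)
    return chosen


def allocate_random(live: Dict[int, str], n: int, seed: int) -> Set[int]:
    """DarkPots-style allocation: n unused addresses sampled uniformly across the whole prefix."""
    return set(random.Random(seed).sample(unused_offsets(live), n))


def assign_schemes(honeypots: Set[int]) -> Dict[str, Set[int]]:
    """Virtually classify honeypot addresses into one group per monitoring scheme (round robin)."""
    groups: Dict[str, Set[int]] = {s: set() for s in SCHEMES}
    for i, offset in enumerate(sorted(honeypots)):
        groups[SCHEMES[i % len(SCHEMES)]].add(offset)
    return groups


def fingerprint(offset: int, live: Dict[int, str], honeypots: Set[int]) -> Optional[str]:
    """What a scanner sees at one address: production banner, honeypot banner, or silence (None)."""
    if offset in live:
        return live[offset]
    return HONEYPOT_FINGERPRINT if offset in honeypots else None


def longest_identical_run(live: Dict[int, str], honeypots: Set[int]) -> int:
    """Naive anti-honeypot heuristic: longest run of consecutive addresses with the same banner."""
    best = run = 0
    prev: Optional[str] = None
    for offset in range(HOST_COUNT):
        fp = fingerprint(offset, live, honeypots)
        if fp is None:
            run = 0            # a silent address breaks the run
        elif fp == prev:
            run += 1
        else:
            run = 1
        prev = fp
        best = max(best, run)
    return best


def sensor_block_detected(live: Dict[int, str], honeypots: Set[int]) -> bool:
    """True when the run heuristic would flag a honeypot block."""
    return longest_identical_run(live, honeypots) >= RUN_THRESHOLD


if __name__ == "__main__":
    live = simulate_production(seed=1)
    for name, pots in (("concentrated", allocate_concentrated(live, HONEYPOT_COUNT)),
                       ("random", allocate_random(live, HONEYPOT_COUNT, seed=2))):
        print(f"{name:12s} honeypots={len(pots)} longest identical run="
              f"{longest_identical_run(live, pots)} flagged={sensor_block_detected(live, pots)}")
    groups = assign_schemes(allocate_random(live, HONEYPOT_COUNT, seed=2))
    print({scheme: len(members) for scheme, members in groups.items()})
```

    Run stand-alone, the concentrated layout produces a run of 7,680 identical neighbours and is flagged, while the scattered layout is broken up by production hosts and silent addresses and stays far below the threshold. The model only uses a single banner string per host; real anti-honeypot probing also looks at timing, protocol quirks and service consistency, so passing this heuristic is necessary rather than sufficient for staying hidden.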

    Original language: English
    Title of host publication: Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010
    Pages: 22-30
    Number of pages: 9
    DOIs: 10.1109/SAINT.2010.42
    Publication status: Published - 2010
    Event: 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010 - Seoul
    Duration: 2010 Jul 19 - 2010 Jul 23

    Other

    Other: 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010
    City: Seoul
    Period: 10/7/19 - 10/7/23

    Fingerprint

    Monitoring
    Sensors
    High speed networks
    Virtualization
    Internet

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Computer Science Applications

    Cite this

    Shimoda, A., Mori, T., & Goto, S. (2010). Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies. In Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010 (pp. 22-30). [5598179] https://doi.org/10.1109/SAINT.2010.42

    @inproceedings{85b869af03e34afda78980449d9e3d6e,
    title = "Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies",
    abstract = "A honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP address range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe the IP address space to locate Internet security sensors, including honeypots. In order to tackle this problem, we propose a system called DarkPots that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network; thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring scheme and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights into malicious attacks than a passive monitoring approach, in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over concentrated allocation in that it can collect more information from malware. These features are crucial in monitoring security threats.",
    author = "Akihiro Shimoda and Tatsuya Mori and Shigeki Goto",
    year = "2010",
    doi = "10.1109/SAINT.2010.42",
    language = "English",
    isbn = "9780769541075",
    pages = "22--30",
    booktitle = "Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010",

    }

    TY - GEN

    T1 - Sensor in the dark

    T2 - Building untraceable large-scale honeypots using virtualization technologies

    AU - Shimoda, Akihiro

    AU - Mori, Tatsuya

    AU - Goto, Shigeki

    PY - 2010

    Y1 - 2010

    AB - A honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP address range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe the IP address space to locate Internet security sensors, including honeypots. In order to tackle this problem, we propose a system called DarkPots that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network; thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring scheme and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights into malicious attacks than a passive monitoring approach, in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over concentrated allocation in that it can collect more information from malware. These features are crucial in monitoring security threats.

    UR - http://www.scopus.com/inward/record.url?scp=78649274066&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=78649274066&partnerID=8YFLogxK

    U2 - 10.1109/SAINT.2010.42

    DO - 10.1109/SAINT.2010.42

    M3 - Conference contribution

    AN - SCOPUS:78649274066

    SN - 9780769541075

    SP - 22

    EP - 30

    BT - Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010

    ER -