
Research And Implementation Of Honeypot System For Unknown Attacks On Application Layer

Posted on: 2006-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: D Y Cao
GTID: 2168360155467251
Subject: Computer application technology

Abstract/Summary:
With the birth of the Internet, we have stepped into the information age. While enjoying the convenience it brings, people face many more network attacks, and network security is under growing threat. Tracing this to its cause, we found that the currently feasible and practical security technologies, e.g. firewalls, antivirus software and intrusion detection systems (IDS), are based on known attack signatures and are at their wits' end when confronted with unknown system vulnerabilities and the corresponding attacks. As a brand-new security technology, the honeypot brings fresh air to a network security field that has run into difficulties.

A honeypot is a resource whose value lies in being attacked or compromised, so as to collect valuable information about hackers. This information can then be analyzed in depth to study hackers' attack methods and to find system vulnerabilities. Drawing on the idea of the honeypot, this paper proposes a honeypot system for unknown attacks on the application layer. The system has the following characteristics:

1) It targets unknown attacks on the application layer. Because of the layered structure of the network, and for performance reasons, detecting attacks on the application layer is difficult for currently used security technologies such as firewalls and IDS; conversely, this is where the main value of this paper lies.
2) It uses a medium-interaction honeypot. This kind of honeypot has good overall performance: it can collect abundant intrusion information while keeping itself well protected.
3) It designs and implements a multifunctional log system based on the "Man in the Middle" attack. In addition to logging, the log system can forward and cut off network connections, which protects the honeypot effectively.
4) It adopts a detection technology for unknown attacks based on single system calls. In theory, misuse detection could detect unknown attacks. But because it is difficult to build a model of the user's normal profile, it is not feasible in practice. Experimental evidence shows that the intrusion detection technology based on single system calls, which was introduced by Niels Provos, resolves this problem better.
5) It proposes a hybrid system-call interception and detection method. Traditionally, system-call interception and detection has two basic approaches: kernel-based and user-space-based. This paper adopts a hybrid approach, which on the one hand overcomes the drastic increase in operating system complexity brought by the kernel approach, and on the other hand has the advantage of strong portability brought by the user-space approach.

A prototype of this honeypot system has been built and tested with simulated attacks in a network environment. The test results indicate that the honeypot system can detect and mark unknown attacks successfully.
Keywords/Search Tags: network security, honeypot, unknown attack, intrusion detection, system-call