
Research On Argos Capturing Of Zero-day Attack

Posted on: 2009-07-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y Sun
Full Text: PDF
GTID: 2178360245495336
Subject: Information security
Abstract/Summary:
A honeypot is a decoy system deployed to delay attacks and to collect information about the attacker. It differs from other network security software in response speed, adaptability and similar properties: it captures attacks actively instead of defending passively. The logs collected by honeypots can be used to analyze attacker behaviour and to design new defenses, so that damage is limited as quickly as possible. Honeypots have developed from simple low-interaction emulation using scripts to high-interaction virtual machines that cannot easily be distinguished from real hosts. A virtual honeypot can emulate several operating systems in different configurations on the same physical machine, so it can build a variety of network environments that make it appear real. Argos is the first step towards a framework in which next-generation honeypots automatically identify many kinds of buffer overflows and capture zero-day worms.

A zero-day exploit is one that takes advantage of a security vulnerability on the same day the vulnerability becomes generally known, before a patch is available; the corresponding attack method or behaviour is called a "zero-day attack".

Argos is a full, secure system emulator designed for use in honeypots. It is based on Qemu, an open-source emulator that uses dynamic binary translation to achieve reasonable emulation speed. Argos extends Qemu so that it can detect remote attempts to compromise the emulated guest operating system. Using dynamic taint analysis, it marks data arriving from the network as tainted, tracks that data through registers and memory as execution proceeds, and detects any attempt to use it in an illegal way, for example as a control-flow target (a return address or function pointer) or as code to be executed. When an attack is detected, the memory footprint of the attack is logged.

High-interaction virtual honeypots should not require that the honeypot's IP address remain unadvertised. On the contrary, a honeypot should try to publicize its services and even generate traffic actively. With earlier honeypots this was often impossible, because malicious and benign traffic could not be told apart.
Since Argos explicitly signals each possibly successful exploit attempt, malicious traffic can now be distinguished from innocuous traffic. Because of its strong ability to capture zero-day attacks, analyzing its operating principle is a necessary basis for future work on it. This thesis covers three aspects:
1. Research the principle of the buffer overflow and summarize buffer overflow attack and defense methods.
2. Research the virtual machine mechanism and Qemu's run-time (dynamic) translation technique.
3. Research Argos's dynamic taint analysis technique and analyze why it can capture zero-day attacks. Design a vulnerable server program and a malicious program that attacks it, in order to test Argos. Research the principles of anti-honeypot techniques and design a program that reveals the true nature of the host, that is, lets an attacker tell whether the machine is real or virtual.
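To make the taint-analysis principle described above concrete, and to show the kind of vulnerable-server test the thesis plans, here is an added toy model (not Argos's or Qemu's code, and not the thesis author's test program): a tiny emulated guest with a one-byte-per-byte taint shadow, an emulated NIC that taints every byte it delivers, a strcpy-like request handler that overflows an 8-byte stack buffer into the saved return address, and a return instruction that raises an Argos-style alert when the value about to become the program counter is tainted. The memory layout, the 16-bit return address, the packet contents and the hardened variant are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   64   /* toy guest address space (assumption) */
#define INBUF      0    /* where the emulated NIC delivers packets */
#define INBUF_MAX  32
#define STACK_BUF  40   /* the handler's 8-byte local buffer */
#define BUF_LEN    8
#define SAVED_RET  (STACK_BUF + BUF_LEN) /* saved return address, 16-bit LE */

typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint8_t  taint[MEM_SIZE]; /* shadow: 1 = byte derived from network data */
    uint16_t pc;
    int      alert;           /* set when tainted data reaches the PC */
} guest_t;

static void guest_reset(guest_t *g)
{
    memset(g, 0, sizeof *g);
    g->mem[SAVED_RET]     = 0x00;   /* legitimate return address 0x0100 */
    g->mem[SAVED_RET + 1] = 0x01;
}

/* Emulated NIC DMA: every byte that enters memory from the network is tainted. */
static void nic_receive(guest_t *g, const uint8_t *pkt, size_t len)
{
    if (len > INBUF_MAX) len = INBUF_MAX;
    for (size_t i = 0; i < len; i++) {
        g->mem[INBUF + i]   = pkt[i];
        g->taint[INBUF + i] = 1;
    }
}

/* Guest-side byte move: data and its taint bit travel together, which is
   what taint propagation on data-movement instructions amounts to. */
static void guest_store(guest_t *g, size_t dst, size_t src)
{
    g->mem[dst]   = g->mem[src];
    g->taint[dst] = g->taint[src];
}

/* Vulnerable handler: strcpy-like copy from INBUF into the 8-byte buffer with
   no length check, so a long request runs into the saved return address. */
static void handler_vulnerable(guest_t *g)
{
    size_t dst = STACK_BUF, src = INBUF;
    while (dst < MEM_SIZE) {           /* emulator bound only, not a guest check */
        guest_store(g, dst, src);
        if (g->mem[src] == 0) break;
        dst++; src++;
    }
}

/* Hardened handler: bounded copy, always NUL-terminated inside the buffer. */
static void handler_hardened(guest_t *g)
{
    size_t i = 0;
    for (; i < BUF_LEN - 1 && g->mem[INBUF + i] != 0; i++)
        guest_store(g, STACK_BUF + i, INBUF + i);
    g->mem[STACK_BUF + i]   = 0;
    g->taint[STACK_BUF + i] = 0;
}

/* Function return: load the saved address into PC. The Argos-style check: if
   the value about to become the instruction pointer is tainted, an exploit is
   under way, so log the footprint (here: all tainted addresses) and stop. */
static void guest_ret(guest_t *g)
{
    uint16_t target = (uint16_t)(g->mem[SAVED_RET] | (g->mem[SAVED_RET + 1] << 8));
    if (g->taint[SAVED_RET] || g->taint[SAVED_RET + 1]) {
        g->alert = 1;
        printf("ALERT: tainted return address 0x%04x; tainted bytes at:", target);
        for (size_t a = 0; a < MEM_SIZE; a++)
            if (g->taint[a]) printf(" %zu", a);
        printf("\n");
        return;
    }
    g->pc = target;
}

/* Runs one request through the chosen handler; returns 1 if an alert fired. */
static int run_request(const uint8_t *pkt, size_t len, int hardened)
{
    guest_t g;
    guest_reset(&g);
    nic_receive(&g, pkt, len);
    if (hardened) handler_hardened(&g); else handler_vulnerable(&g);
    guest_ret(&g);
    return g.alert;
}

/* Constructed sample traffic: a benign request, and an overflow that fills the
   buffer and overwrites the saved return address with attacker bytes 0x1234. */
static const uint8_t benign[]  = "GET";
static const uint8_t exploit[] = "AAAAAAAA\x34\x12";

int main(void)
{
    printf("benign/vulnerable:  %d\n", run_request(benign,  sizeof benign,  0));
    printf("exploit/vulnerable: %d\n", run_request(exploit, sizeof exploit, 0));
    printf("exploit/hardened:   %d\n", run_request(exploit, sizeof exploit, 1));
    return 0;
}
```

The point of the model is the last step: the overflow itself is never checked for, and the detector needs no knowledge of the vulnerability or a signature for the packet. It only notices that bytes which entered through the NIC are about to be used as a control-flow target, which is why the same mechanism catches previously unseen exploits. The hardened handler shows the other side of the test: with a bounded copy the return address stays untainted and the same packet produces no alert.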
Keywords/Search Tags: Argos, Qemu, Honeypot, Zero-day