With the development of computer networks, the Internet plays an increasingly important role in people's daily lives and also brings many potential threats. Because of unavoidable defects in network protocols, networks are subject to malicious attacks from hackers, such as denial-of-service attacks, worm attacks, stepping attacks and so on. The honeypot, an effective network security measure, embodies the intrusion-deception technology of proactive defense: it disrupts attacks and protects target machines by actively detecting intrusions and drawing the attention of suspicious visitors. For this reason honeypots have been researched continuously since they were introduced, and a variety of weaknesses have been discovered. Many organizations and individuals have proposed detection techniques, including the one proposed in this thesis, which pose severe challenges to the survival of the honeypot.

The most typical open-source honeypot, honeyd, is selected as the object of study in this thesis. The existing detection methods, which are based on protocol defects, are inefficient and easily evaded, and so cannot drive further improvement of low-interaction honeypots; the methods proposed in this thesis improve detection accuracy by relying on features of network traffic instead. The major contributions are three-fold:

1) The virtual hosts and honeypot system established by honeyd hardly interact with other hosts in the network, so they are "in isolation". Taking advantage of this feature, the traffic to the host behind each IP address can be measured to recognize virtual hosts and the honeypot system. Tests indicate that this method is simple and fast and can effectively detect low-interaction honeypots such as honeyd.

2) A low-interaction honeypot shares resources with all the processes on the real machine, and its network traffic depends on the real host. According to this feature, the virtual host exhibits more delay as a result of contending for system resources with the honeypot's processes, and the virtual host can then be recognized. Tests indicate that this method is highly accurate and targets defects of the honeypot that cannot be easily repaired.

3) The method for detecting low-interaction honeypots proposed in this thesis is formed by integrating the detections based on these two features of network traffic. In practical application, the scope of the virtual host group is first determined by network traffic analysis and measurement, and then virtual hosts are identified precisely by detecting the change in response delay. A common honeyd detection method is chosen for comparison with the method proposed in this thesis, and the strengths and weaknesses of each are analyzed through tests.
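As an added illustration of contribution 1) above (this is not code from the thesis), the following Python script computes, from constructed flow summaries, which local hosts never exchange traffic with any other local host. A honeypot operator can run the same computation over their own flow records to see whether honeyd's virtual hosts stand out as isolated before anyone outside notices; all IP addresses and byte counts are made up.

```python
from collections import defaultdict

# Constructed sample flow summaries: (src_ip, dst_ip, bytes). The values are
# invented for this example; in practice they would come from NetFlow/pcap data.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 1200),    # workstation talks to a file server
    ("10.0.0.20", "10.0.0.5", 48000),
    ("10.0.0.5", "10.0.0.21", 300),     # workstation talks to a print server
    ("10.0.0.21", "10.0.0.5", 200),
    ("10.0.0.20", "10.0.0.21", 900),    # server-to-server traffic
    ("203.0.113.9", "10.0.0.77", 60),   # outside probe reaches a honeyd virtual host
    ("10.0.0.77", "203.0.113.9", 40),   # the virtual host only ever replies
    ("203.0.113.9", "10.0.0.78", 60),   # second honeyd virtual host, same pattern
    ("10.0.0.78", "203.0.113.9", 40),
]


def local_peer_map(flows, local_prefix):
    """Map each local host to the set of local hosts it exchanges traffic with.

    Flows with an external endpoint are ignored on purpose: a probe from outside
    and the reply it provokes say nothing about whether a host takes part in
    normal LAN activity, which is the feature the isolation check relies on.
    """
    peers = defaultdict(set)
    for src, dst, _nbytes in flows:
        src_local = src.startswith(local_prefix)
        dst_local = dst.startswith(local_prefix)
        if src_local and dst_local:
            peers[src].add(dst)
            peers[dst].add(src)
        # Record every local host seen so hosts with no peers still appear.
        for ip, is_local in ((src, src_local), (dst, dst_local)):
            if is_local:
                peers.setdefault(ip, set())
    return dict(peers)


def isolated_hosts(flows, local_prefix):
    """Return the local hosts that have no local peers at all.

    These are the addresses an observer measuring per-IP traffic would single
    out; with the sample data that is exactly the two honeyd virtual hosts.
    """
    return {ip for ip, p in local_peer_map(flows, local_prefix).items() if not p}


if __name__ == "__main__":
    print(sorted(isolated_hosts(SAMPLE_FLOWS, "10.0.0.")))
```

Hosts that appear with an empty peer set are the ones the isolation feature exposes; note that two decoys which only talk to each other would not be flagged by this check, so a real deployment should also look at traffic volume per host.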