Identifier 000355145
Title Defending against known and unknown attacks using a network of affined honeypots
Alternative Title (Greek) Ανίχνευση γνωστών και άγνωστων επιθέσεων με τη χρήση ενός δικτύου από συνεργαζόμενα honeypots [Detection of known and unknown attacks using a network of cooperating honeypots]
Author Αντωνάτος, Σπυρίδων Παναγιώτη
Thesis advisor Μαρκάτος, Ευάγγελος Π
Abstract Security is increasingly regarded as an essential function for maintaining a reliable, available, and trustworthy network infrastructure. Viruses, worms, trojans, spyware and other types of malicious programs are discouraging the effective use of the Internet and crippling the network infrastructure. The exponential increase in attack volume and the evolution of attack methods make efficient and accurate defense mechanisms an urgent need. While research and development have produced a multitude of security products, including firewalls, antivirus systems and intrusion detection systems, demand for better security is growing far beyond what current systems can offer. Besides traditional network attacks, like worms and DoS attacks, new attack methods have appeared over the last few years. As the attack surface of remote exploits has been reduced by advances in defenses and operating systems, new propagation methods are being invented. Attackers, in their effort to adapt to the security response, proactively explore and mitigate new threats. The World Wide Web is an excellent platform for launching attacks due to the vast number of users and the plethora of technologies and architectures available for exploitation. This thesis discusses a new class of attacks that misuses the World Wide Web to create botnet-like infrastructures, which we call puppetnets. Puppetnets rely on websites that coerce web browsers to (unknowingly) participate in malicious activities. Such activities include distributed denial-of-service, worm propagation and reconnaissance probing, and can be engineered to be carried out in stealth, without any observable impact on an otherwise innocent-looking website. In this thesis we experimentally assess the threat from puppetnets. We discuss the building blocks for engineering puppetnet attacks and attempt to quantify how puppetnets would perform.
In an effort to defend against known and unknown attacks, this thesis presents the NoAH infrastructure, a Network Of Affined Honeypots geographically distributed around the world. Honeypots act like traps; their purpose is to lure attackers by monitoring unused portions of the IP address space or by imitating the behavior of real users. Honeypots have been shown to be very useful for accurately detecting attacks, including zero-day threats, at a reasonable cost and without false positives, unlike intrusion and anomaly detection systems. The NoAH architecture is extensible enough to allow the detection of both known and previously unseen attacks. The NoAH infrastructure is not a centralized farm of honeypots. On the contrary, it is a distributed set of honeyfarms that collaborate. Deployed honeyfarms either forward traffic to a centralized set of honeypots, called the NoAH core, or provide attack statistics for analysis and correlation purposes. Services like automated signature generation for zero-day attacks and display of statistics also run inside the core. An approach to validate the signatures generated by the NoAH components is also proposed. Our approach, called Sigval, is able to test signatures against large volumes of benign traffic in the order of a few seconds. Finally, the pilot deployment and operation of the NoAH infrastructure are also presented in this thesis. The deployment of honeypots requires both administrative expertise and dedicated resources that many organizations cannot afford. Furthermore, the effectiveness of honeypots depends heavily on the unused IP address space they cover. Unused IP address space can be found in almost every organization, institution and public body due to underutilized or even totally empty subnets. In response to these problems, this thesis proposes Honey@home, a new architecture that enables large-scale deployment at low cost.
The Honey@home architecture relies on communities of regular users installing a virtual honeypot that monitors unused addresses. The Honey@home tool is a lightweight daemon that automatically claims one or more unused IP addresses or ports and forwards the traffic directed to them to the NoAH core for further processing. The answers from the NoAH core are forwarded back to the attacker, giving her the illusion that she is communicating with a real service. The Honey@home approach is an excellent way both to extend the reachability and coverage of the NoAH infrastructure and to enable users unfamiliar with security technologies to help combat cyber-crime.
Language English
Issue date 2009-10-27
Collection   School/Department--School of Sciences and Engineering--Department of Computer Science--Doctoral theses
  Type of Work--Doctoral theses