Control
Centre
Global
Control Centre
IDS
Sensor
Ethernet
Intranet Hosts
Honeypot
IPS
Sensor
Internet
Router
Switch
Hub
Ethernet
Fig. 1. SweetBait overview
it was shown in NoSEBrEaK that high-interaction honeypot can often be fairly
easily discovered as such by intruders [11].
SweetBait currently uses low-interaction honeypots, mainly because of the
low maintenance requirements, and security considerations. The honeypot is able
to simulate multiple hosts, which allows us to populate unused IP address space
easily and maximise the amount of captured traffic. Our choice is also justified by
the fact random IP scanning worms rarely interact with a host before attacking
it. While we have focused on low interaction, there is nothing in the architecture
that precludes connecting high-interaction honeypots.
Even though we consider all traffic received by the honeypot suspect, in
practice a small amount of non-worm related, or even legitimate traffic is also
captured. Broadcast messages, or attempts to scan the network are both exam-
ples of traffic that may be ignored. To tackle this we introduce the notion of a
whitelist: a list consisting of patterns that are considered benevolent, or inappli-
cable for generating NID signatures. A filter placed at the honeypot rejects all
traffic matching a whitelisted pattern. The filter can be largely auto-generated
by training the system on a network when it is unconnected to the larger In-
ternet. We will show that as a result of this simple step the number of false
positives drops dramatically.
Consequently, the sensors process the remainder of incoming data, scanning
for repeated byte sequences in an attempt to identify worm propagation and
generate a signature. For the scanning process to be effective it is necessary to
utilise stream reconstruction for sequenced, connection based protocols such as
TCP, since the underlying IP layer may deliver packets out of order impeding
our capability to identify patterns spanning multiple packets.
剩余17页未读,继续阅读
qq_44253987
- 粉丝: 0
- 资源: 1
我的内容管理
展开
最新资源
- C语言快速排序算法的实现与应用
- KityFormula 编辑器压缩包功能解析
- 离线搭建Kubernetes 1.17.0集群教程与资源包分享
- Java毕业设计教学平台完整教程与源码
- 综合数据集汇总:浏览记录与市场研究分析
- STM32智能家居控制系统:创新设计与无线通讯
- 深入浅出C++20标准:四大新特性解析
- Real-ESRGAN: 开源项目提升图像超分辨率技术
- 植物大战僵尸杂交版v2.0.88:新元素新挑战
- 掌握数据分析核心模型,预测未来不是梦
- Android平台蓝牙HC-06/08模块数据交互技巧
- Python源码分享:计算100至200之间的所有素数
- 免费视频修复利器:Digital Video Repair
- Chrome浏览器新版本Adblock Plus插件发布
- GifSplitter:Linux下GIF转BMP的核心工具
- Vue.js开发教程:全面学习资源指南
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
