Article: Honeypot detection in advanced botnet attacks Journal: International Journal of Information and Computer Security (IJICS) 2010 Vol.4 No.1 pp.30 - 51 Abstract: Botnets have become one of the major attacks in the internet today due to their illicit profitable financial gain. Meanwhile, honeypots have been successfully deployed in many computer security defence systems. Since honeypots set up by security defenders can attract botnet compromises and become spies in exposing botnet membership and botnet attacker behaviours, they are widely used by security defenders in botnet defence. Therefore, attackers constructing and maintaining botnets will be forced to find ways to avoid honeypot traps. In this paper, we present a hardware and software independent honeypot detection methodology based on the following assumption: security professionals deploying honeypots have a liability constraint such that they cannot allow their honeypots to participate in real attacks that could cause damage to others, while attackers do not need to follow this constraint. Attackers could detect honeypots in their botnets by checking whether compromised machines in a botnet can successfully send out unmodified malicious traffic. Based on this basic detection principle, we present honeypot detection techniques to be used in both centralised botnets and Peer-to-Peer (P2P) structured botnets. Experiments show that current standard honeypots and honeynet programs are vulnerable to the proposed honeypot detection techniques. At the end, we discuss some guidelines for defending against general honeypot-aware attacks. Inderscience Publishers - linking academia, business and industry through research

Title: Honeypot detection in advanced botnet attacks

Authors: Ping Wang, Lei Wu, Ryan Cunningham, Cliff C. Zou

Addresses: School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, FL 32816-2362, USA. ' School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, FL 32816-2362, USA. ' School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, FL 32816-2362, USA. ' School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, FL 32816-2362, USA

Abstract: Botnets have become one of the major attacks in the internet today due to their illicit profitable financial gain. Meanwhile, honeypots have been successfully deployed in many computer security defence systems. Since honeypots set up by security defenders can attract botnet compromises and become spies in exposing botnet membership and botnet attacker behaviours, they are widely used by security defenders in botnet defence. Therefore, attackers constructing and maintaining botnets will be forced to find ways to avoid honeypot traps. In this paper, we present a hardware and software independent honeypot detection methodology based on the following assumption: security professionals deploying honeypots have a liability constraint such that they cannot allow their honeypots to participate in real attacks that could cause damage to others, while attackers do not need to follow this constraint. Attackers could detect honeypots in their botnets by checking whether compromised machines in a botnet can successfully send out unmodified malicious traffic. Based on this basic detection principle, we present honeypot detection techniques to be used in both centralised botnets and Peer-to-Peer (P2P) structured botnets. Experiments show that current standard honeypots and honeynet programs are vulnerable to the proposed honeypot detection techniques. At the end, we discuss some guidelines for defending against general honeypot-aware attacks.

Keywords: liability; honeypots; botnets; peer-to-peer; P2P structured botnets; modelling; honeypot detection; advanced botnet attacks; computer security; honeypot traps.

DOI: 10.1504/IJICS.2010.031858

International Journal of Information and Computer Security, 2010 Vol.4 No.1, pp.30 - 51

Published online: 26 Feb 2010 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: Honeypot detection in advanced botnet attacks

Keep up-to-date