ZHANG Chen,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.02.023

2011-01-01

Abstract:Today's popular Trojans begin to use covert communication technology and bypass the detection of honeypot system.This paper first describes the common Trojan covert communication technologies and the growing popular kernel layer Rootkit covert communication technology,then discusses the current client honeypot detecting methods for malware.Aiming at the deficiency of Honeypot detection mechanisms for network communication,an effective improvement scheme is proposed,By using network traffic detection technology based on the NDIS intermediate driver,the Trojans date packets are acquired.This scheme could effectively detect Rootkit covert communication based on network driver and extract the key communication information for Trojan track and analysis.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Xiaoyan Sun,Yang Wang,Jie Ren,Yuefei Zhu,Shengli Liu

DOI: https://doi.org/10.1109/ICYCS.2008.257

2008-01-01

Abstract:With the improvement of software security, attacks based on RPC vulnerabilities declined, however, attacks based on client application software vulnerabilities have increased. Such client application software includes Web browsers, email client and office. The spread of malware using these software vulnerabilities has become a severe threat to todaypsilas Internet. In allusion to this kind of threat, this paper designed an Internet malware collecting system based on client-side honeypot. This system can not only collect malware but also detect malicious Web site. It uses a unique network crawler based on client-side attack techniques to collect source of URL, and it collects URL and attachments from emails, then it creates software processes to open URL or files, and uses a device-drive monitor to detect malicious behaviors. It gives an alarm and locates the malicious file, and sends the malware coming through the Internet to the collecting server. We introduce the design and implement of this system and give the results.

Hou Xinrui,Cheng Zhen,Zhou Yajin,Li Jinku

2020-01-01

Abstract:The invention discloses a system and method for detecting Ethereum digital currency stealing attacks. The method comprises the steps: deploying an Ethereum honeypot, inducing a network attacker to quickly find a honeypot host, transmitting a detection request, and capturing a malicious request from the attacker; storing the malicious request from the attacker in a database; and analyzing the attack data, associating the malicious request, detecting an attack behavior, identifying an attack method used by an attacker, tracking the attacker, and generating a detection result. According to the method, the malicious request sent by the attacker is attracted and captured, and the attack technique used by the attacker is further recognized, and weak points of an existing system are effectively found, so that the Ethereum system is better protected.

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.04.027

2006-01-01

Computer Science

Abstract:Honeypot is a new tool for network defence.The difficulty of designing a Honeypot lies in the success dis- guise and deception.Many Honeypots use scripts to simulate services,and put static deception into practice to protect network.But they could expose themselves easily.This paper designs and implements a low-interaction Honeypot based on the Apache server,named Honeyweb.It has four functions:http protocol detection,dynamic deception, working with other network security devices and log.It can dynamicly response to different http requests.The expri- ment indicates that depolying the Honeyweb will influence hackers' judgement,consume their resources,even stop at- tack.So Honeyweb can reach its purpose of active defence and preventing Web servers from attack.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

SHEN Ming,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.05.043

2011-01-01

Abstract:Honeypot technology is employed to trap attacks,thus to collect the attack information and protect the real host.The core value of the honeypot lies in being detected,attacked and threatened,with this,the people could analyze the attack,know its attack purpose,means and strategies,and finally learn in-depth information protection methods.In the application of honeypot technology,the most important point is the misleading of the attackers.This paper analyzes the identifiable points of the honeypot and virtual machine systems through several specific characteristics of the system hardware and the network.Then it proposes some solutions to the identification with experimental statistics.It is hoped that the information security industry could attach the importance to and promote the development of honeypot technology.

Wei-Feng ZHANG,Rui-Cheng LIU,Lei XU

DOI: https://doi.org/10.13328/j.cnki.jos.005495

2018-01-01

Abstract:Web Trojan is a form of attack that inserts an attacking script into the Web page,and by exploiting the vulnerabilities of browsers and their plug-ins,it causes the victim's system silently download and install malicious programs.Based on dynamic program analysis and machine learning method,this paper proposes a method of detecting Trojans based on dynamic behavior analysis.Firstly,the behaviors of the attack scripts on the landing page,including the dynamic function execution,the dynamic generation function execution,the script insertion,the page insertion and the URL jump,are monitored.Then these behaviors are extracted according to a set of rules.The associated string operation records are also processed as features.Next,for the use of heap malicious operation (the shellcode behavior),a feature indicating the heap risk is proposed.Finally,500 web samples from Alexa and VirusShare are collected as data sets,and a classifier is trained by machine learning method.The experimental results show that compared with the existing methods,the presented method has high accuracy (96.94％) and can effectively prevent interference of code obfuscation (lower false positive rate of 6.1％ and false negative rate of 1.3％).

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

XU Xu-xu,XUE Zhi,WU Gang

DOI: https://doi.org/10.3969/j.issn.1009-2552.2012.02.041

2012-01-01

Abstract:This paper first introduced the basic conceptions about Trojan Horse and basic technologies of Trojan Horse,and then it introduced the common methods of Trojan Horse detection.And it expounds the current research condition and development trend of Trojan Horse detection.It analyzes and summarizes the behavioral characteristics of their installation,and puts forward an anti-trojan strategy based on behavior analysis.

杨彦,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.11.015

2008-01-01

Abstract:Trojan is malicious program which is designed to obtain privilege and steal information; it seriously endangers the internet se- curity and information security. The rules of Trojan's attack actions are researched, a new Trojan horse detection method based on executable static analysis is proposed. The present attack tree model is improved, an extended attack tree model is designed to d escribe the sequences of threatening system calls Trojan commonly used. Matched the set of APIs used in PE file with the original extended attack tree, to predict the attack actions may appear in the implementation of the PE file and estimate whether the PE file is a Trojan.

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Shengli Liu

2007-01-01

Abstract:A traffic-analysis-based honeypot for Windows system is designed and implemented.Based on the library of IDS rules,the network driver of Windows DDK and NDIS middle-ware technology are used to realize filtering and diversion of network flow.This mechanism diverts the unauthorized flow from reaching the real server.In the meantime,it collects a vast amount of “hacking techniques” from the unauthorized flow to continuously adapt the system to the various “hacking techniques”.It improves the efficiency of Honeypot and protects the real servers.

HAO Dong-bai,GUO Lin,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.24.040

2007-01-01

Abstract:According to the analysis of Trojan horse attack patterns,implant methods,the security model of windows and limitations of the Trojan horse detection technologies at present,A defense against Trojan horse system based on restricted token is stated in this paper.Combined with constructing the secure work environment,auditing the startup of applications and restraining the malicious action of Trojan horse.The design of process environment control module,service manager module,register monitoring and anomaly diagnose module are focused on.At last,the experiment result validates the feasibility and availability of this system.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Jun Xiao,Yipeng Wang

DOI: https://doi.org/10.1109/NAS.2012.10

2012-01-01

Abstract:Because of the widespread Trojan, Internet users become more and more vulnerable to the threat of information leakage. Traditional techniques of Trojan detection were classified into two main categories: host-based and network-based. Unfortunately, existing techniques are insufficient and limited, because of the following reasons: (1)only uncover the known Trojan while inefficiently detecting novel samples, (2) should be adjusted in a timely fashion even a trivial change is applied, and (3)become computationally more expensive. In our work, we focus on a network behavior based method to address the limitations of previous network-based approaches. We analyze the profile of network behavior at two levels: (i)flow-level, (ii)IP-level. Our approach present two main advantages: (1)capture more detailed information to describe the network behavior profile, (2)consume lower computational overhead. We proposed a system, Manto, which detects Trojan communication with high accuracy using clustering technique. We implement Manto on real-world traces. The evaluation results exhibit that Manto is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 91% accuracy and less than 3.2% false positive ratio. We confidently regard our approach as a complementary way to the existing network-based techniques for we could address their main shortcomings.

Cai Hongmin,Wu Naiqi,Teng Shaohua

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.05.076

2012-01-01

Abstract:Networks attack means emerge endlessly along with the growing serious network security problems.As a kind of main malicious code,Trojan horse program brings great troubles to computer users in the areas of infringing personal privacies and remotely monitoring the computers of others,etc.The authors implement a distributed Trojan horse program detection system by applying the deep packet inspection technology to the detection of Trojan horse program,we use regular expression to match the attack mode in detecting the Trojan horse program,therefore have strengthened the security of networks.

Stefan Machmeier

2024-07-17

Abstract:In this age of digitalization, Internet services face more attacks than ever. An attacker's objective is to exploit systems and use them for malicious purposes. Such efforts are rising as vulnerable systems can be discovered and compromised through Internet-wide scanning. One known methodology besides traditional security leverages is to learn from those who attack it. A honeypot helps to collect information about an attacker by pretending to be a vulnerable target. Thus, how honeypots can contribute to a more secure infrastructure makes an interesting topic of research. This thesis will present a honeypot solution to investigate malicious activities in heiCLOUD and show that attacks have increased significantly. To detect attackers in restricted network zones at Heidelberg University, a new concept to discover leaks in the firewall will be created. Furthermore, to consider an attacker's point of view, a method for detecting honeypots at the transport level will be introduced. Lastly, a customized OpenSSH server that works as an intermediary instance will be presented to mitigate these efforts.

Cryptography and Security

Weizhe Zhang,Bin Zhang,Ying Zhou,Hui He,Zeyu Ding

DOI: https://doi.org/10.1109/jiot.2019.2956173

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices are vulnerable against attacks because of their limited network resources and complex operating systems. Thus, a honeypot is a good method of capturing malicious requests and collecting malicious samples but is rarely used on the IoT. Accordingly, this article implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017–17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions, such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design corresponding multiport honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. The Docker in the honeynet, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet, encapsulates all these honeypots. Moreover, the honeynet control center is simultaneously designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks excluded in the VT, which proved the effectiveness of the proposed framework.

computer science, information systems,telecommunications,engineering, electrical & electronic

P. Barford,Y. Chen,A. Goyal,Z. Li,V. Paxson,V. Yegneswaran

DOI: https://doi.org/10.1007/978-1-4419-0140-8_5

2010-01-01

Abstract:Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one's network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing "situational awareness." We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet "events", and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer-using purely local observation-in format ion about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective Situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.

Wang Chenxu,Jiang Peihe,Yu Mingyan

DOI: https://doi.org/10.3969/j.issn.1003-353x.2012.05.003

2012-01-01

Abstract:The integrated circuit(IC)plays an important role in many fields,but the Hardware Trojan Horse(HTH)can be maliciously implanted into ICs by attackers because of separated IC design and fabrication mode.The existence of HTH threatens the information security.HTH detection begins to attract widely attention and comes into a new research field.Firstly,the concept of HTH,its hazards and its classification were described.Then some important researches on HTH detection approach were summarized.The researchers focus on side channel analysis detection,in which the power finger analysis techniques are the promising method to detect HTH.Finally,the proactive defense mechanisms of HTH were also summed up briefly.