Virtual Honeypots: From Botnet Tracking to Intrusion Detection

Kobo ebook | July 16, 2007

by Niels Provos, Thorsten Holz

Honeypots have demonstrated immense value in Internet security, but physical honeypot deployment can be prohibitively complex, time-consuming, and expensive. Now, there’s a breakthrough solution. Virtual honeypots share many attributes of traditional honeypots, but you can run thousands of them on a single system, making them easier and cheaper to build, deploy, and maintain.

In this hands-on, highly accessible book, two leading honeypot pioneers systematically introduce virtual honeypot technology. One step at a time, you’ll learn exactly how to implement, configure, use, and maintain virtual honeypots in your own environment, even if you’ve never deployed a honeypot before.

You’ll learn through examples, including Honeyd, the acclaimed virtual honeypot created by coauthor Niels Provos. The authors also present multiple real-world applications for virtual honeypots, including network decoy, worm detection, spam prevention, and network simulation.

After reading this book, you will be able to

  • Compare high-interaction honeypots that provide real systems and services and the low-interaction honeypots that emulate them
  • Install and configure Honeyd to simulate multiple operating systems, services, and network environments
  • Use virtual honeypots to capture worms, bots, and other malware
  • Create high-performance "hybrid" honeypots that draw on technologies from both low- and high-interaction honeypots
  • Implement client honeypots that actively seek out dangerous Internet locations
  • Understand how attackers identify and circumvent honeypots
  • Analyze the botnets your honeypot identifies, and the malware it captures
  • Preview the future evolution of both virtual and physical honeypots

Pricing and Purchase Info

$48.49 online
$62.98 list price (save 23%)
Available for download
Not available in stores

From the Jacket

Praise for Virtual Honeypots "A power-packed resource of technical, insightful information that unveils the world of honeypots in front of the reader’s eyes." —Lenny Zeltser, Information Security Practice Leader at Gemini Systems "This is one of the must-read security books of the year." —Cyrus Peikari, CEO, Airscan...

Niels Provos received a Ph.D. from the University of Michigan in 2003, where he studied experimental and theoretical aspects of computer and network security. He is one of the OpenSSH creators and known for his security work on OpenBSD. He developed Honeyd, a popular open source honeypot platform; SpyBye, a client honeypot that helps ...

Other books by Niels Provos

Virtual Honeypots: From Botnet Tracking To Intrusion Detection

Paperback | Jul 16 2007

$60.51 online
$67.99 list price (save 11%)

Format: Kobo ebook
Published: July 16, 2007
Publisher: Pearson Education
Language: English

The following ISBNs are associated with this title:

ISBN-10: 0132702053

ISBN-13: 9780132702058

Table of Contents

Preface

Acknowledgments

About the Authors

Chapter 1 Honeypot and Networking Background

1.1 Brief TCP/IP Introduction

1.2 Honeypot Background

1.3 Tools of the Trade

Chapter 2 High-Interaction Honeypots

2.1 Advantages and Disadvantages

2.2 VMware

2.3 User-Mode Linux

2.4 Argos

2.5 Safeguarding Your Honeypots

2.6 Summary

Chapter 3 Low-Interaction Honeypots

3.1 Advantages and Disadvantages

3.2 Deception Toolkit

3.3 LaBrea

3.4 Tiny Honeypot

3.5 GHH—Google Hack Honeypot

3.6 PHP.HoP—A Web-Based Deception Framework

3.7 Securing Your Low-Interaction Honeypots

3.8 Summary

Chapter 4 Honeyd—The Basics

4.1 Overview

4.2 Design Overview

4.3 Receiving Network Data

4.4 Runtime Flags

4.5 Configuration

4.6 Experiments with Honeyd

4.7 Services

4.8 Logging

4.9 Summary

Chapter 5 Honeyd—Advanced Topics

5.1 Advanced Configuration

5.2 Emulating Services

5.3 Subsystems

5.4 Internal Python Services

5.5 Dynamic Templates

5.6 Routing Topology

5.7 Honeydstats

5.8 Honeydctl

5.9 Honeycomb

5.10 Performance

5.11 Summary

Chapter 6 Collecting Malware with Honeypots

6.1 A Primer on Malicious Software

6.2 Nepenthes—A Honeypot Solution to Collect Malware

6.3 Honeytrap

6.4 Other Honeypot Solutions for Learning About Malware

6.5 Summary

Chapter 7 Hybrid Systems

7.1 Collapsar

7.2 Potemkin

7.3 RolePlayer

7.4 Research Summary

7.5 Building Your Own Hybrid Honeypot System

7.6 Summary

Chapter 8 Client Honeypots

8.1 Learning More About Client-Side Threats

8.2 Low-Interaction Client Honeypots

8.3 High-Interaction Client Honeypots

8.4 Other Approaches

8.5 Summary

Chapter 9 Detecting Honeypots

9.1 Detecting Low-Interaction Honeypots

9.2 Detecting High-Interaction Honeypots

9.3 Detecting Rootkits

9.4 Summary

Chapter 10 Case Studies

10.1 Blast-o-Mat: Using Nepenthes to Detect Infected Clients

10.2 Search Worms

10.3 Red Hat 8.0 Compromise

10.4 Windows 2000 Compromise

10.5 SUSE 9.1 Compromise

10.6 Summary

Chapter 11 Tracking Botnets

11.1 Bot and Botnet 101

11.2 Tracking Botnets

11.3 Case Studies

11.4 Defending Against Bots

11.5 Summary

Chapter 12 Analyzing Malware with CWSandbox

12.1 CWSandbox Overview

12.2 Behavior-Based Malware Analysis

12.3 CWSandbox—System Description

12.4 Results

12.5 Summary

Bibliography

Index