Virtual Honeypots: From Botnet Tracking to Intrusion Detection

Niels Provos, Thorsten Holz

  • 出版商: Addison Wesley
  • 出版日期: 2007-07-01
  • 定價: $2,160
  • 售價: 8.0$1,728
  • 語言: 英文
  • 頁數: 440
  • 裝訂: Paperback
  • ISBN: 0321336321
  • ISBN-13: 9780321336323
  • 相關分類: 資訊安全
  • 立即出貨 (庫存 < 4)

買這商品的人也買了...

相關主題

商品描述

Description

Praise for Virtual Honeypots

"A power-packed resource of technical, insightful information that unveils the world of honeypots in front of the reader’s eyes."

—Lenny Zeltser, Information Security Practice Leader at Gemini Systems

"This is one of the must-read security books of the year."

—Cyrus Peikari, CEO, Airscanner Mobile Security, author, security warrior

"This book clearly ranks as one of the most authoritative in the field of honeypots. It is comprehensive and well written. The authors provide us with an insider’s look at virtual honeypots and even help us in setting up and understanding an otherwise very complex technology."

—Stefan Kelm, Secorvo Security Consulting

"Virtual Honeypots is the best reference for honeypots today. Security experts Niels Provos and Thorsten Holz cover a large breadth of cutting-edge topics, from low-interaction honeypots to botnets and malware. If you want to learn about the latest types of honeypots, how they work, and what they can do for you, this is the resource you need."

—Lance Spitzner, Founder, Honeynet Project

"Whether gathering intelligence for research and defense, quarantining malware outbreaks within the enterprise, or tending hacker ant farms at home for fun, you’ll find many practical techniques in the black art of deception detailed in this book. Honeypot magic revealed!"

—Doug Song, Chief Security Architect, Arbor Networks

"Seeking the safest paths through the unknown sunny islands called honeypots? Trying to avoid greedy pirates catching treasures deeper and deeper beyond your ports? With this book, any reader will definitely get the right map to handle current cyber-threats.

Designed by two famous white hats, Niels Provos and Thorsten Holz, it carefully teaches everything from the concepts to practical real-life examples with virtual honeypots. The main strength of this book relies in how it covers so many uses of honeypots: improving intrusion detection systems, slowing down and following incoming attackers, catching and analyzing 0-days or malwares or botnets, and so on.

Sailing the high seas of our cyber-society or surfing the Net, from students to experts, it’s a must-read for people really aware of computer security, who would like to fight against black-hats flags with advanced modern tools like honeypots."

—Laurent Oudot, Computer Security Expert, CEA

"Provos and Holz have written the book that the bad guys don’t want you to read. This detailed and comprehensive look at honeypots provides step-by-step instructions on tripping up attackers and learning their tricks while lulling them into a false sense of security. Whether you are a practitioner, an educator, or a student, this book has a tremendous amount to offer. The underlying theory of honeypots is covered, but the majority of the text is a ‘how-to’ guide on setting up honeypots, configuring them, and getting the most out of these traps, while keeping actual systems safe. Not since the invention of the firewall has a tool as useful as this provided security specialists with an edge in the never-ending arms race to secure computer systems. Virtual Honeypots is a must-read and belongs on the bookshelf of anyone who is serious about security."

—Aviel D. Rubin, Ph.D., Computer Science Professor and Technical Director of the Information Security Institute at Johns Hopkins University, and President and Founder, Independent Security Evaluators

"An awesome coverage of modern honeypot technologies, both conceptual and practical."

—Anton Chuvakin

"Honeypots have grown from simple geek tools to key components in research and threat monitoring at major entreprises and security vendors. Thorsten and Niels comprehensive coverage of tools and techniques takes you behind the scene with real-world examples of deployment, data acquisition, and analysis."

—Nicolas Fischbach, Senior Manager, Network Engineering Security, COLT Telecom, and Founder of Sécurité.Org

Honeypots have demonstrated immense value in Internet security, but physical honeypot deployment can be prohibitively complex, time-consuming, and expensive. Now, there’s a breakthrough solution. Virtual honeypots share many attributes of traditional honeypots, but you can run thousands of them on a single system-making them easier and cheaper to build, deploy, and maintain.

In this hands-on, highly accessible book, two leading honeypot pioneers systematically introduce virtual honeypot technology. One step at a time, you’ll learn exactly how to implement, configure, use, and maintain virtual honeypots in your own environment, even if you’ve never deployed a honeypot before.

You’ll learn through examples, including Honeyd, the acclaimed virtual honeypot created by coauthor Niels Provos. The authors also present multiple real-world applications for virtual honeypots, including network decoy, worm detection, spam prevention, and network simulation.

After reading this book, you will be able to

  • Compare high-interaction honeypots that provide real systems and services and the low-interaction honeypots that emulate them
  • Install and configure Honeyd to simulate multiple operating systems, services, and network environments
  • Use virtual honeypots to capture worms, bots, and other malware
  • Create high-performance "hybrid" honeypots that draw on technologies from both low- and high-interaction honeypots
  • Implement client honeypots that actively seek out dangerous Internet locations
  • Understand how attackers identify and circumvent honeypots
  • Analyze the botnets your honeypot identifies, and the malware it captures
  • Preview the future evolution of both virtual and physical honeypots 

  

Table of Contents

Preface xiii

Acknowledgments xxi

About the Authors xxiii

Chapter 1 Honeypot and Networking Background 1

1.1 Brief TCP/IP Introduction 1

1.2 Honeypot Background 7

1.3 Tools of the Trade 13

Chapter 2 High-Interaction Honeypots 19

2.1 Advantages and Disadvantages 20

2.2 VMware 22

2.3 User-Mode Linux 41

2.4 Argos 52

2.5 Safeguarding Your Honeypots 62

2.6 Summary 69

Chapter 3 Low-Interaction Honeypots 71

3.1 Advantages and Disadvantages 72

3.2 Deception Toolkit 73

3.3 LaBrea 74

3.4 Tiny Honeypot 81

3.5 GHH—Google Hack Honeypot 87

3.6 PHP.HoP—A Web-Based Deception Framework 94

3.7 Securing Your Low-Interaction Honeypots 98

3.8 Summary 103

Chapter 4 Honeyd—The Basics 105

4.1 Overview 106

4.2 Design Overview 109

4.3 Receiving Network Data 112

4.4 Runtime Flags 114

4.5 Configuration 115

4.6 Experiments with Honeyd 125

4.7 Services 129

4.8 Logging 131

4.9 Summary 134

Chapter 5 Honeyd—Advanced Topics 135

5.1 Advanced Configuration 136

5.2 Emulating Services 139

5.3 Subsystems 142

5.4 Internal Python Services 146

5.5 Dynamic Templates 148

5.6 Routing Topology 150

5.7 Honeydstats 154

5.8 Honeydctl 156

5.9 Honeycomb 158

5.10 Performance 160

5.11 Summary 161

Chapter 6 Collecting Malware with Honeypots 163

6.1 A Primer on Malicious Software 164

6.2 Nepenthes—A Honeypot Solution to Collect Malware 165

6.3 Honeytrap 197

6.4 Other Honeypot Solutions for Learning About Malware 204

6.5 Summary 207

Chapter 7 Hybrid Systems 209

7.1 Collapsar 211

7.2 Potemkin 214

7.3 RolePlayer 220

7.4 Research Summary 224

7.5 Building Your Own Hybrid Honeypot System 224

7.6 Summary 230

Chapter 8 Client Honeypots 231

8.1 Learning More About Client-Side Threats 232

8.2 Low-Interaction Client Honeypots 241

8.3 High-Interaction Client Honeypots 253

8.4 Other Approaches 263

8.5 Summary 272

Chapter 9 Detecting Honeypots 273

9.1 Detecting Low-Interaction Honeypots 274

9.2 Detecting High-Interaction Honeypots 280

9.3 Detecting Rootkits 302

9.4 Summary 305

Chapter 10 Case Studies 307

10.1 Blast-o-Mat: Using Nepenthes to Detect Infected Clients 308

10.2 Search Worms 327

10.3 Red Hat 8.0 Compromise 332

10.4 Windows 2000 Compromise 343

10.5 SUSE 9.1 Compromise 351

10.6 Summary 357

Chapter 11 Tracking Botnets 359

11.1 Bot and Botnet 101 360

11.2 Tracking Botnets 373

11.3 Case Studies 376

11.4 Defending Against Bots 387

11.5 Summary 390

Chapter 12 Analyzing Malware with CWSandbox 391

12.1 CWSandbox Overview 392

12.2 Behavior-Based Malware Analysis 394

12.3 CWSandbox—System Description 401

12.4 Results 405

12.5 Summary 413

Bibliography 415

Index 423

商品描述(中文翻譯)

描述

《虛擬蜜罐》的讚譽

「這是一本充滿技術和深入見解的資源,將蜜罐的世界展現在讀者眼前。」
- Lenny Zeltser,Gemini Systems的資訊安全實踐領導者

「這是今年必讀的安全書籍之一。」
- Cyrus Peikari,Airscanner Mobile Security的CEO,安全戰士的作者

「這本書在蜜罐領域中明顯地排名最高,內容全面且寫得很好。作者們向我們提供了對虛擬蜜罐的內部洞察,甚至幫助我們建立和理解一個本來非常複雜的技術。」
- Stefan Kelm,Secorvo Security Consulting

「《虛擬蜜罐》是當今蜜罐的最佳參考資料。安全專家Niels Provos和Thorsten Holz涵蓋了從低交互蜜罐到僵屍網絡和惡意軟體等尖端主題的廣泛範疇。如果你想了解最新型號的蜜罐,它們的運作方式以及它們對你的作用,這是你需要的資源。」
- Lance Spitzner,Honeynet Project的創始人

「無論是為了研究和防禦而收集情報,還是在企業內部隔離惡意軟體爆發,或者在家中照顧黑客螞蟻農場以供娛樂,你將在這本書中找到許多實用的技巧,這是關於欺騙的黑魔法的詳細說明。蜜罐的魔力揭示了!」
- Doug Song,Arbor Networks的首席安全架構師

「尋找通過未知的陽光島嶼,也就是蜜罐,的最安全路徑?試圖避免貪婪的海盜在你的港口之外越來越深處捕捉寶藏?這本書將給任何讀者提供正確的地圖,以應對當前的網絡威脅。由兩位著名的白帽子Niels Provos和Thorsten Holz設計,它仔細地教授從概念到實際的虛擬蜜罐實例。這本書的主要優勢在於它涵蓋了蜜罐的許多用途:改進入侵檢測系統,減緩和追蹤入侵者,捕捉和分析0天漏洞、惡意軟體或僵屍網絡等等。無論是在我們的網絡社會中航行高海,還是在網絡上冒險,從學生到專家,這是對真正關注電腦安全的人來說必讀的書籍,他們希望用蜜罐等先進現代工具對抗黑帽子的旗幟。」
- Laurent Oudot,CEA的電腦安全專家

「Provos和Holz寫了一本壞人不希望你閱讀的書。這本關於蜜罐的詳細且全面的書籍提供了關於如何絆倒攻擊者並學習他們的技巧,同時讓他們陷入虛假的安全感的逐步指導。無論你是從業者、教育工作者還是學生,這本書都有很多可提供的。它涵蓋了蜜罐的基本理論,但大部分內容是一個關於建立蜜罐、配置它們並充分利用這些陷阱的「如何」指南,同時保持實際系統的安全。自從防火牆的發明以來,沒有像這樣有用的工具為安全專家在永無止境的保護計算機系統的軍備競賽中提供了優勢。《虛擬蜜罐》是一本必讀的書籍,它應該出現在任何認真對待安全的人的書架上。」
- Aviel D. Rubin,約翰霍普金斯大學資訊安全研究所的計算機科學教授和技術總監,獨立安全評估公司的總裁和創始人