A Mechanism for Automated Collection of Digital Evidence in High-Interaction Honeypots

  • Martim d’Orey Posser de Andrade Carbone (UNICAMP)
  • Paulo Lício de Geus (UNICAMP)

Abstract

Honeypots are computational resources whose value lies in being probed, attacked or compromised by intruders. This makes it possible to obtain information about their methods, tools and motivations. In high-interaction honeypots this is achieved, among other ways, by collecting digital evidence. Such collection is traditionally done manually and statically, which takes time and does not always yield good results. In this paper, we describe an automatic, dynamic and transparent mechanism based on system call interception for collecting digital evidence on honeypots, addressing the flaws found in the traditional methodologies.

Published: 2004-05-10

CARBONE, Martim d’Orey Posser de Andrade; GEUS, Paulo Lício de. Um mecanismo para Coleta Automatizada de Evidências Digitais em Honeypots de Alta Interatividade. In: BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 4., 2004, Gramado. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2004. p. 188-199. DOI: https://doi.org/10.5753/sbseg.2004.21237.
