Development of Hybrid Honeynet for Malware Analysis
Arbatov, Evgeniy (2010)
Metropolia Ammattikorkeakoulu
2010
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2010052010040
https://urn.fi/URN:NBN:fi:amk-2010052010040
Tiivistelmä
The goal this project was to develop a system that would be capable of supplying application layer context of one host for the network layer traces collected by a second independent host. The aim of the resulted system, based on the principle of decoys, would be to analyze potentially malicious traffic without a threat to production services.
The practical part of this work involved building a scalable setup to verify the feasibility of the chosen methods. The study concentrated primarily on the Linux Slapper worm and used a sample of the worm’s exploit code to develop a mechanism for attracting a worm and creating a signature suitable for the worm identification by an IDS system. The key outcomes of the project included establishing the honeynet environment for inspecting malicious traffic flows and examining the worm functionality. The work also reflected on the body of knowledge presently available by studying the different solutions in the field of malware analysis.
The developed system has no production value, but provides an outlook into functioning and interfaces between various technologies that usually operate independently. Further study could include examination of low-level components and assumptions made by software developers and malware authors. Additional work on formalizing the properties and modelling worm interaction could also assist in improving the understanding of malicious code.
The practical part of this work involved building a scalable setup to verify the feasibility of the chosen methods. The study concentrated primarily on the Linux Slapper worm and used a sample of the worm’s exploit code to develop a mechanism for attracting a worm and creating a signature suitable for the worm identification by an IDS system. The key outcomes of the project included establishing the honeynet environment for inspecting malicious traffic flows and examining the worm functionality. The work also reflected on the body of knowledge presently available by studying the different solutions in the field of malware analysis.
The developed system has no production value, but provides an outlook into functioning and interfaces between various technologies that usually operate independently. Further study could include examination of low-level components and assumptions made by software developers and malware authors. Additional work on formalizing the properties and modelling worm interaction could also assist in improving the understanding of malicious code.