Honeypots mailing list archives

RE: search for master of science project topic


From: "Stejerean, Cosmin" <cosmin () cti depaul edu>
Date: Fri, 14 Oct 2005 13:19:47 -0500

What you mentioned sounds a lot like a bait and switch honeypot. I believe
the idea is to migrate both the process in question and the connection to
the honeypot so if a vulnerable server is exploited with a buffer overflow
attack the process will be migrated to the honeypot and any connection from
the attack will be redirected to the honeypot. This would be a step further
than regular network based bait and switch honeypot because the HIDS would
be able to detect when a process makes unusual system calls etc, as well as
transfer the process image and everything else to the honeypot.

The difficulty is in carefully migrating the process over and deciding what
can or cannot be migrated.

Cosmin

-----Original Message-----
From: Packet Man [mailto:packetman () altsec info] 
Sent: Friday, October 14, 2005 12:20 PM
To: gangadhar npk
Cc: Zack.Payton () MWAA com; dewadedw () yahoo com; honeypots () securityfocus com
Subject: Re: search for master of science project topic

gangadhar npk wrote:

It seems to be a very interesting thought. Correct me if I am wrong in
understanding this -
the basic premise is that, once the 'monitor' identifies a process that is
not conforming to the usual practice (say via anomaly detection), it
silently transfers the process image to a honeypot - without disruption of
any sort and the process runs within the honeypot (a VM, in all probability).
Maybe initially one can only take care of the socket connections, and then
move to the part of file handles, memmaps and others.
Was this attempted before - I don't know, hence the question.

Thanks
Gangadhar
-----Original Message-----
From: "Payton, Zack" <Zack.Payton () MWAA com>
To: <dewadedw () yahoo com>, <honeypots () securityfocus com>
Date: Tue, 11 Oct 2005 11:09:17 -0400
Subject: RE: search for master of science project topic

Sure,  What about writing a paper about the best way to monitor
processes on a production box and processes transfer and tcp redirect to
honeypot in event of anomaly.
Zack

I think that's an intriguing idea.

It melds intrusion protection with a honeypot, one that
would require re-engineering a honeypot.

Zack, if I get you right, the following would occur:

1.  IDS detects suspicious/malicious traffic
2.  The connection state would be transferred to the honeypot
3.  The connection route would be redirected to the honeypot
4.  The honeypot would spoof the original host and start gathering data

I'm not sure of the usefulness/feasibility though.

It would surely require a HIDS client on the target that (A)
works with the IDS and honeypot to effect a transfer of
connection and state data, and (B) responds to IPS/IDS
warnings to not go through with data transfer.

Now, as a vast improvement to typical firewall and IPS
behavior, I think it's a cool idea to have an IDS/IPS effect
a transfer of a connection from the actual targeted host
to a honeypot, instead of simply dropping the traffic.

Such a system would expand the scope of honeypot data
collection to actively taking over connections or attempted
connections from other systems, rather than sitting there
passively waiting for traffic only on its delegated network
address space.

In addition, I think it would be interesting to try this
technique with takeover of an encrypted connection.

It's worth exploring, discussing.

My .02 cents worth.

-- 
Excellence in InfoSec and Linux
http://www.altsec.info
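As an added illustration of the monitor-then-migrate design the thread sketches (example code written for this page, not from any poster or existing project): a toy syscall n-gram anomaly detector that, once a trace crosses a threshold, emits a migration plan listing which of the process's descriptors a honeypot could take over. The window size, threshold, traces and descriptor table are all assumptions constructed for the example.

```python
WINDOW = 3  # syscall n-gram length; a tuning choice assumed here, not from the thread

def build_profile(training_traces, n=WINDOW):
    """Set of every n-gram of syscalls observed while the service behaved normally."""
    profile = set()
    for trace in training_traces:
        profile.update(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))
    return profile

def anomaly_score(trace, profile, n=WINDOW):
    """Fraction of the trace's n-grams that never occurred in training (0.0 = all seen)."""
    grams = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)

# Resource kinds the monitor is prepared to hand to the honeypot. The thread suggests
# starting with socket connections only; file handles and memory maps stay behind.
MIGRATABLE_KINDS = {"tcp_socket"}

def migration_plan(trace, profile, descriptors, threshold=0.2):
    """Decide whether to migrate, and split the process's descriptors into those the
    honeypot could take over (connection state) and those that cannot move yet."""
    score = anomaly_score(trace, profile)
    transfer = [d["fd"] for d in descriptors if d["kind"] in MIGRATABLE_KINDS]
    hold = [d["fd"] for d in descriptors if d["kind"] not in MIGRATABLE_KINDS]
    return {"score": round(score, 3), "migrate": score >= threshold,
            "transfer": transfer, "hold": hold}

# Constructed sample data: two normal request-handling traces of a small file server,
# a benign live trace, and a trace that ends in a syscall the profile never saw.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "close", "write", "close"],
    ["accept", "read", "write", "close"],
]
PROFILE = build_profile(NORMAL_TRACES)
BENIGN = ["accept", "read", "open", "read", "close", "write", "close"]
SUSPECT = ["accept", "read", "write", "close", "execve"]
DESCRIPTORS = [  # constructed descriptor table for the monitored process
    {"fd": 0, "kind": "file", "path": "/var/log/app.log"},
    {"fd": 4, "kind": "tcp_socket", "peer": "198.51.100.7:40211"},  # documentation IP
    {"fd": 5, "kind": "mmap"},
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, migration_plan(trace, PROFILE, DESCRIPTORS))
```

A real monitor would need a far larger training set and would have to act on the live connection rather than a descriptor table, but the split between "transfer" and "hold" is exactly the decision Cosmin's last paragraph points at.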
