This Network is Infected: HosTaGe - a Low-Interaction Honeypot for Mobile Devices Emmanouil Vasilomanolakis*, Shankar Karuppayah*x, Mathias Fischer*, Max Mühlhäuser* *Telecooperation Group, xNational Advanced IPv6 Center (NAv6), Technische Universität Darmstadt - CASED Universiti Sains Malaysia (USM), fi[email protected] Penang, Malaysia ABSTRACT Keywords In recent years, the number of sophisticated cyber attacks Mobile Honeypot; Malware; Security; Android has increased rapidly. At the same time, people tend to utilize unknown, in terms of trustworthiness, wireless net- works in their daily life. They connect to these networks, 1. INTRODUCTION e.g., airports, without knowledge of whether they are safe or Recent security reports indicate an increase in sophisti- infected with actively propagating malware. In traditional cated cyber attacks [13]. With the advancements in mo- networks, malicious behavior can be detected via Intrusion bile devices (smartphones, tablets, etc.) as well as the in- Detection Systems (IDSs). However, IDSs cannot be applied creased number of available wireless networks many chal- easily to mobile environments and to resource constrained lenges arise from the security perspective. People tend to devices. Another common defense mechanism is honeypots, utilize unknown, in terms of trustworthiness, wireless net- i.e., systems that pretend to be an attractive target to at- works in their daily life. They connect to these networks, tract malware and attackers. As a honeypot has no pro- e.g., airports and coffee shops offering Internet access, with- ductive use, each attempt to access it can be interpreted out knowledge of whether they are safe or infected with ac- as an attack. Hence, they can provide an early indication tively propagating malware. on malicious network environments. Since low interaction From conventional networks, additional defenses like IDSs honeypots do not demand high CPU or memory require- [4] and dynamic firewalls are known for the detection of ments, they are suitable to resource constrained devices like malicious behavior. However, these defenses cannot be ap- smartphones or tablets. plied easily to resource constrained mobile devices. More- In this paper we present the idea of Honeypot-To-Go. over, IDSs as purely passive monitoring components may We envision portable honeypots on mobile devices that aim not alone be sufficient in protecting against cyber attacks. on the fast detection of malicious networks and thus boost Honeypots are special systems whose value lies in being the security awareness of users. Moreover, to demonstrate probed, attacked or compromised [12]. Honeypots provide the feasibility of this proposal we present our prototype a more active line-of-defense compared to passive intrusion HosTaGe, a low-interaction honeypot implemented for the detection. Furthermore, they are also able to provide addi- Android OS. We present some initial results regarding the tional knowledge regarding recent malware techniques and performance of this application as well as its ability to de- trends. Honeypots can be classified with respect to the tect attacks in a realistic environment. To the best of our level of interaction that is offered to the attacker. A low- knowledge, HosTaGe is the first implementation of a generic interaction honeypot simulates network operations, usually low-interaction honeypot for mobile devices. at the TCP/IP stack, while high-interaction honeypots are real systems that are vulnerable and need to be carefully safeguarded to avoid that they are compromised. In this paper we focus on low-interaction honeypots since they re- quire low resources and thus are suitable for mobile devices. Categories and Subject Descriptors Popular low-interaction honeypots in conventional networks D.4.6 [Operating Systems]: [Security and Protection - In- are for example Nepenthes [3] and Dionaea1. However, we vasive software]; C.2.0 [Computer-Communication Net- still lack honeypots that are tailored specifically for deploy- works]: General: Security and Protection ment in mobile environments. For this reason, we propose the idea of Honeypot-To-Go: lightweight, low-interaction, portable, and generic honey- Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not pots for mobile devices that aim on the detection of ma- made or distributed for profit or commercial advantage and that copies bear licious, wireless network environments. As most malware this notice and the full citation on the first page. Copyrights for components propagate over the network via specific protocols, a low- of this work owned by others than ACM must be honored. Abstracting with interaction honeypot located at a mobile device can check credit is permitted. To copy otherwise, or republish, to post on servers or to wireless networks for actively propagating malware. We en- redistribute to lists, requires prior specific permission and/or a fee. Request vision such honeypots running on all kinds of mobile devices, permissions from [email protected]. SPSM13 November 08 2013, Berlin, Germany e.g., smartphones and tablets, to provide a quick assessment Copyright 2013 ACM 978-1-4503-2491-5/13/11 ...$15.00 1 http://dx.doi.org/10.1145/2516760.2516763. http://dionaea.carnivore.it 43 on the potential security state of a network. In addition, a • Resource Utilization: Resources such as power, mem- honeypot-to-go may serve as a tool to increase the security ory and network bandwidth are usually scarce at mo- awareness among users and allow them to check publicly bile devices. Hence, special care needs to be taken to available wireless networks for signs of malicious activity avoid unnecessary computational overhead. before actually using them. Moreover, such honeypots can also assist network administrators analyzing the health of • Extendability and Interoperability: A mobile honey- their networks on-the-go. pot should be easily extendable by new protocols, for The contribution of this paper is twofold. First, we intro- vulnerability emulation, to the existing system. Addi- duce the concept of Honeypot-To-Go, i.e., portable honey- tionally, the honeypot should be able to submit statis- pots running on mobile devices to detect malware spreading tics to third-party entities, e.g., to security incident via wireless networks. Second, we introduce our prototype, monitors or servers. HosTaGe2, which stands for Honeypot-To-Go, and that is a low-interaction honeypot for the Android OS. HosTaGe has 3. RELATED WORK been specifically designed with usability in mind to increase Honeypots have been studied extensively over the recent the security awareness of users when connecting to wireless years [12]. The low-interaction class especially exhibits a networks. variety of proposals and implementations, e.g., [3, 10, 11, 9, The remainder of this paper is organized as follows: In 6]. As mentioned before, low-interaction honeypots emulate Section 2 we present generic requirements for low-interaction only network operations and therefore require low resources honeypots for mobile devices. Based upon the requirements, for their deployment. Section 3 summarizes the related work in this area. Section Early work that considered honeypots and mobile devices 4 presents the architecture and the features of HosTaGe, focused only on Bluetooth communications [5, 17]. The re- our mobile honeypot. In Section 5 we provide a detailed cent advances on mobile devices, their interconnectivity as discussion of our prototype (with respect to the requirements well as their popularity created a whole new ecosystem for from Section 2) and present some initial evaluation results. honeypot researchers. Moreover, we discuss current limitations and future work. Existing work in this direction [8, 15, 7, 14] focuses on the Finally, Section 6 concludes the paper. detection of mobile-specific malware. Specifically, Mulliner et al. were the first to discuss the idea of a honeypot for 2. REQUIREMENTS FOR A MOBILE smartphones, by providing initial ideas, challenges and an HONEYPOT architecture for their proposed system [8]. Moreover, in [15, 14] Wahlisch et al. provided insights from the deployment In the following, we describe basic requirements for a mo- of a honeypot on a mobile network. However, their honey- bile low-interaction honeypot. pot is not specifically crafted for mobile devices, but rather • Visibility: In order to attract malware and malicious existing Linux-based desktop honeypots deployed in mobile users, honeypots must emulate vulnerable services at networks. Furthermore, in [7] the idea of nomadic honey- the respective ports. This requires the honeypot to pots has been introduced. The authors focus on mobile- listen for incoming connections at those ports. How- specific attacks and also require their system to collect a ever, it is not always possible to constantly listen to large amount of personal information. all ports due to limitations of mobile devices such as In addition, most honeypot proposals are strictly focused resources and also security policies of mobile Operat- on implementing novel detection methods. Hence, user- ing Systems (OSs). However, for those ports that are friendly solutions are not the primary focus and usually tar- being listened, the honeypot application must respond get only security professionals as the main users. However, according to the protocol specification in order to avoid the idea and the benefits of creating user-friendly
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages6 Page
-
File Size-