Shellcode Detection in IPv6 Networks with HoneydV6

Sven Schindler, Oliver Eggert, Bettina Schnor, Thomas Scheffler

2014

Abstract

More and more networks and services are reachable via IPv6 and the interest for security monitoring of these IPv6 networks is increasing. Honeypots are valuable tools to monitor and analyse network attacks. HoneydV6 is a low-interaction honeypot which is well suited to deal with the large IPv6 address space, since it is capable of simulating a large number of virtual hosts on a single machine. This paper presents an extension for HoneydV6 which allows the detection, extraction and analyses of shellcode contained in IPv6 network attacks. The shellcode detection is based on the open source library libemu and combined with the online malware analysis tool Anubis. We compared the shellcode detection rate of HoneydV6 and Dionaea. While HoneydV6 is able to detect about 25 % of the malicious samples, the Dionaea honeypot detects only about 6 %.

References

  1. Baecher, P. and Koetter, M. (nd). libemu - x86 Shellcode Emulation. Available from: http://libemu.carnivore.it/.
  2. Beale, J., Baker, A. R., Esler, J., and Northcutt, S. (2007). Snort: IDS and IPS toolkit. Jay Beale's open source security series. Syngress.
  3. Fratantonio, Y., Kruegel, C., and Vigna, G. (2011). Shellzer: A tool for the dynamic analysis of malicious shellcode. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, RAID'11, pages 61-80, Berlin, Heidelberg. Springer-Verlag.
  4. Polychronakis, M., Anagnostakis, K. G., and Markatos, E. P. (2006). Network level polymorphic shellcode detection using emulation. In Proceedings of the Third International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA'06, pages 54-73, Berlin, Heidelberg. Springer-Verlag.
  5. Schindler, S., Schnor, B., Kiertscher, S., Scheffler, T., and Zack, E. (2013). HoneydV6: A low-interaction IPv6 honeypot. In Proc. of the 10th International Conference on Security and Cryptography (SECRYPT 2013), Reykjavik, Iceland.
  6. Spitzner, L. (2002). Honeypots: Tracking Hackers. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA.
  7. Ször, P. and Ferrie, P. (2001). Hunting for metamorphic. In In Virus Bulletin Conference, pages 123-144.
Download


Paper Citation


in Harvard Style

Schindler S., Eggert O., Schnor B. and Scheffler T. (2014). Shellcode Detection in IPv6 Networks with HoneydV6 . In Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014) ISBN 978-989-758-045-1, pages 198-205. DOI: 10.5220/0005016801980205


in Bibtex Style

@conference{secrypt14,
author={Sven Schindler and Oliver Eggert and Bettina Schnor and Thomas Scheffler},
title={Shellcode Detection in IPv6 Networks with HoneydV6},
booktitle={Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)},
year={2014},
pages={198-205},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005016801980205},
isbn={978-989-758-045-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)
TI - Shellcode Detection in IPv6 Networks with HoneydV6
SN - 978-989-758-045-1
AU - Schindler S.
AU - Eggert O.
AU - Schnor B.
AU - Scheffler T.
PY - 2014
SP - 198
EP - 205
DO - 10.5220/0005016801980205