TY - GEN
T1 - Tales from the crypt
T2 - 3rd European Conference on Computer Network Defense, EC2ND 2007
AU - Valkering, Michael
AU - Slowinska, Asia
AU - Bos, Herbert
PY - 2009/12/1
Y1 - 2009/12/1
N2 - Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of signature. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.
AB - Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of signature. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.
UR - http://www.scopus.com/inward/record.url?scp=84884996884&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84884996884&partnerID=8YFLogxK
U2 - 10.1007/978-0-387-85555-4_1
DO - 10.1007/978-0-387-85555-4_1
M3 - Conference contribution
AN - SCOPUS:84884996884
SN - 9780387855547
VL - 30 LNEE
T3 - Lecture Notes in Electrical Engineering
SP - 1
EP - 20
BT - Proceedings of the 3rd European Conference on Computer Network Defense
Y2 - 4 October 2007 through 5 October 2007
ER -
