Research On Techniques Of Virtual High Interaction Honeypot System In Windows Operating System

Posted on: 2012-01-07
Degree: Master
Type: Thesis
Country: China
Candidate: L Shen
Full Text: PDF
GTID: 2218330362950563
Subject: Information and Communication Engineering
Abstract/Summary:
Honeypots are an exciting new technology with enormous potential for the security community. Unlike a firewall or an Intrusion Detection System, a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Because traditional firewalls and Intrusion Detection Systems can do nothing about many network attacks, honeypot technology, with its unique approach, has quickly stood out in the security community. At present, honeypot technology is still at an early stage. After studying many recognition technologies, this dissertation found that current honeypot recognition technology is very limited. It cannot adequately keep up with operating system updates, especially on Windows. This dissertation, based on a study of virtual high-interaction honeypot systems under Windows, puts forward and improves recognition methods for the Sebek data capture software, and builds an integrated software test platform, Honeypot Detection.

First, this dissertation builds a honeynet based on a VMware theoretical environment and outlines four related methods for detecting a VMware-based virtual environment on the Windows operating system. The honeynet provides a research and testing environment for studying honeypot recognition methods and for the final integrated software testing platform.

Next, based on a study of the transmission characteristics of Sebek data, this dissertation develops a Sebek data recognition method that extracts the characteristics of its network device driver invocations, which we call IATHD. By studying the anti-detection characteristics of Sebek, we have also improved the current Sebek detection method and created SSDTHD, which integrates the System Service Descriptor Table method and the Windows Registry detection method.

Finally, this dissertation implements the VMware detection methods and the Sebek detection methods in one software platform, which is made up of device drivers and interfaces. The platform can rapidly and correctly tell whether the target machine is running under VMware or has the Sebek software installed, and reach a conclusion about whether it is a virtual high-interaction honeypot.
Keywords/Search Tags: Honeypot, Anti-Honeypot, VMware, Sebek, IATHD, SSDTHD