ebook img

Design, Implementation, and Operation of a Mobile Honeypot PDF

2.6 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Design, Implementation, and Operation of a Mobile Honeypot

Design, Implementation, and Operation of a Mobile Honeypot MatthiasWählisch AndréVorbach ChristianKeil JochenSchönfelder FreieUniversitätBerlin DeutscheTelekomAG DFN-CERT DFN-CERT ThomasC.Schmidt JochenH.Schiller HAWHamburg FreieUniversitätBerlin {m.waehlisch,jochen.schiller}@fu-berlin.de,[email protected] 3 {keil,schoenfelder}@dfn-cert.de,[email protected] 1 0 2 Abstract upuntilnowunsolicitedremoteaccessestomobileshave n not been studied in detail. In this paper, we argue that Mobile nodes, in particular smartphones are one of the a a measurement infrastructure is required which aims to J most relevant devices in the current Internet in terms of quantifyandtoanalysetheamountofremoteattackson 0 quantityandeconomicimpact. Thereisthecommonbe- mobiles. 3 lievethatthosedevicesareofspecialinterestforattack- A common technique to study attack behavior is the ers due to their limited resources and the serious data ] deployment of honeypot. A honeypot is a trap for col- R they store. On the other hand, the mobile regime is a lecting data from unauthorized system access—in this C verylivelynetworkenvironment,whichmissesthe(lim- analysis via IP—initiated by remote parties. However, ited)groundtruthwehaveincommonlyconnectedInter- . theterm“mobilehoneypot”isnotwell-definedandthere s netnodes. Inthispaperweargueforasimplelong-term c isonlyverylimitedworkonthedesignofameasurement [ measurementinfrastructurethatallowsfor(1)theanaly- systemthatallowsforboth,theanalysisofthemobileas sisofunsolicitedtraffictoandfrommobiledevicesand 1 well as non-mobile world. In this paper we extend our (2) fair comparison with wired Internet access. We in- v previouswork[4]andmakethefollowingcorecontribu- 7 troducethedesignandimplementationofamobilehon- tions: 5 eypot,whichisdeployedonstandardhardwareformore 2 than 1.5 years. Two independent groups developed the 1. We introduce the detailed design and implementa- 7 same concept for the system. We also present prelimi- tionconceptsofamobilehoneypot. Theprinciples . 1 narymeasurementresults. of the system have been developed independently 0 by two groups. It has been running for approxi- 3 mately1.5yearsandispartoftheearlywarningsys- 1 1 Introduction temofoneofthelargestISPsinEurope. Thehon- : v eypotsystemabstractsfromunnecessarymobileas- i ScanningInternethoststoinitiateadenialofservice,to pects,whichallowsustodeploythesamesoftware X findanexploit,ortodiscoveranunsecuredremoteaccess baseonstandardPCsthatareconnectedtodifferent r a istypicallythefirststepofanattacktowardsInternetde- typesofInternetaccess. vices. Informertimesthoseattackshavebeenreserved 2. Wereportonpreliminarymeasurementresults.This to traditional server systems [1]. Today, not only desk- includes a summary of our current observations of topsbutalsomobiledevices(e.g.,smartphones)offerin- attack behaviour on smartphones, as well as a sta- tentionallyexternalservices. tisticalanalysisofunsolicitedtraffic[5]. Thetraffic Mobile phones are particularly threaten by attacks. measurement presents data from November 2012, They are almost always connected with the Internet. whichwecomparewithcommonwiredInternetac- Their limited resources do not allow the application of cess and with our results from January 2012 [4]. commonlyusedsecuritymechanisms. Inaddition,many Surprisingly, we do not find a significant amount end users disable security barriers, which have been in- of attacks specific to mobiles, which indicates that troduced by vendors, when they root or jailbreak their adversariesoperatealmostindependentlyoftheac- mobile[2]. Fromthisperspectiveitisreasonablytoas- tuallycapturedhost. sumethatattackersspecificallytargetonmobiledevices. A plethora of research discussed network-based vulner- The vulnerability of smartphones is based on multi- abilityofmobilesandproposedsolutions(e.g.,[3]),but ple aspects. This paper concentrates on remote attacks 1 via the Internet. One might argue that a mobile opera- focus on the attacks on the wireless technology. The torusuallydonotassignpublicIPaddressestomobiles term mobile honeypot is used here referring to honey- andthatNATtechniquesprotectthesystemsagainstma- pots that focus on attacks on mobile devices.1 They licious access. We think the mobile environment needs can either be mobile themselves in running on the mo- an early and continuous analysis as well as appropri- biledeviceinwhichcasetheywouldusuallybelowin- ate tools. There are still operators providing public IP teraction honeypots used for deception and detection of addresses. With an increased deployment of IPv6 the known attacks. This also greatly reduces the possibil- IP address assignment policy will change as several ap- ityofthedeviceitselfbeingcompromised. Ontheother plication scenarios requiring direct access without NAT hand they can be dedicated devices up to high interac- traversal. tionsolutionssetuptoexposeunknownattacks. Mobile Theremainderofthispaperisstructuredasfollows.In honeypotsinthesenseofhoneypotsfocussingonmobile Section 2 we introduce background and discuss related devicesareforexampledevelopedbytheChineseChap- workinthecontextofmobilehoneypots. Wepresentthe ter of the Honeynet Project [10]. They are using proto- design space, implementation, and deployment aspects typedeploymentsofhoneypotsforBluetooth,WiFi,and of the mobile honeypot system in Section 3. Our mea- MMS.TJOConnorandBenSangsterbuilthoneyM[11], surement study is discussed in Section 4. We conclude aframeworkforvirtualizedmobiledeviceclienthoney- withanoutlookinSection5. pots,whichemulatesinparticularwirelesstechnologies. Mullineretal. [12]proposeHoneyDroid,aspecificmo- bile honeyot that exclusively runs on smartphones. We 2 BackgroundandRelatedWork arguethatthoseapproachescomplicatethemeasurement across different types of systems. In addition, they are 2.1 TrappingAttackerswithaHoneypot onlyrequiredifthehardwarecharacteristicsarerelevant forthestudy. Incontrasttoothersecuritymeasuresthatultimatelytry to keep the attacker out of the system, honeypots are meanttobecompromised. Theirvalueliesinluringthe 3 MobileHoneypotSystem attacker into entering a system and collecting informa- tiononhowthisisdone. Our primary goal is the design of a measurement sys- A honeypot is typically classified as low interaction tem that captures traffic characteristics of malicious be- orhighinteractionhoneypotandclientorserverhoney- haviour on mobile devices and allows for comparison pot. A low interaction honeypot primarily collects in- withnon-mobileenvironments. Inadditiontothesesta- formationabouttheattackeranddetectsknownattacks. tistical observations, we are interested in the more de- Thelimitedlevelofinteractionbetweenattackerandtar- tailed procedure of potential attackers (e.g., which soft- getisachievedbynotprovidingfullyfunctionalservices waredotheyinfiltrate). Acommontechniqueistheap- butonlyemulationsthereofwithknownexploits. Onthe plication of a honeypot. In this section, we discuss ap- otherhand,ahighinteractionhoneypot providesafully propriate levels of abstraction to cover the mobile envi- functional system. They are used to reveal current and ronment without losing comparability with non-mobile newattacksthatdonothavetobecateredforwhenset- setups. Themobilehoneypothasbeendesignedandim- tingupthehoneypot. Sincethehigh-interactionhoney- plemented coincidently by two different groups. Both potisafullyfunctionalsystem,ithastobecloselymon- groupsapproachedcompletelyindependentlyatthesame itoredforsuccessfulattackstopreventtheattackerfrom conclusion. using the honeypot to target other systems on the net- work. Server honeypots provide vulnerable services to AttackerModel Inthispaper,weconcentrateonasys- maliciousclients. Theirfocusisinprotocolandservice tem that analyzes malicious access via the Internet on specificvulnerabilities. Aserverhoneypotdoesnotoffer smartphones. Weargueforatypicalattackermodel. The any legitimate services, any connection by a client can attacker tries to compromise the smartphone via unso- betreatedasanattack. Clienthoneypotstaketheroleof licitedremoteconnections[3],orcapturesthemobileus- avulnerableclienttryingtofindmaliciousservers. ingmalwareandinitiatesfurtherdenialofserviceattacks to other mobiles or non-mobile hosts [13], [14]. In any 2.2 WirelessversusMobileHoneypots case,suchremoteattacksareboundtothenetworklayer Physical and virtual honeypots [6] have been studied in 1Notethattheterm“mobilehoneypot”isalsousedtodescribeother detail, however, there is only little work in the field of scenarios. BalachanderKrishnamurthy[9]usesittodescribeprefixes ofdarknetaddressspacethat(1)areadvertisedtoupstreamASes,mak- mobile-relatedhoneypots. Mobilehoneypotshavetobe ingtheinformationmobile,and(2)changeaperiodically,movingthe distinguished from wireless honeypots [7], [8], which darknetintheaddressspace. 2 and moreover do not address specifics of mobile hard- 3.2 Implementation ware,butsolelytargetatthesystemlevel. Theadversary activelytriestofindvulnerablenodesandmayuseaddi- Software To implement the proposed honeypot sys- tionalinformationsuchasIPtopologydataorwebserver tem, we use multiple well-known honeypot tools. The logstodifferentiatemobileandnon-mobilenetworks. mobilehoneypotconsistsofthefollowingdifferentsub- honyepots: Kippo,Glastopf,andDionaea. Kippo is a dedicated SSH honeypot that emulates re- 3.1 Design mote terminal sessions. Login access is secured by a trivial password, which allows an attacker to gain eas- The term “mobile honeypot” is not well-defined. The ily access to the system. The user account is granted general design space is based on the following three administrator privileges. An attacker can execute com- questions: (Q1) Is it necessary that the probe runs on a mon programs, as well as download and install addi- mobiledevice—ifyeswhichdevicetype(notebookver- tional tools. The honeypot records downloaded files in sus smartphones versus ...)? (Q2) Is it necessary that thebackgroundforlateranalysis. Toprotectthehoney- thehoneypotrunsonamobileoperatingsystem(PCem- pot against compromising operations, all infiltrated ac- ulation versus mobile device)? (Q3) To which network tionsareonlyvalidwithinthecurrentattacksessionand is the mobile honeypot connected (DSL network versus theexecutionofnewlyinstalledprogramsisprohibited. UMTSnetworkversus...)? Note,thisdoesnotconflictwithourobjectives,asweare According to the attacker model, there is no need to interestedintheprinciplebehaviouroftheattacker. operate the mobile honeypot on real smartphones. This reducescomplexityinbuildingthehoneypotandsimpli- Glastopf implements a web-based media server pro- fieslong-termoperation. viding an upload form. Uploaded data can be stored in AsunderlyingoperatingsystemwedecidedforLinux. asimulatedsmartphonefilesystem. Thishoneypotemu- This has two advantages: (1) Most of the currently de- latestypicalvulnerabilitiesofawebsystem. ployedsmartphonesusetheAndroidOS.Weconducted DionaeaisusedtoemulateTFTPandFTPservices. fingerprintingtestsusingthewell-knowntoolsNmapand Todetectgenericattacks,weuseHoneytrap. Itlistens Xprobe, which try to guess the operating system. Both on all other transport ports and is particularly useful to toolscannotdistinguishAndroidfromcurrentLinuxver- analyse statistical effects. Worms, for example, do not sions. (2)UsingLinuxenablesustore-useexistinghon- need a protocol compliant negotiation of transmission eypot tools independently of the deployment in mobile parametersbutsenddataviaanexistingTCPconnection ornon-mobilescenarios. Thisallowsustheensurecom- withoutwaitingforcorrespondingreplies. parisonbetweendifferentsystems. An important change is the adjustment of the virtual filesystemthatispresentedtotheattacker. Itshouldre- Network connectivity Several mobile operators pro- flectthedirectorystructureofatypicalAndroidsystem. vide only private IP addresses. Nevertheless, there is a Toincreasetheattractivenessforanadversary,weac- continuous demand for public IP addresses. In partic- count for “rooted” (or “jailbreaked”) devices. A rooted ular with an increased deployment of IPv6, we expect device grants additional system access to the user. It asignificantchange, whichwillenablemobilenodesto allows post installation of additional services such as participateintheInternetwithoutNATtraversal. HTTP or file sharing. A honeypot system that intends In addition, many mobile operators, at least in Ger- tocapturetoolsintroducedbytheattackerneedtoemu- many, prevent the communication between end devices late a rooted smartphone. Note, considering rooted de- per default in NAT domains. For this reason, the de- vices provides the attacker with supplementary features ployed mobile honeypot presented in this paper is con- andthusdoesnotexcludeoff-the-shelfmobiles. nected via the Deutsche Telekom, one of the largest Regardingthethirdquestionwearguethatthemobile telecommunications companies in Europe. They allow probe should connect to a real mobile network. Other- tochooseanalternativeAccessPointName(APN)that wise, an attacker could detect performance differences providespublicIPaddressesandthusintra-domaincom- (e.g., networkdelay)inadvance. Inaddition, aconnec- munication. tionviaarealmobileoperatorensurestheassignmentof Note,theproposedhoneypotsystemcanbeconnected atopologicalcorrectIPaddress. Note,foranattackerit toanyothertypeofnetworkaccess,suchasaDSLhome iseasytoidentifyrelevantIPblocks,eitherbytestingor networkorbusinessInternetaccess.Thisallowsustouse analysingmetadataintheInternetregistries. thesamesystemindifferentnetworkenvironments(i.e., Aswearemainlyinterestedintheanalysisofstatisti- wiredandwirelessinfrastructures),andtomonitorattack caleffectsandnotondedicatedattacks,themobilehon- behaviour from different vantage points in the Internet eypotisprimarilybasedonlow-interactionhoneypots. withoutloosingreproducibility. 3 Requests per Hour [#]20100 N ov D at1e5 [ dNdo mv m ] 29 N ov Requests per Hour [#]12001000 N ov D at1e5 [ dNdo mv m ] 29 N ov Requests per Hour [#]12345000001000000 N ov D at1e5 [ dNdo mv m ] 29 N ov Requests per Hour [#]123450000000000000001000000 N ov D at1e5 [ dNdo mv m ] 29 N ov (a) Mobilenetwork (b) DSLnetwork (c) Darknet (d) Universitynetwork Figure1: Comparingamountofattacksondifferentbetweenmobileandnon-mobilehoneypotprobes,Nov. 2012 3.3 Deployment and executing some common commands, an adversary usually downloads malicious software and tries to inte- We started the deployment of the honeypot systems at gratethehoneypotintoanIRC-botnet. Theattackerini- commonPChardwaremidof2011. Sincethentheyrun tiates commands almost independently of the local sys- continuously and surprisingly well. The mobile honey- tem properties even if this leads to conflicts (e.g., non- pots of both independent groups include one iOS and existingdirectories).Wefrequentlyobservedthatthead- two Android probes. They are connected via an USB versarynavigatesthroughthefilesystemdirectoriesfol- sticktotheUMTSnetwork. Alldataisexportedinafive lowing the common Linux structure. Specific Android minuteintervaltotheearlywarningsystemofoneEuro- processeshavebeenignored. pean’slargesttelecommunicationcompanies.Toprevent To our surprise, we observed very rarely an intruder interference and preserve bandwidth of the UMTS link, thatconductedamobile-specificattack.Forexample,af- logdataistransmittedusingaseparateLANconnection. terestablishinganSSHconnectiontothemobilehoney- Data from or to the log server is excluded from further pot,oneadversarytargetedontheaddressbookaswellas analysis. thestoredphotosoftheemulatedmobilesystem. Those Inadditiontothemeasurementprobesthatuseamo- attacksareusuallyperformedmanuallyandnotbasedon bile Internet access, we deployed the same system at scripts. However, themobilehoneypotdidnotcaptured threenodesconnectedtodifferentnon-mobilenetworks. Android-oriOS-specificmalwareorExploits. Indetail,thenetworkaccessis(1)auniversitynetwork, whichreflectsastableandwell-knownopenaccess; (2) a DSL network, which represents a common home up- 4.2 ComparativeDetailAnalysis link; (3) a darknet, which highlights background noise, Foroursubsequentanalysiswefocusonnetworktraffic becauseitdoesnotannounceanyservice. Thesecharac- and compare effects on the mobile honeypot with non- teristicaccesstypesallowforcomparisonofthemobile mobilesystems. Weconsiderthemeasurementperiodof measurementswithnon-mobileenvironments. November2012. Mostoftheexternalrequestsarerelatedtotheuniver- 4 MeasurementStudy sity network (cf., Table 1). The DSL and UMTS hon- eypots measure on average 21 and 55 attacks per hour, Inthissection, wepresentpreliminarymeasurementre- respectively. Moresurprisingly,thedarknetexperiences sultsofthemobilehoneypotsystem. Wecouldnotfind on average about 83 external requests. Around 90% of substantial disagreements between the different mobile theattacksuseTCP.Theprominentportsare22(SSH), probes. We count any external connect to the honeypot 1433/3306 (MSSQL), and 80 (HTTP). We summarize system as an attack, its source IP address is called the detailsinTable2. attacker. 4.2.1 AttacksperAS 4.1 GeneralObservations To explore the topological location of the attacks, we In general, the number of attacks targeting the mobile map the source IP addresses of the adversaries to their probe do not significantly differ from honeypots con- originautonomoussystem(AS)usingthecommonIPto nectedtotheInternetviatypicalwiredaccess. Itseems ASNlookupserviceprovidedbyTeamCymru. Werank that the attackers scan the Internet without considering eachASseparatelypernetworkaccess. specificnetworktypesbuttrytoexploitasmanydevices Overall, mostoftheattacksareinitiatedfromIPpre- aspossible. fixesthatbelongtothesamesmallsetofASes(cf.,Fig- Theprocedureoftheattackerisalmostidenticaltothe ure 2(a)). The top-5 ASes are primarily based in China wired probes. After gaining successfully a shell login andRussiaanddonotcovermobileoperators.Thedistri- 4 #Attackedportspertransportprotocol #Attackspertransportprotocol UMTS Darknet DSL University UMTS Darknet DSL University TCP 111 133 89 252 14,954 55,378 32,781 22,445,580 UDP 76 71 96 22 637 5,583 8,254 480 Table1: Amountofmaliciousrequestspertransportprotocol,November2012 Rank 1 2 3 4 5 6 7 8 9 10 22 1433 3306 5900 6666 3389 1080 23 5060 80 UMTS SSH MSSQL MSSQL VNC RDP SOCKS Telnet SIP HTTP 22 139 110 25 3306 91 5901 5900 3389 53 Darknet SSH NetBIOS POP3 SMTP MSSQL VNC RDP DNS 51099 22 5900 110 25 3389 143 6666 1433 23 DSL SSH VNC POP3 SMTP RDP IMAP MSSQL Telnet 445 139 80 22 110 3389 5900 3306 143 5902 Univ. MSAD NetBIOS HTTP SSH POP3 RDP VNC MSSQL IMAP Table2: Top-10ofthemostattackedports(singleeventsemphasized),November2012 butionofattacksisenhancedfortheuniversitynetwork. darknetinitiatingalargeportionofrequests. Thisobser- The darknet and the DSL home network follow a simi- vationisalsohighlightedbyouranalysisperattacker. lar shape, in which the mobile network exhibits a more Similartothis,theUMTSnetworkisnotsparedbyat- narroweddistribution. Forallnetworktypes,itisclearly tacksingeneral. InJanuary2012,theUTMSnodessuf- visible that already a small number of ASes have a sig- fered on average on the same amount of requests com- nificantimpactontheattackexperiences. pared to the home network. Interestingly regions and originators of attacks were better pronounced and oper- ate at higher intensity in the beginning of this year. We 4.2.2 AttackersperAS considerthisasanindicatorforthelivelinessofthemo- Inoursecondstatisticalanalysis,wemeasurethenumber bileregime,whichneedsfurtheranalysisinthefuture. of different source IP addresses (i.e., attackers) per AS (cf.,Figure2(b)).Again,wecalculatetherankseparately for each network access type. This analysis allows us 5 ConclusionandOutlook to estimate the amount of different attack sources and to balance the intensity of each attacker. Consequently, Inthispaperwepresentedamobilehoneypotsystemthat themaximalvaluesarethreetotwoordersofmagnitude allowsforadetailedanalysisofmobile-specificattacks. less compared to the number of attacks. Nevertheless, Akeyinsightistheabstractionfromunnecessarymobil- thecharacteristicshapeofthecurvesinFigure2(a)still ity aspects. To study common attacks, the honeypot is exists. neither required to run on a real smartphone, nor on a full-fledged mobile operating system. The mobile hon- eypot is operated on standard PCs running Linux. This 4.2.3 ComparisonwithPreviousMeasurements enables the analysis of malicious traffic across different InourpreviousmeasurementsfromJanuary2012[4]we network environments and bears the advantage of sim- foundsimilarresults. Themostsignificantdifferenceis plifiedlong-termmaintenanceasthesametoolbasiscan theabsolutenumberofattacksonthemobilesystemand bere-used. thedarknet. InNovember2012thedarknetexperienced We deployed our concept on probes connected to a a surprisingly high amount of attacks, indicating that it mobilenetwork, aswellasmonitoringnodesconnected ismoreattractivetoanattackercomparedtotheUMTS todifferenttypesofwiredInternetaccess(i.e.,university andhomenetwork. ThisisingeneralnottrueastheIP network, darknet, DSL home network). So far we did address space of the darknet is officially not related to notfindarelevantratioofremoteattacksthatspecifically anyexternalnetworkservice. Lookingintothisinmore targetonthemobilesystem,neitherfromnon-mobilenor detail reveals that a small set of nodes connected to the mobilenetworks.Fromthisperspectiveweconcludethat 5 1 0 7 1 0 7 ] 1 0 6 [# 1 0 6 S U n iv e rs ity r A 1 0 5 pe 1 0 5 ttacks per AS [#] 111 000 234 D a rk n e t D S L rce IP Addresses 111 000 234 U n ivDe SrsLity A U M T S ou 1 0 1 nt S 1 0 1 D a rk n e t re 1 0 0 iffe 1 0 0 U M T S 1 1 0 1 0 0 1 0 0 0 D 1 1 0 1 0 0 1 0 0 0 A S N R a n k A S N R a n k (a) AttacksperAS (b) AttackersperAS Figure2: Comparisonofrequestsperautonomoussystemseparatelyrankedbynetworkaccess,Nov. 2012 mobiledevicesarecurrentlymorethreatenedwithmali- [5] T.Zsebyandkcclaffy,“Workshopreport:darkspaceand ciousapplications(e.g.,trojanhorse)comparedtoexter- unsolicited traffic analysis (DUST 2012),” SIGCOMM nal,unsolicitedrequestsviatheInternet. CCR,vol.42,no.5,pp.49–53,Sep.2012. Inthefuturewewillstillmaintainourhoneypotsetup. [6] N. Provos and T. Holz, Virtual Honeypots. From Botnet We will concentrate on more subtle correlation analy- TrackingtoIntrusionDetection,2nded. UpperSaddle sis of how specific groups of attackers behave with the River,NJ:Addison–Wesley,2008. aimtoidentifyindividualpatternsofmobilityrelatedag- [7] R. Siles, “HoneySpot: The Wireless Honeypot. Mon- gressions. Wewillalsoanalyseattacksperportinmore itoring the Attacker’s Activities in Wireless Networks. detail, and conduct time series analysis. Due to lim- A design and architectural overview,” The Span- ish Honeynet Project, Research Project, December ited statistics, though, these considerations will require 2007.[Online].Available: http://honeynet.org.es/papers/ amuchlongerrangeofobservation. Estimatingtheerror honeyspot/HoneySpot_20071217.pdf of IP spoofing events on our results is also part of our [8] N.Al-Gharabally, N.El-Sayed, S.Al-Mulla, andI.Ah- futurework. mad,“WirelessHoneypots: SurveyandAssessment,”in Proceedingsofthe2009conferenceonInformationSci- Acknowledgements We would like to thank Marcin ence, Technology and Applications (ISTA ’09). New Nawrocki for taking care of the mobile honeypots York,NY,USA:ACM,2009,pp.45–52. coordinated by the Freie Universität Berlin. Sebas- [9] B. Krishnamurthy, “Mohonk: MObile Honeypots to tian Trapp is gratefully acknowledged for early dis- TraceUnwantedTrafficEarly,”inProc.oftheACMSIG- cussions on this topic. This work is partly sup- COMMNetT. NY,USA:ACM,2004,pp.277–282. portedbytheGermanBMBFwithintheprojectSKIMS [10] honeynet Project, “The Honeynet Project Chinese (http://skims.realmv6.org). Chapter Status Report (Period Apr 2007 to Dec 2008),” 2009.[Online].http://www.honeynet.org/node/336 References [11] T.OConnorandB.Sangster,“honeyM:AFrameworkfor ImplementingVirtualHoneyclientsforMobileDevices,” [1] M.Allman,V.Paxson,andJ.Terrell,“ABriefHistoryof inProc.oftheACMWiSec.ACM,2010,pp.129–138. Scanning,” inProc.oftheACMIMC. NewYork, NY, [12] C. Mulliner, S. Liebergeld, and M. Lange, “Poster: USA:ACM,2007,pp.77–82. HoneyDroid - Creating a Smartphone Honeypot,” 2011, [2] S. Perez, “Behind The Scenes Of The posteratIEEESecurity&Privacy. iPhone 5 Jailbreak,” Techcrunch, 2013. [On- [13] P.Traynor,M.Lin,M.Ongtang,V.Rao,T.Jaeger,P.Mc- line]. Available: http://techcrunch.com/2013/01/21/ Daniel,andT.L.Porta,“OnCellularBotnets:Measuring behind-the-scenes-of-the-iphone-5-jailbreak/ the Impact of Malicious Devices on a Cellular Network [3] C.Guo,H.J.Wang,andW.Zhu,“Smart-PhoneAttacks Core,”inProc.ofACMCCS.ACM,2009,pp.223–234. andDefenses,”inProc.ofHotNets–III. ACM,2004. [14] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wag- [4] M. Wählisch, S. Trapp, C. Keil, J. Schönfelder, T. C. ner,“ASurveyofMobileMalwareintheWild,”inProc. Schmidt, and J. Schiller, “First Insights from a Mobile ofACMCCSWorkshopSPSM. NewYork, NY,USA: Honeypot,”inProc.ofACMSIGCOMM,PosterSession. ACM,2011,pp.3–14. NewYork:ACM,August2012,pp.305–306. 6

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.