Local Worm Detection using Honeypots Justin Miller Jan 25, 2007


Title slide: Local Worm Detection using Honeypots. Don’t become a stat… Use HoneyStat!

Original Paper
- HoneyStat: Local Worm Detection Using Honeypots
- By: D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, H. Owen
- Georgia Institute of Technology (published at RAID 2004)

Background
- Worm detection systems
- Detection in local networks
- HoneyStat nodes
- Data collection
- Improvements in HoneyStat

Worm Detection
- Existing systems rely on artifacts incidental to worm infection: they measure incoming scan rates
- Results from small networks must be heavily filtered, so the usual fix is to collect more data
- Global monitoring centers do that, but they do not help an individual local network

Worm Detection
- Proposition: use honeypots to improve the accuracy of alerts (local intrusion detection)
- Honeypot: a computer system set up as a trap for attackers

Honeypot
- Network decoy that distracts attackers
- Gathers early warnings about new attacks
- Facilitates in-depth analysis of an adversary's strategy

Honeypot Use
- Gather information about how human attackers operate
- Log analysis is labor-intensive (about 1:40): roughly one work week of analysis per hour of logged attacker activity
- Virtual honeypots: used to defeat OS fingerprinting (the emulated host answers like the OS it imitates)

Honeypot Use
- Detecting/disabling worms (e.g. honeyd)
- Not ready for use as an early-warning IDS: the attack pattern must already be known
- Can only catch a "zero-day" worm if the vulnerability it exploits is already known

Worm Detection
- Worm propagation proposals: models to study how worms spread
- Early detection proposals: statistical models that analyze repeated outgoing connections, and worm information collected at routers

Objective
- Early worm detection challenges: a large address space to monitor, and the need for coordinated responses
- Focus on local networks: detection using local honeypots
- Lower the false positive rate of worm alerts

Infection Cycles
- Three kinds of activity result from infection: memory events, network events, disk events
- Together they describe how a worm installs itself on a compromised system

Memory Events
- Begins with a probe for the victim, which reveals the open service port (TCP 135 for Blaster)
- The exploit corrupts the vulnerable process in memory; for Blaster the payload opens a shell listening on port 4444
- The honeypot is a real host, so it acknowledges the incoming packets and the infection proceeds

Network Events
- The Blaster shell remains open for only one connection
- That connection instructs the victim to download the "egg" program (Blaster fetched it over TFTP)
- Network event: the honeypot itself initiates TCP or UDP traffic

Disk Events
- Occur after the Blaster "egg" is downloaded
- Disk writes, e.g. persistence so the worm becomes active again after a system reboot
- Not all worms write to disk

Data Capture
- Most worms follow a similar cycle
- Traditional worm detection watches only the start or the end of the cycle (incoming and outgoing scans)
- Activity in the middle of the cycle can be tracked as well
- Intrusion detection based on scan rates has a high rate of noise

HoneyStat Node
- Minimal honeypot created in an emulator
- Covers a large address space (each node answers on many IP addresses)
- Honeypots remain idle until a HoneyStat event occurs

HoneyStat Data
- Data recorded includes:
  - OS/patch level of the host
  - Type of event (memory, network, disk)
  - Trace file of all prior network activity

HoneyStat Events
- Events are forwarded to an analysis node (usually a central server)
- The analysis node places alert events in a queue and performs statistical analysis on them

Data Analysis
- Check whether the event corresponds to an already-active honeypot
- If so, update the previous event record to include the new event
- Reset the honeypot if the event involved network activity (downloading an egg or initiating outgoing scans)

Data Analysis
- The analysis node examines the basic properties of the event
- The HoneyStat event is correlated with other observed events, searching for a worm pattern
- Objective: zero-day worms; statistical analysis identifies worm behavior without a known signature
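The event bookkeeping described on the two Data Analysis slides, as an added example that is not code from the paper or the slides. Events are queued, matched to an already-active honeypot record if one exists, merged into it, and the honeypot is flagged for reset once a network event (egg download or outgoing scan) shows the compromise is live. The field names, the event order and the sample events are constructed assumptions, not the paper's schema.

```python
# Added example (not from the paper or the slides): analysis-node bookkeeping for
# HoneyStat events. Field names and sample events are constructed assumptions.
from collections import deque
from dataclasses import dataclass, field

MEMORY, NETWORK, DISK = "memory", "network", "disk"


@dataclass
class HoneyStatEvent:
    honeypot: str       # id of the (virtual) honeypot that woke up
    kind: str           # MEMORY, NETWORK or DISK
    os_patch: str       # OS/patch level of the host
    detail: str         # e.g. "shell on 4444/tcp", "egg download", "outbound scan"
    trace: list         # ports seen in the honeypot's prior network activity


@dataclass
class ActiveRecord:
    """One compromise in progress; later events for the same honeypot extend it."""
    events: list = field(default_factory=list)
    ports_seen: set = field(default_factory=set)

    @property
    def kinds(self):
        return [e.kind for e in self.events]


class AnalysisNode:
    def __init__(self):
        self.queue = deque()
        self.active = {}      # honeypot id -> ActiveRecord still open
        self.closed = []      # completed records, the input to the statistical analysis
        self.resets = []      # (honeypot id, reason) for honeypots that must be re-imaged

    def submit(self, event):
        self.queue.append(event)

    def process(self):
        """Drain the queue; returns the number of records closed by this call."""
        closed_before = len(self.closed)
        while self.queue:
            ev = self.queue.popleft()
            rec = self.active.get(ev.honeypot)
            if rec is None:                       # honeypot not active yet: open a record
                rec = self.active[ev.honeypot] = ActiveRecord()
            rec.events.append(ev)                 # update the previous record with this event
            rec.ports_seen.update(ev.trace)
            if ev.kind == NETWORK:                # the worm is now using the network: reset
                self.resets.append((ev.honeypot, ev.detail))
                self.closed.append(self.active.pop(ev.honeypot))
        return len(self.closed) - closed_before


def sample_events():
    """Constructed Blaster-like sequence on hp1 plus a lone memory event on hp2."""
    return [
        HoneyStatEvent("hp1", MEMORY, "WinXP SP1", "shell on 4444/tcp", [135]),
        HoneyStatEvent("hp1", NETWORK, "WinXP SP1", "egg download over tftp", [135, 4444, 69]),
        HoneyStatEvent("hp2", MEMORY, "Win2000 SP4", "shell on 4444/tcp", [135]),
    ]


if __name__ == "__main__":
    node = AnalysisNode()
    for ev in sample_events():
        node.submit(ev)
    print("records closed:", node.process())
    print("still active:", list(node.active))
    print("resets:", node.resets)
```

The record for hp1 is closed and the honeypot queued for re-imaging as soon as its network event arrives; hp2, which has only produced a memory event so far, stays open so a later event can still be merged into it.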

Logistic Regression
- Analyzes port correlation
- Non-linear transformation of the linear regression model (the log-odds of the outcome are linear in the predictors)
- The honeypot state is dichotomous: awake (1) or asleep (0)

Logistic Regression
- The model is the binary expectation of the honeypot state
- j: counter for honeypot events
- i: counter for each individual port's traffic for a specific honeypot

Logistic Regression
- Measures the inverse of the time between honeypot events
- The equation is re-solved after each event
- Identifies candidate ports that explain why honeypots become active, and also finds traffic patterns
- Traffic is measured over the last 5 minutes before an event

Logistic Analysis
- Estimate the β_{i,j} coefficients by maximum likelihood (MLE)
- Find the coefficients that minimize prediction error
- Find which variables significantly affect honeypot activity
- A single significant variable (port) = ALERT!
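The port-level logit analysis of the preceding slides, as an added example that is not code from the paper or the slides. It fits a dependency-free logistic regression over constructed HoneyStat-style observations (one row per honeypot: per-port traffic counts in the window before it was observed, and its awake/asleep state), then screens each port with a likelihood-ratio test to find the variables that significantly explain honeypot activity. The port list, the traffic counts, the L2-penalized fit and the chi-square threshold are assumptions for illustration, not the paper's exact procedure.

```python
# Added example (not from the paper or the slides): logistic regression of honeypot
# state on per-port traffic, with a likelihood-ratio screen per port. The data are
# constructed and the penalized gradient-ascent fit is an assumption for illustration.
import math
import random

PORTS = [135, 139, 445, 80, 22]   # candidate explanatory ports (assumption)


def make_events(n_awake=12, n_asleep=24, seed=7):
    """Constructed data: awake honeypots were preceded by heavy traffic on 135,
    everything else is background noise of 0-3 packets per port."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_awake):
        counts = {p: rng.randint(0, 3) for p in PORTS}
        counts[135] = rng.randint(8, 15)
        rows.append((counts, 1))
    for _ in range(n_asleep):
        rows.append(({p: rng.randint(0, 3) for p in PORTS}, 0))
    rng.shuffle(rows)
    return rows


def standardize(rows, ports):
    """z-score each port column so the coefficients are comparable across ports."""
    xs = [[float(c[p]) for p in ports] for c, _ in rows]
    ys = [y for _, y in rows]
    cols = list(zip(*xs))
    means = [sum(col) / len(col) for col in cols]
    sds = [math.sqrt(sum((v - m) ** 2 for v in col) / len(col)) or 1.0
           for col, m in zip(cols, means)]
    z = [[(v - m) / s for v, m, s in zip(row, means, sds)] for row in xs]
    return z, ys


def sigmoid(t):
    return 1.0 / (1.0 + math.exp(-t))


def fit_logit(z, ys, l2=0.05, lr=0.3, iters=1200):
    """Penalized maximum likelihood by gradient ascent on
    log-odds(awake_j) = b0 + sum_i beta_i * z_{i,j}."""
    k = len(z[0]) if z else 0
    b0, beta = 0.0, [0.0] * k
    n = len(ys)
    for _ in range(iters):
        g0, g = 0.0, [0.0] * k
        for row, y in zip(z, ys):
            err = y - sigmoid(b0 + sum(b * v for b, v in zip(beta, row)))
            g0 += err
            for i, v in enumerate(row):
                g[i] += err * v
        b0 += lr * g0 / n
        beta = [b + lr * (gi / n - l2 * b) for b, gi in zip(beta, g)]
    return b0, beta


def log_likelihood(z, ys, b0, beta):
    ll = 0.0
    for row, y in zip(z, ys):
        p = sigmoid(b0 + sum(b * v for b, v in zip(beta, row)))
        p = min(max(p, 1e-12), 1.0 - 1e-12)
        ll += y * math.log(p) + (1 - y) * math.log(1.0 - p)
    return ll


def explanatory_ports(rows, ports=PORTS, threshold=3.84):
    """Which ports explain honeypot activity? Refit without each port and compare
    2*(ll_full - ll_reduced) against the chi-square(1 df) 5% critical value 3.84.
    Returns (coefficient by port, LR statistic by port, significant ports)."""
    z, ys = standardize(rows, ports)
    b0, beta = fit_logit(z, ys)
    ll_full = log_likelihood(z, ys, b0, beta)
    lr_stat = {}
    for idx, port in enumerate(ports):
        z_red = [row[:idx] + row[idx + 1:] for row in z]
        rb0, rbeta = fit_logit(z_red, ys)
        lr_stat[port] = 2.0 * (ll_full - log_likelihood(z_red, ys, rb0, rbeta))
    significant = [p for p in ports if lr_stat[p] > threshold]
    return dict(zip(ports, beta)), lr_stat, significant


if __name__ == "__main__":
    coefs, stats, sig = explanatory_ports(make_events())
    for p in PORTS:
        print(f"port {p:>4}: beta={coefs[p]:+.2f}  LR={stats[p]:6.2f}")
    print("ports that explain honeypot activity:", sig)
```

On the constructed data only port 135 survives the screen, which is the single-variable situation the slide turns into an alert; with real traces the same test is what tells correlated ports (the slides' 135/139/445 case) apart from one port acting alone.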

Practical Aspects
- Properly identify worm outbreaks with a low false positive rate
- Sample data from 6 honeypots active during the Blaster worm

Worm Detection

Worm Detection

Worm Detection Logit Analysis of Multiple HoneyStat Events

Worm Detection
- Scans on ports 135, 139, 445 are correlated
- No test can single out 135 alone; the three ports together form the pattern for one worm
- Requires about 10 sample events
- The effective sample size is not known

Benefits
- Accurate data stream: events result from a successful attack
- Reduces the amount of data to process
- Detects zero-day worms
- Detects the ports a worm enters and exits through
- Finds the presence of a worm and also explains its activity

False Positives
- Identifying the wrong network traffic: a worm is present but HoneyStat attributes it to the wrong source
- Repeated human break-ins could be identified as a worm
- Alerts on such manual break-ins are acceptable: they are more dangerous than robotic worms

Sample Data
- HoneyStat was tested on the Internet; a worm attack was injected at Georgia Tech
- Logs from 2002-2004
- Random sample of 250+ synthetic honeypot events
- 0 false positives

HoneyStat as IDS
- Low false positive rate, good for a local IDS
- Effectively detects worms that use random scanning, since they will hit the honeypots

HoneyStat as IDS
- What about non-random worms?
- Ω = entire IPv4 space (2^32)
- T = number of potential victims (the monitored space)
- N = total vulnerable machines
- n_t = number of victims at time t
- s = scan rate

HoneyStat as IDS
- k_{i+1} = s · n_i · T / Ω: number of scans entering the space T at time i+1
- P = 1 − (1 − 1/T)^{k_{i+1}}: probability of a host in T being hit

HoneyStat as IDS
- Worm propagation equation: n_{i+1} = n_i + [N − n_i] · (1 − (1 − 1/T)^{s n_i T/Ω})
- T and Ω are large, so (1 − 1/T)^{s n_i T/Ω} ≈ e^{−s n_i/Ω} ≈ 1 − s n_i/Ω, and the hit probability reduces to s n_i/Ω
- This gives n_{i+1} = n_i + [N − n_i] · s n_i/Ω, the same as previous models

HoneyStat as IDS

HoneyStat as IDS
- Honeypot machines can be multihomed: each listens on hundreds of IP addresses
- Local early worm detection, with D = 2^11 and α = 0.25
- The first victim is found after only 0.19% of vulnerable hosts are infected
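The propagation model of the preceding HoneyStat as IDS slides, as an added example that is not code from the paper or the slides. It iterates the discrete equation with the exact per-tick hit probability, checks the large-T simplification against it, and asks the slides' question: how far has a random-scanning worm spread when a local block of D honeypot addresses is first scanned? Ω is the IPv4 space as on the slides; the values chosen for N, s, T and D, and the 50% confidence cut-off, are assumptions for illustration and do not reproduce the paper's 0.19% figure.

```python
# Added example (not from the paper or the slides): the discrete random-scan worm model,
# its large-T approximation, and the first-hit time of a local honeypot block.
# Parameter values are assumptions for illustration.
import math

OMEGA = 2 ** 32   # Ω: the entire IPv4 address space


def hit_prob_exact(n_i, s, T, omega=OMEGA):
    """P = 1 - (1 - 1/T)^k, with k = s*n_i*T/Ω scans entering the monitored space T."""
    k = s * n_i * T / omega
    return 1.0 - (1.0 - 1.0 / T) ** k


def hit_prob_approx(n_i, s, omega=OMEGA):
    """Large T: (1 - 1/T)^k -> exp(-k/T) = exp(-s*n_i/Ω), so P ≈ 1 - exp(-s*n_i/Ω)."""
    return 1.0 - math.exp(-s * n_i / omega)


def hit_prob_linear(n_i, s, omega=OMEGA):
    """First-order term of the approximation: P ≈ s*n_i/Ω (valid while s*n_i << Ω)."""
    return s * n_i / omega


def propagate(N, s, T, n0=1, steps=1500, omega=OMEGA):
    """n_{i+1} = n_i + (N - n_i) * P_i, iterated with the exact hit probability.
    Returns [n_0, n_1, ..., n_steps]."""
    n = float(n0)
    series = [n]
    for _ in range(steps):
        n = n + (N - n) * hit_prob_exact(n, s, T, omega)
        series.append(n)
    return series


def first_honeypot_hit(series, N, s, D, omega=OMEGA, confidence=0.5):
    """Each tick the n_i infected hosts send s*n_i uniformly random scans; every scan
    misses all D honeypot addresses with probability (1 - D/Ω). Returns
    (tick, infected fraction) at the first tick where P(at least one honeypot address
    has been scanned) >= confidence, or None if that never happens in the series."""
    p_miss = 1.0
    for tick, n in enumerate(series):
        p_miss *= (1.0 - D / omega) ** (s * n)
        if 1.0 - p_miss >= confidence:
            return tick, n / N
    return None


if __name__ == "__main__":
    # assumed: vulnerable hosts, scans per host per tick, monitored space, honeypot addresses
    N, s, T, D = 500_000, 300, 2 ** 16, 2 ** 11
    series = propagate(N, s, T)
    print(f"infected after {len(series) - 1} ticks: {series[-1]:.0f} of {N}")
    n_i = 1000
    print("exact / exp / linear P at n_i=1000:",
          hit_prob_exact(n_i, s, T), hit_prob_approx(n_i, s), hit_prob_linear(n_i, s))
    tick, frac = first_honeypot_hit(series, N, s, D)
    print(f"honeypot block first scanned at tick {tick}, with {100 * frac:.3f}% of N infected")
```

The three hit-probability functions agree to several digits for any realistic n_i, which is the "same as previous models" step on the slide; the first-hit calculation shows why a block of only 2^11 honeypot addresses sees a random-scanning worm while far less than 1% of the vulnerable population is infected.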

Contributions
- Statistical techniques applied to worm detection
- Previous work applied time series-based statistical analysis
- Logistic regression detects worm outbreaks

Weaknesses
- Honeypot evasion: attackers can make worms detect and avoid honeypot traps, using observations of the victim's machine
- Effective sample size is unknown

Improvements
- Reduce the traffic window measured for the logistic model to less than 5 minutes, so only recent network events are studied and data quality improves
- Avoid linear identification of multiple worms: use best-subsets logistic regression
- Study the effective sample size

Conclusion
- Further research is needed for local IDS
- Logistic regression detects worm outbreaks
- Honeypots create accurate alerts from 3 classes of events: memory, disk, network
- Logit analysis eliminates noise
- Extensive data traces identify worm activity

Questions?