Εμμανουήλ Βασιλομανωλάκης (Emmanouil Vasilomanolakis), PhD Candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED)


A short introduction to honeypots
Εμμανουήλ Βασιλομανωλάκης (Emmanouil Vasilomanolakis), PhD Candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED); Associate, Networks Lab ISLAB, IIT, NCSR Demokritos

Outline (4/21/2013, Telecooperation Group | CASED)
- Introduction
- Classifications
- Deployment architectures
- Open source vs. nothing
- 2 honeypots
- SURFcert IDS & experiences from Demokritos
- Future work - ideas

Introduction (1/2)
- Axiom: attackers are always (at least) one step ahead.
- Attacks are becoming overwhelming, targeted and also more sophisticated.
- Intrusion Detection Systems (IDSs) produce a significantly large number of false positive/negative alerts.
- More proactive solutions, and more information about the attacks, are needed.

Introduction (2/2)
- Definition: "A security resource whose value lies in being probed, attacked or compromised"
- Doesn't have to be a system: honeytokens
- We want to get compromised!
- Certainly not a standalone security mechanism.
- Why?
  - FUN!
  - No false positives!
  - Research: malware analysis/reverse engineering
  - Reducing the available attack surface / early-warning system

Honeypot Classifications
- Low interaction: simulate network operations (usually at the TCP/IP stack)
- [Medium interaction: simulate network operations in more "sophisticated" ways]
- High interaction: real systems (e.g., VMs)
- Other classifications:
  - Purpose: generic, malware collectors, SSH, etc.
  - Production vs. research (not really useful)
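To make the "low interaction, at the TCP/IP level" idea concrete, here is a minimal listener of that class. It is an added example, not code from the slides or from any of the projects named later (Honeyd, Dionaea, Kippo): it accepts a connection, sends a constructed banner, captures the first bytes the peer sends, records the event and closes. The banner string, the `Honeypot`/`probe` names and the loopback address are all assumptions of this example.

```python
"""Minimal low-interaction TCP honeypot (added example; not from the slides or any
listed project). Emulates a service only at the TCP level: accept, send a fake
banner, capture a bounded prefix of what the peer sends, record, close."""
import socket
import socketserver
import threading
import time
from collections import Counter
from dataclasses import dataclass

# Constructed banner; a low-interaction honeypot only has to look plausible for the
# first round-trip, it never runs the real service behind it.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"


@dataclass
class Event:
    ts: float           # time the connection was accepted
    src: str            # peer address
    sport: int          # peer port
    first_bytes: bytes  # what the peer sent after the banner (may be empty)


class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        sock = self.request
        sock.settimeout(2.0)                  # never let one peer tie up a worker
        sock.sendall(self.server.banner)
        try:
            data = sock.recv(256)             # capture only a bounded prefix
        except socket.timeout:
            data = b""
        ev = Event(time.time(), self.client_address[0], self.client_address[1], data)
        with self.server.lock:
            self.server.events.append(ev)     # recorded before the socket is closed


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, banner):
        super().__init__(addr, _Handler)
        self.banner = banner
        self.events = []
        self.lock = threading.Lock()

    def hits_per_source(self):
        """A honeypot has no legitimate clients, so every source is of interest."""
        with self.lock:
            return Counter(ev.src for ev in self.events)


def start_honeypot(banner=FAKE_SSH_BANNER, host="127.0.0.1", port=0):
    """Start one emulated service on a background thread; port 0 picks a free port."""
    srv = Honeypot((host, port), banner)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(srv, payload):
    """Demo client against our own listener; returns the banner it received.
    Waiting for EOF guarantees the handler has recorded the event before we return."""
    with socket.create_connection(srv.server_address, timeout=5) as c:
        banner = c.recv(256)
        c.sendall(payload)
        c.recv(1)   # returns b"" once the honeypot closes the connection
    return banner


if __name__ == "__main__":
    hp = start_honeypot()
    print("banner:", probe(hp, b"SSH-2.0-constructed-client\r\n"))
    for ev in hp.events:
        print(ev)
    hp.shutdown()
```

Run one `Honeypot` per emulated port; the recorded `Event` list is the whole value of the sensor, which is why the handler records before closing and why `recv` is bounded and timed out.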

Honeypot Deployment Architectures

Open Source vs. nothing (really!)

Honeypot        Type     OS       Language        GUI  License
Honeyd          Generic  LINUX    C               N    GNU
Nepenthes       Malware  LINUX    C               N    GNU
Dionaea         Malware  LINUX    PYTHON          N    GNU
Honeytrap       Generic  LINUX    C               N    GNU
LaBrea          Generic  LINUX    C               N    GNU
Tiny HP         Generic  LINUX    PERL            N    GNU
HoneyBot        Malware  WINDOWS  -               Y    CLOSED
Google Hack HP  WEB      -        PHP             Y    GNU
Multipot        Malware  WINDOWS  VB 6            Y    GNU
Glastopf        WEB      -        PYTHON          Y    GNU
Kojoney         SSH      LINUX    PYTHON          N    GNU
Kippo           SSH      LINUX    PYTHON          N    BSD
Amun            Malware  LINUX    PYTHON          N    GNU
Omnirova        Malware  WINDOWS  Borland Delphi  Y    GNU
BillyGoat       Malware  -        ?               ?    CLOSED
Artemisa        VOIP     -        PYTHON          N    GNU
GHOST           USB      WINDOWS  C               Y    GNU

Dionaea
- Low-interaction honeypot for collecting malware
- Nepenthes successor
- Basic protocol simulated: SMB (port 445)
- Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP)
- Also supports IPv6 and TLS
- Malware files: stored locally and/or sent to 3rd-party entities (CWSandbox, Norman Sandbox, Anubis, VirusTotal)

Kippo (1/2)
- Low-interaction SSH honeypot
- Features:
  - Presents a fake (but "functional") system to the attacker (resembling a Debian 5.0 installation)
  - The attacker can download his tools through wget, and we save them for later inspection (cool!)
  - Session logs are stored in a UML-compatible format for easy replay with original timings (even cooler!)
- Easy to install, but hard to get hackers!
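The "replay with original timings" feature rests on a simple binary session log. The following is an added example, not Kippo's own code: it writes, parses and replays a TTY log of that style. The record layout used here (a little-endian `<iLiiLL` header of op, tty, length, direction, seconds, microseconds followed by the data bytes, with opcodes 1/2/3 for open/close/write and direction codes 1/2 for input/output) is my understanding of Kippo's ttylog.py and is an assumption; check it against the version you run. The session content is constructed.

```python
"""Parse and replay a Kippo-style TTY session log (added example, not Kippo's code).

Assumption: the on-disk layout is a little-endian header struct '<iLiiLL' =
(op, tty, length, direction, seconds, microseconds) followed by `length` bytes
of terminal data, as I understand Kippo's ttylog.py to write it."""
import struct
import sys
import time

HEADER = struct.Struct("<iLiiLL")         # 24-byte record header (assumed layout)
OP_OPEN, OP_CLOSE, OP_WRITE = 1, 2, 3     # assumed opcodes
DIR_INPUT, DIR_OUTPUT = 1, 2              # assumed direction codes


def write_record(op, direction, ts, data=b""):
    """Serialise one record; `ts` is a float Unix timestamp."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return HEADER.pack(op, 0, len(data), direction, sec, usec) + data


def parse_ttylog(blob):
    """Return [(op, direction, timestamp, data), ...].
    A truncated trailing record (e.g. the honeypot died mid-session) is dropped
    rather than raising, so partial logs still replay."""
    records, off = [], 0
    while off + HEADER.size <= len(blob):
        op, _tty, length, direction, sec, usec = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if length < 0 or off + length > len(blob):
            break
        records.append((op, direction, sec + usec / 1e6, blob[off:off + length]))
        off += length
    return records


def replay_schedule(records, speed=1.0):
    """Turn records into (delay_seconds, direction, data) steps that preserve the
    original typing/output timing; speed=2.0 replays twice as fast."""
    steps, prev_ts = [], None
    for op, direction, ts, data in records:
        if op != OP_WRITE:
            continue
        delay = 0.0 if prev_ts is None else max(0.0, (ts - prev_ts) / speed)
        steps.append((delay, direction, data))
        prev_ts = ts
    return steps


def transcript(records, direction=DIR_OUTPUT):
    """Everything written in one direction, i.e. what the attacker saw (output)
    or typed (input)."""
    return b"".join(d for op, dr, _ts, d in records if op == OP_WRITE and dr == direction)


def replay(blob, speed=1.0, stream=None):
    """Write the session's output side to a terminal with the original pauses."""
    stream = stream or sys.stdout.buffer
    for delay, direction, data in replay_schedule(parse_ttylog(blob), speed):
        time.sleep(delay)
        if direction == DIR_OUTPUT:
            stream.write(data)
            stream.flush()


# Constructed sample session (not a real capture): prompt, one command, its output.
SAMPLE_LOG = b"".join([
    write_record(OP_OPEN, DIR_OUTPUT, 1366500000.0),
    write_record(OP_WRITE, DIR_OUTPUT, 1366500000.0, b"root@debian:~# "),
    write_record(OP_WRITE, DIR_INPUT, 1366500001.5, b"uname -a\n"),
    write_record(OP_WRITE, DIR_OUTPUT, 1366500001.75,
                 b"Linux debian 2.6.26-2-686 #1 SMP i686 GNU/Linux\n"),
    write_record(OP_CLOSE, DIR_OUTPUT, 1366500004.0),
])

if __name__ == "__main__":
    replay(SAMPLE_LOG, speed=4.0)
```

The separation between `replay_schedule` and `replay` is deliberate: the schedule is a plain list you can inspect or feed to a test, while the only side effect (sleeping and writing) lives in `replay`. Tolerating a truncated last record matters in practice, since sessions are still open when a sensor is restarted.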

SURFcert IDS
- An open-source (GPLv2) distributed intrusion detection system based on honeypots
- Sensors act as proxies, forwarding network traffic from the monitored network to the system's center using OpenVPN
- Supported honeypots: Nepenthes, Dionaea, Argos, Kippo
- Three parts:
  - Tunnel / honeypot server
  - Web / logging server
  - Sensors

SURFcert IDS (cont.)
- Also:
  - Supports p0f for attackers' OS detection
  - Statistics, nice web GUI, sensor status, geographical visualizations, and more...

SURFcert @ Demokritos
- Some stats: attacks on 3 different sensors (1 month); 1500 malware files downloaded; main target: port 445
- Successfully detected infected systems inside our network (mostly with a Conficker worm variant)
- Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers)
- Possible to find zero-day exploits / new malware (or different variants)
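The two findings on this slide (port 445 as the main target, and infected hosts inside the network showing up at the honeypots) fall out of a simple triage of the sensors' connection records. The code below is an added example and not part of SURFcert IDS or Dionaea; the key=value log layout, the sensor names, the addresses and the internal prefixes are all constructed for it. The one security idea it encodes is that a honeypot has no legitimate clients, so any internal source address that reaches one is a candidate infected machine.

```python
"""Triage of honeypot connection records (added example; the log format is a
constructed key=value layout, not Dionaea's or SURFcert IDS's own)."""
import ipaddress
from collections import Counter, defaultdict

# Assumed internal ranges; replace with the monitored network's real prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: three sensors, a month of traffic compressed into a few lines.
SAMPLE_LOG = """\
2013-04-21 10:15:02 sensor=demokritos-1 src=10.1.4.22 dst=10.1.4.200 dport=445 proto=tcp
2013-04-21 10:15:09 sensor=demokritos-1 src=10.1.4.22 dst=10.1.4.200 dport=445 proto=tcp
2013-04-21 10:16:41 sensor=demokritos-2 src=203.0.113.77 dst=10.1.9.200 dport=445 proto=tcp
2013-04-21 10:17:03 sensor=demokritos-2 src=203.0.113.77 dst=10.1.9.200 dport=22 proto=tcp
2013-04-21 10:18:55 sensor=demokritos-3 src=198.51.100.9 dst=10.2.1.200 dport=80 proto=tcp
2013-04-21 10:19:10 sensor=demokritos-1 src=10.1.7.31 dst=10.1.4.200 dport=445 proto=tcp
garbled line from a sensor restart that must be skipped rather than crash the run
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = {}
    for tok in parts[2:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        fields[key] = value
    try:
        return {
            "ts": f"{parts[0]} {parts[1]}",
            "sensor": fields["sensor"],
            "src": ipaddress.ip_address(fields["src"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in net for net in nets)


def summarize(log_text, nets=INTERNAL_NETS):
    """Per-port hit counts, internal sources (with the ports they hit),
    external sources, and the number of unparseable lines."""
    per_port = Counter()
    internal = defaultdict(Counter)    # internal src -> {dport: hits}
    external = Counter()               # external src -> hits
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        per_port[rec["dport"]] += 1
        if is_internal(rec["src"], nets):
            internal[str(rec["src"])][rec["dport"]] += 1
        else:
            external[str(rec["src"])] += 1
    return {
        "per_port": per_port,
        "internal_sources": {src: dict(ports) for src, ports in internal.items()},
        "external_sources": external,
        "skipped": skipped,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("top ports:", s["per_port"].most_common(3))
    print("internal hosts to investigate:", s["internal_sources"])
    print("external sources:", s["external_sources"].most_common())
    print("skipped lines:", s["skipped"])
```

The `skipped` counter is worth keeping in a real deployment: a sudden jump in unparseable lines usually means a sensor or tunnel problem rather than an attack, and silently dropping them would hide it.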

Future Work - Ideas
Features:
- Better visualization
- Anti-evasion techniques
- Cheap & easy mobile sensors: Raspberry Pi
- Advertising honeypots
Honeypots:
- Mobile honeypots (e.g., Android)
- SCADA / Industrial Control Systems (ICS)
[Screenshot captions: "Attacker scans our system"; "Attacker trying to connect to our 'ftp' server"]

Thank You. Questions?

Backup slides

Useful Links
- Interesting stuff:
  - Many honeypot-related theses available
  - detection/proactive-detection-of-security-incidents-II-honeypots - Report from ENISA regarding honeypots
  - detection/proactive-detection-of-security-incidents-II-honeypots - Demo version of SURFcert IDS
- Honeypots:
  - General information on honeypots
  - Dionaea honeypot
  - Amun honeypot
  - Honeypots visualization

SURFcert @ Demokritos
[Deployment diagram; labels: "outside main firewall", "inside main firewall"]