Greg Williams CS691 Summer 2011. Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Slides:

Advertisements

Similar presentations

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

Advertisements

CISCO NETWORKING ACADEMY PROGRAM (CNAP)

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Lecture 11 Intrusion Detection (cont)

Department Of Computer Engineering

INTRUSION DETECTION SYSTEM

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

Penetration Testing Security Analysis and Advanced Tools: Snort.

Chapter 6: Packet Filtering

Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

Chapter 6-2 the TCP/IP Layers. The four layers of the TCP/IP model are listed in Table 6-2. The layers are The four layers of the TCP/IP model are listed.

DISTRIBUTED tcpdump CAPABILITY FOR LINUX Research Paper EJAZ AHMED SYED Dr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson.

Breno de MedeirosFlorida State University Fall 2005 Network Intrusion Detection Systems Beyond packet filtering.

IEEE Communications Surveys & Tutorials 1st Quarter 2008.

Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.

1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.

Intrusion Detection System (IDS). What Is Intrusion Detection Intrusion Detection is the process of identifying and responding to malicious activity targeted.

Intrusion Detection Cyber Security Spring Reading material Chapter 25 from Computer Security, Matt Bishop Snort –

7.4 Firewalls Network Security / G.Steffen1. In This Section What is a Firewall? Types of Firewall Comparison of Firewalls Types What Firewall Can-and.

HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG Supervisor : AP. Dr. Mohamed Othman.

Cryptography and Network Security Sixth Edition by William Stallings.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

DoS/DDoS attack and defense

Reading TCP/IP Protocol. Training target: Read the following reading materials and use the reading skills mentioned in the passages above. You may also.

CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.

Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.

WIRESHARK Lab#3. Computer Network Monitoring  Port Scanning  Keystroke Monitoring  Packet sniffers  takes advantage of “friendly” nature of net. 

Regan Little. Definition Methods of Screening Types of Firewall Network-Level Firewalls Circuit-Level Firewalls Application-Level Firewalls Stateful Multi-Level.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.

Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.

An Introduction To Gateway Intrusion Detection Systems Hogwash GIDS Jed Haile Nitro Data Systems.

CompTIA Security+ Study Guide (SY0-401)

Snort – IDS / IPS.

FIREWALL configuration in linux

Domain 4 – Communication and Network Security

Principles of Computer Security

Introduction to Networking

Introduction to Networking

James Logan CS526 Dr. Chow April 29, 2009

CompTIA Security+ Study Guide (SY0-401)

Honeypots and Honeynets

Chapter 14 User Datagram Protocol (UDP)

Intrusion Detection Systems (IDS)

Network hardening Chapter 14.

Presentation transcript:

Greg Williams CS691 Summer 2011

Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work

Introduction  Why I chose this  Universities are targets  Since we have a class B network (2 16 hosts), we are a large target  How can we know our adversaries and improve security

Introduction - Definitions  Intrusion Detection System (IDS)  Intrusion Prevention System (IPS)  Pattern Detection  Longest Common Substring (LCS)  Intrusion Detection Signatures  Honeypot  Honeynet

Preceding Work - Honeypots  Been around since the 1990’s  Used to either hide more valuable resources of a network or to analyze attacks of intruders  High Interaction  Low Interaction  Variety of software  Can be put on a physical system or virtualized

Honeypot/Honeynet

Preceding Work – IDS/IPS  Also have been around since the 1990’s  Bro and Snort are the 2 main open- source IDS/IPS out there today  Signatures  Signatures can include connection type, byte patterns, URI’s, ports, etc.  Very good at stopping specific attacks and code.

IDS/IPS

Honeycomb  System DOES NOT load signatures upon startup  Spots patterns based upon previous traffic (largest common substring)  Builds suffix trees in linear time

Honeycomb in depth

Honeycomb in depth - Honeyd  Honeycomb is built into the Honeyd honeypot 2 ways – via plugin and via event hooks  Honeycomb needs to analyze packets, so it utilizes libpcap that is already built into Honeyd  Honeyd creates traffic so Honeycomb knows that it created the traffic instead of guessing.

Honeycomb - Signature Creation

 If there is any existing connection state for the new packet, that state is updated, otherwise new state is created.  If the packet is outbound, processing stops here.  Honeycomb performs protocol analysis at the network and transport layer.

Honeycomb – Signature Creation  For each stored connection: Honeycomb performs header comparison in order to detect matching IP networks, initial TCP sequence numbers, etc. If the connections have the same destination port, Honeycomb attempts pattern detection on the exchanged messages.  If no useful signature was created in the previous step, processing stops. Otherwise, the signature is used to augment the signature pool as described in Section III-F.  Periodically, the signature pool is logged in a conﬁgurable manner, for example by appending the Bro representation of the signatures to a ﬁle on disk.

Honeycomb – Connection Tracking  Signature creation is based off comparing new data to old data therefore connections and packets must be maintained for a period of time  Handshake and established connections are kept separate as not to fill up the hashtables.

Honeycomb – Connection Tracking

Honeycomb protocol Analysis  After updating connection status, Honeycomb creates a new signature record and fills it with the facts about packets which is updated continuously.  Anomalies are captured instead of corrected  Headers are captured and then compared to previous packets. If there are matches, then a new signature is created.

Honeycomb – Pattern Detection  Horizontal detection – happens every n th message and applies LCS algorithm  Vertical detection – concatenates messages then applies LCS algorithm

Honeycomb – Signatures  Signatures are indefinite and can be built upon if they are improved  Signatures are output in Bro and Snort- like signatures

Honeycomb - Testing

Honeycomb - Performance  During the 24-hour period, we captured 224 KB of trafﬁc, comprising 557 TCP connections, 145 UDP connections and 27 ICMP pings. Figure 6 shows the distribution of the ports requested at the honeypot, in terms of numbers of connections.  Honeycomb created 38 signatures for hosts that just probed common ports. 25 signatures were created containing ﬂow content strings. These are relatively long; on average they contain 136 bytes. These were viruses.

Honeycomb - Performance

Honeycomb – Personal Analysis  No production data other than a home network  Very little results  Didn’t say what hardware was used for processing  Odd that they say plugins are built into Honeyd to lessen impact, however we can see it significantly takes a performance hit  Doesn’t do anything against polymorphic malware

Future of this paper  I haven’t seen any published papers regarding specifically honeycomb since this paper  Project website was updated in 2009 supposedly  Project code says.7 but really says.4 in the source code

Signature generation today  Polygraph (2005) looked at invariant content on network flows and tried to match disjoint content strings  Symantec’s Hancock (2008) – compares known byte sequences of legitimate programs with those of other executables analyzing every 48 th byte sequence  Fireeye (current)

Questions?