6th Annual Workshop on the Teaching Computer Forensics: Enhancing the Experience in Network Incident Investigations


6th Annual Workshop on the Teaching Computer Forensics

Enhancing the Experience in Network Incident Investigations

Dr. Jianming Cai, Ms. Angeliki Parianou and Ms. Bo Li
Faculty of Computing, London Metropolitan University

Topics

– Network incident investigation
– Experiment in the real world
– The experimental platform
– Platform test
– Forensic evidence collected/analysis
– Summary

Network Incident Investigation

Network Forensics:
– network-centric computing
– growing popularity of the Internet at home
– data available outside of disk-based digital evidence

Standalone investigation, or alongside a computer forensics analysis (to reveal links between digital devices or to reconstruct how a crime was committed).

Investigators often have to rely on packet filters, firewalls, and intrusion detection systems that were set up to anticipate breaches of security.

Data is now more volatile and unpredictable.

When investigating a network intrusion, the investigator and the attacker are often of similar skill level, whereas in other areas of digital forensics the investigator is usually the more highly skilled.

Experiment in the Real World

There is therefore an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.

Institutions' security policies restrict students from practising Network Forensics in the real world.

Network Forensics exercises therefore often have to rely on case studies extracted from textbooks.

A platform that enables students to practise network incident investigation on real-life case studies is desirable.

The Experimental Platform

The platform we developed is composed of a low-interaction honeypot and a rule-based IDS. The software packages employed are Honeyd and Snort. Based on this platform, students can analyse malicious activities, collect evidence, and launch incident investigations.

Network Topology of the Platform (diagram): the "Network Forensics" Lab and the Institutional Network

Advantages of the Platform

Relatively independent of the institution's network servers, so it does not raise issues with the institution's network security and admin policies.

Gathers network forensic information, investigates real-life cases, and collects the evidence needed for the apprehension and prosecution of network intruders.

The software employed in this platform is freely available for students' home use, i.e. it is low cost and flexible in practice.

The Deployed Honeyd (with eight virtual honeypots)

Arpd: a daemon that listens for ARP (Address Resolution Protocol) requests and answers them for IP addresses that are unallocated, so that traffic sent to those addresses is delivered to the honeypot host.

The Deployed Honeyd (Cont.)

The virtual honeypots deployed include:
– A Linux honeypot with the personality "Linux kernel "
– A Windows honeypot with the personality "Microsoft XP Pro SP1"
– A Router honeypot with the personality "Cisco IOS (11)"
– A Server honeypot with the personality "Microsoft Server 2003"
– A Mydoom-vulnerable honeypot with the personality "Microsoft XP Pro SP1"
– A Mail Relay Server honeypot with the personality "Sun Solaris 9"

The Deployed Honeyd (Cont.)

It creates various virtual hosts with different operating systems in order to attract a wider range of suspicious activity. In addition, a NIDS, namely Snort, is employed to monitor the network traffic for any known attacks and vulnerabilities. Malicious network traffic is monitored, recorded, and analysed. The output of Snort is sent to a MySQL database. The traffic captured by Snort is then presented by BASE (Basic Analysis and Security Engine) version

Platform Test

The implemented Honeyd was put on the Internet for about one month, recording every piece of traffic targeted at those eight virtual honeypots. The results of the experiment were recorded in the various log files generated by Honeyd and in the Snort logs retained in the MySQL database. In addition, web.log was used to record connection attempts towards the emulated Web services.

Part of the Test Results: Packet Protocol Types (chart)

Part of the Test Results (Cont.): Top 10 IP Addresses/Countries Attempted Connections (chart)

Part of the Test Results (Cont.): The List of Packet Destination IP Addresses (chart)

Part of the Test Results (Cont.): The List of Packet Destination Ports (chart)

Part of the Test Results (Cont.): Source Countries of the Relay Virtual Server (chart)

Part of the Test Results (Cont.): Destination IPs Attacked and Detected by the Snort
(the destination IP addresses and several counts did not survive in the transcript)

Destination IP address | Operating System                                 | Number of Connection Attempts | Number of Source IP addresses
                       | Cisco Router IOS                                 | (28%)                         |
                       | Sun Solaris – Open relay server                  | 213 (17%)                     |
                       | Linux Kernel                                     | (15%)                         |
                       | Linux Kernel                                     | (13%)                         |
                       | Microsoft Windows server                         | (6.6%)                        |
                       | Microsoft Windows XP Pro SP1                     | 79 (6.6%)                     |
                       | Microsoft Windows XP Pro SP1                     | 70 (5.8%)                     |
                       | Microsoft Windows XP Pro SP1 – Mydoom vulnerable | 69 (5.8%)                     | 25

Part of the Test Results (Cont.): Top 10 Source IPs Attempted Connection and Detected by the Snort
(table with columns Number, Source IP address, Number of Connection Attempts; the values did not survive in the transcript)

Part of the Test Results (Cont.): Unique Alerts Generated by the Snort
(for rows 1 to 3 the sensor/address counts and the day of the first alert did not survive in the transcript)

#  | Signature                                                               | Classification  | Total       | Sensor | Source Address | Dest. Address | First    | Last
1  | SQL version overflow attempt                                            | attempted-admin | 486 (40.8%) |        |                |               | ??/07/10 | 25/08/10
2  | unclassified                                                            |                 | 450 (37.8%) |        |                |               | ??/07/10 | 13/08/10
3  | PSNG_TCP_PORTSWEEP                                                      | attempted-recon | 214 (17.9%) |        |                |               | ??/08/10 | 16/08/10
4  | SQL ping attempt                                                        | misc-activity   | 18 (1.5%)   | 1      | 9              | 8             | 11/08/10 | 12/08/10
5  | PSNG_TCP_PORTSCAN                                                       | attempted-recon | 18 (1.5%)   | 1      | 2              | 5             | 13/08/10 | 14/08/10
6  | TELNET Solaris login environment variable authentication bypass attempt | attempted-admin | 3 (0.2%)    | 1      | 3              | 1             | 23/08/10 | 25/08/10
7  | SQL Worm propagation attempt                                            | misc-attack     | 3 (0.2%)    | 1      | 3              | 2             | 24/08/10 | 25/08/10

Part of the Test Results (Cont.): Cross-referenced Source IP Addresses by Virtual Honeypots and the Snort
(the source IP addresses and all but the last attempt count did not survive in the transcript)

Honeyd Source IP Address | Source IP DNS Resolution                                  | Snort Alert                                                  | Number of Connection Attempts
                         | CNINFONET Xingjiang province network                      | SQL version overflow attempt                                 |
                         | CHINA Unicom province network                             | PSNG_TCP_PORTSWEEP                                           |
                         | CHINANET province network                                 | PSNG_TCP_PORTSWEEP                                           |
                         | CHINANET – Zhu Zhenhua                                    | SQL version overflow attempt                                 |
                         | Telecom CHINANET province network                         | SQL version overflow attempt                                 |
                         | CHINANET PROVINCE NETWORK                                 | SQL version overflow attempt - SQL Worm propagation attempt  |
                         | China Mobile Communications Corporation - fujian          | SQL version overflow attempt                                 |
                         | Prosto Internet                                           | SQL version overflow attempt - SQL Worm propagation attempt  |
                         | SC Gliga SRL                                              | SQL version overflow attempt                                 |
                         | Latin American and Caribbean IP address Regional Registry | PSNG_TCP_PORTSWEEP                                           | 2
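The kind of analysis the Platform Test and the results tables describe (connection attempts per virtual honeypot, the protocol breakdown, and cross-referencing Honeyd source IPs with Snort signatures) can be scripted by students over the Honeyd log. This is an added example, not the workshop's own tooling; the log lines and Snort alert records are constructed, and the Honeyd log layout is assumed from Honeyd's documentation.

```python
import re
from collections import Counter, defaultdict

# Constructed Honeyd log lines (not the platform's own logs). Assumed layout:
# timestamp, proto(number), event flag (S = connection start, E = end,
# - = single packet), src IP [port], dst IP [port], optional sizes/fingerprint.
HONEYD_LOG = """\
2010-08-11-09:12:01.0132 tcp(6) S 203.0.113.7 3306 10.0.0.5 1434 [Windows XP SP1]
2010-08-11-09:12:01.5521 tcp(6) E 203.0.113.7 3306 10.0.0.5 1434: 512 0
2010-08-11-09:14:40.2201 tcp(6) S 203.0.113.7 3307 10.0.0.3 1434 [Windows XP SP1]
2010-08-11-10:02:17.0000 tcp(6) S 198.51.100.23 4410 10.0.0.2 23
2010-08-11-10:02:18.0000 tcp(6) S 198.51.100.23 4411 10.0.0.2 25
2010-08-11-10:02:19.0000 tcp(6) S 198.51.100.23 4412 10.0.0.2 80
2010-08-11-11:30:05.0000 udp(17) - 192.0.2.99 53 10.0.0.5 137: 56
2010-08-11-11:31:00.0000 icmp(1) - 192.0.2.99 10.0.0.2: 8(0): 64
"""
# Constructed (source IP, Snort signature) pairs, as exported from the MySQL alert DB via BASE.
SNORT_ALERTS = [("203.0.113.7", "SQL version overflow attempt"),
                ("203.0.113.7", "SQL Worm propagation attempt"),
                ("198.51.100.23", "PSNG_TCP_PORTSWEEP")]

LINE_RE = re.compile(r"^\S+ (?P<proto>[a-z]+)\(\d+\) (?P<ev>[SE-]) "
                     r"(?P<src>[\d.]+)(?: \d+)? (?P<dst>[\d.]+)")

def events(text):
    """Yield (proto, src, dst) once per attempt; 'E' rows only close a counted 'S' flow."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["ev"] != "E":
            yield m["proto"], m["src"], m["dst"]

def protocol_types(text):
    """Packet protocol breakdown, as in the 'Packet Protocol Types' chart."""
    return Counter(proto for proto, _, _ in events(text))

def attempts_by_destination(text):
    """Per virtual honeypot: (attempts, share in %, distinct source IPs)."""
    attempts, sources = Counter(), defaultdict(set)
    for _, src, dst in events(text):
        attempts[dst] += 1
        sources[dst].add(src)
    total = sum(attempts.values())
    return {dst: (n, round(100.0 * n / total, 1), len(sources[dst]))
            for dst, n in attempts.items()}

def cross_reference(text, alerts):
    """Join Honeyd source IPs with their Snort signatures: {src: (signatures, attempts)}."""
    sigs = defaultdict(list)
    for ip, sig in alerts:
        if sig not in sigs[ip]:
            sigs[ip].append(sig)
    attempts = Counter(src for _, src, _ in events(text))
    return {ip: (" - ".join(sigs.get(ip, ["(no Snort alert)"])), n)
            for ip, n in attempts.items()}
```

A source that appears in the Honeyd log but triggers no Snort signature is reported as "(no Snort alert)", which is exactly the gap a student should go back to the raw packets for.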

Summary

There is an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.

The platform was developed to enable students to practise network incident investigation on real-life case studies.

Although the evidence collected from the honeypot system may or may not be deemed admissible in court, the platform is intended for students to enhance their Network Forensics skills.
