Honeynet Data Analysis: A technique for correlating sebek and network data Edward G. Balas Indiana University Advanced Network Management Lab 6/15/2004.

Slides:



Advertisements
Similar presentations
Testing Relational Database
Advertisements

DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.
Copyright © 2006 Help Desk Systems, Inc. All rights reserved. Overview of Help Desk Systems Inc. (HDSI) HDSI offers a hosted, web based trouble ticket.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
HP Quality Center Overview.
Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 10 Performance Tuning.
Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Network+ Guide to Networks, Fourth Edition Chapter 10 Netware-Based Networking.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Component and Deployment Diagrams
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Maintaining and Updating Windows Server 2008
Loupe /loop/ noun a magnifying glass used by jewelers to reveal flaws in gems. a logging and error management tool used by.NET teams to reveal flaws in.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Ch. 31 Q and A IS 333 Spring 2015 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
MS Access Advanced Instructor: Vicki Weidler Assistant:
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Linux Operations and Administration
Chapter 17 Networking Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William Stallings.
MCTS Guide to Microsoft Windows 7
GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al.
User Interface Elements of User Interface Group View.
Honeynets in operational use Gregory Travis Indiana University, Advanced Network Management Lab
Module 7: Fundamentals of Administering Windows Server 2008.
Windows 7 Firewall.
Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Introduction to HP Availability Manager.
Data Capture in Encrypted Environments with Sebek.
Linux Networking and Security
Using Novell GroupWise ® 6 Monitor Duane Kuehne Software Engineer Novell, Inc. Danita Zanre Senior Consultant NSC Sysop,
An Introduction to Designing and Executing Workflows with Taverna Aleksandra Pawlik materials by: Katy Wolstencroft University of Manchester.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
IPortal Bringing your company and your business partners together through customized WEB-based portal software. SanSueB Software Presents iPortal.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 11: Monitoring Server Performance.
Honeynet Data Analysis: A technique for correlating sebek and network data Edward G. Balas Indiana University Advanced Network Management Lab 6/15/2004.
1 Next Generation Kernel Activity Monitoring Edward Balas, Indiana University Michael Davis, Savid Technologies IU Partners in Crime: Camilo Viecco Gregory.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
Module 10: Windows Firewall and Caching Fundamentals.
Dialog Design I Basic Concepts of Dialog Design. Dialog Outline Evaluate User Problem Representations, Operations, Memory Aids Generate Dialog Diagram.
Visual Basic for Application - Microsoft Access 2003 Finishing the application.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
Intrusion Detection System
SPI NIGHTLIES Alex Hodgkins. SPI nightlies  Build and test various software projects each night  Provide a nightlies summary page that displays all.
ECHO A System Monitoring and Management Tool Yitao Duan and Dawey Huang.
CHAPTER Windows Server Management. Chapter Objectives Give an overview of the Server Manager Provide details of accessing the Server Manager Explain the.
© 2015 Pittsburgh Supercomputing Center Opening the Black Box Using Web10G to Uncover the Hidden Side of TCP CC PI Meeting Austin, TX September 29, 2015.
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
Ch. 31 Q and A IS 333 Spring 2016 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
Maintaining and Updating Windows Server 2008 Lesson 8.
OPERATING SYSTEMS (OS) By the end of this lesson you will be able to explain: 1. What an OS is 2. The relationship between the OS & application programs.
Secure Access and Mobility Jason Kunst, Technical Marketing Engineer March 2016 Location Based Services with Mobility Services Engine ISE Location Services.
Fermilab Scientific Computing Division Fermi National Accelerator Laboratory, Batavia, Illinois, USA. Off-the-Shelf Hardware and Software DAQ Performance.
Advanced Troubleshooting with Cisco Prime NAM-3: Use Case
Chapter 2: System Structures
Introduction of Week 3 Assignment Discussion
Backtracking Intrusions
Chapter 8: Monitoring the Network
Training Module Introduction to the TB9100/P25 CG/P25 TAG Customer Service Software (CSS) Describes Release 3.95 for Trunked TB9100 and P25 TAG Release.
Presentation transcript:

Honeynet Data Analysis: A technique for correlating sebek and network data Edward G. Balas Indiana University Advanced Network Management Lab 6/15/2004

2 About the Author Edward G. Balas –Security Researcher at Indiana University’s Advanced Network Management Lab. –Honeynet Project Member Sebek project lead Honeywall User Interface project lead Research Sponsorship This materials based on research sponsored by the Air Force Research Laboratory under agreement number F The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.

3 Abstract Honeynets contain 2 data sources of interest to this talk. –Packet Captures –Sebek Logs Currently there is no way to –relate a process to a given network flow –identify if a given process is a descendant of another. We describe our efforts to solve this problem by tracking additional system calls in Sebek and how this can lead to new ways of visualizing honeynet data.

Introduction

5 The Problem Packet captures historically represented the fundamental data source for honeynets. To thwart observation, many blackhats began to use session encryption Sebek was developed to circumvent this encryption. This new data source increased amount of data for the analyst. Each data source had its own analysis tools. This created a “needle in the needle stack” problem.

6 Trying to solve the problem Within Sebek, we monitored additional system calls to enable the relation of network data to sebek data. This allowed us to: –map a flow to a process –create directed graph of process execution Combining these capabilities meant we were are able to relate 2 connections that share a common process tree. –useful for identifying an intrusion for which Snort has no signature but where we observed an outbound connection

7 Remainder of the Talk –Related Works –Details on our enhancements to Sebek –How these enhancements improve Data Analysis. –Current status and Future work.

Related work

9 Sebek Sebek Data Capture tool –kernel space tool that monitors sys_read call –covertly exports data to server. –used to monitor keystrokes, recover files, and other related activities even when session encryption used. –

10 Sebek Illustrations top left shows general architecture bottom left provides illustration of how Sebek gains access to sys_read data.

11 CoVirt CoVirt and the BackTracker system –Enhanced UML system allows host to monitor guests system call activity. –“Automatically identifies potential sequences of steps that occured in an intrusion.” – Samuel T. King, Peter M. Chen, "Backtracking Intrusions", Proceedings of the 2003 Symposium on Operating Systems Principles (SOSP), October Award paper. "Backtracking Intrusions"

12 BackTracker output

Enhancements to Sebek

14 sys_socket monitoring To correlate network connections to process / file number we added the ability to monitor the sys_socket call. –in Linux, all socket calls are multiplexed through one generic socket call. –gained access using the same technique as used with sys_read. –this provided a mapping of: src/dst ip endpoints for a connection src/dst ports and protocol state of connection. Related Process, File No, etc.

15 Socket Tracking: TCP pretty straight forward. We have the advantage of knowing the state sys_connect for outbound connections sys_accept for inbound connections

16 Socket Tracking:UDP a bit messy For a given socket each UDP message sent can have different endpoint info depending on the socket calls used. For every call below we need to send a record to the server –sendto –recvfrom –sendmsg –resvmsg Need to watch this as a potential bottleneck

17 Parent PID tracking To record the process inheritance tree we modified the sys_read monitoring such that it also recorded the parent process ID. –Quick and Dirty –Not so robust when a series of forks occur without the process doing any read()s. –next step will be to send dummy records on fork().

18 How our approach differs from BackTracker Exists entirely in kernel space works on a single physical host. Focus on sockets not files, will revisit files in future. Capable of relating network data to process data, which will enable relation of IDS events to a specific process. Full content of sys_read recorded.

19 How our approach is similar to BackTracker Host level process tree recreation is key in building a fault tree in both approaches. Both use syscall monitoring –we do it from within kernel –CoVirt does it outside the kernel we will eventually want to add file system centric capabilities of BackTracker.

20 Attacking Sebek As with BackTracker, there are three types of attacks to be concerned with. 1.attacking the sebek infrastructure directly 2.circumvent monitoring by using system calls not monitored by sebek 3.generate large event graphs to obfuscate activities on a system

21 Attacking Sebek Directly DoS attack on client by doing very large number of small reads –sebek client will drop packets as network becomes saturated on a bps or pps basis. Current Linux Sebek is kernel module based, a number of articles have outlined how to disable the sebek client by rewriting the system call table.

22 Circumventing Monitoring Dorseif, Holz, and Klien outline a technique for avoiding sys_read through the use of mmap. –does not work for pipes or devices but for special built tools would allow intruder to access files, currently. Current client only tracks UDP and TCP sockets, raw sockets are not tracked. –if intruder uses libnet/pcap based applications to communicate we will not be able to track them currently.

23 Creating noise to hide the signal It is possible that an intruder would be able to generate a sufficiently large process / event sequence without causing a DoS. –This would be an attack on the ability of the user interface to adequately render the data for the analyst.

24 References to attack techniques: M. Dornseif, T. Holz, C. Klien, “NoSEBrEak - Attacking Honeypots”, Proceedings of the 2004 IEEE Workshop on Information Assurance and Security. J. Corey, “Advanced Honeypot Identification” Jan 2004,

Data Analysis

26 Three steps in analysis –Collect/Screen Identify raw data of interest –Coalesce Combine data from different data sources, identifying cross data source relations and providing some type of normalized access to the data. –Report Identify central themes, screen out superfluous data.

27 Iteration in Analysis Though I show the screening as happening before coalescing, ideally its more of an act of convergence. 1.screen data 2.coalesce data 3.look for interesting “thread” 4.Goto 1, screen on “thread” properties

28 How it is done today Each data type has its own analysis tool –causing a bit of a stovepipe effect. –each data set goes through the 3 steps in isolation. Switching between data sources requires a wetware context switch. Relations between data manually discovered and expressed to each tool for screening by analyst. No automatic way to track interesting sequences across data sources.

29 Why this is no good Labor intensive –I am lazy Error Prone –I am sloppy Lots of menial work being done by a human –I paid a lot for this computer

30 Who’s putting out the effort? TaskHumanComputer Data ScreeningMedium Data CoalescingHighLow ReportingHighLow

31 Where we want to be We want to shift the Screening and Coalescing burden away from the human and onto the computer. Focus human effort on tasks best suited to the human. Provide an interface that supports the analyst’s workflow. –primary goal is to support cross data source event sequence tracking.

32 Improving Data Analysis The new data coming from sebek allows us to automatically relate network and sebek data. To automate coalescing we developed a backend daemon called Hflow. To demonstrate the impact of these capabilities on reporting, we developed a web based user interface named Walleye.

33 The challenge facing Hflow

34 Hflow Overview Multithreaded flow daemon Automates the process of Data Coalescing. Inputs: –pcap data –Snort IDS events. –Sebek socket records. –p0f OS fingerprints. Outputs: –normalized honeynet network data uploaded into relational database.

35 Hflow Illustration

36 Artistic partial rendition of schema

37 What this gives us. –Automatic identification Type of OS initiating a flow IDS events related to a flow Honeypot processes and File Numbers related to a given flow. –Flow data acts as an index to the pcap data Central theme of an event sequence can be identified without having to examining packet traces. When packet traces needed, flow info helps facilitate retrieval.

38 Potential Attack Vector? Hflow’s in memory flow cache could be the target of resource exhaustion attack. –uses a single stage hash, there is configured limit on size of table, when table exceeds a threshold, Hflow aggressively purges single packet flows. –In future Hflow may use multistage with different hash functions or provide some other adaptive mechanism Wonder how robust Argus or Netflow collectors are to this type of attack?

39 Reporting with Walleye perl based web interface provides unified view –connection oriented flow pairs –IDS events –OS Fingerprints Allows user to jump from network to host data. Visualizes multiple data types together.

40

41

42 Looking closely host x.x.x.31 attacked x.x.x.25 on its https port. x.x.x.31 was a linux host. The attack matched the OpenSSL worm signature and and triggered 2 additional alerts that indicate the attacker gained www and then root access. If we click on Proc View, we jump to a high level view of related process activity.

43

44 What you are seeing Display shows process trees and ids events which are “related” to a sigle IDS event. –Yellow Boxes are root processes –Cyan Boxes are non-root processes –Red Boxes are IDS events –Red Arrow represents direction of flow associated with event Only displaying IDS related flows. Graph automatically generated from DB with graphviz tool from ATT. Notice anything odd about the graph?

45

46 Walleye tracked intrusion across 2 honeypots Both the.25 and.26 honeypots were running the enhanced version of Sebek. We are able to provide a sense of attribution in situations where all stepping stones are running Sebek. Based on fault tree we could then click on a yellow box and then jump into the sebek interface.

47 Old questions made easy I see an outbound connection but didn’t seen an IDS alert, what was the cause? –walleye is able to identify all flows related via common process tree, allowing us to quickly identify potential causes of the intrusion, basically allowing us to climb the process tree. What happened after the intrusion? –This is really good for constraining the amount of sebek data the analyst needs to examine by ignoring data that is unrelated, in this case we simply traverse down the process tree.

48 Features Identify descendant flows or sebek events related to a given event. Identify ancestral flows or sebek events related to a given event Effectively, the combination of the two allow us to filter all data which can not be related to an event of interest.

Wrapping it up

50 Current Status Sebek –socket code in linux client rather stable –parent PID tracking currently missing some data for processes that fork and don’t read(easy to fix) Hflow –few bugs and its not syslog friendly Walleye interface –a few bugs, look and feel not 100% happy with –not yet integrated with conventional analysis tools. –doesn’t provide way to access raw packets

51 Future work –Sebek track fork call so that we always get a view of the process tree look at various anti-anti-sebek options. –Hflow testing, lots of testing. evaluate attack resistance –Walleye get UI to better support workflow provide alerting provide some summary reports clean, debug, document integrate with existing tools where sensible. –Get everything to work on the Honeywall CDROM!

52 Timeline The goal is to have the interface and sebek enhancements released within next 6 months. –Walleye may become the basis for a new Honeynet Data Analysis Interface to be distributed on the Honeywall. –Sebek client enhancements for linux will be available in the August timeframe.

53 Taking this out of the Honeynet context Sebek is a good tool for post intrusion intelligence gathering on an intruder On a production box it generates great amounts of data, making it difficult to use. With previously mentioned enhancements, Sebek may be a more viable tool, due to its improved coalescing and screening. Next major release will also allow you to define what types of activity you want to record or not record.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.