Presented by Spiros Antonatos Distributed Computing Systems Lab Institute of Computer Science FORTH.

Presentation transcript:

 A little about the project
 What are honeypots?
 The NoAH approach
 Architecture overview
 Argos

 Conclusions/discussion
Spiros Antonatos Terena Networking Conference 2007

 Three-year project
 April 2005 until March 2008
 Funded by the Research Infrastructures Programme of the European Union
 4 Work Packages
 FORTH is coordinator

 Malware: worms, viruses, keyloggers, spyware…
 Malware spreads fast
 Faster than we can react
 Thousands of hosts can be infected in a few minutes
 We need information about cyberattacks in order to build effective defenses

 Gather and analyse information about the nature of Internet cyberattacks
 Develop an infrastructure to detect and provide early warning of such attacks
 Security monitoring based on honeypot technology

 Computer systems that do not run production services
 Listen on unused IP addresses
 Intentionally made vulnerable
 Closely monitored to analyse attacks directed at them
 We can identify two types of honeypots: low-interaction and high-interaction

 Low-interaction honeypots emulate services using scripts
+ Lightweight processes, able to cover a large network space
- Emulation cannot provide a high level of interaction with attackers
 High-interaction honeypots do not perform emulation; they run real services
- Heavyweight processes, able to cover only a small network space
+ Provide the highest level of interaction with attackers
 NoAH combines the advantages of both types


 Most popular and widely used low-interaction honeypot
 Emulates thousands of IP addresses
 Performs network stack emulation
 Highly configurable and lightweight
 An efficient mechanism to filter out unestablished and uninteresting connections
 Port scans, SSH brute-force attacks, etc.
 Interesting connections are forwarded to high-interaction honeypots

 Emulates entire PC systems
 OS agnostic, runs on commodity hardware
 Based on the Qemu emulator
 Key idea: data coming from the network should never be executed
 Tracks network data throughout execution
 Memory tainting technique
 Detects illegal uses of network data
 Jump targets, function pointers, instructions, system call arguments
 Argos is able to detect all exploit attempts, including 0-days!

[Slide figure: Argos architecture. The guest OS, its applications and the emulated NIC run inside the Argos emulator on top of the host OS; a forensics module detects the attack and logs the state; the log is correlated and signatures are produced in post-processing.]
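The memory-tainting rule from the Argos slide, shown on a toy machine as an added example (this is not Argos's or the NoAH project's code): bytes delivered by the NIC are tagged with the packet offset they came from, the tag follows the data through loads and arithmetic, and an indirect jump whose target carries a tag is reported together with that offset, which is the forensic detail an operator wants in the log. The instruction set, the memory layout (an 8-byte buffer at mem[24] followed by a function pointer slot at mem[32]) and the sample packets are assumptions constructed for the example.

```python
"""Toy dynamic taint tracker in the spirit of Argos: network bytes must never
become a control-flow target.  Added example; the machine, its instructions
and the memory layout are invented for illustration (assumptions)."""

from dataclasses import dataclass, field
from typing import List, Optional


class TaintViolation(Exception):
    """Raised when a jump target derives from network input."""


@dataclass
class Machine:
    mem: List[int] = field(default_factory=lambda: [0] * 64)
    # taint[i] is None for clean memory, or the packet offset the byte came from
    taint: List[Optional[int]] = field(default_factory=lambda: [None] * 64)
    regs: dict = field(default_factory=lambda: {"r0": 0, "r1": 0})
    rtaint: dict = field(default_factory=lambda: {"r0": None, "r1": None})
    pc: int = 0

    def recv(self, addr: int, packet: bytes) -> None:
        """Model the NIC delivering a packet into a buffer.  Every byte written is
        tagged with its packet offset.  There is deliberately no bounds check:
        that is the kind of defect a honeypot exists to observe being hit."""
        for off, value in enumerate(packet):
            self.mem[addr + off] = value
            self.taint[addr + off] = off

    def run(self, program: list, packet: bytes) -> None:
        while True:
            op, *args = program[self.pc]
            self.pc += 1
            if op == "RECV":                 # RECV addr: packet lands in memory, tainted
                self.recv(args[0], packet)
            elif op == "LOAD":               # LOAD reg, addr: the tag travels with the data
                reg, addr = args
                self.regs[reg] = self.mem[addr]
                self.rtaint[reg] = self.taint[addr]
            elif op == "ADD":                # ADD dst, src: tainted if either operand was
                dst, src = args
                self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFF
                if self.rtaint[dst] is None:
                    self.rtaint[dst] = self.rtaint[src]
            elif op == "JMP":                # JMP reg: the sink Argos guards (Argos also
                reg = args[0]                #   checks instructions and syscall arguments)
                if self.rtaint[reg] is not None:
                    raise TaintViolation(
                        f"pc={self.pc - 1}: jump target {self.regs[reg]:#x} in {reg} "
                        f"was copied from packet byte {self.rtaint[reg]}")
                self.pc = self.regs[reg]
            elif op == "HALT":
                return
            else:
                raise ValueError(f"unknown op {op}")


# Assumed memory layout for the vulnerable guest program.
BUF = 24        # 8-byte input buffer occupies mem[24..31]
FPTR = 32       # a function pointer sits right after the buffer, at mem[32]
HANDLER = 3     # program index of the legitimate handler

# A service that copies the packet into BUF and then calls through FPTR.
PROGRAM = [
    ("RECV", BUF),          # 0: copy the packet (no length check)
    ("LOAD", "r0", FPTR),   # 1: fetch the function pointer
    ("JMP", "r0"),          # 2: indirect jump through it
    ("HALT",),              # 3: the legitimate handler
]


def emulate(packet: bytes) -> str:
    """Run the guest program on one packet; return 'clean' or the alert text."""
    machine = Machine()
    machine.mem[FPTR] = HANDLER          # pointer is clean before any packet arrives
    try:
        machine.run(PROGRAM, packet)
        return "clean"
    except TaintViolation as why:
        return f"alert: {why}"


if __name__ == "__main__":
    # Constructed sample packets: one fits the buffer, one spills into FPTR.
    print(emulate(b"GET /\r\n"))
    print(emulate(b"A" * 9))
```

A request that fits the buffer leaves the pointer clean and the program reaches HALT; a packet one byte too long overwrites mem[32], and the jump is refused with a message naming the packet byte responsible, which is the state a honeypot would log for later signature generation rather than letting the guest execute it.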


 Honeypots listen on the unused IP space of the organization hosting them
 This limited space makes it hard to produce results fast and accurately
 NoAH tries to empower people to participate
 Bring NoAH to home users with

 Lightweight tool that runs in the background
 Monitors an unused IP address
 Usually obtained via DHCP
 All traffic to that unused address is forwarded to our central honeypots
 No configuration: install and run!
 Both Windows and Linux platforms

[Slide screenshots: the client running in the background, creating a new virtual interface, and getting an IP address from the DHCP server.]

Handoff
 clients connect to NoAH honeypots
 Honeyd acts as a front-end to filter out scans
 Honeyd hands off the connection to Argos
 The attacker thinks she is communicating with the user, but in reality Argos is providing the answers
[Slide figure: Attacker sends the attack to the client, which forwards it to Honeyd in the NoAH core.]
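The Honeyd front-end role from the Honeyd slide and the handoff slide, modelled as an added example (not Honeyd's or NoAH's code): unestablished connections are treated as scans, established connections that never send a payload are dropped, a burst of SSH connections from one source is treated as brute force, and everything else is handed off to the high-interaction back end. The connection records, the thresholds and the verdict strings are assumptions constructed for the example.

```python
"""Honeyd-style front-end filter: keep scans and brute-force noise away from
the expensive high-interaction honeypot, hand off the rest.  Added example;
the record format, thresholds and verdicts are assumptions."""

from collections import defaultdict, deque

BRUTE_THRESHOLD = 5     # this many SSH connections from one source ...
BRUTE_WINDOW = 60.0     # ... within this many seconds is treated as brute force


class FrontEnd:
    """Decides, per connection, whether to drop it or hand it off to Argos."""

    def __init__(self):
        self.ssh_attempts = defaultdict(deque)   # src -> timestamps of recent SSH sessions
        self.forwarded = []                      # (record, verdict) handed to the back end
        self.dropped = []                        # (record, verdict) absorbed by the front end

    def decide(self, rec: dict) -> str:
        # A connection that never completed the handshake is a probe or scan.
        if not rec["established"]:
            return "drop:scan"
        # Established but silent: nothing for a high-interaction honeypot to learn from.
        if rec["payload"] == 0:
            return "drop:empty"
        # Sliding window of SSH sessions per source; a burst is password guessing.
        if rec["dport"] == 22:
            window = self.ssh_attempts[rec["src"]]
            window.append(rec["t"])
            while window and rec["t"] - window[0] > BRUTE_WINDOW:
                window.popleft()
            if len(window) >= BRUTE_THRESHOLD:
                return "drop:ssh-bruteforce"
        # Anything that got this far carries data worth letting Argos answer.
        return "handoff"

    def process(self, rec: dict) -> str:
        verdict = self.decide(rec)
        bucket = self.forwarded if verdict == "handoff" else self.dropped
        bucket.append((rec, verdict))
        return verdict


# Constructed sample connection records (documentation-range addresses, not real traffic).
# Fields: t = seconds since start, src, dport, established = handshake completed,
# payload = bytes sent by the peer after the handshake.
SAMPLE_RECORDS = [
    {"t": 0.0, "src": "198.51.100.7", "dport": 445, "established": False, "payload": 0},
    {"t": 0.2, "src": "198.51.100.7", "dport": 80, "established": False, "payload": 0},
    {"t": 0.5, "src": "198.51.100.7", "dport": 3306, "established": True, "payload": 0},
] + [
    {"t": float(i), "src": "203.0.113.9", "dport": 22, "established": True, "payload": 160}
    for i in range(1, 7)
] + [
    {"t": 7.0, "src": "192.0.2.33", "dport": 80, "established": True, "payload": 420},
]


def run_sample(records=SAMPLE_RECORDS):
    """Feed the records through one front end; return (verdicts, front_end)."""
    front = FrontEnd()
    verdicts = [front.process(rec) for rec in records]
    return verdicts, front


if __name__ == "__main__":
    verdicts, front = run_sample()
    for rec, verdict in zip(SAMPLE_RECORDS, verdicts):
        print(f"{rec['t']:4.1f}s {rec['src']:>14} :{rec['dport']:<5} {verdict}")
    print(f"handed off: {len(front.forwarded)}, dropped: {len(front.dropped)}")
```

With the sample records, the two SYN-only probes and the silent connection are dropped immediately; the first four SSH sessions are still handed off, because a front end cannot tell a guess from a login until a pattern forms, and the fifth and sixth are dropped once the per-source window fills; the HTTP request with a payload is handed off. The point of the split is the one the slides make: Honeyd can afford to absorb the noise for thousands of addresses, so Argos only ever sees connections that might carry an exploit.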

 The identity of clients and honeypots must remain hidden
 Attackers could flood the black space with junk traffic once its identity is revealed
 TOR is a network that can provide the desired anonymization
 Automatic installation of clients must be prevented
 Otherwise an attacker could massively deploy mockup clients
 Registration with CAPTCHA techniques is used


 We view an organization as a regular user that possesses a large unused space
 A specialized version of is implemented
 No TOR involved: the organization is a trusted entity (unlike home users)
 The only configuration needed is to declare the unused address space
 will forward all traffic to that space (funneling)

 Deliverables can be found at noah.org/publications/
 5 conference papers
 Usenix Security 05, SIGOPS 2006, DIMVA ’06, RAID ’06
 Various articles and presentations
 ERCIM news, local press

 NoAH is a distributed architecture based on low- and high-interaction honeypots
 Argos is able to detect all exploits, including zero-days
 NoAH empowers non-experts to join the battlefield against cyberattacks
 enables unfamiliar users to effortlessly participate in NoAH
