1 Honeypot, Botnet, Security Measurement, Email Spam Cliff C. Zou CDA6938 02/01/07.


1 Honeypot, Botnet, Security Measurement, Email Spam
Cliff C. Zou
CDA6938
02/01/07

2 What Is a Honeypot?
“A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”

3 Example of a Simple Honeypot
Install a vulnerable OS and software on a machine
Install monitor or IDS software
Connect it to the Internet (with a global IP)
Wait and monitor as it is scanned, attacked, compromised
Finish analysis, clean the machine

4 Benefit of Deploying Honeypots
Risk mitigation:
 A deployed honeypot may lure an attacker away from the real production systems (“easy target”).
IDS-like functionality:
 Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.
Attack analysis:
 Binary code analysis of captured attack code
 Spying on the attacker’s ongoing actions
 Find out the reasons and strategies: why and how you are attacked.

5 Honeypot Classification
High-interaction honeypots
 A full and working OS is provided for being attacked
 VMware virtual environment
 Several VMware virtual hosts in one physical machine
Low-interaction honeypots
 Only emulate specific network services
 No real interaction or OS
 Honeyd
Honeynet/honeyfarm
 A network of honeypots

6 Low-Interaction Honeypots
Pros:
 Easy to install (simple program)
 No risk (no vulnerable software to be attacked)
 One machine supports hundreds of honeypots
Cons:
 No real interaction to be captured
 Limited logging/monitoring function
 Easily detectable by attackers

7 High-Interaction Honeypots
Pros:
 Real OS, captures all attack traffic/actions
 Can discover unknown attacks/vulnerabilities
Cons:
 Time-consuming to build/maintain/analyze
 Risk of being used as a stepping stone
 Must have a firewall blocking all outgoing traffic
 High computer resource requirement

8 Honeynet
A network of honeypots
High-interaction honeynet
 A distributed network composed of many honeypots
Low-interaction honeynet
 Emulate a virtual network in one physical machine
 Example: honeyd
Mixed honeynet
 “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm”, presented next week
Reference: honeypot-forensics-slides.ppt

9 What Is a Botnet?
A network of compromised computers controlled by their attacker
 Users of zombie machines do not know
 Mostly home computers with broadband
The main source for many attacks now
 Distributed Denial-of-Service (DDoS)
 Extortion
 Email spam, phishing
 Ad fraud
 User information: documents, keyloggers, …

10 How to Build a Botnet?
Infect machines via:
 Internet worms, viruses
 Email viruses
 Backdoors left by previous malware
 Trojan programs hidden in free downloadable software, games, …
Bots phone back to receive commands

11 Botnet Architecture
Bot controller
 Usually using an IRC server (Internet Relay Chat)
 Dozens of controllers for robustness
[Figure: attacker and bot controllers]

12 Botnet Monitoring
Hijack one of the bot controllers
 DNS provider redirects the domain name to the monitor
 Still cannot cut off a botnet (dozens of controllers)
 Can obtain most/all bots’ IP addresses
Let honeypots join a botnet
 Can monitor all communications
 No complete picture of a botnet

13 Security Measurement
Monitor network traffic to understand/track Internet attack activities
Monitor incoming traffic to unused IP space
 TCP connection requests
 UDP packets
[Figure: Internet, local network, unused IP space, monitored traffic]

14 Refining Monitoring
TCP SYN alone is not enough (IP and port only)
Distinguish different attacks
 Low-interaction honeypots (honeyd)
 Obtain the first attack payload by replying SYN/ACK
 Used by the “Internet Motion Sensor” at U. Michigan (paper presented next)
 High-interaction honeypots
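Slides 13 and 14 describe watching traffic that arrives at address space nothing legitimately uses. The following is an added example (not from the slides) of the first processing step a monitor performs: filter a flow-style log down to connection attempts aimed at the unused blocks and group them per source. The log format, the unused prefixes and the sample records are all constructed for this example.

```python
"""Classify traffic arriving at unused IP space (added example, not from the slides).

Assumes a whitespace-separated flow log with the fields
  <unix time> <src ip> <dst ip> <proto> <dst port> <tcp flags or ->
and an operator-supplied list of prefixes that have no legitimate host.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: blocks the local network has allocated nothing to (constructed).
UNUSED_SPACE = [ip_network("192.0.2.128/25"), ip_network("198.51.100.0/24")]

# Constructed sample records, not captured data.
SAMPLE_LOG = """\
1170316800 203.0.113.7 192.0.2.130 tcp 445 S
1170316801 203.0.113.7 192.0.2.131 tcp 445 S
1170316801 203.0.113.7 192.0.2.132 tcp 445 S
1170316802 203.0.113.7 198.51.100.9 tcp 445 S
1170316803 203.0.113.50 198.51.100.77 udp 1434 -
1170316804 192.0.2.10 192.0.2.20 tcp 80 S
1170316805 203.0.113.99 192.0.2.200 tcp 80 A
"""

def in_unused_space(addr):
    """True if addr falls in a block that has no legitimate host."""
    a = ip_address(addr)
    return any(a in net for net in UNUSED_SPACE)

def parse_records(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, proto, dport, flags = fields
        yield {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
               "dport": int(dport), "flags": flags}

def darknet_events(text):
    """Keep only connection attempts at unused space: TCP packets with only
    SYN set, or any UDP datagram.  A bare ACK to unused space is
    backscatter from spoofed traffic elsewhere, not a probe of us."""
    for r in parse_records(text):
        if not in_unused_space(r["dst"]):
            continue
        if r["proto"] == "tcp" and r["flags"] != "S":
            continue
        yield r

def summarize_sources(text):
    """Per source: how many distinct unused targets and which (proto, port) pairs."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for r in darknet_events(text):
        targets[r["src"]].add(r["dst"])
        ports[r["src"]].add((r["proto"], r["dport"]))
    return {src: {"targets": len(targets[src]), "ports": sorted(ports[src])}
            for src in targets}

def likely_scanners(text, min_targets=3):
    """Sources that probed several unused addresses are reported as scanners."""
    return sorted(src for src, s in summarize_sources(text).items()
                  if s["targets"] >= min_targets)

if __name__ == "__main__":
    for src, s in summarize_sources(SAMPLE_LOG).items():
        print(src, s)
    print("scanners:", likely_scanners(SAMPLE_LOG))
```

The SYN-only filter is what slide 14 calls insufficient on its own: it tells you a source and a port, and nothing about the payload. Replying SYN/ACK from a low-interaction honeypot, as the slide suggests, is the step that would let the next stage capture the first payload.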

15 Remote Fingerprinting
Actively probe remote hosts to identify their OS, physical devices, etc.
 Different OSes’ service responses differ
 Hardware responses differ
Purposes:
 Understand Internet computers
 Remove the DHCP issue in monitored data
 Paper presented later

16 Data Sharing: Traffic Anonymization
Sharing monitored network traffic is important
 Collaborative attack detection
 Academic research
Privacy and security exposure in data sharing
 Packet header: IP address, service port exposure
 Packet content: more serious
Data anonymization
 Change packet header: preserve IP prefix, and …
 Change packet content

17 Why So Much Spam?
No authentication/authorization in email
Receiving unsolicited email is by design
Sending fake email is so easy
 Shown in next slide
Profit:
 Takes a dime to send out millions of spam
 A few effective spams give back good profit
 No penalty for spam (law, out-of-country spammers)

18 Sample fake email sending
Telnet longwood.cs.ucf.edu 25
S: 220 longwood.cs.ucf.edu ESMTP Sendmail /8.13.8; …
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM:
S: 250 Sender ok
C: RCPT TO:
S: 250 Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: subject: who am I?
C: Do you like ketchup?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection

19 Current Major Spam Defense
Signature-based filtering
 SpamAssassin, etc.: based on keywords, rules on headers, …
Blacklisting-based filtering
 DNS black list, dynamically updated (Spamhaus)
Sender authentication
 Caller ID (Microsoft)
 Sender Policy Framework (SPF)
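Slides 17 and 18 show the root problem: the SMTP server accepts any MAIL FROM domain and any HELO name (the server even greets a different host name than the client claimed). Slide 19 lists SPF as one answer: the domain owner publishes in DNS which client IPs may send mail for the domain, and the receiving server checks the connecting IP against that record before accepting MAIL FROM. The evaluator below is an added example, not the slides' code and not a complete SPF implementation: it handles only the ip4/ip6 and all mechanisms with their qualifiers (include, a, mx, redirect and macros are left out), and the DNS TXT lookup is replaced by a constructed in-memory table so it runs offline.

```python
"""Minimal SPF check for a receiving mail server (added example, not from the slides).

Evaluates an "v=spf1 ..." record for the MAIL FROM domain against the
client IP.  Only ip4:, ip6: and all are implemented; results follow the
RFC 7208 vocabulary: pass, fail, softfail, neutral, none.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS TXT records (example domains, not real data).
SPF_RECORDS = {
    "example.com":  "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "soft.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "open.example": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def sender_domain(mail_from):
    """Domain of the MAIL FROM address: '<bob@example.com>' -> 'example.com'."""
    return mail_from.strip("<> ").rsplit("@", 1)[-1].lower()

def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Return pass/fail/softfail/neutral for client_ip sending as mail_from,
    or 'none' when the domain publishes no SPF record."""
    record = records.get(sender_domain(mail_from))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]      # catch-all ends evaluation
        if term.startswith(("ip4:", "ip6:")):
            net = ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # any other mechanism is ignored by this simplified evaluator
    return "neutral"  # RFC 7208 4.7: nothing matched and no "all" term

def smtp_decision(client_ip, mail_from, records=SPF_RECORDS):
    """Policy a receiver might apply at MAIL FROM time (this example's choice):
    reject on fail, accept but flag on softfail, accept otherwise."""
    result = check_spf(client_ip, mail_from, records)
    if result == "fail":
        return "550 reject"
    if result == "softfail":
        return "250 accept, mark suspicious"
    return "250 accept"

if __name__ == "__main__":
    for ip, frm in (("192.0.2.10", "<alice@example.com>"),
                    ("203.0.113.5", "<alice@example.com>"),
                    ("203.0.113.5", "<x@soft.example>"),
                    ("203.0.113.5", "<x@fake.domain>")):
        print(ip, frm, check_spf(ip, frm), "->", smtp_decision(ip, frm))
```

Note what SPF does and does not check: the connecting IP against the MAIL FROM domain, not the From: header the user sees, and a domain with no record yields "none", which is why a forged domain that never published SPF (like fake.domain in slide 18) is not rejected by SPF alone; that gap is what the blacklist and content filters on the same slide cover.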