HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG Supervisor : AP. Dr. Mohamed Othman

Introduction  Honeycomb is a system for automated generation of signatures for network intrusion detection systems (NIDSs).  Applies protocol analysis and pattern- detection techniques to traffic captured on honeypots.  Honeycomb is good at spotting worms.

Problem Statement  Manually creation of Intrusion Detection Signatures is a tedious, inefficiency process.  There are more and more malware variants and self-propagating malware can spread very rapidly.  We need fast, automatic detection.

Objective  To extend the open source honeypot honeyd by honeycomb plug-in.  To implement the honeycomb on real environment.  Evaluate honeycomb on controlled environment.  Measure the system performance and quality of signatures.

Scope  Re-implements the research for automated generation attack signatures for NIDSs using Honeypots.  Setting up a Honeypots extended system.  Conduct experiments on the system.  Measure system performance.

Literature Review  Internet Worms :  Worm Propagation Behavior  Morris Worm  Code Red I  Code Red II  SQL Slammer  Nimda

Literature Review  Intrusion Detection System :  Signature Based  Anomaly Detection  Snort  Bro  Related Works :  Sweetbait  PAYL  Autograph

Honeycomb Architecture

Signature Creation Algorithm

Pattern Detection Horizontal detection  Comparing all messages at the same depth.  Messages are passed as input to the LCS algorithm in pairs.

Pattern Detection Vertical detection  Concatenating several messages into a string.  Comparing this with a corresponding concatenated string.

Signature Lifecycles  Relational operators on signatures:  sig 1 = sig 2 : all elements equal  sig 1  sig 2 : elements differ  sig 1  sig 2 : sig 1 contains subset of sig 2 ’s facts  sig new = sig pool : sig new ignored  sig new  sig pool : sig new added  sig new  sig pool : sig new added  sig pool  sig new : sig new augments sig pool

System Framework

HoneyComb Network Diagram

Experiments  Controlled Environment Experiments :  Evaluate the effectiveness and the quality of the worm signature created by the HoneyComb  Live Traffic Experiments.:  Determine what kind of signatures those generate by HoneyComb in the real traffic environment.

Controlled Environment Experiments

 TCP worm – Code Red II  UDP worm – SQL Slammer  Actual worms packet payload used.  Sent worms packets from compromise host to HoneyComb machine.

Controlled Environment Experiments

 Result :  TCP Worms – Code Red II alert tcp /24 any -> /16 80 (msg: "Honeycomb Sat Apr 7 13h51m "; ) alert tcp /24 any -> /16 80 (msg: "Honeycomb Sat Apr 7 14h21m ";flags: PA+; flow: established; content: "GET/default.ida?XXXX XX XX (...) 00|CodeRedII|…";)

Controlled Environment Experiments  Result :  UDP Worms – SQL Slammer alert udp / > / (msg: "Honeycomb Sat Apr 7 14h51m "; content: "| (...)|Qh.dllhel32hkernQhounthickChGetT f| (…) D6 EB|"; )

Controlled Environment Experiments  A comparison of the signature content and the worm payload sent to the honeypots shows that HoneyComb generates a good quality of signatures in controlled environment.  HoneyComb able to detect the TCP and UDP worm efficiency.

Live Traffic Experiment

 Generated Signatures :  18,288 signatures had been generated by HoneyComb.  9,473 signatures were containing flow content strings.  HoneyComb able to generate the Slammer signatures precisely.  No any Code Red II signature created since it reported died in October 2001

Live Traffic Experiment  Generated Signatures : alert udp any any -> / (msg: "Honeycomb Sat Apr 7 14h51m "; content: "| DC C9 B0|B|EB 0E |p|AE|B|01|p|AE|B| |h|DC C9 B0|B|B |1|C9 B1 18|P|E2 FD|5| |P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf| B9|toQhsend|BE AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F B 81 F |Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D C1 E C2 C1 E2 08"; )

Live Traffic Experiment  Generated Signatures : alert tcp any any -> /24 80,135,8080 (msg: "Honeycomb Thu Apr 19 05h28m "; flags: FRAU21!; flow: established; content of signature 908 : "CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D 0A|HTTP/ Bad Request|0D 0A|Server: Microsoft-IIS/5.0|0D 0A|Date: Tue, 17 Apr :57:30 GMT|0D 0A|Content- Type: text/html|0D 0A|Content-Length: 87|0D 0A 0D 0A| Error The parameter is incorrect. CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D|"; )

Honeycomb Performance Benchmarking

Discussion  HoneyComb v0.7 compiled with Honeyd v1.5b without error, but it provided a strange and useless result when running HoneyComb.  The source code in hc_udp.c and hc_tcp.c had been modified and recompiled to fix this error.

Discussion -- Problem  Unable to generate the signatures for the polymorphic worms.  Honeycomb can be fooled by attackers, to generate signatures for legitimate traffic.  Consuming a large amount of memory to perform the packets pattern matching.  Lost the memory when the system restart, thus, the same signatures will be generated.

Conclusion  Pattern matching worm detection mechanism of HoneyComb able to produce good quality signatures for worms.  Signatures created by HoneyComb can be converted into a format suitable for both Snort and Bro NIDS.

Conclusion  Honeypot offer an offensive approach to intrusion detection and prevention.  HoneyComb suggest that automated signature creation on honeypot is feasible and effectiveness.  This automated signature creation system is a first step towards integrating honeypots more closely into security infrastructure.

Future Works  Working to reducing the effort spent per arriving packets by the HoneyComb.  Solve the drawback on unable to generate signature for the polymorphic worms.  Provide a better tool to analyze the signatures created.  Implication IPv6 to existing HoneyComb architecture.

Question and Answer

Thank You