Presentation is loading. Please wait.

Presentation is loading. Please wait.

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004"— Presentation transcript:

1 Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004 http://project.honeynet.org/misc/project.html

2 Overview Motivation What are Honeypots? –Gen I and Gen II The GeorgiaTech Honeynet System –Hardware/Software –IDS –Logging and review Some detected Exploitations –Worm exploits –Sage of the Warez Exploit Words of Wisdom Conclusions

3 Why Honeynets ? An additional layer of security

4 Motivation Security a serious problem Methods for detection/protection/defense: –Firewall: The Traffic cop –IDS: detection and alert These have shortcomings: –Internal threats –Virus laden programs –False Positives and False negatives Honeynet: An additional layer –Not a panacea

5 Security: A serious Problem Firewall IDS A Traffic Cop Problems: Internal Threats Virus Laden Programs Detection and Alert Problems: False Positives False Negatives

6 The Security Problem FirewallIDS HoneyNets An additional layer of security

7 Captures all inbound/outbound data Standard production systems Intended to be compromised Data Capture –Stealth capturing –Storage location – away from the honeynet Data control –Protect the network from honeynets

8 Two types Gen IGen II Good for simpler attacks Unsophisticated targets Limited Data Control Sophisticated Data Control : Stealth Fire-walling Gen I chosen

9

10 GATech Honeynet System Huge network 4 TB data processing/day CONFIG Sub-standard systems Open Source Software Simple Firewall Data Control

11 IDS Invisible SNORT Monitor Promiscuous mode Two SNORT Sessions Session 1 Signature AnalysisMonitoring Session 2 Packet CaptureDATA CAPTURE

12

13 Data Analysis One hour daily ! Requires human resources Forensic Analysis SNORTDATA CAPTURE All packet logs stored Ethereal used

14 Detected Exploitations 16 compromises detected Worm attacksHacker Attacks

15 Honey Net traffic is Suspicious Heuristic for worm detection: Frequent port scans Specific OS-vulnerability monitoring possible Captured traffic helps signature development DETECTING WORM EXPLOITS

16 SAGA of the WAREZ Hacker Helped locate a compromised host Honeynet IIS Exploit  Warez Server + Backdoor Very difficult to detect otherwise !

17 Words of Wisdom Start small Good relationships help Focus on Internal attacks Don’t advertise Be prepared to spend time

18 Conclusion Helped locate compromised systems Can boost IDS research –Data capture Distributed Honey nets ?

19 Discussion The usefulness of the extra layer ? Dynamic HoneyNets Comparison with IDS: are these a replacement or complementary ? HONEY NET IDS

20

Download ppt "Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004"

Similar presentations

Honeynet Introduction Tang Chin Hooi APAN Secretariat.

Honeynet Introduction Tang Chin Hooi APAN Secretariat.
Intrusion Detection/Prevention Systems Charles Poff Bearing Point.

Intrusion Detection/Prevention Systems Charles Poff Bearing Point.
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
12-1 Last time Security in Networks Threats in Networks.

12-1 Last time Security in Networks Threats in Networks.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.

Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.

PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

Similar presentations

Ads by Google