Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Honeynet System

Published byArnold Alban McCoy Modified over 9 years ago

Similar presentations

Presentation on theme: "Distributed Honeynet System"— Presentation transcript:

1 Distributed Honeynet System
Data Capture and Analysis C-DAC Mohali

2 Overview Honeynet/Honeypot Technology Data Collection Data Control
Honeypot/Honeynet Backgroud Type of Honeypots Deployment of Honeypots Data Collection Data Control Data Analysis

3 Honeypot/Honeynet concepts
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise A highly controlled network where every packet entering or leaving the honeypot system and related system activities are monitored, captured and analyzed. Primary value to most organizations is information”

4 Advantages Fidelity – Information of high value
Reduced false positives Reduced false negatives Simple concept Not resource intensive

5 Attack Detection Techniques
Proactive Techniques Defensive Techniques Honeynets Anomaly-based Signature-based 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 5

6 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"
How it works Monitor Detect Response 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 6

7 Honeynet Requirements & Standards
Data Control: Contain the attack activity and ensure that the compromised honeypots do not further harm other systems.Out bound control without blackhats detecting control activities. Data Capture: Capture all activity within the Honeynet and the information that enters and leaves the Honeynet, without blackhats knowing they are being watched. Data Collection: captured data is to be Securely forwarded to a centralized data collection point for analysis and archiving. Attacker Luring: Generating interest of attacker to attack the honeynet Static : web server deployment, making it vulnerable Dynamic : IRC, Chat servers,Hackers forums 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 7

8 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"
Classification By level of interaction High Low Middle? By Implementation Virtual Physical By purpose Production Research 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 8

9 Types of Honeypots Low-interaction High Interaction
Emulates services and operating systems. Easy to deploy, minimal risk Captures limited information High Interaction Provide real operating systems and services, no emulation. Complex to deploy, greater risk. Capture extensive information.

10 Virtual Honeynet

11 What Honeynet Achieves
Diverts attacker’s attention from the real network in a way that the main information resources are not compromised. Captures samples of new viruses and worms for future study Helps to build attacker’s profile in order to identify their preferred attack targets, methods. 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 11

12 What value Honeynet adds
Prevention of attacks through deception and deterrence Detection of attacks By acting as a alarm Response of attacks By collecting data and evidence of an attacker’s activity 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 12

13 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"
GEN III A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed. Data Capture Data Control Data Analysis 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 13

14 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"
Honeynet Gen III 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 14

15 Data Capture Mechanism
ETH0 APP LOGS IPTABLES HIDS AISD ARGUS SNORT HFLOW DB HFLOWD POF CONVERT INTO UNIFIED FORMAT SEBEKD WALLEYE ETH2 SYS LOGS GUI WEB INTERFACE ( ) TCPDUMP PCAP DATA ETH1 ( ) SEBEK CLIENT 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" HONEYPOT ( ) 15

16 HONEYWALL HONEYPOT DATA CAPTURE TOOLS IN GEN 3 HONEYNET
Network Level Data Capture System Level Data Capture HONEYWALL HONEYPOT Raw Packet Capture Analyzed Packet Capture System Logs Kernel Level Logs Tcpdump Argus Syslogd Sebek Client-Server P0F Snort DATA CAPTURE TOOLS IN GEN 3 HONEYNET 16

17 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"
Data Control 4/21/2017 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS" 17

18 DATA CONTROL PURPOSE: Mitigate risk of COMPROMISED Honeypot being used to harm non- honeynet systems Count outbound connections (Reverse Firewall) IPS (Snort-Inline) Bandwidth Throttling (Reverse Firewall) 18

19 IPTABLES packet handling

20 Data Control ### Set the connection outbound limits for different protocols. SCALE="day" TCPRATE=“20" UDPRATE="20" ICMPRATE="50" OTHERRATE="5“ iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} -s ${host} -j tcpHandler -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts“ -s ${host} -j DROP

21 Distributed Honeynet System
Distributed sensor Honeynet Configuration/ reconfiguration Central Logging & Alerting Honeypot management & analysis (forensics take time!)

22 Network Diagram of Distributed Honeynet System
Central Database Server Router Honeywall Virtual Switch Honeypot1 Nepenthes Software Bridge Honeypot2 Host machine Network Diagram of Distributed Honeynet System BSNL N/W /28 CONNECT N/W /27 STPI N/W /28 Airtel N/W /29 Large Enterprise Network (STPI) /27 Broadband Providers (BSNL,CONNECT,AIRTEL) /28,/28/29

23 Life Cycle of Distributed HoneyNet System

24 Remote Node Architecture

25

26 Malware Analysis

27 Malware Analysis Module Malware Collection Module Botnet Tracking
2 3 1 Malware Analysis Module Malware Collection Module Botnet Tracking Remote Node of DHS Bot Detection Engine Anti virus Bot hunter Botnet Tracking engine Low-Interaction Honeypot High Interaction Honeynet Sandbox (Bot Execution) Malware collection Data Base Bot Binary database Botnet Tracking database Central server 27

28 The Central Site of DHS

29 Main Functions

30 CONVERT INTO UNIFIED FORMAT
DATA ANALYSIS STEPS HONEYWALL REVERSE FIREWALL RULES (CONTROL OUTBOUND TRAFFIC) ETH0 IPTABLES Collect & Merge ARGUS SNORT HFLOW DB HFLOWD POF CONVERT INTO UNIFIED FORMAT SEBEKD WALLEYE ETH2 ETH1 ( ) TCPDUMP PCAP DATA GUI WEB INTERFACE SEBEK CLIENT HONEYPOT 30

31 Walleye Web Interface “Eye on the Honeywall” is a web based interface for Honeywall Configuration, Administration and Data analysis

32 Honeywall Roo Logical Design

33

34 Walleye Analysis Interface

35 Botnet Detection

36 Introduction Botnet Problem Typical Botnet Life Cycle How Botnet Grows
Challenges for Botnet detection Roadmap to Detection system Botnet Detection Approaches Our Implemented Approach Experiments and results 36 36

37 What Is a Bot/Botnet? Bot
A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent Profit-driven, professionally written, widely propagated Botnet (Bot Army): network of bots controlled by criminals Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” Architecture: centralized (e.g., IRC,HTTP), distributed (e.g., P2P) 37

38 Botnets are used for … All DDoS attacks Spam Click fraud
Information theft Phishing attacks Distributing other malware, e.g., spywarePCs are part of a botnet!” 38

39 Typical Botnet Life Cycle
39

40 How the Botnet Grows 40

41 How the Botnet Grows 41

42 How the Botnet Grows 42

43 How the Botnet Grows 43

44 IRC Botnet Life Cycle 44

45 Challenges for Botnet Detection
Bots are stealthy on the infected machines –We focus on a network-based solution Bot infection is usually a multi-faceted and multiphase process – Only looking at one specific aspect likely to fail Bots are dynamically evolving Botnets can have very flexible design of C&C channels –A solution very specific to a botnet instance is not desirable 45

46 Related Work Network Level
G. Gu, J. Zhang, andW. Lee. BotSniffer: Detecting botnet command and control channels in network traffic J. R. Binkley and S. Singh. An algorithm for anomaly- based botnet detection J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by irc nickname evaluation C. Livadas, R. Walsh, D. Lapsley, and W. Strayer. Using machine learning technliques to identify botnet traffic

47 Related Work Host Level
E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors. Hybrid BotMiner: Clustering analysis of network traffic for protocol- and structure independent botnet detection

48 Botnet Detection Approaches
Setting up Honeynets (Honeynet Based Solutions) Network Traffic Monitoring: – Signature Based – Anomaly Based – DNS Based – Mining Based 48

49 Honeynet Based Solution
It enable us to isolate the bot from network and monitor its traffic in more controlled way, instead of waiting to be infected and then monitor the t traffic Bot execution in Honeynet test bed Monitor the traffic generated by bots Open Analysis : Provides connection to Internet More flexible than closed analysis. l 49

50 Our Implemented Approach
Honeynet Based Solution Achievements Approach Implemented Honeynet Based Bot Analysis Architecture Payload Parser Web GUI and report generation 50

51 Flowchart

52 52

53 Features Systematically collect and analyze bot traffic over internet
Provides controlled connection to Internet: rate limit the outbound connections. It uses network-based anomaly detection to identify C & C command sequences 53

54 Principal Mechanism for Botnet Detection
Bot Execution - Bot Execution in Honeynet Based Environment - Collection of Execution traces to extract C & C server information. - Complete payload sent to central server. Payload Parser - Extraction of IRC,HTTP command signatures Botnet Observation - extraction of attack,propagation scan or other attack commands - extraction of specific network patterns,secondary injections attempts Output - List of unique C & C server - Command exchanged between bot client & bot server 54

55 Botname : B14 , MD5 : a4dde6f9e4feb8a539974022cff5f92c
Experimental Result Botname : B14 , MD5 : a4dde6f9e4feb8a cff5f92c Symantec : W32.IRCBot, Microsoft : Backdoor:Win32/Poebot PASS dhzx :ftpelite.mine.nu NICK kcrbhf8wlzo USER XPUSA :o4dfmj2ctyc PING :AE645AF3 PONG AE645AF3 :ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe | PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.

56 Experimental Results: IRC
56

57 Top IRC Bot Families Captured at Distributed Honeynet System
Bot Family Number of Samples Percentage Rbot 70 6.28% Poebot.gen 32 2.87 Rbot.gen 30 2.69 IRCbot.genK 22 1.99 Poebot.BT 12 1.08 IRCbot 8 0.71 Poebot.BI 6 0.54 IRCbot.genS 4 0.35 Poebot Poebot.T

58 IRC Based Botnet Measurement
In total we could identify 99 IRC-based bot binaries ,a rate of 8.25% of the overall binaries in 12 months

59 Botnet Command and Control Server Distribution
Botnet C&C Server Info

60 Top Source IP and Ports Tejpur University Assam
Sno Source IP count 1 2 3 4 5 6 7 8 9 10 191 91 79 66 60 54 49 48 Sno Ports count 1 2 3 4 5 6 7 8 9 445 135 1434 139 80 25 3306 705 161 2571 111 42 35 12

61 Thank You

Download ppt "Distributed Honeynet System"

Similar presentations

Honeynet Introduction Tang Chin Hooi APAN Secretariat.

Honeynet Introduction Tang Chin Hooi APAN Secretariat.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.

Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
Honeypots. Building Honeypots Commercial honeypots-emulating services Specter,Honeyed,Deception Toolkit. Setting up of dedicated firewall (data control.

Honeypots. Building Honeypots Commercial honeypots-emulating services Specter,Honeyed,Deception Toolkit. Setting up of dedicated firewall (data control.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Similar presentations

Ads by Google