
HoneyComb: Automated IDS Signature Generation using Honeypots. Prepared by LIW JIA SENG 124862. Supervisor: AP. Dr. Mohamed Othman.


1 HoneyComb: Automated IDS Signature Generation using Honeypots. Prepared by LIW JIA SENG 124862. Supervisor: AP. Dr. Mohamed Othman

2 Introduction
- Honeycomb is a system for the automated generation of signatures for network intrusion detection systems (NIDSs).
- It applies protocol analysis and pattern-detection techniques to traffic captured on honeypots.
- Honeycomb is good at spotting worms.

3 Problem Statement
- Manual creation of intrusion detection signatures is a tedious, inefficient process.
- There are more and more malware variants, and self-propagating malware can spread very rapidly.
- We need fast, automatic detection.

4 Objective
- To extend the open-source honeypot honeyd with the Honeycomb plug-in.
- To deploy Honeycomb in a real environment.
- To evaluate Honeycomb in a controlled environment.
- To measure system performance and the quality of the generated signatures.

5 Scope
- Re-implement the research on automated generation of attack signatures for NIDSs using honeypots.
- Set up a honeypot system extended with Honeycomb.
- Conduct experiments on the system.
- Measure system performance.

6 Literature Review
- Internet Worms:
  - Worm propagation behavior
  - Morris Worm
  - Code Red I
  - Code Red II
  - SQL Slammer
  - Nimda

7 Literature Review
- Intrusion Detection Systems:
  - Signature based
  - Anomaly detection
  - Snort
  - Bro
- Related Works:
  - Sweetbait
  - PAYL
  - Autograph

8 Honeycomb Architecture

9 Signature Creation Algorithm

10 Pattern Detection: Horizontal detection
- Compares all messages at the same depth (i.e. the n-th message of each connection).
- Messages are passed in pairs as input to the LCS (longest common substring) algorithm.

11 Pattern Detection: Vertical detection
- Concatenates the several messages of a connection into one string.
- Compares this with the corresponding concatenated string of another connection, so patterns spanning message boundaries are found.

12 Signature Lifecycles
- Relational operators on signatures:
  - sig1 = sig2: all elements equal
  - sig1 ≠ sig2: elements differ
  - sig1 ⊂ sig2: sig1 contains a subset of sig2's facts
- Pool update rules for a new signature:
  - sig_new = sig_pool: sig_new ignored
  - sig_new ≠ sig_pool: sig_new added
  - sig_new ⊂ sig_pool: sig_new added
  - sig_pool ⊂ sig_new: sig_new augments sig_pool
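The following is an added illustration of slides 10 to 12 and is not Honeycomb's own code (Honeycomb is a C plug-in for honeyd that uses suffix trees for the LCS step; a dynamic-programming longest common substring is used here instead because it is short and gives the same result). The two constructed connections, the minimum pattern length, the fact-set representation of a signature and the `snort_content` formatter are assumptions of this example:

```python
"""Horizontal/vertical LCS pattern detection and signature-pool relations
(slides 10-12), illustrated in plain Python.  Example code, not Honeycomb's."""
from dataclasses import dataclass

# Assumed minimum length for a useful pattern (not Honeycomb's real setting).
MIN_PATTERN_LEN = 8


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest common substring of two byte strings (DP, O(len(a)*len(b)))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def _pairwise_patterns(msgs: list[bytes]) -> set[bytes]:
    """Run LCS over every pair and keep matches above the length threshold."""
    found = set()
    for i in range(len(msgs)):
        for j in range(i + 1, len(msgs)):
            lcs = longest_common_substring(msgs[i], msgs[j])
            if len(lcs) >= MIN_PATTERN_LEN:
                found.add(lcs)
    return found


def horizontal_detection(streams: list[list[bytes]], depth: int) -> set[bytes]:
    """Slide 10: compare the messages that sit at the same depth of each flow."""
    return _pairwise_patterns([s[depth] for s in streams if len(s) > depth])


def vertical_detection(streams: list[list[bytes]]) -> set[bytes]:
    """Slide 11: concatenate each flow's messages, then compare the strings."""
    return _pairwise_patterns([b"".join(s) for s in streams])


@dataclass(frozen=True)
class Signature:
    """A signature as a set of facts (header facts plus content strings)."""
    facts: frozenset


class SignaturePool:
    """Slide 12 rules: equal -> ignored; pool sig is a strict subset of the new
    one -> pool entry augmented; otherwise (differs or is a subset) -> added."""

    def __init__(self):
        self.sigs: list[Signature] = []

    def add(self, new: Signature) -> str:
        for idx, old in enumerate(self.sigs):
            if old.facts == new.facts:
                return "ignored"
            if old.facts < new.facts:        # sig_pool is a subset of sig_new
                self.sigs[idx] = new
                return "augmented"
        self.sigs.append(new)                # sig_new differs or is a subset
        return "added"


def snort_content(pattern: bytes) -> str:
    """Render bytes in Snort content syntax, non-printables as |hex| runs,
    in the style of the rules shown on the later slides."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in pattern:
        if 32 <= b < 127 and chr(b) not in '|"\\;':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(out)


# Constructed sample: two honeypot connections, two messages each.
STREAMS = [
    [b"GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0\r\n", b"Host: 10.2.0.5\r\n"],
    [b"GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0\r\n", b"Host: 10.2.0.9\r\n"],
]

if __name__ == "__main__":
    for pat in sorted(horizontal_detection(STREAMS, 0)):
        print(f'alert tcp any any -> 10.2.0.0/24 80 (msg: "Honeycomb example"; '
              f'content: "{snort_content(pat)}"; )')
```

Running the block prints one rule whose content is the shared request line; `horizontal_detection(STREAMS, 1)` returns only the common `Host: 10.2.0.` prefix, which is the kind of over-general pattern the later "Discussion" slides warn about when legitimate traffic reaches the honeypot.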

13 System Framework

14 HoneyComb Network Diagram

15 Experiments
- Controlled Environment Experiments: evaluate the effectiveness and the quality of the worm signatures created by HoneyComb.
- Live Traffic Experiments: determine what kinds of signatures HoneyComb generates in a real traffic environment.

16 Controlled Environment Experiments

17
- TCP worm: Code Red II
- UDP worm: SQL Slammer
- Actual worm packet payloads were used.
- Worm packets were sent from a compromised host to the HoneyComb machine.

18 Controlled Environment Experiments

19
- Result: TCP worm, Code Red II
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 13h51m47 2007 "; )
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 14h21m47 2007"; flags: PA+; flow: established; content: "GET/default.ida?XXXX XX XX (...) 00|CodeRedII|…"; )

20 Controlled Environment Experiments
- Result: UDP worm, SQL Slammer
alert udp 192.168.1.15/32 256 -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01(...)|Qh.dllhel32hkernQhounthickChGetT f| (…) D6 EB|"; )

21 Controlled Environment Experiments
- A comparison of the signature content with the worm payload sent to the honeypots shows that HoneyComb generates good-quality signatures in a controlled environment.
- HoneyComb is able to detect the TCP and UDP worms efficiently.

22 Live Traffic Experiment

23
- Generated Signatures:
  - 18,288 signatures were generated by HoneyComb.
  - 9,473 signatures contained flow content strings.
  - HoneyComb was able to generate the Slammer signatures precisely.
  - No Code Red II signature was created, since that worm was reported dead in October 2001.

24 Live Traffic Experiment
- Generated Signatures:
alert udp any any -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf| B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08"; )

25 Live Traffic Experiment
- Generated Signatures (content of signature 908):
alert tcp any any -> 10.2.0.0/24 80,135,8080 (msg: "Honeycomb Thu Apr 19 05h28m19 2007 "; flags: FRAU21!; flow: established; content: "CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D 0A|HTTP/1.1 400 Bad Request|0D 0A|Server: Microsoft-IIS/5.0|0D 0A|Date: Tue, 17 Apr 2007 03:57:30 GMT|0D 0A|Content-Type: text/html|0D 0A|Content-Length: 87|0D 0A 0D 0A| Error The parameter is incorrect. CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D|"; )

26 Honeycomb Performance Benchmarking

27 Discussion
- HoneyComb v0.7 compiled with Honeyd v1.5b without error, but produced strange and useless results when run.
- The source code in hc_udp.c and hc_tcp.c was modified and recompiled to fix this problem.

28 Discussion -- Problems
- Unable to generate signatures for polymorphic worms.
- Honeycomb can be fooled by attackers into generating signatures for legitimate traffic.
- Consumes a large amount of memory to perform packet pattern matching.
- Signature state is lost when the system restarts, so the same signatures are generated again.

29 Conclusion
- HoneyComb's pattern-matching worm detection mechanism is able to produce good-quality signatures for worms.
- Signatures created by HoneyComb can be converted into a format suitable for both the Snort and Bro NIDSs.

30 Conclusion
- Honeypots offer an offensive approach to intrusion detection and prevention.
- HoneyComb suggests that automated signature creation on honeypots is feasible and effective.
- This automated signature creation system is a first step towards integrating honeypots more closely into security infrastructure.

31 Future Works
- Reduce the effort HoneyComb spends per arriving packet.
- Address the drawback that no signatures can be generated for polymorphic worms.
- Provide a better tool to analyze the signatures created.
- Extend the existing HoneyComb architecture to IPv6.

32 Question and Answer

33 Thank You
