
Slide 1: Wormholes and a Honeyfarm: Automatically Detecting Novel Worms (and other random stuff)
Nicholas Weaver (UC Berkeley), Vern Paxson (ICIR), Stuart Staniford (Silicon Defense)

Slide 2: Problem: Automatically Detecting New Worms
Detect a new worm on the Internet before many machines are infected
  – Use this information to guide defenses
  – 30-60 seconds to detect (and stop) Slammer
Honeypots are accurate detectors
  – Monitor egress to detect worms
  – k vulnerable honeypots will detect a worm when ~1/k of the vulnerable machines are infected
  – But impractical
      Cost: time, not machines
      Trust: must trust all honeypots!
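An added Monte Carlo check (not from the slides) of the "k honeypots detect at ~1/k infected" estimate. The random-scanning worm model is a constructed simplification, explained in the code: only scans that land on a vulnerable address are drawn, uniformly over the real vulnerable hosts plus the k honeypots.

```python
import random


def infected_at_detection(vulnerable, honeypots, rng):
    """Simulate a random-scanning worm until one scan lands on a honeypot.

    Constructed model (added here, not from the slides): only scans that hit
    a vulnerable address matter, and each such scan picks one of the
    vulnerable + honeypots addresses uniformly. A hit on a real host
    infects it (re-hits are harmless); the first hit on any honeypot is the
    detection event, since the honeypot's egress is what gets monitored.
    Returns the number of distinct real hosts infected at that moment.
    """
    infected = set()
    total = vulnerable + honeypots
    while True:
        target = rng.randrange(total)
        if target >= vulnerable:          # landed on one of the k honeypots
            return len(infected)
        infected.add(target)


def mean_infected_fraction(vulnerable, honeypots, trials=300, seed=1):
    """Average fraction of vulnerable hosts already infected when detection fires."""
    rng = random.Random(seed)
    total = sum(infected_at_detection(vulnerable, honeypots, rng) for _ in range(trials))
    return total / trials / vulnerable


def predicted_fraction(honeypots):
    """The slide's estimate: k honeypots detect when ~1/k of vulnerable hosts are infected."""
    return 1.0 / honeypots


if __name__ == "__main__":
    V = 10_000                               # constructed population size
    for k in (10, 100, 1000):
        print(f"k={k:5d}  simulated={mean_infected_fraction(V, k):.4f}"
              f"  predicted={predicted_fraction(k):.4f}")
```

The simulated fraction tracks 1/k closely; what it also makes visible is the slide's "impractical" point, since pushing detection earlier means fielding (and trusting) proportionally more honeypots.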

Slide 3: Idea: Split the Network Endpoints from the Honeypots
Wormholes are traffic tunnels
  – Route connections to a remote system
  – Untrusted endpoints
Honeyfarm consists of Virtual Machine honeypots
  – Create virtual honeypots on demand (see honeynet.org)
  – Route internally generated traffic to other images
  – Classify based on what can be infected

Slide 4: How Wormholes Work
Low cost "appliance":
  – Plugs into network, obtains address through DHCP
  – Contacts the Honeyfarm
  – Reconfigures local network stack to fool nmap-style detection
  – Forwards all traffic to/from the Honeyfarm
Clear Box:
  – Deployers have source code
  – Restrictions built into the wormhole code so it doesn't trust the honeyfarm: it can't contact the local network!
Instead of, or in addition to, wormholes one can...
  – Route small telescopes to the honeyfarm
  – Route ALL unused addresses in an institution...

Slide 5: How a Honeyfarm Works
Creates Virtual Machine images to implement Honeypots
  – Using VMware or similar
  – Images exist "in potential" until traffic received
  – Niels Provos suggested: use honeyd as a first-pass filter; completes the illusion that a honeypot exists at every wormhole location
Any traffic received from a wormhole:
  – Activate and configure a VM image
  – Forward traffic to the VM image
Honeypot-image-generated traffic is monitored and redirected
[Figure: a wormhole at IP aa.bb.cc.dd tunnels to the Honeyfarm, which hosts VM images at IPs xx.xx.xx.xx, aa.bb.cc.dd and aa.bb.cc.ee]

Slide 6: What Could We Automatically Learn From a Honeyfarm?
A new worm is in the Internet
  – Triggered based on ability to infect VMs
What the worm is capable of
  – Types of vulnerable configurations, including patch level; creates a "Vulnerability Signature"
  – Some overt, immediate malicious behavior (immediate file erasers etc.)
  – Possible attack signatures
Works best for tracking:
  – Human attackers
  – Scanning worms: slow enough to react effectively; randomness hits wormholes

Slide 7: What Trust is Needed?
Wormhole deployers:
  – Need to trust wormhole devices, not the honeyfarm operator
Honeyfarm operator:
  – Attackers know of some wormholes, but most are generally unknown; wormhole locations are "open secrets"
  – Does not trust wormhole deployers: detection is based on infected honeypots, not traffic from a wormhole, so dishonest wormholes are filtered out
Responding systems receiving an alert:
  – Either the honeyfarm and operator are honest and uncompromised
  – OR rely on multiple, independent honeyfarms all raising an alarm ("If CERT and DOD-CERT say...")
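An added illustration (not the authors' code) covering the honeyfarm flow of slide 5 and the trust argument of slide 7: a constructed Python model in which images are activated on demand, image-originated traffic is redirected inside the farm, and an alert can only come from infected images, so a wormhole sending bogus traffic cannot raise one. The reply-versus-unsolicited egress rule, the config labels and the alert threshold are assumptions.

```python
class Honeyfarm:
    """Constructed model of the slides' honeyfarm (added here; not the authors' code).
    Images exist 'in potential' until a wormhole forwards traffic; traffic a VM image
    originates is monitored and redirected to other images, never to the Internet;
    alerts derive only from infected images, never from what a wormhole forwards."""

    def __init__(self, image_config, alert_threshold=2):
        self.image_config = image_config   # assumed: image IP -> config label (OS / patch level)
        self.alert_threshold = alert_threshold
        self.images = {}                   # activated images, keyed by the IP they impersonate
        self.redirected = []               # (source image, intended destination) kept in-farm

    def _activate(self, ip):
        return self.images.setdefault(ip, {"peers": set(), "unsolicited_out": 0})

    def inbound_from_wormhole(self, wormhole_ip, src_ip):
        """Tunnelled traffic arrives: activate the image on demand and forward it."""
        self._activate(wormhole_ip)["peers"].add(src_ip)

    def egress_from_image(self, image_ip, dst_ip):
        """Egress monitor. Assumption: a reply to a host that contacted the image is
        benign; a connection to any other address is evidence the image is infected."""
        img = self.images.get(image_ip)
        if img is None:
            return "dropped"               # a never-activated image cannot emit anything
        if dst_ip in img["peers"]:
            return "reply"
        img["unsolicited_out"] += 1
        # containment: deliver to another image (activated on demand), not to dst_ip itself
        self.redirected.append((image_ip, dst_ip))
        self.inbound_from_wormhole(dst_ip, image_ip)
        return "redirected"

    def infected_images(self):
        return sorted(ip for ip, img in self.images.items() if img["unsolicited_out"])

    def vulnerability_signature(self):
        """Configurations the worm managed to infect (slide 6's 'vulnerability signature')."""
        return sorted({self.image_config.get(ip, "unknown") for ip in self.infected_images()})

    def alert(self):
        return len(self.infected_images()) >= self.alert_threshold


def demo():
    farm = Honeyfarm({"10.0.0.5": "win2k-sp2", "10.0.0.9": "win2k-sp4"})  # constructed
    for _ in range(50):                    # a dishonest wormhole floods the farm with "attacks"
        farm.inbound_from_wormhole("10.0.0.5", "198.51.100.7")
    lie_alert = farm.alert()               # still False: inbound traffic alone never alerts
    farm.egress_from_image("10.0.0.5", "10.0.0.9")     # image contacts a stranger: infected
    farm.egress_from_image("10.0.0.9", "10.0.0.200")   # the redirected copy infects a 2nd image
    return lie_alert, farm.alert(), farm.infected_images(), farm.vulnerability_signature()
```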

Slide 8: Status and Acknowledgements
Status: paper design
  – Idea, attacks, costs, development time
  – Lots of attacks on the honeyfarm system and possible defenses
  – Plan to build the honeyfarm first, attached to a small telescope
  – Wormholes can be built for <$350, no moving parts, 50 Watts power, in quantity 1
Acknowledgements:
  – Honeypot technology: Honeynet project, honeyd, DTK
  – Feedback from many people: Stefan Savage, David Moore, David Wagner, Niels Provos, and many others

Slide 9: Random Slide: 1 Gb (ASAP), 10 Gb (+2-3 years)
Need wiring-closet defenses:
  – As close to the endpoint as possible; need to be reprogrammable
  – <$1000 for GigE today (build for $500); optical ideal, +$100 for 1000-base-T
  – <$2000 for 10GigE in 2-3 years (build for $1000)
  – New FPGAs with SERDESes, embedded processors, massive parallelism and pipelining
[Figure: block diagram of an FPGA with DIMM, SX transceiver and two 1000-BaseT PHYs]

Slide 10: Random Slide: Colonel John R. Boyd's OODA "Loop"
Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window. Also note how the entire "loop" (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection. From "The Essence of Winning and Losing," John R. Boyd, January 1996.
[Figure: Boyd's OODA loop diagram (Observe, Orient, Decide (Hypothesis), Act (Test)) with feed-forward, implicit guidance & control and feedback paths; Orient draws on cultural traditions, genetic heritage, new information, previous experience, and analyses & synthesis; observation takes in outside information, unfolding circumstances and unfolding interaction with the environment. From Defense and the National Interest, http://www.d-n-i.net, copyright 2001 the estate of John Boyd, used with permission.]

Slide 11: Random Slide: What is the OODA loop?
The OODA (Observe, Orient, Decide, Act) cycle was designed as a semi-formal model of adversarial decision making
  – Really a complex nest of feedback loops
  – Originally designed to represent strategic and tactical decision-making
Implicit shortcuts are critical in human-based systems
  – Every participant or group has its own OODA loop
Attack the opponent's decision making process
  – Avoid/confuse/manipulate the opponent's observation/detection: stealthy worms
  – Take advantage of errors in orientation/analysis: not yet, but will begin to happen!
  – Move faster than the opponent's reaction time: why autonomous worms outrace "human-in-the-loop" systems
Reactive worm defenses need fully-automated OODA loops
The fastest accurate OODA loop usually wins

Slide 12: Random Slide: Automated OODA Loops
Since both the worms and worm-defense routines are automatic while a fast worm is spreading, the OODA loops are much simpler
  – No implicit paths; everything is now explicit
  – Orientation and decision making are combined
  – Communication is also made explicit
  – The OODA loops are shaped by the designer's goals, objectives, and skills
Observation is often critical for both sides
[Figure: automated OODA loop: passive, local and active observation feeds a combined Orient/Decide stage (automatic decision making), which controls actions; control information, control feedback, interaction with the environment and communication paths are shown]
