Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Honeynets for Internet Situational Awareness Vinod Yegneswaran, Paul Barford Vern Paxson University of Wisconsin, Madison ICSI, LBNL Hotnets 2005.

Similar presentations

Presentation on theme: "Using Honeynets for Internet Situational Awareness Vinod Yegneswaran, Paul Barford Vern Paxson University of Wisconsin, Madison ICSI, LBNL Hotnets 2005."— Presentation transcript:

1 Using Honeynets for Internet Situational Awareness Vinod Yegneswaran, Paul Barford Vern Paxson University of Wisconsin, Madison ICSI, LBNL Hotnets 2005

2 2 Motivation oCurrrent tasks for security analysts oAbuse monitoring oAudit and forensic analysis oNIDS/Firewall/ACL configuration oVulnerability testing oPolicy maintenance oLiaison activities oNetwork management oEnd host management

3 3 NIDS: State of the art oPinpoint descriptions of low-level activities oSource A launched CVE-XXX against Dest B oLarge volume of alerts oToo many false alarms oVulnerable to flooding attacks / IP spoofing oContinual manual update of signatures oLack of longitudinal baseline oLack of breadth for root-cause inference

4 4 Our vision oNetwork Situational Awareness (NetSA) oDegree of consistency between ones perception of their situation and reality -- US Navy oan accurate set of information about ones environment scaled to specific level of interest -- NCOIC oElevate quality and timeliness of alerts

5 5 Our approach oDeveloping NetSA building blocks toward oAutomated incident discovery oRobust classification oReal-time event notification oForensic analysis capabilities oHoneynet situational awareness oRich source of information of large-scale malicious activity oAccurate attribution of events such as botnets, worms and misconfiguration

6 6 System structure oTunnel filter: one source -> one dest oVolume vs diversity oActive responders oNetBIOS/SMB, DCE/RPC, MS-SQL, HTTP, Dameware, MyDoom oBro Radiation-analy oCondensed protocol-aware summaries oSix-hour batches stored in MySQL backend oAdaptation oAuto-update of previously-unseen activities oSituational-analy oOrganized reports highlighting most unusual and significant events

7 7 Radiation-analy summarization oLeverage Bros protocol knowledge and attack semantics oDistill activity into high-level abstractions oQuickly validate against past history to check for previous instances oTypes of summaries oConnection profiles oSource Profiles oInfer connection-profile associations oSession Profiles oHard to summarize due to high degree of variability

8 8 Radiation-analy vs MD5 signatures

9 9 NetSA report example oFour components oNew and interesting events oHigh beta events oVery high beta events oTop 10 profiles oFor profile (p), interval (i): oBeta (p, i) = Num_sources(p, i) / Avg (num_sources(p)) across all intervals

10 10 NetSA report example oNew and interesting events No. Sources; Porttag 1 445-tcp CREATE_FILE: ``samr''; CREATE_FILE: ``webhost.exe''; CREATE_FILE: ``atsvc' oHigh beta events Beta dest_port No.sources(avg) tag 12.6 1025-tcp 494 (39.2) [exploit] (RPC request (2904 bytes)) 11.5 135-tcp 416 (36.3) [exploit] (RPC request (1448 bytes))

11 11 NetSA report example oVery high beta events (beta > 10) TAG: 1025/tcp/[exploit] (RPC request (2904 bytes)) Hour 0..5 srcs: 97, 93, 79, 74, 68, 94, src-overlaps: 0, 8, 13, 10, 8, 10, /8s: 25, 26, 19, 21, 16, 19, dsts: 103, 97, 80, 71, 76, 96, dst-overlaps: 0, 14, 12, 8, 8, 8, oTop 10 profiles Port No. Sources Tag 135-tcp 591 RPC bind: afa8bd80-7d8a-11c9-bef4-08002b10298 len=72; RPC request (24 bytes) 1025-tcp 494 [exploit] (RPC request (2904 bytes)) 135-tcp 416 [exploit] (RPC request (1448 bytes)) …

12 12 Analysis dataset oCollected from 6 months of operation on 1,280 address LBL honeynet oOperational for over a year now… oHighlights from situational-analy summaries o 4 instances of misconfiguration (3 P2P, 1 NAT box) o11 suspected botnet sweeps oNumber of sources per incident 30 – 26,000 oMS-SQL, DCE/RPC, Several NetBIOS/SMB exploits oSlammer re-emergence (350 sources) oHistorical worm data (5) oCR I, CR – reemergence, CR II, Nimda, Witty o5,500 – 155,000 sources

13 13 Situational awareness in-depth oToolkit for large-scale forensic analysis of anomalous events o9 offline statistical analyses (Worms/Botnets/Misconfig); oSource arrivals oTemporal source counts, arrival window, source interarrivals oDestination / source network coverage oDest net footprint, first-dest pref, source-net dispersion oPer-source macro-analysis o Scanning profile, target scope, lifetime oBased on hypothesized behavior

14 14 SA in-depth large scale events MisconfigBotnetWorm Source Arrivals: Temp. Src Counts Arrival Window Interarrival Sharp onset Narrow Exponential Gradual Narrow Exponential Sharp onset Wide Super-exp Coverage: Dest Footprint First-Dest Pref Src-net Dispersion Hotspot Low-medium Binomial Variable Low-medium Binomial High Src Macro-analysis: Per-source profile Target scope Source lifetimes Hotspot IPv4 Short Variable <= /8 Short Variable IPv4 Persistent

15 15 Temporal Source Counts Codered I Edonkey misconfig Wkssvc botnet

16 16 First Destination-IP preference NimdaWkssvc botnet oConsiders ordering and preference

17 17 Per-source scanning profile (100 random sources) Source ID vs dest IP Phase plot of dest IP MS-SQL botnet incident

18 18 Inferring target scope oHow broadly was a given event scoped? oWas our network specifically targeted? oAssumption: sources are not just sequentially scanning the honeynet oIDEA 1: Estimate global packet rate from change of IPID oOften cannot look at all packet pairs due to honeynet size (multiple wrap-arounds) oIDEA 2: Look at IPID spacing between retransmitted SYNs from passive traces oFor UDP look at packets arriving less than 3 secs apart oTarget scope = Honeynet size * (global rate / local rate)

19 19 Inferring target scope: Example Wkssvc (1280 addresses) multiplier ~ 10^4 13 M addresses Witty UW (8K addresses) multiplier ~ 5* 10^5 4 B addresses

20 20 Summary oObjective: Internet situational awareness oAccurate timely summaries of honeynet data oBro NetSA (radiation-analy / situation-analy) oMySQL backend oSituational in-depth statistical analyses oProvide different yet valuable perspectives on individual events oToward real time classification of events oFuture work oRefinement and extension of in-depth SA analyses oDistributed NetSA

21 21 Other arrival characteristics oArrival window oExpectation: botnets should see sharp spike in arrivals oOften not true – botnets dont have to push commands, instead zombies could poll and pull ophatbot zombies wake up every 1000 seconds to check for new commands oSource interarrivals oBots poll independently, implies their arrivals will appear to be poisson with exponential interarrivals oWorm interarrival rate should increase during the initial stages of the outbreak

22 22 Other arrival characteristics

23 23 Honeynet footprint Nimda Wkssvc botnet

Download ppt "Using Honeynets for Internet Situational Awareness Vinod Yegneswaran, Paul Barford Vern Paxson University of Wisconsin, Madison ICSI, LBNL Hotnets 2005."

Similar presentations

Ads by Google