
Investigation and Evaluation of Systems for Generating Automatic Alerts Using Honeynet Data Master’s Thesis Seminar Presentation 9.8.2005 Esko Harjama.


Slide 1: Investigation and Evaluation of Systems for Generating Automatic Alerts Using Honeynet Data
Master's Thesis Seminar Presentation, 9.8.2005, Esko Harjama

Slide 2: Contents
- Background
- Problem statement & methodology
- Introduction
- Alerting issues
- Automatic isolation function
- Evaluation
- Prototyping
- Results & conclusions

Slide 3: Background
- Supervisors: Prof. Jörg Ott (Netlab), Prof. Guillaume Urvoy-Keller (Eurecom)
- Instructor: M.Sc. Idar Kvernevik (F-Secure Oyj)
- Carried out as a project for F-Secure

Slide 4: Problem Statement
- Honeynets gather information on illicit network traffic and attacks against Honeynet computers
- These attacks need to be recognized and investigated
- Since 24/7 system monitoring is not practical, an effective alerting system is required to complement monitoring processes
- The problem is:
  - How to implement alerting
  - Where to deploy it
  - What information and rules should be used to decide when to trigger alerting
  - Is there a need to isolate the computer in addition to alerting, and in what cases

Slide 5: Methodologies used
- Literature study: IDS, Honeypot and alerting background; investigation of existing tools and methods for alerting
- Evaluation: evaluation of the pre-selected tools based on criteria
- Prototyping: prototyping the selected solution in the reference environment; analysis of the results

Slide 6: Introduction: Intrusion Detection Systems, Honeypots
IDS
- Monitors network traffic and reports on specified behavior
- IDS process: capture, analysis, classification, report, reaction
- Example: Snort, a popular open-source IDS based on pattern matching
Honeypot
- Computers placed in the network to "lure" attackers
- Networks of Honeypots form "Honeynets"
- Offer information on specific attacks and statistics
- Example project: Honeynet.org alliance

Slide 7: Alerting issues
- Alert response processes: push/pull ideology; false positives/negatives
- Alerting approaches: log file vs. database monitoring
- Information sources: Snort alerts, gateway syslog/iptables logs, upstream end-user data, remote Honeynets
- Alerting tools: Snort tools (reporting, configuration, "alerting"); log-monitoring applications
- Alerting methods: log, email, SMS, etc.

Slide 8: Automatic Isolation Function
Reasoning
- Prevents further attacks from the compromised computer against 3rd parties
- Prevents the attacker from erasing any attack methods and details from the computer
- Prevents undesired actions inside the Honeynet
Conditions for isolation
- Trend increase in the number of attacks/packets
- Specific, defined attack behavior
Possible points of isolation
- Gateway
- Host

Slide 9: Reference Honeynet Setup

Slide 10: Evaluation results

Slide 11: Selected tool: Simple Event Correlator (SEC)
- Selected because of its flexibility in configuration; its features suit our needs well, and the lack of a GUI is the only downside
- SEC is a Perl program for log monitoring, run from the shell
- Flexible rule structure based on regular expressions
- Complemented with PigSentry for new-alert and trend-increase monitoring
- Output can also be piped to log, email and SMS

Slide 12: Prototyping
- At the moment, SEC and PigSentry have been running in the reference setup for a couple of weeks, monitoring Snort and PigSentry logs
- Alerts on: Snort high-priority alerts; new alerts and trend increases (PigSentry)
- Trend increases in particular are useful
- Special alert conditions can also be added
- It looks like alerting requires thresholding in all cases: in case of a compromise, alerts quickly escalate and create lots of alerts
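The two alert conditions on this slide (Snort high-priority alerts, trend increases) together with the thresholding the slide says is needed, as an added example in Python rather than SEC's Perl rule syntax. It is not code from the thesis; the Snort fast-format alert lines it processes are constructed, the signature ids in them are placeholders, and the 3x-per-minute trend factor is an assumed threshold.

```python
import re
from collections import defaultdict

# Snort "fast" alert-line layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: N] {proto} src[:port] -> dst[:port]
SNORT_FAST = re.compile(
    r'^\d\d/\d\d-(?P<hh>\d\d):(?P<mm>\d\d):\d\d\.\d+\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+'
    r'\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?')

class HoneynetAlerter:
    """Rule 1: one alert per minute per (source, signature) for priority <= max_prio;
    rule 2: one trend alert per minute whose volume exceeds factor x the previous minute's."""
    def __init__(self, max_prio=1, factor=3):
        self.max_prio, self.factor = max_prio, factor
        self.seen = defaultdict(int)    # (minute, src, sid) -> repeat count
        self.volume = defaultdict(int)  # minute -> total alert lines seen
        self.order, self.trended, self.alerts = [], set(), []

    def feed(self, line):
        m = SNORT_FAST.match(line)
        if not m:
            return None                 # not a Snort fast-format line
        minute = f"{m['hh']}:{m['mm']}"
        if minute not in self.volume:
            self.order.append(minute)
        self.volume[minute] += 1
        out = []
        if int(m['prio']) <= self.max_prio:           # rule 1: report first hit, count repeats
            key = (minute, m['src'], m['sid'])
            self.seen[key] += 1
            if self.seen[key] == 1:
                out.append(f"HIGH {m['src']} -> {m['dst']} {m['msg']}")
        if len(self.order) >= 2 and minute not in self.trended:   # rule 2: trend increase
            prev = self.volume[self.order[-2]]
            if self.volume[minute] > self.factor * prev:
                self.trended.add(minute)
                out.append(f"TREND {minute}: {self.volume[minute]} alerts vs {prev} in {self.order[-2]}")
        self.alerts.extend(out)
        return out

def sample_log():
    """Constructed lines (not thesis data): two priority-1 hits from one source in 12:00, then eight pings in 12:01."""
    hi = "08/09-12:00:{0:02d}.000000  [**] [1:1000001:1] WEB hypothetical signature [**] [Classification: Web Application Attack] [Priority: 1] {{TCP}} 10.0.0.5:4000{0} -> 192.168.1.10:80"
    ping = "08/09-12:01:{0:02d}.000000  [**] [1:1000002:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {{ICMP}} 10.0.0.9 -> 192.168.1.10"
    return [hi.format(s) for s in range(2)] + [ping.format(s) for s in range(8)]

def run(lines):
    """Feed lines through one alerter and return every alert raised, in order."""
    alerter = HoneynetAlerter()
    return [a for line in lines for a in (alerter.feed(line) or [])]
```

Ten input lines produce two alerts: the repeated priority-1 hit is reported once, and the ping burst in the second minute raises a single trend alert instead of eight low-priority ones.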

Slide 13: Results & Conclusions (so far)
- The selected method works for alerting purposes and is fairly flexible for using all kinds of data and different output methods
- Defining the monitoring processes and the conditions for triggering alerts is problematic
- External alerting features are useful in the Honeynet setup, but tuning of the alerting rules is important
- The isolation function also depends on the definition of the triggering conditions and needs more investigation
- More information on the Honeynet events is needed to better configure the set of rules → test period ongoing

Slide 14: Questions?

