Introduction to Honeypot, Botnet, and Security Measurement


Introduction to Honeypot, Botnet, and Security Measurement
Cliff C. Zou, 02/07/06

What Is a Honeypot?
  Abstract definition: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Lance Spitzner)
  Concrete definition: "A honeypot is a fake vulnerable system deployed for the purpose of being attacked, probed, exploited and compromised."

Example of a Simple Honeypot
  - Install a vulnerable OS and software on a machine
  - Install monitoring or IDS software
  - Connect it to the Internet (with a globally routable IP address)
  - Wait and monitor as it is scanned, attacked and compromised
  - Finish the analysis, then wipe and rebuild the machine

Benefits of Deploying Honeypots
  - Risk mitigation: a deployed honeypot may lure an attacker away from the real production systems (an "easy target").
  - IDS-like functionality: since no legitimate traffic should go to or from a honeypot, any traffic that does appear is suspicious by definition and can trigger further action.
  - Attack analysis: find out why and how you are attacked, and what strategies the attackers use.

Benefits of Deploying Honeypots (cont.)
  - Evidence: once the attacker is identified, all captured data may be used in legal proceedings.
  - Increased knowledge: knowing how you are attacked lets you respond appropriately and prevent future attacks.
  - Research: operating and monitoring a honeypot can reveal the most up-to-date techniques, exploits and tools, as well as the internal communications of attackers and the infection and spreading techniques of worms or viruses.

Honeypot Classification
  - High-interaction honeypots: a full, working OS is provided to be attacked
      - VMware virtual environment: several virtual hosts on one physical machine
  - Low-interaction honeypots: only emulate specific network services; no real interaction, no real OS
      - Example: Honeyd
  - Honeynet / honeyfarm: a network of honeypots

Low-Interaction Honeypots
  Pros:
  - Easy to install (a simple program)
  - Low risk: there is no vulnerable software to exploit, so the attacker never gains a real system (the emulator itself still has to be kept patched)
  - One machine can support hundreds of honeypots
  Cons:
  - No real interaction is captured beyond the emulated exchange
  - Limited logging and monitoring
  - Easily detected by attackers
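The simple honeypot above and the low-interaction variant can be reduced to one idea: listen on a port, look like a service, and record what arrives without ever running it. The following is an added example of such a listener (not code from the original slides or from Honeyd). The fake banners, the payload classification rules, and the loopback-only bind are assumptions chosen for the demo; a real deployment listens on a routable address and mimics the emulated service far more carefully, because attackers fingerprint emulations.

```python
"""Minimal low-interaction TCP honeypot (added example, not the slides' code).
Sends a fake banner, records the first payload each client sends, executes nothing.
Banners, classification rules and the loopback-only bind are assumptions."""
import socket
import threading
import time
from dataclasses import dataclass

# Hypothetical banners; real deployments mimic the target service closely.
FAKE_BANNERS = {
    22: b"SSH-2.0-OpenSSH_5.3\r\n",
    25: b"220 mail ESMTP\r\n",
}


@dataclass
class Capture:
    peer: str       # attacker's IP address
    port: int       # honeypot port that was hit
    payload: bytes  # first bytes the client sent (empty for a bare connect)
    label: str      # coarse classification of the payload
    ts: float


def classify_payload(data: bytes) -> str:
    """Coarse signature-based label for a first payload (assumed rules)."""
    if not data:
        return "connect-only"            # port scan: connected, sent nothing
    head = data[:16]
    if head.startswith(b"SSH-"):
        return "ssh-client"
    if head.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in data):
        return "binary"                  # likely exploit or bot traffic
    return "text-other"


class LowInteractionHoneypot:
    """Listens on one port, sends a banner, captures the first payload."""

    def __init__(self, port=0, banner=b"", max_bytes=4096, timeout=5.0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(("127.0.0.1", port))   # loopback only for the demo
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        self.banner, self.max_bytes, self.timeout = banner, max_bytes, timeout
        self.captures = []
        self._lock = threading.Lock()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._sock.close()                 # accept() then fails and _serve ends

    def _serve(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        data = b""
        with conn:                         # connection is closed on exit
            conn.settimeout(self.timeout)
            try:
                if self.banner:
                    conn.sendall(self.banner)
                data = conn.recv(self.max_bytes)   # first payload only
            except OSError:                # timeout or reset by peer
                pass
        cap = Capture(addr[0], self.port, data, classify_payload(data), time.time())
        with self._lock:
            self.captures.append(cap)

    def wait_for(self, n, timeout=5.0):
        """Block until n captures exist (or timeout); return a snapshot."""
        deadline = time.time() + timeout
        while True:
            with self._lock:
                if len(self.captures) >= n or time.time() >= deadline:
                    return list(self.captures)
            time.sleep(0.01)


def probe(port, payload):
    """Constructed 'attacker': connect, read the banner, send one payload."""
    with socket.create_connection(("127.0.0.1", port), timeout=5.0) as s:
        s.settimeout(2.0)
        try:
            banner = s.recv(256)
        except OSError:
            banner = b""
        if payload:
            s.sendall(payload)
    return banner
```

Usage: `hp = LowInteractionHoneypot(banner=FAKE_BANNERS[22]).start()`, then point a scanner (or `probe(hp.port, b"SSH-2.0-libssh\r\n")`) at `hp.port` and read `hp.wait_for(1)`. The design choice that matters is that the handler reads exactly one buffer and closes: that is what bounds the risk of a low-interaction honeypot, and also what makes it easy to detect, since a real service would keep talking.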

High-Interaction Honeypots
  Pros:
  - Real OS: captures all attack traffic and actions
  - Can discover unknown attacks and vulnerabilities
  Cons:
  - Time-consuming to build and maintain
  - Time-consuming to analyze the attacks
  - Risk of being used as a stepping stone against other systems (outbound traffic must be contained)
  - High compute resource requirements

Honeynet
  A network of honeypots
  - High-interaction honeynet: a distributed network comprising many honeypots
      - "Collapsar: A VM-Based Architecture for Network Attack Detention Center", USENIX '04
  - Low-interaction honeynet: emulates a virtual network on one physical machine
      - Example: honeyd
  - Mixed honeynet
      - "Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm", presented next week
  Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

What Is a Botnet?
  - A network of compromised computers controlled by the attacker
  - The owners of the zombie machines typically do not know they are infected
  - Now the main source of many attacks:
      - Distributed Denial-of-Service (DDoS)
      - Extortion
      - Email spam, phishing
      - Ad fraud
      - Theft of user information: documents, keyloggers, ...

How to Build a Botnet?
  Infect machines via:
  - Internet worms, viruses
  - Email viruses
  - Backdoors left by previous malware
  - Trojan programs
  - ...
  Bots then phone home to receive commands

Botnet Architecture
  - Bot controller (the command-and-control server)
      - Usually an IRC server (Internet Relay Chat)
      - A dozen or so controllers are used for robustness
  [Figure: attacker issuing commands through the bot controller]

Botnet Monitoring
  - Hijack one of the bot controllers (a sinkhole): the DNS provider redirects the controller's domain name to the monitor
      - Still cannot cut off the botnet (there are a dozen controllers)
      - Can obtain the IP addresses of most or all bots
  - Let honeypots join the botnet
      - Can monitor all communications the bot receives
      - Gives no complete picture of the botnet as a whole

Security Measurement
  - Monitor network traffic to understand and track Internet attack activities
  - Monitor incoming traffic to unused IP space (a network telescope or darknet): nothing legitimate should arrive there
      - TCP connection requests (SYNs)
      - UDP packets
  [Figure: Internet -> monitored traffic -> unused IP space inside the local network]

Refining Monitoring
  - A TCP SYN alone is not enough (it reveals only the source IP and destination port); distinguishing different attacks needs the payload
  - Low-interaction honeypots (honeyd): reply with SYN/ACK to complete the handshake and obtain the first attack payload
      - "Internet Motion Sensor", presented next week
  - High-interaction honeypots
  - TCP reset and SYN/ACK packets arriving at unused addresses: backscatter from the victims of DoS attacks with spoofed source addresses
      - "Inferring Internet Denial-of-Service Activity", presented later
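The two slides above describe what a telescope on unused address space can separate: SYNs and UDP datagrams are probes aimed at us, while SYN/ACKs and RSTs are replies to packets we never sent, i.e. backscatter from a victim answering spoofed SYNs. The code below is an added example (not from the slides or from the papers they cite) that classifies constructed packet records accordingly and applies the sampling argument from "Inferring Internet Denial-of-Service Activity": if the attacker picks spoofed sources uniformly from the IPv4 space, the telescope sees the fraction |telescope| / 2^32 of the victim's replies. The telescope range, the sample packets and the assumption that the victim answers every spoofed packet are all constructed for the example.

```python
"""Network-telescope traffic classification (added example, not the slides' code).
Telescope range, packet records and the rate-estimate assumptions are constructed."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed: an RFC 1918 /8 standing in for an unused routed block.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    sport: int
    dport: int
    flags: str = ""   # TCP flags as letters: "S", "SA", "R", "RA"


def classify(pkt: Packet, telescope=TELESCOPE) -> str:
    """Why did this packet reach an address nobody uses?"""
    if ipaddress.ip_address(pkt.dst) not in telescope:
        return "not-telescope"
    if pkt.proto == "TCP":
        if pkt.flags == "S":
            return "scan"          # probing for live hosts/services
        if pkt.flags in ("SA", "R", "RA"):
            return "backscatter"   # reply to a SYN we never sent: DoS victim
        return "tcp-other"
    if pkt.proto == "UDP":
        return "udp-probe"         # scans or self-contained worm payloads
    return "other"


def summarize(packets, telescope=TELESCOPE):
    """Counts per class, probed (proto, port)s, and backscatter sources (victims)."""
    by_class, probed_ports, victims = Counter(), Counter(), Counter()
    for p in packets:
        c = classify(p, telescope)
        by_class[c] += 1
        if c in ("scan", "udp-probe"):
            probed_ports[(p.proto, p.dport)] += 1
        elif c == "backscatter":
            victims[p.src] += 1
    return by_class, probed_ports, victims


def estimate_attack_rate(backscatter_pkts: int, window_s: float,
                         telescope=TELESCOPE) -> float:
    """Packets/second hitting the victim, inferred from backscatter.

    Assumes uniformly random spoofed sources (so the telescope samples the
    fraction |telescope| / 2**32 of replies) and one reply per attack packet.
    Both assumptions fail for reflector attacks or rate-limited victims."""
    fraction = telescope.num_addresses / 2 ** 32
    return backscatter_pkts / fraction / window_s


# Constructed sample: one second of telescope traffic.
SAMPLE = [
    Packet("203.0.113.5", "10.4.7.1", "TCP", 40001, 445, "S"),
    Packet("203.0.113.5", "10.4.7.2", "TCP", 40002, 445, "S"),
    Packet("203.0.113.5", "10.4.7.3", "TCP", 40003, 445, "S"),
    Packet("203.0.113.9", "10.88.1.1", "UDP", 1434, 1434),
    Packet("198.51.100.7", "10.200.3.3", "TCP", 80, 51234, "SA"),
    Packet("198.51.100.7", "10.17.0.9", "TCP", 80, 52001, "SA"),
    Packet("198.51.100.7", "10.9.9.9", "TCP", 80, 53333, "RA"),
    Packet("192.0.2.44", "172.16.0.1", "TCP", 1234, 22, "S"),   # not our space
]

if __name__ == "__main__":
    by_class, ports, victims = summarize(SAMPLE)
    print(dict(by_class))
    print(ports.most_common(3))
    for victim, n in victims.items():
        print(victim, "port 80 under attack, about %.0f pps" % estimate_attack_rate(n, 1.0))
```

On the sample, three SYN/ACK and RST/ACK packets from 198.51.100.7:80 in one second through a /8 (1/256 of the address space) imply roughly 768 attack packets per second at that victim. The "scan" class still only tells you source and port, which is exactly the limitation the slide raises and why honeyd-style SYN/ACK replies are needed to see the payload.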

Remote Fingerprinting
  - Actively probe remote hosts to identify their OS, physical devices, etc.
      - Different OSes respond differently to the same probe
      - Different hardware responds differently
  - Purposes:
      - Understand the population of Internet computers
      - Correct for DHCP address churn in monitored data (the same host may appear under several IP addresses)

Data Sharing: Traffic Anonymization
  - Sharing monitored network traffic is important
      - Collaborative attack detection
      - Academic research
  - Privacy and security exposure in data sharing
      - Packet header: IP addresses and service ports are exposed
      - Packet content: more serious
  - Data anonymization
      - Change the packet header: preserve the IP prefix structure, and ...
      - Change the packet content
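"Preserve the IP prefix" means: two real addresses that share an n-bit prefix must map to two anonymized addresses that share exactly an n-bit prefix, so subnet structure survives for analysis while the addresses themselves do not. The block below is an added example (not the slides' own code, and not a particular tool's implementation) of one construction that achieves this: each output bit is the input bit XORed with a keyed pseudorandom bit that depends only on the prefix above it, the same idea Crypto-PAn-style anonymizers use. The key, the sample record and the decision to keep ports while replacing the payload by its length are assumptions for the example; the slide leaves the header treatment beyond the prefix open.

```python
"""Prefix-preserving IPv4 anonymization plus payload scrubbing (added example).
Key, sample record and the keep-ports/drop-payload policy are constructed choices."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

KEY = b"constructed-demo-key-use-32-random-bytes"   # demo only


def _prf_bit(key: bytes, prefix: str) -> int:
    """One pseudorandom bit that depends only on the address prefix seen so far."""
    return hmac.new(key, prefix.encode(), hashlib.sha256).digest()[0] & 1


def anonymize_ipv4(addr: str, key: bytes = KEY) -> str:
    """Prefix-preserving map: output bit i = input bit i XOR PRF(bits 0..i-1).

    Two inputs agreeing on the first n bits feed the PRF identical prefixes for
    those bits, so their outputs agree there; at bit n the inputs differ and the
    PRF input is still identical, so the outputs differ. Hence the common prefix
    length is preserved exactly."""
    bits = f"{int(ipaddress.IPv4Address(addr)):032b}"
    out = "".join(str(int(b) ^ _prf_bit(key, bits[:i])) for i, b in enumerate(bits))
    return str(ipaddress.IPv4Address(int(out, 2)))


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


@dataclass(frozen=True)
class Record:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def anonymize_record(rec: Record, key: bytes = KEY) -> Record:
    """Header: both IPs mapped prefix-preservingly, ports kept (assumed policy,
    since the service port is what attack detection needs). Content: replaced by
    its length, the 'more serious' exposure the slide names."""
    return Record(
        anonymize_ipv4(rec.src, key),
        anonymize_ipv4(rec.dst, key),
        rec.sport,
        rec.dport,
        b"<%d bytes removed>" % len(rec.payload),
    )


if __name__ == "__main__":
    a, b = "192.168.1.10", "192.168.1.20"           # constructed addresses
    print(a, "->", anonymize_ipv4(a))
    print(b, "->", anonymize_ipv4(b))
    print("shared prefix before/after:", common_prefix_len(a, b),
          common_prefix_len(anonymize_ipv4(a), anonymize_ipv4(b)))
    print(anonymize_record(Record(a, "203.0.113.8", 51000, 80, b"GET / HTTP/1.1\r\n")))
```

The caveat a practitioner wants: prefix preservation is itself a leak. Anyone who can inject packets with chosen source addresses into the monitored network, or who knows the real addresses of a few busy hosts, can recover the mapping for every prefix those addresses share with the rest of the trace. Keep the key secret, rotate it per released data set, and treat the anonymized trace as sensitive rather than public.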