
Local Worm Detection using Honeypots (Justin Miller, Jan 25, 2007)


1 Local Worm Detection using Honeypots
Don’t become a stat… Use HoneyStat!
Justin Miller, Jan 25, 2007

2 Original Paper
HoneyStat: Local Worm Detection Using Honeypots
By D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, H. Owen (Georgia Institute of Technology)

3 Background
- Worm detection systems
- Detection in local networks
- HoneyStat nodes
- Data collection
- Improvements in HoneyStat

4 Worm Detection
- Existing systems rely on artifacts incidental to worm infection
- Measure incoming scan rates
- Filter results for small networks
- Increase data collection
- Global monitoring centers
  - Doesn’t help local networks

5 Worm Detection
- Proposition: use honeypots to improve the accuracy of alerts (local intrusion detection)
- Honeypot: a computer system set up as a trap for attackers

6 Honeypot
- Network decoy
- Distracts attackers
- Gathers early warnings about new attacks
- Facilitates in-depth analysis of the adversary’s strategy

7 Honeypot Use
- Gather information about how human attackers operate
- Logs are labor-intensive (1:40 ratio): about a week of analysis per hour of data log
- Virtual honeypots, used to prevent OS fingerprinting

8 Honeypot Use
- Detect/disable worms (honeyd)
- Not ready for an early-warning IDS: the attack pattern must already be known
- To catch a zero-day worm, the system vulnerability must already be known

9 Worm Detection
- Worm propagation proposals: models to study worm spreading
- Early detection proposals: statistical models analyze repeated outgoing connections; worm information collected at routers

10 Objective
- Early worm detection challenges: large space to monitor; coordinated responses
- Focus on local networks: detection using local honeypots; lower false positive rate for worms

11 Infection Cycles
- Three kinds of events result from an infection: memory events, network events, disk events
- Together they describe the worm’s installation on the compromised system

12 Memory Events
- Begins with a probe for the victim, which provides a port
- Victim shell listens on port 4,444
- Honeypot acknowledges incoming packets
- Infection begins corrupting a process

13 Network Events
- Blaster shell remains open for only one connection
- Instructs the victim to download the “egg” program
- Honeypot initiates TCP or UDP traffic

14 Disk Events
- Occur after the Blaster “egg” is downloaded
- Disk writes become active after system reboot
- Not all worms have disk writes

15 Data Capture
- Most worms follow a similar cycle
- Traditional worm detection usually works at the start or end of the cycle
- Activity in the middle of the cycle can be tracked
- Intrusion detection based on scan rates has a high rate of noise

16 HoneyStat Node
- Minimal honeypot created in an emulator
- Covers a large address space
- Honeypots remain idle until a HoneyStat event occurs

17 HoneyStat Data
Data recorded includes:
- OS/patch level of the host
- Type of event
- Trace file of all prior network activity

18 HoneyStat Events
- Events are forwarded to an analysis node (usually a central server)
- Alert events are placed in a queue
- Statistical analysis is performed

19 Data Analysis
- Check whether the event corresponds to an already-active honeypot
- If so, update the previous event to include the new event
- Reset the honeypot if the event involved network events (downloading an egg or initiating outgoing scans)

20 Data Analysis
- Analysis node examines basic properties of the event
- HoneyStat event is correlated with other observed events
- Search for a worm pattern; objective: zero-day worms
- Statistical analysis identifies worm behavior
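The queue handling of slides 19 and 20 (merge events of an active honeypot, reset on a network event, then look for a pattern shared across honeypots) as an added example; this is not code from the paper, and the event fields, the sample events and the two-honeypot agreement threshold are assumptions.

```python
from dataclasses import dataclass, field

# Constructed HoneyStat events (not the paper's data). Each node reports the
# honeypot id, its OS/patch level, the event class, and the ports seen in the
# trace file of prior network activity.
@dataclass
class HoneyStatEvent:
    honeypot: str
    os_patch: str
    kind: str            # "memory", "network" or "disk"
    ports: tuple = ()    # ports seen in the prior-traffic trace

@dataclass
class AlertRecord:
    honeypot: str
    os_patch: str
    kinds: list = field(default_factory=list)
    ports: set = field(default_factory=set)

def correlate(events):
    """Analysis-node queue handling as the deck outlines it: an event on an
    already-active honeypot is merged into that honeypot's open record; a
    network event (egg download or outgoing scan) completes the record and
    resets the honeypot to idle. Returns the completed records in order."""
    active, completed = {}, []
    for ev in events:
        if ev.honeypot not in active:
            active[ev.honeypot] = AlertRecord(ev.honeypot, ev.os_patch)
        rec = active[ev.honeypot]
        rec.kinds.append(ev.kind)
        rec.ports.update(ev.ports)
        if ev.kind == "network":
            completed.append(active.pop(ev.honeypot))   # reset the honeypot
    return completed

def common_pattern(records, min_records=2):
    """Worm-pattern search over completed records: the ports present in every
    record and the event sequence they share. None until at least
    `min_records` independent honeypots agree (threshold assumed here)."""
    if len(records) < min_records:
        return None
    ports = set.intersection(*(r.ports for r in records))
    seqs = {tuple(r.kinds) for r in records}
    return {"ports": sorted(ports),
            "sequence": seqs.pop() if len(seqs) == 1 else None}

SAMPLE = [   # constructed: two honeypots hit by the same 135 -> 4444 cycle
    HoneyStatEvent("hp-1", "WinXP-SP0", "memory", (135,)),
    HoneyStatEvent("hp-2", "Win2000-SP3", "memory", (135, 139)),
    HoneyStatEvent("hp-1", "WinXP-SP0", "network", (135, 4444)),
    HoneyStatEvent("hp-2", "Win2000-SP3", "network", (135, 4444)),
    HoneyStatEvent("hp-1", "WinXP-SP0", "memory", (80,)),   # new cycle after reset
]
```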

21 Logistic Regression
- Analyzes port correlation
- Non-linear transformation of the linear regression model
- Honeypot event is dichotomous: awake (1) or asleep (0)

22 Logistic Regression
- Model is the binary expectation of the honeypot state
- j: counter for honeypot events
- i: counter for each individual port’s traffic for a specific honeypot

23 Logistic Regression
- Measures the inverse of the time between honeypot events
- The equation is re-solved after each event
- Identifies candidate ports that explain why honeypots become active
- Also finds traffic patterns
- Traffic is measured over the last 5 minutes

24 Logistic Analysis
- Estimate the $\beta_{i,j}$ coefficients (maximum likelihood estimation)
- Find the coefficients that minimize prediction error
- Find which variables significantly affect honeypot activity
- A single significant variable = ALERT!
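The logit analysis of slides 21 to 24 worked through as an added example (not the paper's code): a maximum-likelihood logistic fit of honeypot state against per-port traffic over the preceding 5 minutes, followed by a screen for the port that explains the activations. The ten sample events, the port set, the L2 penalty and the magnitude-based screen (used in place of the significance test) are assumptions.

```python
import math

# Constructed sample (not the paper's data): ten HoneyStat events, the minimum
# the deck calls for. For each event the trace file gives the number of inbound
# connections per port over the preceding 5 minutes; the label is the honeypot
# state, awake (1) or asleep (0).
PORTS = (135, 139, 445, 80)
EVENTS = [  # (counts in PORTS order, state)
    ((8, 2, 5, 3), 1), ((9, 1, 4, 5), 1), ((7, 3, 6, 2), 1),
    ((5, 2, 4, 3), 1), ((10, 0, 5, 3), 1),
    ((1, 2, 4, 3), 0), ((2, 3, 5, 5), 0), ((5, 2, 4, 3), 0),
    ((0, 2, 6, 4), 0), ((3, 3, 5, 3), 0),
]

def standardize(rows):
    """z-score each port column so coefficient magnitudes are comparable."""
    stats = []
    for col in zip(*rows):
        mean = sum(col) / len(col)
        sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        stats.append((mean, sd))
    return [[(v - m) / s for v, (m, s) in zip(r, stats)] for r in rows]

def fit_logit(events, steps=4000, lr=0.05, l2=0.1):
    """Maximum-likelihood fit of P(awake) = 1 / (1 + exp(-(b0 + sum_i b_i x_i)))
    by gradient ascent on the log-likelihood. The small L2 penalty is an
    addition here (not in the deck) that keeps the estimate finite if a
    sample happens to be perfectly separable. Returns {port: coefficient}."""
    x = standardize([counts for counts, _ in events])
    y = [state for _, state in events]
    b0, beta = 0.0, [0.0] * len(PORTS)
    for _ in range(steps):
        p = [1 / (1 + math.exp(-(b0 + sum(b * v for b, v in zip(beta, xi)))))
             for xi in x]
        resid = [yi - pi for yi, pi in zip(y, p)]          # y - P(awake)
        b0 += lr * sum(resid)
        beta = [b + lr * (sum(r * xi[i] for r, xi in zip(resid, x)) - l2 * b)
                for i, b in enumerate(beta)]
    return dict(zip(PORTS, beta))

def explaining_ports(coefs, ratio=0.5):
    """Ports whose coefficient is at least `ratio` of the largest |coefficient|:
    a magnitude screen standing in for the significance test on the slides."""
    top = max(abs(b) for b in coefs.values())
    return sorted(p for p, b in coefs.items() if abs(b) >= ratio * top)

if __name__ == "__main__":
    coefs = fit_logit(EVENTS)
    ports = explaining_ports(coefs)
    print({p: round(b, 2) for p, b in coefs.items()},
          "ALERT: one port explains the activity" if len(ports) == 1 else "no single port", ports)
```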

25 Practical Aspects
- Properly identify worm outbreaks
- Low false positive rate
- Sample data from 6 honeypots active during the Blaster worm

26 Worm Detection

27 Worm Detection

28 Worm Detection Logit Analysis of Multiple HoneyStat Events

29 Worm Detection
- Scans on ports 135, 139, 445
- No test can focus on 135 alone
- Leads to a pattern for one worm
- Requires 10 sample events; not sure of the effective sample size

30 Benefits
- Accurate data stream: events result from a successful attack
- Reduces the amount of data to process
- Detects zero-day worms
- Detects the ports worms enter and exit through
- Finds presence and also explains worm activity

31 False Positives
- Identifying the wrong network traffic: a worm is present, but HoneyStat identifies the wrong source
- Repeated human break-ins could be identified as a worm
- Disregards manual break-ins, which are more dangerous than robotic worms

32 Sample Data
- Tested HoneyStat on the Internet
- Injected a worm attack at Georgia Tech
- Log from a random sample of 250+ synthetic honeypot events
- 0 false positives

33 HoneyStat as IDS
- Low false positive rate
- Good for local IDS
- Effectively detects worms using random scan techniques, since they will attack the honeypots

34 HoneyStat as IDS
- What about non-random worms?
- $\Omega$ = entire IPv4 space ($2^{32}$)
- $T$ = number of potential victims
- $N$ = total vulnerable machines
- $n_t$ = number of victims at time $t$
- $s$ = scan rate

35 HoneyStat as IDS
- $k_{i+1} = s\,n_i T/\Omega$: number of scans entering space $T$ at time $i+1$
- $P = 1 - (1 - 1/T)^{k_{i+1}}$: probability of a host being hit

36 HoneyStat as IDS
- Worm propagation equation: $n_{i+1} = n_i + [N - n_i]\left(1 - (1 - 1/T)^{s n_i T/\Omega}\right)$
- $T$ and $\Omega$ are big (so $(1 - 1/T)^{k} \approx 1 - k/T$), reducing to $n_{i+1} = s\,n_i/\Omega$, the same as previous models

37 HoneyStat as IDS

38 HoneyStat as IDS
- Machines can be multihomed; each searches hundreds of IP addresses
- Local early worm detection with $D = 2^{11}$, $\alpha = 0.25$: first victim found after 0.19% of vulnerable hosts are infected
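The propagation model of slides 34 to 38 carried into a simulation, as an added example (not the paper's code): it iterates $n_{i+1} = n_i + [N - n_i]\,P$ with $P = 1 - (1 - 1/T)^{k_{i+1}}$ and reports how far the worm has spread when a locally monitored block of $D$ honeypot addresses is expected to see its first scan. $\Omega = 2^{32}$ and $D = 2^{11}$ come from the slides; the population size, scan rate, $T = \Omega$ and the mean-value rule "first hit after $\Omega/D$ scans" are assumptions, so the resulting fraction differs from the 0.19% on the slide.

```python
import math

OMEGA = 2 ** 32          # Ω: the entire IPv4 space, as on the slides

def hit_probability(n_i, s, T, omega=OMEGA):
    """P that a given host among the T potential victims is hit in one step:
    k_{i+1} = s n_i T / Ω scans enter the space and P = 1 - (1 - 1/T)^k.
    expm1/log1p keep P accurate when k/T is tiny."""
    k = s * n_i * T / omega
    return -math.expm1(k * math.log1p(-1.0 / T))

def propagate(N, s, T, n0=1, max_steps=200_000, omega=OMEGA):
    """Worm propagation from the slides, n_{i+1} = n_i + [N - n_i] * P, with
    one step per second (s is scans per infected host per second). Yields n_i."""
    n = float(n0)
    for _ in range(max_steps):
        yield n
        n += (N - n) * hit_probability(n, s, T, omega)

def first_local_hit(N, s, T, D, omega=OMEGA):
    """Fraction of vulnerable hosts already infected when a locally monitored
    block of D honeypot addresses is expected to see its first random scan.
    Each scan lands in the block with probability D/Ω, so the first hit is
    expected after Ω/D cumulative scans (mean-value approximation assumed here)."""
    threshold = omega / D
    cumulative = 0.0
    for step, n in enumerate(propagate(N, s, T, omega=omega)):
        cumulative += s * n
        if cumulative >= threshold:
            return {"step": step, "infected": n, "fraction": n / N}
    return None

if __name__ == "__main__":
    # Constructed parameters: a Blaster-sized population of N = 360,000 hosts,
    # s = 11 scans/s, T = Ω (the whole space is scanned); D = 2^11 as on the slides.
    for D in (2 ** 11, 2 ** 16, 2 ** 20):
        r = first_local_hit(N=360_000, s=11, T=OMEGA, D=D)
        print(f"D = 2^{int(math.log2(D))}: first hit at step {r['step']}, "
              f"{r['fraction']:.4%} of vulnerable hosts infected")
```

A larger monitored block D sees its first hit earlier, which is the local early-detection argument of the slide in numbers.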

39 Contributions
- Statistical techniques used in worm detection
- Previously applied time-series-based statistical analysis
- Logistic regression detects worm outbreaks

40 Weakness
- Honeypot evasion: attackers have worms detect and avoid honeypot traps
- Attackers make observations about the victim’s machine
- Effective sample size unknown

41 Improvements
- Reduce the traffic window measured for logistic regression to under 5 minutes, so that more recent network events are studied
- Improve quality of data
- Avoid linear identification of multiple worms: best-subsets logistic regression
- Study the effective sample size

42 Conclusion
- Further research for local IDS
- Logistic regression detects worm outbreaks
- Honeypots create accurate alerts
- 3 classes of events: memory, disk, network
- Logit analysis eliminates noise
- Extensive data traces identify worm activity

43 Questions?

