6th Annual Workshop on the Teaching Computer Forensics
Enhancing the Experience in Network Incident Investigations
Dr. Jianming Cai ([email protected]), Ms. Angeliki Parianou ([email protected]), and
Ms. Bo Li ([email protected])
Faculty of Computing, London Metropolitan University
Topics
• Network incident investigation
• Experiment in real world
• The experimental platform
• Platform test
• Forensic evidence collected/analysis
• Summary
Network Incident Investigation
• Network Forensics is driven by:
– network-centric computing
– the growing popularity of the Internet at home
– data that is available outside of the disk-based digital evidence
• It is carried out as a standalone investigation or alongside a computer forensics analysis (to reveal links between digital devices or to reconstruct how a crime was committed).
• Investigators often have to rely on packet filters, firewalls, and intrusion detection systems that were set up to anticipate breaches of security. The data is far more volatile and unpredictable than disk-based evidence: what was not captured at the time is gone.
• When investigating a network intrusion, the investigator and the attacker are often of similar skill level, whereas in other areas of digital forensics the investigator is usually the more highly skilled party.
Experiment in the Real World
• There is therefore an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.
• Institutions' security policies restrict students from practising Network Forensics on real-world networks.
• Network Forensics exercises therefore often have to rely on case studies extracted from textbooks.
• A platform which enables students to practise network incident investigation on real-life cases is desirable.
The Experimental Platform
• The platform we developed is composed of a low-interaction honeypot and a rule-based IDS.
• The software packages employed are Honeyd and Snort.
• On this platform, students can analyse malicious activities, collect evidence, and launch incident investigations.
Network Topology of the Platform
[Figure: the "Network Forensics" Lab connected to the Institutional Network]
Advantages of the Platform
• Relatively independent of the institution's network servers, so it does not raise issues with the institution's network security and administration policies.
• Gathers network forensic information, lets students investigate real-life cases, and collects the evidence needed for apprehension and prosecution of network intruders.
• The software employed in the platform is freely available for students' home use, i.e. it is low cost and flexible in practice.
The Deployed Honeyd (with eight virtual honeypots)
Honeyd host: 195.251.161.147
Arpd daemon: answers ARP for 195.251.161.180 - 195.251.161.187, behind the router
Virtual honeypots:
– 195.251.161.180  Microsoft Windows XP Professional SP1
– 195.251.161.181  Cisco IOS 11.3-12.0(11)
– 195.251.161.182  Linux Kernel 2.4.20
– 195.251.161.183  Microsoft Windows XP Professional SP1 (Mydoom vulnerable)
– 195.251.161.184  Microsoft Windows XP Professional SP1
– 195.251.161.185  Sun Solaris 9 (relay server)
– 195.251.161.186  Linux Kernel 2.4.20
– 195.251.161.187  Microsoft Windows Server 2003
Arpd: a daemon that listens to ARP (Address Resolution Protocol) requests and answers for IP addresses that are unallocated, so that traffic for the eight virtual addresses is delivered to the Honeyd host.
The Deployed Honeyd (Cont.)
• The virtual honeypots deployed include:
– A Linux honeypot with the personality "Linux kernel 2.4.20"
– A Windows honeypot with the personality "Microsoft XP Pro SP1"
– A Router honeypot with the personality "Cisco IOS 11.3-12.0(11)"
– A Server honeypot with the personality "Microsoft Server 2003"
– A Mydoom-vulnerable honeypot with the personality "Microsoft XP Pro SP1"
– A Mail Relay Server honeypot with the personality "Sun Solaris 9"
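A Honeyd configuration that reproduces the eight virtual honeypots listed above, as an added example; the paper does not reproduce its own configuration file. The template, personality, default-action, port and bind statements are standard Honeyd configuration syntax. The personality strings must match entries in Honeyd's nmap.prints file exactly, and the ones used here are assumptions to check against your copy. The service scripts (test.sh, web.sh, smtp.sh, router-telnet.pl) ship with Honeyd; mydoom.pl is assumed to be a contributed script emulating the Mydoom backdoor on TCP 3127.

```conf
# honeyd.conf: added example, not the paper's own configuration.
# Personality names below are assumed; they must match nmap.prints exactly.

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action reset
set linux default icmp action open
add linux tcp port 22 "sh scripts/test.sh $ipsrc $dport"
# web.sh records each request in web.log
add linux tcp port 80 "sh scripts/web.sh"
bind 195.251.161.182 linux
bind 195.251.161.186 linux

create winxp
set winxp personality "Microsoft Windows XP Professional SP1"
set winxp default tcp action reset
add winxp tcp port 135 open
add winxp tcp port 139 open
add winxp tcp port 445 open
bind 195.251.161.180 winxp
bind 195.251.161.184 winxp

# Same personality plus the Mydoom backdoor port, so worm-driven traffic to
# TCP 3127 is accepted and logged instead of being reset.
# mydoom.pl is an assumed contributed script, not part of the Honeyd core.
create mydoom
set mydoom personality "Microsoft Windows XP Professional SP1"
set mydoom default tcp action reset
add mydoom tcp port 3127 "perl scripts/mydoom.pl"
bind 195.251.161.183 mydoom

create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
set router uptime 1327650
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
bind 195.251.161.181 router

create win2003
set win2003 personality "Microsoft Windows Server 2003"
set win2003 default tcp action reset
add win2003 tcp port 80 "sh scripts/web.sh"
add win2003 tcp port 445 open
bind 195.251.161.187 win2003

# Open mail relay: the SMTP emulator accepts and records relay attempts.
create relay
set relay personality "Sun Solaris 9"
set relay default tcp action reset
add relay tcp port 25 "sh scripts/smtp.sh"
add relay tcp port 23 open
bind 195.251.161.185 relay

# Start-up on the Honeyd host (195.251.161.147): arpd claims the eight
# unallocated addresses, honeyd answers for them and writes the packet log.
#   arpd 195.251.161.180-195.251.161.187
#   honeyd -d -f honeyd.conf -p nmap.prints -l /var/log/honeyd/honeyd.log \
#          195.251.161.180-195.251.161.187
```

The packet log written with -l is the honeyd.log referred to on the Platform Test slide; every TCP connection and every UDP or ICMP packet to a bound address produces one line in it, which is the raw material for the connection-attempt counts in the results.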
The Deployed Honeyd (Cont.)
• Honeyd creates virtual hosts with different operating system personalities in order to attract a wider range of suspicious activity.
• In addition a NIDS, namely Snort, is employed to monitor the network traffic for known attacks and vulnerability probes.
• Malicious network traffic is monitored, recorded, and analysed.
• The output of Snort is sent to a MySQL database.
• The alerts recorded by Snort are then presented by BASE (Basic Analysis and Security Engine) version 1.4.5.
Platform Test
• The implemented Honeyd was put on the Internet for about one month and recorded every packet targeted at the eight virtual honeypots.
• The results of the experiment were recorded in the log files generated by Honeyd and in the Snort alerts retained in the MySQL database.
• In addition, web.log was used to record connection attempts towards the emulated Web services.
Part of the Test Results
[Figures, not reproduced here: Packet Protocol Types; Top 10 IP Addresses/Countries Attempting Connections; The List of Packet Destination IP Addresses; The List of Packet Destination Ports; Source Countries of the Relay Virtual Server]
Part of the Test Results (Cont.)
Destination IPs Attacked and Detected by Snort

#  Destination IP    Operating system                                  Connection attempts  Distinct source IPs
1  195.251.161.181   Cisco Router IOS 11.3-12.0                        334 (28%)            194
2  195.251.161.185   Sun Solaris – open relay server                   213 (17%)            158
3  195.251.161.186   Linux Kernel 2.4.20                               187 (15%)             88
4  195.251.161.182   Linux Kernel 2.4.20                               158 (13%)             53
5  195.251.161.187   Microsoft Windows Server 2003                      79 (6.6%)            29
6  195.251.161.184   Microsoft Windows XP Pro SP1                       79 (6.6%)            27
7  195.251.161.180   Microsoft Windows XP Pro SP1                       70 (5.8%)            21
8  195.251.161.183   Microsoft Windows XP Pro SP1 – Mydoom vulnerable   69 (5.8%)            25
Part of the Test Results (Cont.)
Top 10 Source IPs Attempting Connections, Detected by Snort

#    Source IP address   Connection attempts
1    61.128.110.96       110
2    122.225.100.154     104
3    219.150.223.253      93
4    219.149.194.245      45
5    211.143.198.2        35
6    41.238.62.214        16
7    221.130.140.18       16
8    83.219.146.180       14
9    41.130.16.37         14
10   188.17.215.239       14
Part of the Test Results (Cont.)
Unique Alerts Generated by Snort (single sensor)

#  Signature                                                               Classification    Total         Source addrs  Dest. addrs  First     Last
1  SQL version overflow attempt                                            attempted-admin   486 (40.8%)    41            8            26/07/10  25/08/10
2  unclassified                                                            –                 450 (37.8%)   190            8            26/07/10  13/08/10
3  PSNG_TCP_PORTSWEEP                                                      attempted-recon   214 (17.9%)   208            7            01/08/10  16/08/10
4  SQL ping attempt                                                        misc-activity      18 (1.5%)      9            8            11/08/10  12/08/10
5  PSNG_TCP_PORTSCAN                                                       attempted-recon    18 (1.5%)      2            5            13/08/10  14/08/10
6  TELNET Solaris login environment variable authentication bypass attempt attempted-admin     3 (0.2%)      3            1            23/08/10  25/08/10
7  SQL Worm propagation attempt                                            misc-attack         3 (0.2%)      3            2            24/08/10  25/08/10
Part of the Test Results (Cont.)
Cross-referenced Source IP Addresses by Virtual Honeypots and Snort

#    Source IP address   Source IP DNS resolution / owner                             Snort alert                                                      Honeyd connection attempts
1    61.128.110.96       CNINFONET Xinjiang province network                          SQL version overflow attempt                                     110
2    61.176.216.44       CHINA Unicom province network                                PSNG_TCP_PORTSWEEP                                                 5
3    222.191.251.183     CHINANET province network                                    PSNG_TCP_PORTSWEEP                                                 1
4    122.225.100.154     CHINANET – Zhu Zhenhua                                       SQL version overflow attempt                                     104
5    219.150.223.253     Telecom CHINANET province network                            SQL version overflow attempt                                      93
6    219.149.194.245     CHINANET province network                                    SQL version overflow attempt; SQL Worm propagation attempt        46
7    211.143.198.2       China Mobile Communications Corporation – Fujian             SQL version overflow attempt                                      35
8    213.160.136.96      Prosto Internet                                              SQL version overflow attempt; SQL Worm propagation attempt         1
9    93.114.238.38       SC Gliga SRL                                                 SQL version overflow attempt                                       1
10   201.240.30.46       Latin American and Caribbean IP address Regional Registry    PSNG_TCP_PORTSWEEP                                                 2
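The three tables above (attempts per virtual honeypot, top source IPs, and source IP against Snort signature) are what a student produces by joining the two logs the platform writes. The following is an added example, not code from the paper: it parses Honeyd's packet-log format and Snort's "output alert_fast" lines (used here in place of the MySQL database so that it runs offline) and joins them on source IP, keeping sources that appear in only one of the two logs so the gap between "seen by Honeyd" and "alerted by Snort" stays visible. The log lines are constructed samples that reuse addresses and signature names from the slides; the PERSONALITY mapping is taken from the deployment slide, and Snort SIDs 2050 and 2003 are the ruleset IDs of the MS-SQL version overflow and MS-SQL Worm propagation signatures.

```python
import re
from collections import Counter, defaultdict

# Personality bound to each virtual honeypot, taken from the deployment slide.
PERSONALITY = {
    "195.251.161.180": "Microsoft Windows XP Pro SP1",
    "195.251.161.181": "Cisco IOS 11.3-12.0(11)",
    "195.251.161.182": "Linux kernel 2.4.20",
    "195.251.161.183": "Microsoft Windows XP Pro SP1 (Mydoom vulnerable)",
    "195.251.161.184": "Microsoft Windows XP Pro SP1",
    "195.251.161.185": "Sun Solaris 9 (mail relay)",
    "195.251.161.186": "Linux kernel 2.4.20",
    "195.251.161.187": "Microsoft Windows Server 2003",
}

# Constructed sample of Honeyd's packet log (honeyd -l):
#   <timestamp> <proto>(<num>) <S|E|-> <src> [<sport>] <dst> [<dport>][: extra]
# S = new TCP connection, E = end of a TCP connection, - = connectionless packet.
HONEYD_LOG = """\
2010-07-26-10:15:02.1234 udp(17) - 61.128.110.96 1434 195.251.161.181 1434: 376
2010-07-26-10:15:02.2234 udp(17) - 61.128.110.96 1434 195.251.161.185 1434: 376
2010-07-26-11:02:10.0001 tcp(6) S 61.176.216.44 51022 195.251.161.181 23 [Windows XP SP1]
2010-07-26-11:02:10.0009 tcp(6) S 61.176.216.44 51023 195.251.161.182 22 [Windows XP SP1]
2010-07-26-11:02:11.0011 tcp(6) E 61.176.216.44 51022 195.251.161.181 23: 0 0
2010-07-27-03:44:00.5000 udp(17) - 122.225.100.154 1434 195.251.161.186 1434: 376
2010-07-27-03:44:00.5100 udp(17) - 219.149.194.245 1434 195.251.161.186 1434: 376
2010-07-28-09:00:00.0000 icmp(1) - 201.240.30.46 195.251.161.187: 8(0): 84
"""

# Constructed sample of Snort "output alert_fast" lines for the same traffic.
SNORT_FAST = """\
07/26-10:15:02.123456  [**] [1:2050:13] MS-SQL version overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {UDP} 61.128.110.96:1434 -> 195.251.161.181:1434
07/26-11:02:10.000900  [**] [122:3:1] PSNG_TCP_PORTSWEEP [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 61.176.216.44 -> 195.251.161.182
07/27-03:44:00.510000  [**] [1:2050:13] MS-SQL version overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {UDP} 219.149.194.245:1434 -> 195.251.161.186:1434
07/27-03:44:00.510000  [**] [1:2003:9] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 219.149.194.245:1434 -> 195.251.161.186:1434
"""

# ICMP records carry no ports, so both port groups are optional.
HONEYD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\(\d+\) (?P<event>[SE-]) (?P<src>\d+\.\d+\.\d+\.\d+)"
    r"(?: (?P<sport>\d+))? (?P<dst>\d+\.\d+\.\d+\.\d+)(?: (?P<dport>\d+))?"
)
# Preprocessor alerts (gid 122, {PROTO:255}) have no ports and may lack a classification.
SNORT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*\d+\]\s+\{(?P<proto>[^}]+)\}"
    r"\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def parse_honeyd(text):
    """One dict per Honeyd log line; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(HONEYD_RE.match, text.splitlines()) if m]


def parse_snort(text):
    """One dict per alert_fast line; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(SNORT_RE.match, text.splitlines()) if m]


def is_attempt(ev):
    """Count a TCP SYN ('S') or any UDP/ICMP packet ('-') as one connection attempt;
    'E' records only close a TCP connection that was already counted."""
    return ev["event"] == "S" or (ev["event"] == "-" and ev["proto"] in ("udp", "icmp"))


def per_destination(events):
    """Rows like the 'Destination IPs Attacked' table:
    (dst, personality, attempts, percent of all attempts, distinct source IPs)."""
    attempts, sources = Counter(), defaultdict(set)
    for ev in filter(is_attempt, events):
        attempts[ev["dst"]] += 1
        sources[ev["dst"]].add(ev["src"])
    total = sum(attempts.values()) or 1
    rows = [(dst, PERSONALITY.get(dst, "unknown"), n, round(100.0 * n / total, 1), len(sources[dst]))
            for dst, n in attempts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def top_sources(events, n=10):
    """Rows like the 'Top 10 Source IPs' table: (src, attempts), busiest first."""
    return Counter(ev["src"] for ev in filter(is_attempt, events)).most_common(n)


def cross_reference(events, alerts):
    """Join on source IP: attempts seen by Honeyd and the set of Snort signatures raised.
    A source present in only one log still gets a row, so the disagreement is visible."""
    attempts = Counter(ev["src"] for ev in filter(is_attempt, events))
    sigs = defaultdict(set)
    for a in alerts:
        sigs[a["src"]].add(a["msg"])
    return {src: {"attempts": attempts.get(src, 0), "signatures": sorted(sigs.get(src, ()))}
            for src in set(attempts) | set(sigs)}


if __name__ == "__main__":
    events, alerts = parse_honeyd(HONEYD_LOG), parse_snort(SNORT_FAST)
    for row in per_destination(events):
        print("%-16s %-48s %3d (%4.1f%%) %3d" % row)
    for src, info in sorted(cross_reference(events, alerts).items(), key=lambda kv: -kv[1]["attempts"]):
        print("%-16s %3d  %s" % (src, info["attempts"], "; ".join(info["signatures"]) or "-"))
```

Two details matter when repeating this on a month of real logs: Honeyd's 'E' records must not be counted a second time, and the join has to be by source address rather than by time, because Snort timestamps carry no year and the two clocks will not agree to the millisecond. Sources that Honeyd saw but Snort never alerted on (the 122.225.100.154 sample here) are the ones worth pulling the raw packets for, since only a rule match produces an alert.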
Summary
• There is an increasing demand for Computer Forensics graduates to enhance their experience in network incident investigations.
• The platform was developed to enable students to practise network incident investigation on real-life cases.
• Although the evidence collected from the honeypot system may or may not be deemed admissible in court, the platform is intended for students to enhance their Network Forensics skills.