Data Capture and Analysis
C-DAC Mohali
Overview
Honeynet/Honeypot Technology
◦ Honeypot/Honeynet Background
◦ Types of Honeypots
◦ Deployment of Honeypots
Data Collection
Data Control
Data Analysis
Honeypot/Honeynet concepts
◦ A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource
◦ Has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise
◦ A highly controlled network where every packet entering or leaving the honeypot system, and related system activities, are monitored, captured and analyzed.
◦ Primary value to most organizations is information
Advantages
◦ Fidelity: information of high value
◦ Reduced false positives
◦ Reduced false negatives
◦ Simple concept
◦ Not resource intensive
04/19/23 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"
Attack Detection Techniques
Detection Techniques: Proactive Techniques, Defensive Techniques
◦ Anomaly-based
◦ Signature-based
◦ Honeynets
How it works
(Diagram labels: Attackers, Gateway, HoneyPot A, Attack Data; Monitor, Detect, Response)
Honeynet Requirements & Standards
Data Control: Contain the attack activity and ensure that compromised honeypots do not further harm other systems. Outbound control without blackhats detecting the control activities.
Data Capture: Capture all activity within the Honeynet and the information that enters and leaves the Honeynet, without blackhats knowing they are being watched.
Data Collection: Captured data is securely forwarded to a centralized data collection point for analysis and archiving.
Attacker Luring: Generating the attacker's interest in attacking the honeynet
◦ Static: web server deployment, made deliberately vulnerable
◦ Dynamic: IRC, chat servers, hacker forums
Classification
◦ By level of interaction: High, Low, Middle?
◦ By implementation: Virtual, Physical
◦ By purpose: Production, Research
Types of Honeypots
Low-interaction
◦ Emulates services and operating systems.
◦ Easy to deploy, minimal risk
◦ Captures limited information
High-interaction
◦ Provides real operating systems and services, no emulation.
◦ Complex to deploy, greater risk.
◦ Captures extensive information.
Virtual Honeynet
What Honeynet Achieves
◦ Diverts the attacker's attention from the real network so that the main information resources are not compromised.
◦ Captures samples of new viruses and worms for future study
◦ Helps to build the attacker's profile in order to identify their preferred attack targets and methods.
What value Honeynet adds
◦ Prevention of attacks: through deception and deterrence
◦ Detection of attacks: by acting as an alarm
◦ Response to attacks: by collecting data and evidence of an attacker's activity
GEN III
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
Data Capture, Data Control, Data Analysis
Honeynet Gen III
(Diagram labels)
Honeywall components: IPTABLES, ARGUS, SNORT, P0F, SEBEKD, TCPDUMP, HFLOWD / HFLOW DB, WALLEYE, PCAP DATA, CONVERT INTO UNIFIED FORMAT, GUI / WEB INTERFACE
Interfaces: ETH0, ETH1 (0.0.0.0), ETH2
Honeypot with SEBEK CLIENT
Addresses shown: 192.168.2.2, 203.100.79.122
Data Capture Mechanism
Sources on the Honeypot and on the Honeywall: SYS LOGS, AISD, HIDS, APP LOGS
DATA CAPTURE TOOLS IN GEN 3 HONEYNET
Network Level Data Capture:
◦ Raw packet capture: Tcpdump
◦ Analyzed packet capture: P0F, Snort, Argus
System Level Data Capture:
◦ System logs: Syslogd
◦ Kernel level logs: Sebek client-server
Data Control
(Diagram: Internet, Honeywall, two Honeypots. Inbound: no restrictions. Outbound: connections limited, packets scrubbed.)
PURPOSE: Mitigate the risk of a COMPROMISED honeypot being used to harm non-honeynet systems
◦ Count outbound connections (reverse firewall)
◦ IPS (Snort-inline)
◦ Bandwidth throttling (reverse firewall)
DATA CONTROL
IPTABLES packet handling: IPTABLES FIREWALL with INPUT CHAIN, OUTPUT CHAIN and FORWARD CHAIN
Data Control
### Set the connection outbound limits for different protocols.
# $LAN_IFACE (honeypot-side interface) and ${host} (a honeypot address) are set elsewhere in the Honeywall scripts.
SCALE="day"
TCPRATE="20"
UDPRATE="20"
ICMPRATE="50"
OTHERRATE="5"
# Rule 1: the first ${TCPRATE} NEW outbound TCP connections per ${SCALE} go to the tcpHandler chain.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} -s ${host} -j tcpHandler
# Rule 2: once the limit is exhausted, log (at most once per ${SCALE}); LOG is non-terminating, so rule 3 still applies.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts "
# Rule 3: drop every further NEW outbound TCP connection from the honeypot.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
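To make the behaviour of these three rules concrete, here is a small simulation, added for illustration and not taken from the Honeynet Project or the C-DAC slides. It models iptables' `-m limit` match as a token bucket (limit-burst is the bucket size, limit the refill rate) and runs a burst of NEW outbound TCP connections from one honeypot through the tcpHandler / LOG / DROP sequence using the slide's values (20 per day, burst 20). The bucket arithmetic is an approximation of the kernel's limit match, and the honeypot and destination addresses are constructed.

```python
"""Token-bucket model of the Honeywall outbound data-control rules.

Added illustration, not code from the Honeynet Project or C-DAC. It mimics
how the three FORWARD rules above treat NEW outbound TCP connections from one
honeypot: rule 1 hands connections to tcpHandler while the `-m limit` match
still has tokens, rule 2 logs at most once per SCALE, rule 3 drops the rest.
"""
from dataclasses import dataclass, field

DAY = 24 * 60 * 60  # SCALE="day", expressed in seconds


@dataclass
class TokenBucket:
    """Approximation of `-m limit --limit rate/period --limit-burst burst`."""
    rate: int          # tokens added per period
    period: float      # period length in seconds
    burst: int         # bucket capacity; the bucket starts full
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        refill = (now - self.last) * self.rate / self.period
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutboundTcpControl:
    """The three-rule sequence for one honeypot's NEW outbound TCP connections."""

    def __init__(self, tcprate: int = 20, scale: float = DAY):
        self.tcprate = tcprate
        self.accept_limit = TokenBucket(tcprate, scale, tcprate)  # rule 1: -j tcpHandler
        self.log_limit = TokenBucket(1, scale, 1)                 # rule 2: -j LOG, 1/SCALE
        self.log_lines: list[str] = []

    def new_connection(self, now: float, src: str, dst: str) -> str:
        """Verdict for one NEW outbound connection attempt at time `now` (seconds)."""
        if self.accept_limit.allow(now):
            return "ACCEPT"  # passed on to the tcpHandler chain
        # LOG is a non-terminating target: log (rate-limited) and fall through to DROP.
        if self.log_limit.allow(now):
            self.log_lines.append(
                f"Drop TCP after {self.tcprate} attempts SRC={src} DST={dst}")
        return "DROP"


def simulate(control: OutboundTcpControl, attempts):
    """Run (time_seconds, src, dst) attempts through the control; return the verdicts."""
    return [control.new_connection(t, s, d) for t, s, d in attempts]


if __name__ == "__main__":
    # Constructed scenario: a compromised honeypot opens 25 connections in 25 seconds,
    # then tries again after one token has refilled (DAY / 20 = 4320 s later).
    ctl = OutboundTcpControl()
    verdicts = simulate(ctl, [(t, "10.0.0.5", "198.51.100.10") for t in range(25)])
    print(verdicts.count("ACCEPT"), "accepted,", verdicts.count("DROP"), "dropped")
    print("log entries:", ctl.log_lines)
    print("after refill:", ctl.new_connection(24 + 4400, "10.0.0.5", "198.51.100.10"))
```

The point the simulation makes is that the LOG rule produces a single line per day no matter how many connections are dropped, so the honeywall's own syslog understates the attempt count; the per-connection evidence has to come from the data-capture side (tcpdump, argus).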
Distributed Honeynet System
Distributed sensor Honeynet
◦ Configuration/reconfiguration
◦ Central Logging & Alerting
◦ Honeypot management & analysis (forensics take time!)
Network Diagram of Distributed Honeynet System
(Diagram: a Central Database Server reached over the Internet through routers by several remote nodes. Each node is a host machine running a Honeywall, a Nepenthes sensor and Honeypot1/Honeypot2, joined by a software bridge and a virtual switch.)
Network labels: BSNL N/W /28, CONNECT N/W /27, STPI N/W /28, Airtel N/W /29
Large Enterprise Network (STPI) /27; Broadband Providers (BSNL, CONNECT, AIRTEL) /28, /28, /29
Life Cycle of Distributed HoneyNet System
Remote Node Architecture
(Diagram labels, Remote Node of DHS, stages 1, 2, 3)
◦ Malware Collection Module: Low-Interaction Honeypot, High Interaction Honeynet
◦ Malware Analysis Module: Sandbox (Bot Execution), Bot Detection Engine, Antivirus, Bot hunter
◦ Botnet Tracking: Botnet Tracking engine
Central server: Malware collection Data Base, Bot Binary database, Botnet Tracking database
(Honeywall diagram labels)
HONEYWALL: IPTABLES, ARGUS, SNORT, P0F, SEBEKD, TCPDUMP, HFLOWD / HFLOW DB, WALLEYE, PCAP DATA, CONVERT INTO UNIFIED FORMAT, GUI / WEB INTERFACE
REVERSE FIREWALL RULES (CONTROL OUTBOUND TRAFFIC)
Interfaces: ETH0, ETH1 (0.0.0.0), ETH2
HONEYPOT with SEBEK CLIENT
DATA ANALYSIS STEPS
◦ Collect & Merge
Walleye Web Interface: "Eye on the Honeywall" is a web-based interface for Honeywall configuration, administration and data analysis
Honeywall Roo Logical Design
Walleye Analysis Interface
Botnet Detection
Introduction
◦ Botnet Problem
◦ Typical Botnet Life Cycle
◦ How Botnet Grows
◦ Challenges for Botnet detection
◦ Roadmap to Detection system
◦ Botnet Detection Approaches
◦ Our Implemented Approach
◦ Experiments and results
What Is a Bot/Botnet?
Bot
◦ A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent
◦ Profit-driven, professionally written, widely propagated
Botnet (Bot Army): network of bots controlled by criminals
◦ Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”
◦ Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
Botnets are used for …
◦ All DDoS attacks
◦ Spam
◦ Click fraud
◦ Information theft
◦ Phishing attacks
◦ Distributing other malware, e.g., spyware
“…PCs are part of a botnet!”
Typical Botnet Life Cycle
How the Botnet Grows
IRC Botnet Life Cycle
Challenges for Botnet Detection
◦ Bots are stealthy on the infected machines – we focus on a network-based solution
◦ Bot infection is usually a multi-faceted and multiphase process – only looking at one specific aspect is likely to fail
◦ Bots are dynamically evolving
◦ Botnets can have very flexible designs of C&C channels – a solution very specific to a botnet instance is not desirable
Related Work
Network Level
◦ G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic
◦ J. R. Binkley and S. Singh. An algorithm for anomaly-based botnet detection
◦ J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation
◦ C. Livadas, R. Walsh, D. Lapsley, and W. Strayer. Using machine learning techniques to identify botnet traffic
Related Work
Host Level
◦ E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection
◦ R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors.
Hybrid
◦ BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection
Botnet Detection Approaches
◦ Setting up Honeynets (Honeynet-based solutions)
◦ Network Traffic Monitoring:
– Signature Based
– Anomaly Based
– DNS Based
– Mining Based
Honeynet Based Solution
It enables us to isolate the bot from the network and monitor its traffic in a more controlled way, instead of waiting to be infected and then monitoring the traffic
– Bot execution in Honeynet test bed
– Monitor the traffic generated by bots
Open Analysis:
– Provides connection to Internet
– More flexible than closed analysis.
Our Implemented Approach
• Honeynet Based Solution – Achievements
• Approach Implemented
• Honeynet Based Bot Analysis Architecture
• Payload Parser
• Web GUI and report generation
Flowchart
Features
◦ Systematically collect and analyze bot traffic over the internet
◦ Provides a controlled connection to the Internet: rate-limits the outbound connections.
◦ Uses network-based anomaly detection to identify C&C command sequences
Principal Mechanism for Botnet Detection
Bot Execution
- Bot execution in a Honeynet-based environment
- Collection of execution traces to extract C&C server information.
- Complete payload sent to the central server.
Payload Parser
- Extraction of IRC/HTTP command signatures
Botnet Observation
- Extraction of attack, propagation scan or other attack commands
- Extraction of specific network patterns, secondary injection attempts
Output
- List of unique C&C servers
- Commands exchanged between bot client & bot server
Experimental Result
Botname: B14, MD5: a4dde6f9e4feb8a539974022cff5f92c
Symantec: W32.IRCBot, Microsoft: Backdoor:Win32/Poebot
PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
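The Payload Parser and Output steps described under "Principal Mechanism for Botnet Detection" can be shown on exactly this B14 exchange. The following parser is an added example written for this page, not the C-DAC system's own code. It embeds the captured lines above as a constructed sample, treats lines with a `:prefix` as server-to-bot and lines without one as bot-to-server, and extracts the unique C&C server, the channel, the commands delivered through the channel topic (IRC numeric 332) and the report the bot sent back. The `.vscan` and `.sbk` command names come from the sample; the slide does not say what `.sbk` does, so its arguments are only collected as file names.

```python
"""Payload parser for IRC bot C&C traffic captured in the honeynet.

Added example, not the parser from the C-DAC system. It reads the client/server
lines recorded while a bot binary ran and produces what the slide's Output step
asks for: unique C&C server, channel, commands pushed to the bot through the
channel topic, and the bot's own reports back to the channel.
"""

# Constructed sample, copied from the B14 capture shown above.
SAMPLE_CAPTURE = """\
PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
"""

RPL_TOPIC = "332"  # numeric reply carrying the channel topic, where this bot family reads its orders


def parse_irc_line(line):
    """Split one RFC 1459 message into (prefix, command, params); trailing text is the last param."""
    rest = line.strip()
    prefix = None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    trailing = None
    if " :" in rest:
        rest, _, trailing = rest.partition(" :")
    parts = rest.split()
    command = parts[0].upper() if parts else None
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def split_topic_commands(topic):
    """Bot commands in a '|'-separated topic: every non-empty chunk that starts with '.'."""
    return [chunk.strip() for chunk in topic.split("|") if chunk.strip().startswith(".")]


def analyze_capture(capture):
    """Walk the capture and collect C&C indicators in first-seen order."""
    report = {
        "servers": [],        # unique C&C server names seen as message prefixes
        "nick": None,         # nick the bot registered with
        "channels": [],       # channels in which the bot was given orders
        "commands": [],       # raw commands taken from channel topics
        "scan_targets": [],   # last argument of each .vscan command (the scanned range)
        "sbk_files": [],      # arguments of .sbk commands (assumed secondary-injection binaries)
        "bot_reports": [],    # (channel, text) PRIVMSGs sent by the bot itself
    }
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        prefix, command, params = parse_irc_line(raw)
        # In this capture every prefix is the server name; a user mask (nick!user@host) would
        # need splitting at '!' before being treated as a server.
        if prefix and prefix not in report["servers"]:
            report["servers"].append(prefix)
        if command == "NICK" and params:
            report["nick"] = params[0]
        elif command == RPL_TOPIC and len(params) >= 3:  # <nick> <channel> :<topic>
            channel = params[1]
            if channel not in report["channels"]:
                report["channels"].append(channel)
            for cmd in split_topic_commands(params[-1]):
                report["commands"].append(cmd)
                name, *args = cmd.split()
                if name == ".vscan" and args:
                    report["scan_targets"].append(args[-1])
                elif name == ".sbk" and args:
                    report["sbk_files"].append(args[0])
        elif command == "PRIVMSG" and prefix is None and len(params) >= 2:
            report["bot_reports"].append((params[0], params[-1]))
    return report


if __name__ == "__main__":
    for key, value in analyze_capture(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Run against the sample it yields one C&C server (ftpelite.mine.nu), one channel (#100+), eight topic commands and one bot report, which is the per-binary record the central server aggregates into the C&C server and port tables that follow.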
Experimental Results: IRC
Bot Family      Number of Samples   Percentage (%)
Rbot            70                  6.28
Poebot.gen      32                  2.87
Rbot.gen        30                  2.69
IRCbot.genK     22                  1.99
Poebot.BT       12                  1.08
IRCbot           8                  0.71
Poebot.BI        6                  0.54
IRCbot.genS      4                  0.35
Poebot           4                  0.35
Poebot.T         4                  0.35
In total we could identify 99 IRC-based bot binaries, a rate of 8.25% of the overall binaries in 12 months
Botnet C&C Server Info
Sno   Source IP          count
1     122.160.115.76     191
2     122.160.76.92       91
3     122.160.42.85       79
4     122.160.1.248       66
5     122.160.74.180      60
6     61.142.12.86        54
7     122.160.136.220     49
8     122.160.154.222     48
9     122.161.16.82       48
10    122.160.75.115      48

Sno   Ports   count
1     445     2571
2     135      139
3     1434     111
4     139       42
5     80        35
6     25        12
7–9   3306705161 (three ports, run together in extraction)   7, 6, 1