Towards attack modelling thanks to honeypot data processing

Similar documents
A Pointillist Approach for Comparing Honeypots. Fabien Pouget, Thorsten Holz

Empirical Analysis and Statistical Modeling of Attack Processes based on Honeypots

Dynamic Honeypot Construction

Advanced Honeypot Architecture for Network Threats Quantification

Securing the system using honeypot in cloud computing environment

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

Second-generation (GenII) honeypots

Advanced Honeypot System for Analysing Network Security

Analysis of Attacks on Web Based Applications

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Daniel Meier & Stefan Badertscher

Use of Honeypots to Increase Awareness regarding Network Security

Chapter 6: Fundamental Cloud Security

Lessons learned from the deployment of a high-interaction honeypot

The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet

Banking Security using Honeypot

S3 Control and System Call Indirection

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks

Security Issues with Integrated Smart Buildings

Honeypots & Honeynets Overview. Adli Wahid Security Specialist, APNIC.net adli@apnic.net

Taxonomy of Intrusion Detection System

Volume 2, Issue 3, March 2014 International Journal of Advance Research in Computer Science and Management Studies

Securing Cloud Infrastructures with Elastic Security

IDS / IPS. James E. Thiel S.W.A.T.

A proposal for securing a large-scale high-interaction honeypot

Network Incident Report

2-5 DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Honeypot as the Intruder Detection System

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Honeypots in Network Security

Data Collection and Data Analysis in Honeypots and Honeynets

DESIGN OF NETWORK SECURITY PROJECTS USING HONEYPOTS *

Firewall Firewall August, 2003

Εmerging Ways to Protect your Network

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

How To Prevent Hacker Attacks With Network Behavior Analysis

Countermeasure for Detection of Honeypot Deployment

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Avoiding Cyber-attacks to DMZ and Capturing Forensics from Intruders Using Honeypots

Honeypots / honeynets

Honeyd Detection via Packet Fragmentation

Modelling attack processes on the Internet, based on honeypot collected data. University of Rome La Sapienza Department of engineering

Keywords Intrusion detection system, honeypots, attacker, security. 7 P a g e

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

[Kapse*, 4.(10): October, 2015] ISSN: (I2OR), Publication Impact Factor: 3.785

DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS

Use of Honeypot and IP Tracing Mechanism for Prevention of DDOS Attack

Honeypots in the Cloud

HONEYPOTS REVEALED Prepared by:

Chapter 9 Firewalls and Intrusion Prevention Systems

Library Computer and Network Security and Web Services

Network Based Intrusion Detection Using Honey pot Deception

EU FP6 LOBSTER. personal view on the future of ero-day Worm Containment. European Infrastructure for accurate network monitoring

The Leading Provider of Endpoint Security Solutions

An Introduction to Network Vulnerability Testing

E-government security: A honeynet approach

Total Defense Endpoint Premium r12

Deep Security Vulnerability Protection Summary

A Senior Design Project on Network Security

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite

DETECTING AND ANALYZING NETWORK ATTACKS USING VIRTUAL HONEYNET NUR ATIQAH BT. HASAN

Capturing Web Application Threats Using virtual CMS Honeypot. Saharuddin Saat, Nor Adora Endut 1, Abdul Hamid Othman 2

A Whirlwind Introduction to Honeypots

Autonomous Hybrid Honeypot as the Future of Distributed Computer Systems Security

Development of Honeypot System Emulating Functions of Database Server

CS 558 Internet Systems and Technologies

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

5 Tools For Passing a

Getting Ahead of Malware

Uncovering secret connections among attackers by using network theory and custom honeypots

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

How To Manage Your Information Systems At Aerosoft.Com

Getting a Secure Intranet

WHITE PAPER. An Introduction to Network- Vulnerability Testing

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

The Use of Honeynets to Increase Computer Network Security and User Awareness

A Hybrid Honeypot Architecture for Scalable Network Monitoring

ICAWEB423A Ensure dynamic website security

Catching hackers using a virtual honeynet: A case study

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

ICTN Enterprise Database Security Issues and Solutions

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

AC : WORK-IN-PROGRESS: CREATING AN INTRUSION DE- TECTION EXPERIMENTAL ENVIRONMENT USING CLOUD-BASED VIR- TUALIZATION TECHNOLOGY

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring

Cisco Advanced Services for Network Security

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

California State University, Chico. Information Security Incident Management Plan

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

Networking for Caribbean Development

CTS2134 Introduction to Networking. Module Network Security

LAN Based Intrusion Detection And Alerts

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking

Monitoring and Analysis of Internet Traffic Targeting Unused Address Spaces

: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Transcription:

Towards attack modelling thanks to honeypot data processing Marc Dacier Institut Eurécom Sophia Antipolis, France dacier@eurecom.fr Overview! Introduction! State of Knowledge! Contributions of ReSIST Partners! Conclusions

Threats?! Fact: New vulnerabilities discovered every day, new widespread attacks reported in the media.! Questions:! Are these vulnerabilities actually exploited?! What are the right fault assumptions models that one should use to build intrusion tolerant systems? Dahu: definition source: http://www.vidonne.com/html/dahureignier.html The Dahu is an extremely shy animal living in the Alps of France and Switzerland.[ ] It has adapted to its steep environment by having legs shorter on the uphill side and longer on the downhill side [ ] The Dahu, An endangered Alpine species, Science, 2568, November 1996, pp.112:

Food for thoughts! Dahus are rare, bizarre, stimulating from an intellectual point of view but...! Does it justify the existence of Dahusian research?! What about Dahusian research in security assessment? Overview! Introduction! State of Knowledge! Contributions of ReSIST Partners! Conclusions

The basics! «A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource» L. Spitzner, Honeypots: tracking hackers, Addislon Wesley, 2002 The basics (ctd.)! Low interaction honeypots:! emulate the existence of a potential target,! At various abstraction levels (network, OS, application)! High interaction honeypots:! Use a real system as a potential target! Must be kept under close scrutiny.

Internet Telescopes! Internet Telescopes observe empty address spaces:! CAIDA Telescope,! IMS,! isink,! Minos,! Team Cymru,! Honeytank,! IUCC/IDC Internet Telescope (Israel),! Etc...! The Honeynet Alliance promotes the use of high interaction honeypots. Problems with current solutions! False positives! It may be difficult to discriminate true attacks from erroneous, yet legitimate behaviours, in data collected in real networks.! Privacy! Data sets may contain private information (eg IP addresses, passwords, etc.). Anonymisation removes semantic and is therefore not always usable.! Liability! Not stopping an ongoing attack may harm third parties. Major issue for high interaction honeypot.

Problems with current solutions (ctd.)! Bias! Things may be different here and there.! Malicious users dislike to be observed and will avoid visiting known observation points (eg.mil, major corporate networks, etc..)! Amount of data! Having access to a large amount of data is good! Having access to a rich amount of data is better.! Having access to a rich amount of complete and comparable data is even better! Summary! What we need is:! an environment to collect unbiased, rich, complete and comparable data about attacks without facing liability or privacy issues.! To do so, we have deployed:! the very same low interaction honeypots in a large number of diverse locations using each time a very limited amount of IP addresses. We collect all packets sent to or from these machines, including payload.

Overview! Introduction! State of Knowledge! Contributions of ReSIST Partners! Conclusions Collaborative approach! Leurré.com framework used as a common umbrella to carry out joint research in this thema.! Some partners bring also on the table the expertise gained with their own proprietary dataset (eg. IBM with its internal Billy Goat project).

50 partners in 30 countries covering the 5 continents In Europe

Experimental Set Up (based on honeyd) Internet R e v e r s e F i r e w a l l V i r t u a l S W I T C H Mach0 Windows 98 Workstation Mach1 Windows NT (ftp + web server) Mach2 Redhat 7.3 (ftp server) Observer (tcpdump) Win-Win Partnership The interested partner provides One old PC (pentiumii, 128M RAM, 233 MHz ), 4 routable IP addresses, The project offers Installation CD Rom Remote logs collection and integrity check. Access to the whole SQL database by means of a secure GUI and a wiki (over https).

D12 - Appendices [Alata et al. 2006] E. Alata, V. Nicomette, M. Kaaniche and M. Dacier, Lessons learned from the deployment of a high-interaction honeypot, Proc. Sixth European Dependable Computing Conference (EDCC-6), Coimbra, Portugal, October 18-20, 2006 [Kaâniche et al. 2006] M. Kaâniche, E. Alata, V. Nicomette, Y.Deswarte, M. Dacier, Empirical analysis and statistical modelling of attack processes based on honeypots, Proc. of WEEDS 2006 - workshop on empirical evaluation of dependability and security, Philadelphia (USA), June 25-28, 2006. [Alata et al. 2006]! High interaction honeypots are not that rapidly detected.! They help in identifying groups of attackers and their strategies.! They are complementary to low interaction ones! Very difficult to use to collect long term datasets.

[Kaâniche et al. 2006]! Propagation graphs open the way to predictive models for some attacks [Kaâniche et al. 2006] Patterns of attacks common to several platforms open the way to predictive models for some platforms ( 20/12/06-31/1/07)

Overview! Introduction! State of Knowledge! Contributions of ReSIST Partners! Conclusions Conclusions! First results demonstrate the usefulness of such datasets with respect to the proposed objectives.! Honeypots with higher degree of interaction would be welcome.! Models must be formalized and validated.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information