Traffic Monitoring : Experience



Similar documents
IDS / IPS. James E. Thiel S.W.A.T.

Network Intrusion Analysis (Hands-on)

Intrusion Detection Systems (IDS)

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

INTRUSION DETECTION SYSTEMS and Network Security

Implementing Secure Converged Wide Area Networks (ISCW)

Firewalls and Intrusion Detection

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Second-generation (GenII) honeypots

Linux Network Security

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Intrusion Detection Systems

Network Based Intrusion Detection Using Honey pot Deception

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Network Security Monitoring

Security Toolsets for ISP Defense

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

DDoS Mitigation Techniques

How To Protect Your Network From Attack From A Hacker On A University Server

Internet Security Firewalls

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

An Overview of the Bro Intrusion Detection System

Chapter 11 Cloud Application Development

Lab Configure IOS Firewall IDS

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Network/Internet Forensic and Intrusion Log Analysis

NETWORK SECURITY (W/LAB) Course Syllabus

CTS2134 Introduction to Networking. Module Network Security

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Name. Description. Rationale

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

EU FP6 LOBSTER. personal view on the future of ero-day Worm Containment. European Infrastructure for accurate network monitoring

8 steps to protect your Cisco router

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Introduction of Intrusion Detection Systems

Chapter 9 Firewalls and Intrusion Prevention Systems

Intrusion Detection Systems

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Taxonomy of Intrusion Detection System

Strategies to Protect Against Distributed Denial of Service (DD

DDoS Overview and Incident Response Guide. July 2014

How To Protect A Network From Attack From A Hacker (Hbss)

Security Event Management. February 7, 2007 (Revision 5)

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

SURVEY OF INTRUSION DETECTION SYSTEM

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

Lesson 5: Network perimeter security

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

PROFESSIONAL SECURITY SYSTEMS

Countermeasure for Detection of Honeypot Deployment

Secure Software Programming and Vulnerability Analysis

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

Dynamic Rule Based Traffic Analysis in NIDS

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Network Security Administrator

Securing the system using honeypot in cloud computing environment

Firewalls & Intrusion Detection

How To Prevent DoS and DDoS Attacks using Cyberoam

Cisco IPS Tuning Overview

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Distributed Denial of Service (DDoS)

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Web-Based Configuration Manual System Report. Table of Contents

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

The HoneyNet Project Scan Of The Month Scan 27

Configuring Security for FTP Traffic

Distributed Denial of Service Attack Tools

Intrusion Log Sharing University of Wisconsin-Madison

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Network Monitoring and Forensics

RAVEN, Network Security and Health for the Enterprise

Εmerging Ways to Protect your Network

Intrusion Detection Systems

Guide to Computer Forensics and Investigations, Second Edition

USE HONEYPOTS TO KNOW YOUR ENEMIES

Firewalls and System Protection

Securing Cisco Network Devices (SND)

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

New possibilities in latest OfficeScan and OfficeScan plug-in architecture

The principle of Network Security Monitoring[NSM]

Transcription:

Traffic Monitoring : Experience

Objectives Lebah Net To understand who and/or what the threats are To understand attacker operation Originating Host Motives (purpose of access) Tools and Techniques Who (personality) To be able to capture and predict new attacks pattern and trend To be able to produce new attack identifications

How it Works Lebah Net Management Console The Management console is used to view the logs to conduct analysis of activities. Log The Log Server retains the logs for a certain period of time and backed up to external media periodically. Network Intrusion Detection System NIDS listens in promiscuous mode all activities carried out within the network to and from the honeypots. All binaries of the logs are dumped into the Database. Honeypot1 Honeypot2 Honeypot3 The Honeypots consists of hosts setup with certain vulnerabilities introduced. It emulates various platforms and has mechanisms to contain the perpetrator from launching attacks to other external systems.

Architecture

Network Activity Profiling Act of collecting statistics Intrusion as deviations from normal behavior Checking Service running vs Network traffic Look for Activity that has not been seen before Activity level that is greater than normal

Analyzing Data Well known network signatures IDS Snort, Bro Pcap filters Look for behavioral changes Quiet system suddenly scanning Trigger on initiated outbound traffic Examine captured binaries Disassemble

Traffic Characteristics Protocols Ports Success and Failures Peers of communication Traffic Volume

Network Behavior Volume of Traffic Traffic Pattern

Volume of Traffic Most worm uses logistic growth model. Host is brought into the network with scans and attacks. Best measure at router or firewall

Traffic Pattern Change of behavior. Worm will make host acting abnormal. Look for its presence.

Techniques Traffic Analysis Honeypots Black Hole/Sink Hole

Traffic Capture Method Tcpdump SNMP Flow-Based

Correlation Correlation to find connectedness of events within the set. Autocorrelation Events of the same type Crosscorrelation Interaction of 2 different events

Honeypots and Black Hole Monitoring Effectively listen to the network Honeypots functional system Black Hole unused network Common is any activity appear on this domain is in the interest.

Honeypots Technology Low Level High Level Risk Factor Real attack Still need compliment technology on the network analysis

Black Hole Unused IP space Backscatter Advertise route View to the network

Packet Capture and Analysis 2 ways of Black Hole 1. Export flow logs from routing device 2. Passive network monitor

Traffic Analysis Conclusion Works against most worm especially those that uses active target and exponential growth. Required lengthy period of monitoring and understanding Worm that move sufficiently slow will become undetected

After all Which is the best? False positive or False negative

Attacker Tools

Launching Pad - DDOS Jun 19 03:57:26 ips hogwash: [1:1855:2] Packet Dropped-DDOS Stacheldraht agent->handler (skillz) {ICMP} x.y.z.117 - > 151.9.116.99 Jun 19 03:57:31 ips hogwash: [1:1855:2] Packet Dropped-DDOS Stacheldraht agent->handler (skillz) {ICMP} x.y.z.117 - > 151.9.116.99 Jun 19 03:57:36 ips hogwash: [1:1855:2] Packet Dropped-DDOS Stacheldraht agent->handler (skillz) {ICMP} x.y.z.117 - > 140.112.38.9 Jun 19 03:57:41 ips hogwash: [1:1855:2] Packet Dropped-DDOS Stacheldraht agent->handler (skillz) {ICMP} x.y.z.117 - > 140.112.38.9 Jun 19 03:58:37 ips hogwash: [1:1855:2] Packet Dropped-DDOS Stacheldraht agent->handler (skillz) {ICMP} x.y.z.117 - > 151.9.116.99 Jun 19 03:58:42 ips hogwash: [1:1855:2] Packet Dropped-DDOS Stacheldraht agent->handler (skillz) {ICMP} x.y.z.117 - > 151.9.116.99

Measuring Worm

Traffic to 1 Host

Traffic to Multiple Host

Source IP Address Distribution

Early Warning?

Aguri Data Source - http://tracer.csl.sony.co.jp/mawi/aguri-ports-b/2001/

Aguri Data http://tracer.csl.sony.co.jp/mawi/aguri-ports-b/2001/20010301-dst.png

Value of Research Output Research on tools, tactics, and motives of the attacker. Development of: Incident Response Techniques and Procedures Intrusion Analysis Forensic Analysis Threat Analysis Motivation and Profiling Perimeter Defense Tools

In Development Active Responder Active Defense

!"#$!"## $#$ %!"## "& '())'''*** ))'''*** +,-.** /,01.**.**

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information