1 / 43

Use HoneyStat!

Use HoneyStat!. Don’t become a stat…. Local Worm Detection using Honeypots Justin Miller Jan 25, 2007. Original Paper. HoneyStat: Local Worm Detection Using Honeypots By: D.Dagon, X.Qin, G.Gu, W.Lee, J.Grizzard, J.Levine, H.Owen Georgia Institute of Technology. Background.

kear
Download Presentation

Use HoneyStat!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Use HoneyStat! Don’t become a stat… Local Worm Detection using Honeypots Justin Miller Jan 25, 2007

  2. Original Paper HoneyStat: Local Worm Detection Using Honeypots By: D.Dagon, X.Qin, G.Gu, W.Lee, J.Grizzard, J.Levine, H.Owen Georgia Institute of Technology

  3. Background • Worm detection systems • Detection in local networks • HoneyStat nodes • Data collection • Improvements in HoneyStat

  4. Worm Detection • Relied on artifacts incidental to worm infection • Measure incoming scan rates • Filter results for small networks • Increase data collection • Global monitoring centers • Doesn’t help local networks

  5. Worm Detection • Proposition: use honeypots to improve accuracy of alerts (local intrusion detection) • Honeypot – computer system set up as a trap for attackers

  6. Honeypot • Network decoy • Distracts attackers • Gather early warnings about new attacks • Facilitate in-depth analysis of adversary’s strategy

  7. Honeypot Use • Gather info about how human attackers operate • Labor-intensive log (1:40) • 1 week per hour of data log • Virtual honeypots • Used to prevent OS fingerprinting

  8. Honeypot Use • Detect/disable worms (honeyd) • Not ready for early warning IDS • Know attack pattern • Catch zero day worms – already know system vulnerability

  9. Worm Detection • Worm propagation proposals • Model to study worm spreading • Early detection proposals • Statistical models analyze repeated outgoing connections • Worm info collected at routers

  10. Objective • Early worm detection challenges • Large space to monitor • Coordinated responses • Focus on local networks • Detection using local honeypots • Lower false positive rate of worms

  11. Infection Cycles • 3 actions result from infection • Memory events • Network events • Disk events • Describe worm installation on compromised system

  12. Memory Events • Begins with probe for victim • Provides port • Victim shell listens on port 4,444 • Honeypot acknowledges incoming packets • Infection begins corrupting process

  13. Network Events • Blaster shell remains open for only one connection • Instructs victim to download “egg” program • Honeypot initiates TCP or UDP traffic

  14. Disk Events • Occur after Blaster “egg” is downloaded • Disk writes – become active after system reboot • Not all worms have disk writes

  15. Data Capture • Most worms follow similar cycle • Traditional worm detection • Usually at start or end of cycle • Activity in middle of cycle can be tracked • Intrusion detection based on scan rates has high rate of noise

  16. HoneyStat Node • Minimal honeypot created in an emulator • Covers large address space • Honeypots remain idle until HoneyStat event occurs

  17. HoneyStat Data • Data recorded includes: • OS/patch level of host • Type of event • Trace file of all prior network activity

  18. HoneyStat Events • Events forwarded to analysis node • Usually central server • Places alert events in queue • Perform statistical analysis

  19. Data Analysis • Check if event corresponds to an active honeypot • Update previous event to include new event • Reset honeypot if event involved Network Events (DL an egg or initiating outgoing scans)

  20. Data Analysis • Analysis node examines basic properties of the event • HoneyStat event is correlated with other observed events • Search for worm pattern • Objective: Zero-day worms • Statistical analysis identifies worm behavior

  21. Logistic Regression • Analyzes port correlation • Non-linear transformation of linear regression model • Honeypot event is dichotomous • Awake (1) or asleep (0)

  22. Logistic Regression • Model is binary expectation of the honeypot state • j: counter for honeypot events • i: counter for each individual port traffic for a specific honeypot

  23. Logistic Regression • Measures inverse of time between honeypot events • Resolve equation after each event • Identify candidate ports that explain why honeypots become active • Also finds traffic patterns • Traffic measured for last 5 minutes

  24. Logistic Analysis • Estimate βi,j coefficients (MLE) • Find coefficients that minimize prediction error • Find which variables significantly affect honeypot activity • Single variable = ALERT!

  25. Practical Aspects • Properly identify worm outbreaks • Low false positive rate • Sample data from 6 honeypots active during Blaster worm

  26. Worm Detection

  27. Worm Detection

  28. Worm Detection • Logit Analysis of Multiple HoneyStat Events

  29. Worm Detection • Scans on ports 135, 139, 445 • No test can focus on 135 alone • Leads to pattern for 1 worm • Require: 10 sample events • Not sure of effective sample size

  30. Benefits • Accurate data stream • Events result from successful attack • Reduces amount of data to process • Detects zero day worms • Detects ports worm enter/exit • Finds presence and also explains worm activity

  31. False Positives • Identify wrong network traffic • Worm present, HoneyStat identifies wrong source • Repeated human breakins could be identified as a worm • Disregard manual breakins • These are more dangerous than robotic worms

  32. Sample Data • Tested HoneyStat on the Internet • Injected a worm attack at Georgia Tech • Log from 2002-2004 • Random sample of 250+ synthetic honeypot events • 0 false positives

  33. HoneyStat as IDS • Low false positive rate • Good for local IDS • Effectively detects worms using random scan techniques • Will attack honeypots

  34. HoneyStat as IDS • What about non-random worms? • Ω = entire IPv4 space (232) • T = # of potential victims • N = total vulnerable machines • nt = # of victims at time t • s = scan rate

  35. HoneyStat as IDS • ki+1 = sniT/Ω • # scans entering space T at time (i+1) • P = 1 – (1 - 1/T)ki+1 • Probability of host being hit

  36. HoneyStat as IDS • Worm propagation equation: ni+1 = ni + [N - ni](1 – (1 - 1/T)sniT/Ω) • T and Ω are big, reducing to: • ni+1 = sni/Ω • Same as previous models

  37. HoneyStat as IDS

  38. HoneyStat as IDS • Machines can be multihomed • Each searches 100’s of IP addresses • Local early worm detection • D = 211 • α = 0.25 • First victim found after 0.19% of vulnerable hosts are infected

  39. Contributions • Statistical techniques used in worm detection • Previously applied time series-based statistical analysis • Logistic regression detects worm outbreaks

  40. Weakness • Honeypot evasion • Attackers have worms detect and avoid honeypot traps • Attackers make observations about victim’s machine • Effective sample size unknown

  41. Improvements • Reduce traffic length (logistic) measured < 5 minutes • Studies recent network events • Improve quality of data • Avoid linear identification of multiple worms • Best Subsets logistic regression • Study effective sample size

  42. Conclusion • Further research for local IDS • Logistic regression detects worm outbreaks • Honeypots create accurate alert • 3 classes: memory, disk, network events • Logit analysis eliminates noise • Extensive data traces identifies worm activity

  43. Questions ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

More Related