Page 1
Data Capture and Analysis
C-DAC Mohali
Page 2
Overview
Honeynet/Honeypot Technology
◦ Honeypot/Honeynet Background
◦ Types of Honeypots
◦ Deployment of Honeypots
Data Collection
Data Control
Data Analysis
Page 3
Honeypot/Honeynet concepts
◦ A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource
◦ Has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise
◦ A highly controlled network where every packet entering or leaving the honeypot system and related system activities are monitored, captured and analyzed
◦ Primary value to most organizations is information
Page 4
Advantages
Fidelity – information of high value
Reduced false positives
Reduced false negatives
Simple concept
Not resource intensive
Page 5
04/19/23 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"
Attack Detection Techniques
Detection Techniques (tree diagram): Proactive Techniques, Defensive Techniques; leaf nodes: Anomaly-based, Signature-based, Honeynets
Page 6
How it works (diagram): Attackers, Gateway, HoneyPot A, Attack Data; stages: Monitor, Detect, Response
Page 7
Honeynet Requirements & Standards
Data Control: contain the attack activity and ensure that compromised honeypots do not further harm other systems. Outbound control without blackhats detecting the control activities.
Data Capture: capture all activity within the Honeynet and the information that enters and leaves the Honeynet, without blackhats knowing they are being watched.
Data Collection: captured data is securely forwarded to a centralized data collection point for analysis and archiving.
Attacker Luring: generating the attacker's interest in attacking the honeynet
◦ Static: web server deployment, making it vulnerable
◦ Dynamic: IRC, chat servers, hacker forums
Page 8
Classification
By level of interaction: High, Low, Middle?
By implementation: Virtual, Physical
By purpose: Production, Research
Page 9
Types of Honeypots
Low-interaction
◦ Emulates services and operating systems.
◦ Easy to deploy, minimal risk.
◦ Captures limited information.
High-interaction
◦ Provides real operating systems and services, no emulation.
◦ Complex to deploy, greater risk.
◦ Captures extensive information.
Page 10
Virtual Honeynet
Page 11
What Honeynet Achieves
Diverts the attacker's attention from the real network so that the main information resources are not compromised.
Captures samples of new viruses and worms for future study.
Helps to build attacker profiles in order to identify their preferred attack targets and methods.
Page 12
What value Honeynet adds
Prevention of attacks, through deception and deterrence
Detection of attacks, by acting as an alarm
Response to attacks, by collecting data and evidence of an attacker's activity
Page 13
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
Data Capture
Data Control
Data Analysis
GEN III
Page 14
Honeynet Gen III
Page 15
Data Capture Mechanism (diagram)
Honeywall components: IPTABLES, ARGUS, SNORT, P0F, SEBEKD, TCPDUMP, HFLOWD, HFLOW DB, WALLEYE (GUI web interface), PCAP DATA, convert into unified format
Interfaces: ETH0, ETH1 (0.0.0.0), ETH2; addresses shown: 192.168.2.2, 203.100.79.122
Honeypot side: SEBEK CLIENT, SYS LOGS, AISD, HIDS, APP LOGS
Page 16
DATA CAPTURE TOOLS IN GEN 3 HONEYNET
Honeywall – network level data capture:
◦ Raw packet capture: tcpdump
◦ Analyzed packet capture: p0f, Snort, Argus
Honeypot – system level data capture:
◦ System logs: syslogd
◦ Kernel-level logs: Sebek client-server
Page 17
Data Control (diagram): Internet – Honeywall – Honeypots; inbound traffic: No Restrictions; outbound traffic: Connections Limited, Packets Scrubbed
Page 18
DATA CONTROL
Purpose: mitigate the risk of a compromised honeypot being used to harm non-honeynet systems.
Mechanisms: count outbound connections (reverse firewall); IPS (snort-inline); bandwidth throttling (reverse firewall)
Page 19
IPTABLES packet handling (diagram): IPTABLES FIREWALL with INPUT chain, OUTPUT chain and FORWARD chain
Page 20
Data Control
### Set the connection outbound limits for different protocols.
SCALE="day"
TCPRATE="20"
UDPRATE="20"
ICMPRATE="50"
OTHERRATE="5"
# LAN_IFACE (the honeynet-side interface) and host (the honeypot IP) are set
# elsewhere in the firewall script, and tcpHandler is a user-defined chain that
# passes connections still within the limit; only the TCP rules are shown here.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} -s ${host} -j tcpHandler
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts"
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
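To see what these three rules do to a honeypot's outbound traffic, here is an added Python model of the reverse firewall (example code written for this page, not the Honeywall firewall script). It assumes that iptables' limit match behaves like a token bucket with `--limit-burst` tokens refilled at `--limit` per SCALE, and it stands in for the tcpHandler, LOG and DROP targets with the verdict strings ACCEPT, LOG+DROP and DROP. The rate table is the one from the slide; the connection stream is constructed.

```python
"""Model of the Honeywall outbound connection limit (added example, not the
rc.firewall script). iptables '-m limit' is approximated by a token bucket."""
from collections import Counter

SCALE_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
SCALE = "day"                                  # values from the slide
RATES = {"tcp": 20, "udp": 20, "icmp": 50, "other": 5}


class LimitMatch:
    """Approximation of '-m limit --limit RATE/SCALE --limit-burst BURST'."""

    def __init__(self, rate, scale, burst):
        self.per_second = rate / SCALE_SECONDS[scale]
        self.burst = burst
        self.tokens = float(burst)               # bucket starts full
        self.last = 0.0

    def match(self, now):
        # Refill since the last packet, capped at the burst size, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ReverseFirewall:
    """FORWARD-chain logic for NEW connections leaving a honeypot.

    Rule 1: within the per-day limit -> tcpHandler (ACCEPT here).
    Rule 2: first excess connection per SCALE -> LOG, then falls through to DROP.
    Rule 3: everything else -> DROP.
    """

    def __init__(self, rates=RATES, scale=SCALE):
        self.rates, self.scale = rates, scale
        self.allow = {}      # (host, proto) -> LimitMatch for rule 1
        self.log = {}        # (host, proto) -> LimitMatch for rule 2
        self.journal = []    # what the LOG target would write to the kernel log

    def verdict(self, host, proto, now):
        proto = proto if proto in self.rates else "other"
        key = (host, proto)
        if key not in self.allow:
            rate = self.rates[proto]
            self.allow[key] = LimitMatch(rate, self.scale, rate)   # --limit-burst = rate
            self.log[key] = LimitMatch(1, self.scale, 1)           # one log line per SCALE
        if self.allow[key].match(now):
            return "ACCEPT"
        if self.log[key].match(now):
            self.journal.append(
                f"Drop {proto.upper()} after {self.rates[proto]} attempts src={host} t={now:.0f}")
            return "LOG+DROP"
        return "DROP"


def simulate(events, rates=RATES, scale=SCALE):
    """Run (time_s, honeypot_ip, proto) NEW connections through the firewall."""
    fw = ReverseFirewall(rates, scale)
    verdicts = [(t, host, proto, fw.verdict(host, proto, t)) for t, host, proto in events]
    return verdicts, fw.journal


# Constructed sample: honeypot 10.0.0.5 opens 25 outbound TCP connections one
# second apart, then three more the following day.
SAMPLE_EVENTS = [(float(i), "10.0.0.5", "tcp") for i in range(25)] + \
                [(86400.0 + i, "10.0.0.5", "tcp") for i in range(3)]


def summary(events=SAMPLE_EVENTS):
    """Verdict counts plus the log lines the reverse firewall would emit."""
    verdicts, journal = simulate(events)
    return Counter(v for _, _, _, v in verdicts), journal


if __name__ == "__main__":
    counts, journal = summary()
    print(dict(counts))      # the 21st connection is logged, 22-25 dropped silently
    print(journal)
```

With the slide's TCPRATE of 20 per day, the first 20 connections pass, the 21st produces exactly one "Drop TCP after 20 attempts" log line, the rest of that day's attempts are dropped silently, and the bucket is full again a day later. That single log line is also the detection signal a Honeywall operator looks for: a honeypot hitting its outbound limit is a strong indicator that it has been compromised.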
Page 21
Distributed Honeynet System
Distributed sensor Honeynet
◦ Configuration/reconfiguration
◦ Central logging & alerting
◦ Honeypot management & analysis (forensics take time!)
Page 22
Network Diagram of Distributed Honeynet System (diagram)
Components: Central Database Server; Routers; Honeywalls; host machines, each with a software bridge, a virtual switch, Honeypot1, Honeypot2 and Nepenthes; Internet
Networks shown: BSNL N/W /28, CONNECT N/W /27, STPI N/W /28, Airtel N/W /29
Caption: Large Enterprise Network (STPI) /27; Broadband Providers (BSNL, CONNECT, AIRTEL) /28, /28, /29
Page 23
Life Cycle of Distributed HoneyNet System
Page 24
Remote Node Architecture
Page 25
Page 26
Malware Analysis
Page 27
Malware Collection Module → Malware Analysis Module → Botnet Tracking (diagram, stages 1, 2, 3)
Components: Low-Interaction Honeypot; High Interaction Honeynet; Remote Node of DHS; Sandbox (bot execution); Bot Detection Engine; Malware collection database; Antivirus; Bot hunter; Bot binary database; Botnet tracking database; Central server; Botnet tracking engine
Page 28
Page 29
Page 30
HONEYWALL – DATA ANALYSIS STEPS (diagram; same Honeywall components as the Data Capture Mechanism slide: IPTABLES, ARGUS, SNORT, P0F, SEBEKD, TCPDUMP, HFLOWD, HFLOW DB, WALLEYE, PCAP DATA, ETH0, ETH1 (0.0.0.0), ETH2, SEBEK CLIENT, HONEYPOT, GUI web interface)
Reverse firewall rules (control outbound traffic)
Convert into unified format
Collect & Merge
Page 31
Walleye Web Interface
"Eye on the Honeywall" is a web-based interface for Honeywall configuration, administration and data analysis.
Page 32
Honeywall Roo Logical Design
Page 33
Page 34
Walleye Analysis Interface
Page 35
Botnet Detection
Page 36
Introduction
Botnet Problem
Typical Botnet Life Cycle
How Botnet Grows
Challenges for Botnet Detection
Roadmap to Detection System
Botnet Detection Approaches
Our Implemented Approach
Experiments and Results
Page 37
What Is a Bot/Botnet?
Bot
◦ A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent
◦ Profit-driven, professionally written, widely propagated
Botnet (Bot Army): network of bots controlled by criminals
◦ Definition: "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
◦ Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
Page 38
Botnets are used for …
All DDoS attacks; Spam; Click fraud; Information theft; Phishing attacks; Distributing other malware, e.g., spyware
"[…] PCs are part of a botnet!"
Page 39
Typical Botnet Life Cycle
Pages 40–43
How the Botnet Grows
Page 44
IRC Botnet Life Cycle
Page 45
Challenges for Botnet Detection
Bots are stealthy on the infected machines – we focus on a network-based solution
Bot infection is usually a multi-faceted and multi-phase process – looking only at one specific aspect is likely to fail
Bots are dynamically evolving
Botnets can have very flexible designs of C&C channels – a solution very specific to a botnet instance is not desirable
Page 46
Related Work
Network Level
◦ G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic
◦ J. R. Binkley and S. Singh. An algorithm for anomaly-based botnet detection
◦ J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation
◦ C. Livadas, R. Walsh, D. Lapsley, and W. Strayer. Using machine learning techniques to identify botnet traffic
Page 47
Related Work
Host Level
◦ E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection
◦ R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors
Hybrid
◦ BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection
Page 48
Botnet Detection Approaches
Setting up Honeynets (Honeynet-based solutions)
Network Traffic Monitoring:
– Signature based
– Anomaly based
– DNS based
– Mining based
Page 49
Honeynet Based Solution
It enables us to isolate the bot from the network and monitor its traffic in a more controlled way, instead of waiting to be infected and then monitoring the traffic.
– Bot execution in a Honeynet test bed
– Monitor the traffic generated by bots
Open Analysis:
– Provides connection to the Internet
– More flexible than closed analysis
Page 50
Our Implemented Approach
• Honeynet Based Solution – Achievements
• Approach Implemented
• Honeynet Based Bot Analysis Architecture
• Payload Parser
• Web GUI and report generation
Page 51
Flowchart
Page 52
Page 53
Features
Systematically collects and analyzes bot traffic over the Internet
Provides a controlled connection to the Internet: rate-limits the outbound connections
Uses network-based anomaly detection to identify C&C command sequences
Page 54
Principal Mechanism for Botnet Detection
Bot Execution
- Bot execution in a Honeynet-based environment
- Collection of execution traces to extract C&C server information
- Complete payload sent to the central server
Payload Parser
- Extraction of IRC/HTTP command signatures
Botnet Observation
- Extraction of attack, propagation-scan or other attack commands
- Extraction of specific network patterns, secondary injection attempts
Output
- List of unique C&C servers
- Commands exchanged between bot client and bot server
Page 55
Experimental Result
Botname: B14, MD5: a4dde6f9e4feb8a539974022cff5f92c
Symantec: W32.IRCBot, Microsoft: Backdoor:Win32/Poebot
Captured IRC session:
PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
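The Payload Parser and Output steps from the "Principal Mechanism" slide, applied to the session above, as an added Python example (written for this page; it is not the C-DAC parser). It tokenizes each line the RFC 1459 way (prefix, command, parameters, trailing text), treats a bare server prefix left over in the capture as a line with no command, reads the C&C server from the server prefix, the channel and its command list from the 332 topic reply, and counts the command verbs. The session text is the one on the slide (the 216.x.x.x address is masked there); the "scan" heuristic used to flag propagation commands is an assumption made here.

```python
"""IRC bot-session parser extracting C&C server info (added example, not the
C-DAC Payload Parser). CAPTURED_SESSION is the session shown on the slide."""
from collections import Counter

CAPTURED_SESSION = """\
PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
"""

RPL_TOPIC = "332"   # numeric reply carrying a channel topic: <nick> <channel> :<topic>


def parse_irc_line(line):
    """Split one RFC 1459 line into (prefix, command, params).

    command is None when the capture left only a prefix on the line.
    """
    prefix = None
    rest = line.strip()
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    if not rest:
        return prefix, None, []
    head, sep, trailing = rest.partition(" :")          # trailing param may hold spaces
    params = head.split() + ([trailing] if sep else [])
    return prefix, params[0].upper(), params[1:]


def split_topic_commands(topic):
    """Bot commands in this family are '|'-separated inside the channel topic."""
    return [c.strip() for c in topic.split("|") if c.strip()]


def classify_verb(verb):
    """Assumed heuristic: verbs mentioning 'scan' drive propagation scanning."""
    return "propagation-scan" if "scan" in verb.lower() else "other"


def extract_cnc_info(session_text):
    """Walk a captured session and return what the Output step lists."""
    info = {"server": None, "nick": None, "user": None, "password": None,
            "channels": [], "commands": [], "status_messages": []}
    for raw in session_text.splitlines():
        prefix, command, params = parse_irc_line(raw)
        # A prefix without a nick!user@host part names the server itself.
        if prefix and "!" not in prefix and info["server"] is None:
            info["server"] = prefix
        if command == "PASS" and params:
            info["password"] = params[0]
        elif command == "NICK" and params:
            info["nick"] = params[0]
        elif command == "USER" and params:
            info["user"] = params[0]
        elif command == RPL_TOPIC and len(params) >= 3:
            channel, topic = params[1], params[2]
            if channel not in info["channels"]:
                info["channels"].append(channel)
            for cmd in split_topic_commands(topic):
                verb, *args = cmd.split()
                info["commands"].append({"channel": channel, "verb": verb,
                                         "args": args, "kind": classify_verb(verb)})
        elif command == "PRIVMSG" and len(params) >= 2:
            info["status_messages"].append((params[0], params[1]))
    return info


def command_histogram(info):
    """Count command verbs, the signature-style summary reported per sample."""
    return dict(Counter(c["verb"] for c in info["commands"]))


if __name__ == "__main__":
    result = extract_cnc_info(CAPTURED_SESSION)
    print("C&C server:", result["server"], "channels:", result["channels"])
    for cmd in result["commands"]:
        print(f"  {cmd['kind']:17} {cmd['verb']} {' '.join(cmd['args'])}")
    print("verb histogram:", command_histogram(result))
```

On this session the parser reports ftpelite.mine.nu as the C&C server, #100+ as the channel, one .vscan command (flagged as propagation scanning, which the bot's own PRIVMSG status line confirms) and seven .sbk commands. The same records, collected across samples, give the unique C&C server list and per-bot command histograms the slide describes as the system's output.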
Page 56
Experimental Results: IRC
Page 57
Bot Family     Number of Samples   Percentage
Rbot           70                  6.28%
Poebot.gen     32                  2.87%
Rbot.gen       30                  2.69%
IRCbot.genK    22                  1.99%
Poebot.BT      12                  1.08%
IRCbot         8                   0.71%
Poebot.BI      6                   0.54%
IRCbot.genS    4                   0.35%
Poebot         4                   0.35%
Poebot.T       4                   0.35%
Page 58
In total we could identify 99 IRC-based bot binaries, a rate of 8.25% of the overall binaries in 12 months.
Page 59
Botnet C&C Server Info
Page 60
Sno   Source IP         count
1     122.160.115.76    191
2     122.160.76.92     91
3     122.160.42.85     79
4     122.160.1.248     66
5     122.160.74.180    60
6     61.142.12.86      54
7     122.160.136.220   49
8     122.160.154.222   48
9     122.161.16.82     48
10    122.160.75.115    48

Sno   Ports    count
1     445      2571
2     135      139
3     1434     111
4     139      42
5     80       35
6     25       12
7     3306     7
8     ?        6
9     ?        1
(The port numbers of rows 8 and 9 appear on the slide as the run-together digits 705161.)
Page 61