![Page 1: HoneyComb Automated IDS Signature Generation using Honeypots](https://reader036.vdocuments.mx/reader036/viewer/2022070410/56814683550346895db3a3ad/html5/thumbnails/1.jpg)
HoneyComb: Automated IDS Signature Generation using Honeypots
Prepared by LIW JIA SENG 124862
Supervisor: AP. Dr. Mohamed Othman
Introduction
Honeycomb is a system for automated generation of signatures for network intrusion detection systems (NIDSs).
Applies protocol analysis and pattern-detection techniques to traffic captured on honeypots.
Honeycomb is good at spotting worms.
Problem Statement
Manual creation of intrusion detection signatures is a tedious, inefficient process.
There are more and more malware variants, and self-propagating malware can spread very rapidly.
We need fast, automatic detection.
Objective
To extend the open source honeypot honeyd with the honeycomb plug-in.
To implement honeycomb in a real environment.
To evaluate honeycomb in a controlled environment.
Measure the system performance and quality of signatures.
Scope
Re-implement the research on automated generation of attack signatures for NIDSs using honeypots.
Set up a honeypot system extended with signature generation.
Conduct experiments on the system and measure system performance.
Literature Review
Internet worms: worm propagation behaviour; Morris Worm, Code Red I, Code Red II, SQL Slammer, Nimda.
Literature Review
Intrusion detection systems: signature based, anomaly detection; Snort, Bro.
Related works: Sweetbait, PAYL, Autograph.
Honeycomb Architecture
Signature Creation Algorithm
Pattern Detection
Horizontal detection: comparing all messages at the same depth.
Messages are passed as input to the LCS algorithm in pairs.
Pattern Detection
Vertical detection: concatenating several messages into a string.
Comparing this with a corresponding concatenated string.
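The two detection modes above, as an added example that is not Honeycomb's own code: longest-common-substring (LCS) comparison of two honeypot flows, horizontally (message against message at the same depth) and vertically (over the concatenated flows). The flow representation, the MIN_LEN threshold and the sample flows are my assumptions.

```python
MIN_LEN = 6  # assumed: shortest common substring worth keeping as a signature fact


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming longest common substring over raw bytes."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def horizontal_patterns(flow_a, flow_b):
    """Horizontal detection: compare the messages of two flows at the same
    depth (message index) pairwise and keep every LCS of at least MIN_LEN."""
    found = []
    for depth, (m1, m2) in enumerate(zip(flow_a, flow_b)):
        lcs = longest_common_substring(m1, m2)
        if len(lcs) >= MIN_LEN:
            found.append((depth, lcs))
    return found


def vertical_pattern(flow_a, flow_b):
    """Vertical detection: concatenate each flow's messages and run LCS over
    the two whole strings, which also catches patterns that cross message
    boundaries (and so would be split by horizontal detection)."""
    lcs = longest_common_substring(b"".join(flow_a), b"".join(flow_b))
    return lcs if len(lcs) >= MIN_LEN else b""


# Constructed sample flows (not captured traffic): two HTTP-style requests
# with the same path but different payload bytes, followed by identical headers.
FLOW_A = [b"GET /default.ida?XXXXXXXX HTTP/1.0\r\n", b"Host: www\r\n\r\n"]
FLOW_B = [b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n", b"Host: www\r\n\r\n"]

if __name__ == "__main__":
    print(horizontal_patterns(FLOW_A, FLOW_B))
    print(vertical_pattern(FLOW_A, FLOW_B))
```

On the sample flows the vertical pass returns a 24-byte pattern spanning the request line and the Host header, longer than either horizontal match.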
Signature Lifecycles
Relational operators on signatures:
sig1 = sig2: all elements equal
sig1 ≠ sig2: elements differ
sig1 ⊂ sig2: sig1 contains a subset of sig2's facts
Lifecycle of a new signature (signew) against the signature pool (sigpool):
signew = sigpool: signew ignored
signew ≠ sigpool: signew added
signew ⊂ sigpool: signew added
sigpool ⊂ signew: signew augments sigpool
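An added illustration of the lifecycle rules above (not Honeycomb's own code): a signature is modelled as a frozenset of facts, the relation to each pool entry is classified with the three operators, and the pool is updated accordingly. The fact representation and the sample facts are my assumptions.

```python
def relate(sig_new: frozenset, sig_pool: frozenset) -> str:
    """Classify sig_new against one pool signature:
    'equal' (sig_new = sig_pool), 'subset' (sig_new ⊂ sig_pool),
    'superset' (sig_pool ⊂ sig_new) or 'differ' (sig_new ≠ sig_pool)."""
    if sig_new == sig_pool:
        return "equal"
    if sig_new < sig_pool:
        return "subset"
    if sig_pool < sig_new:
        return "superset"
    return "differ"


def update_pool(pool: list, sig_new: frozenset) -> tuple:
    """Apply the lifecycle rules and return (new_pool, action):
    equal -> sig_new ignored; sigpool ⊂ signew -> sig_new augments
    (replaces) that pool entry; subset or differ -> sig_new added."""
    for idx, sig_pool in enumerate(pool):
        rel = relate(sig_new, sig_pool)
        if rel == "equal":
            return pool, "ignored"
        if rel == "superset":
            return pool[:idx] + [sig_new] + pool[idx + 1:], "augmented"
    return pool + [sig_new], "added"


# Constructed facts (assumed representation, not Honeycomb's internal one).
BASE = frozenset({("proto", "tcp"), ("dport", 80), ("content", b"GET /default.ida?")})
RICHER = BASE | {("flags", "PA+")}          # BASE ⊂ RICHER
NARROWER = frozenset({("proto", "tcp"), ("dport", 80)})  # NARROWER ⊂ BASE


def demo():
    """Feed the three signatures through an empty pool; return the actions."""
    pool, actions = [], []
    for sig in (BASE, BASE, RICHER, NARROWER):
        pool, act = update_pool(pool, sig)
        actions.append(act)
    return pool, actions


if __name__ == "__main__":
    print(demo()[1])
```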
System Framework
HoneyComb Network Diagram
Experiments
Controlled environment experiments: evaluate the effectiveness and the quality of the worm signatures created by HoneyComb.
Live traffic experiments: determine what kind of signatures HoneyComb generates in a real traffic environment.
Controlled Environment Experiments
Controlled Environment Experiments
TCP worm: Code Red II. UDP worm: SQL Slammer.
Actual worm packet payloads were used.
Worm packets were sent from a compromised host to the HoneyComb machine.
Controlled Environment Experiments
Controlled Environment Experiments
Result: TCP worm – Code Red II
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 13h51m47 2007 "; )
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 14h21m47 2007";flags: PA+; flow: established; content: "GET/default.ida?XXXX XX XX (...) 00|CodeRedII|…";)
Controlled Environment Experiments
Result: UDP worm – SQL Slammer
alert udp 192.168.1.15/32 256 -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01(...)|Qh.dllhel32hkernQhounthickChGetTf| (…) D6 EB|"; )
Controlled Environment Experiments
A comparison of the signature content with the worm payload sent to the honeypots shows that HoneyComb generates good quality signatures in a controlled environment.
HoneyComb was able to detect the TCP and UDP worms efficiently.
Live Traffic Experiment
Live Traffic Experiment
Generated signatures: 18,288 signatures were generated by HoneyComb; 9,473 of them contained flow content strings. HoneyComb was able to generate the Slammer signature precisely. No Code Red II signature was created, since that worm was reported dead in October 2001.
Live Traffic Experiment
Generated signature (SQL Slammer):
alert udp any any -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08"; )
Live Traffic Experiment
Generated signature (TCP, live traffic):
alert tcp any any -> 10.2.0.0/24 80,135,8080 (msg: "Honeycomb Thu Apr 19 05h28m19 2007 "; flags: FRAU21!; flow: established; content of signature 908 : "CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D 0A|HTTP/1.1 400 Bad Request|0D 0A|Server: Microsoft-IIS/5.0|0D 0A|Date: Tue, 17 Apr 2007 03:57:30 GMT|0D 0A|Content-Type: text/html|0D 0A|Content-Length: 87|0D 0A 0D 0A|<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D|"; )
Honeycomb Performance Benchmarking
Figure: Honeycomb performance overhead. Processing time (s, 0.00 to 1.10) against received packets (0 to 2000), plotted for Honeyd alone and for Honeyd with Honeycomb.
Discussion
HoneyComb v0.7 compiled against Honeyd v1.5b without errors, but it produced strange and useless results when run.
The source code in hc_udp.c and hc_tcp.c was modified and recompiled to fix this problem.
Discussion -- Problem
Unable to generate signatures for polymorphic worms.
Honeycomb can be fooled by attackers into generating signatures for legitimate traffic.
Consumes a large amount of memory to perform packet pattern matching.
Loses its memory when the system restarts, so the same signatures will be generated again.
Conclusion
The pattern matching worm detection mechanism of HoneyComb is able to produce good quality signatures for worms.
Signatures created by HoneyComb can be converted into a format suitable for both Snort and Bro NIDS.
Conclusion
Honeypots offer an offensive approach to intrusion detection and prevention.
HoneyComb suggests that automated signature creation on honeypots is feasible and effective.
This automated signature creation system is a first step towards integrating honeypots more closely into security infrastructure.
Future Works
Work on reducing the effort HoneyComb spends per arriving packet.
Solve the drawback of being unable to generate signatures for polymorphic worms.
Provide a better tool to analyze the signatures created.
Implement IPv6 support in the existing HoneyComb architecture.
Question and Answer
Thank You