
Page 1: Using Honeynets for Internet Situational Awareness

Vinod Yegneswaran, Paul Barford (University of Wisconsin, Madison); Vern Paxson (ICSI, LBNL)

HotNets 2005

Page 2: Motivation

o Current tasks for security analysts
  o Abuse monitoring
  o Audit and forensic analysis
  o NIDS/Firewall/ACL configuration
  o Vulnerability testing
  o Policy maintenance
  o Liaison activities
  o Network management
  o End host management

Page 3: NIDS: State of the art

o Pinpoint descriptions of low-level activities
  o "Source A launched CVE-XXX against Dest B"
o Large volume of alerts
  o Too many false alarms
  o Vulnerable to flooding attacks / IP spoofing
o Continual manual update of signatures
o Lack of "longitudinal" baseline
o Lack of breadth for root-cause inference

Page 4: Our vision

o Network "Situational Awareness" (NetSA)
  o "Degree of consistency between one's perception of their situation and reality" -- US Navy
  o "An accurate set of information about one's environment scaled to specific level of interest" -- NCOIC
o Elevate quality and timeliness of alerts

Page 5: Our approach

o Developing NetSA "building blocks" toward
  o Automated incident discovery
  o Robust classification
  o Real-time event notification
  o Forensic analysis capabilities
o Honeynet situational awareness
  o Rich source of information on large-scale malicious activity
  o Accurate attribution of events such as botnets, worms and misconfiguration

Page 6: System structure

o Tunnel filter: one source -> one dest
  o Volume vs diversity
o Active responders
  o NetBIOS/SMB, DCE/RPC, MS-SQL, HTTP, Dameware, MyDoom
o Bro radiation-analy
  o Condensed protocol-aware summaries
  o Six-hour batches stored in MySQL backend
o Adaptation
  o Auto-update of "previously-unseen" activities
o Situational-analy
  o Organized reports highlighting the most "unusual" and significant events

Page 7: Radiation-analy summarization

o Leverage Bro's protocol knowledge and attack semantics
o Distill activity into high-level abstractions
o Quickly validate against past history to check for previous instances
o Types of summaries
  o Connection profiles
  o Source profiles
    o Infer connection-profile associations
  o Session profiles
    o Hard to summarize due to high degree of variability

Page 8: Radiation-analy vs MD5 signatures

(figure only: comparison of radiation-analy summaries against MD5 signatures; chart not reproduced in the transcript)

Page 9: NetSA report example

o Four components
  o New and interesting events
  o High beta events
  o Very high beta events
  o Top 10 profiles
o For profile p and interval i:
  o Beta(p, i) = Num_sources(p, i) / Avg(Num_sources(p)) across all intervals

Page 10: NetSA report example

o New and interesting events

  No. Sources  Port     Tag
  1            445-tcp  CREATE_FILE: "samr"; CREATE_FILE: "webhost.exe"; CREATE_FILE: "atsvc"

o High beta events

  Beta  dest_port  No. sources (avg)  Tag
  12.6  1025-tcp   494 (39.2)         [exploit] (RPC request (2904 bytes))
  11.5  135-tcp    416 (36.3)         [exploit] (RPC request (1448 bytes))

Page 11: NetSA report example

o Very high beta events (beta > 10)

  TAG: 1025/tcp/[exploit] (RPC request (2904 bytes))
  Hour 0..5
    srcs:          97, 93, 79, 74, 68, 94
    src-overlaps:   0,  8, 13, 10,  8, 10
    /8s:           25, 26, 19, 21, 16, 19
    dsts:         103, 97, 80, 71, 76, 96
    dst-overlaps:   0, 14, 12,  8,  8,  8

o Top 10 profiles

  Port      No. Sources  Tag
  135-tcp   591          RPC bind: afa8bd80-7d8a-11c9-bef4-08002b10298 len=72; RPC request (24 bytes)
  1025-tcp  494          [exploit] (RPC request (2904 bytes))
  135-tcp   416          [exploit] (RPC request (1448 bytes))
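The report on slides 9 through 11 is built from one number per profile and interval. The following is an added example, not code from the paper or from Bro's NetSA scripts: it implements the slide's Beta(p, i) definition over a constructed twelve-batch history, separates profiles with no previous instance into the "new and interesting" component, flags high-beta and very-high-beta (beta > 10) profiles, prints the per-hour srcs / src-overlaps / /8s / dsts / dst-overlaps lines for a very-high-beta event from constructed connection records, and lists the top-N profiles. The history counts, the connection records, the "high" threshold of 5, and the choice to average only over the intervals up to i in which the profile was observed are assumptions made here, not values from the slides.

```python
"""NetSA-style beta report over six-hour honeynet summaries.

Added example (not code from the paper or from Bro's NetSA scripts). It
implements the slide's definition

    Beta(p, i) = Num_sources(p, i) / Avg(Num_sources(p)) across all intervals

and builds the four report components: new events, high-beta events,
very-high-beta events (beta > 10) with their per-hour detail lines, and
the top-N profiles. Assumptions made here: the average runs over the
intervals up to and including i in which the profile was observed,
"high" means beta >= 5, and all history and connection data is constructed.
"""
from collections import defaultdict

# Constructed history: distinct sources per profile in 12 consecutive
# six-hour batches (interval 0..11); None = profile absent from that batch.
# A profile is (dst port/proto, radiation-analy tag).
HISTORY = {
    ("135-tcp", "RPC bind len=72; RPC request (24 bytes)"):
        [570, 590, 610, 600, 580, 620, 595, 605, 585, 615, 600, 591],
    ("1025-tcp", "[exploit] (RPC request (2904 bytes))"):
        [3, 4, 2, 5, 3, 4, 2, 5, 3, 4, 3, 494],
    ("135-tcp", "[exploit] (RPC request (1448 bytes))"):
        [40, 45, 38, 42, 50, 41, 39, 44, 47, 43, 36, 416],
    ("445-tcp", 'CREATE_FILE: "samr"; CREATE_FILE: "webhost.exe"; CREATE_FILE: "atsvc"'):
        [None] * 11 + [1],
    ("1434-udp", "[exploit] (Slammer)"):
        [350, 120, 40, 12, 5, 2] + [None] * 6,
}

# Constructed per-hour connection records (hours 0..5 of interval 11) for
# the very-high-beta profile: (hour, src_ip, dst_ip).
CONNS = [
    (0, "10.1.1.1", "198.51.100.5"), (0, "172.16.2.2", "198.51.100.7"),
    (1, "10.1.1.1", "198.51.100.5"), (1, "192.0.2.9", "198.51.100.9"),
    (2, "192.0.2.9", "198.51.100.9"), (2, "192.0.2.10", "198.51.100.5"),
]


def beta(counts, i):
    """Beta(p, i) for one profile's count list; None if p was absent in i."""
    if counts[i] is None:
        return None
    seen = [c for c in counts[: i + 1] if c is not None]
    return counts[i] / (sum(seen) / len(seen))


def hourly_detail(conns, hours=6):
    """Per-hour lines the slides print for very-high-beta events: distinct
    sources, sources also seen the previous hour, distinct source /8s,
    distinct destinations, destinations also hit the previous hour."""
    by_hour = defaultdict(lambda: (set(), set()))
    for hour, src, dst in conns:
        by_hour[hour][0].add(src)
        by_hour[hour][1].add(dst)
    out = {k: [] for k in ("srcs", "src-overlaps", "/8s", "dsts", "dst-overlaps")}
    prev_src, prev_dst = set(), set()
    for hour in range(hours):
        srcs, dsts = by_hour.get(hour, (set(), set()))
        out["srcs"].append(len(srcs))
        out["src-overlaps"].append(len(srcs & prev_src))
        out["/8s"].append(len({s.split(".")[0] for s in srcs}))
        out["dsts"].append(len(dsts))
        out["dst-overlaps"].append(len(dsts & prev_dst))
        prev_src, prev_dst = srcs, dsts
    return out


def netsa_report(history, i, high=5.0, very_high=10.0, top_n=10):
    """The four report components for interval i."""
    rep = {"new": [], "high_beta": [], "very_high_beta": [], "top": []}
    for profile, counts in history.items():
        n = counts[i]
        if n is None:
            continue                                  # inactive this interval
        if all(c is None for c in counts[:i]):
            rep["new"].append((n, profile))           # no previous instance
            continue
        b = beta(counts, i)
        seen = [c for c in counts[: i + 1] if c is not None]
        entry = (round(b, 1), profile, n, round(sum(seen) / len(seen), 1))
        if b >= high:
            rep["high_beta"].append(entry)
        if b > very_high:
            rep["very_high_beta"].append(entry)
    rep["high_beta"].sort(reverse=True)
    rep["very_high_beta"].sort(reverse=True)
    active = [(c[i], p) for p, c in history.items() if c[i] is not None]
    rep["top"] = sorted(active, reverse=True)[:top_n]
    return rep


if __name__ == "__main__":
    report = netsa_report(HISTORY, 11)
    for component, rows in report.items():
        print(component, rows)
    for line, values in hourly_detail(CONNS).items():
        print(f"  {line}: {values}")
```

With the constructed history the 1025-tcp exploit profile scores beta 11.1 (494 sources against an average of 44.3) and lands in both the high and very-high components, the 135-tcp exploit profile scores 5.7, the long-running 135-tcp bind profile stays near 1.0, the single-source 445-tcp CREATE_FILE profile is reported as new rather than scored, and the Slammer profile, absent from the current batch, is not reported at all.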

Page 12: Analysis dataset

o Collected from 6 months of operation on the 1,280-address LBL honeynet
  o Operational for over a year now
o Highlights from situational-analy summaries
  o 4 instances of misconfiguration (3 P2P, 1 NAT box)
  o 11 suspected botnet sweeps
    o Number of sources per incident: 30 - 26,000
    o MS-SQL, DCE/RPC, several NetBIOS/SMB exploits
  o Slammer re-emergence (350 sources)
  o Historical worm data (5 events)
    o Code Red I, Code Red re-emergence, Code Red II, Nimda, Witty
    o 5,500 - 155,000 sources

Page 13: Situational awareness in-depth

o Toolkit for large-scale forensic analysis of anomalous events
o 9 offline statistical analyses (worms / botnets / misconfig)
  o Source arrivals
    o Temporal source counts, arrival window, source interarrivals
  o Destination / source network coverage
    o Dest net footprint, first-dest preference, source-net dispersion
  o Per-source macro-analysis
    o Scanning profile, target scope, lifetime
o Based on hypothesized behavior

Page 14: SA in-depth: large scale events

                               Misconfig     Botnet        Worm
  Source arrivals:
    Temporal src counts        Sharp onset   Gradual       Sharp onset
    Arrival window             Narrow        Narrow        Wide
    Interarrival               Exponential   Exponential   Super-exp
  Coverage:
    Dest footprint             Hotspot       Binomial      Binomial
    First-dest pref            Hotspot       Variable      Binomial
    Src-net dispersion         Low-medium    Low-medium    High
  Src macro-analysis:
    Per-source profile         Hotspot       Variable      Variable
    Target scope               IPv4          <= /8         IPv4
    Source lifetimes           Short         Short         Persistent

Page 15: Temporal Source Counts

(figure only: temporal source-count curves for Code Red I, the eDonkey misconfiguration and the Wkssvc botnet; plots not reproduced in the transcript)

Page 16: First Destination-IP preference

(figure only: first-destination preference for Nimda and the Wkssvc botnet; plots not reproduced in the transcript)

o Considers ordering and preference

Page 17: Per-source scanning profile (100 random sources)

(figure only: source ID vs. destination IP, and phase plot of destination IP, for the MS-SQL botnet incident; plots not reproduced in the transcript)

Page 18: Inferring target scope

o How broadly was a given event scoped? Was our network specifically targeted?
o Assumption: sources are not just sequentially scanning the honeynet
o IDEA 1: Estimate global packet rate from change of IPID
  o Often cannot look at all packet pairs due to honeynet size (multiple wrap-arounds)
o IDEA 2: Look at IPID spacing between retransmitted SYNs from passive traces
  o For UDP, look at packets arriving less than 3 secs apart
o Target scope = Honeynet size * (global rate / local rate)

Page 19: Inferring target scope: Example

  Event    Honeynet                 Multiplier (global rate / local rate)   Estimated target scope
  Wkssvc   1,280 addresses          ~10^4                                   ~13 M addresses
  Witty    UW, 8K addresses         ~5 * 10^5                               ~4 B addresses
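The estimate on slides 18 and 19 rests on one trick: the IPv4 Identification field of many 2005-era stacks was a single 16-bit counter incremented once per packet sent, so the IPID gap between two packets the honeynet saw from a source measures how much that source sent to everyone else in between. The following is an added example, not the paper's own code: it walks a small constructed passive trace, takes the IPID spacing between a SYN and its retransmission (IDEA 2; for UDP, between packets arriving less than 3 s apart), handles a single counter wrap-around, divides by the honeynet's own observed rate for that source, and multiplies by the honeynet size. The addresses, times, IPIDs, the 10-second observation window, and measuring the local rate as distinct honeynet addresses probed per second are assumptions of this example; the TCP source is constructed so that the result reproduces the slide's Wkssvc figure of 1,280 addresses times roughly 10^4.

```python
"""Target-scope estimate from IPID spacing (slides 18-19).

Added example, not the paper's own code. Given a constructed passive
trace, it estimates each source's global packet rate from the IPID
increment between its retransmitted SYNs (for UDP, between packets less
than 3 s apart), measures the local rate the honeynet saw, and applies

    target scope = honeynet size * (global rate / local rate)

Assumptions: the source's IPID is one global counter incrementing by one
per packet sent; the counter wraps at most once between the two sampled
packets (the slides note multiple wrap-arounds defeat IDEA 1); the local
rate is distinct honeynet addresses probed per second of a known window.
"""
HONEYNET_SIZE = 1280       # addresses, the LBL honeynet on the slides
IPID_MOD = 1 << 16         # IPv4 Identification is a 16-bit field
UDP_PAIR_GAP = 3.0         # seconds; "packets arriving less than 3 secs apart"

# Constructed trace rows: (time_s, src, dst, proto, dport, ipid).
# 203.0.113.7 probes ten honeynet addresses in ten seconds and retransmits
# two SYNs after 3 s; its IPID rises ~10000 per second and wraps once.
# 198.18.0.5 sends two UDP probes one second apart.
TRACE = [
    (0.0, "203.0.113.7", "198.51.100.1",  "tcp", 445, 100),
    (1.0, "203.0.113.7", "198.51.100.2",  "tcp", 445, 10100),
    (2.0, "203.0.113.7", "198.51.100.3",  "tcp", 445, 20100),
    (3.0, "203.0.113.7", "198.51.100.4",  "tcp", 445, 30100),
    (4.0, "203.0.113.7", "198.51.100.2",  "tcp", 445, 40100),   # SYN retransmit
    (4.5, "203.0.113.7", "198.51.100.5",  "tcp", 445, 45100),
    (5.5, "203.0.113.7", "198.51.100.6",  "tcp", 445, 55100),
    (6.5, "203.0.113.7", "198.51.100.7",  "tcp", 445, 65100),
    (7.5, "203.0.113.7", "198.51.100.5",  "tcp", 445, 9564),    # retransmit, IPID wrapped
    (8.0, "203.0.113.7", "198.51.100.8",  "tcp", 445, 14564),
    (9.0, "203.0.113.7", "198.51.100.9",  "tcp", 445, 24564),
    (9.5, "203.0.113.7", "198.51.100.10", "tcp", 445, 29564),
    (2.0, "198.18.0.5",  "198.51.100.20", "udp", 1434, 7000),
    (3.0, "198.18.0.5",  "198.51.100.21", "udp", 1434, 7500),
]


def ipid_delta(first, second):
    """Packets the source sent between two IPID samples (at most one wrap)."""
    return (second - first) % IPID_MOD


def rate_samples(trace, src):
    """(packets_sent, seconds) pairs for src: IPID spacing between a SYN and
    its retransmission, or between UDP packets closer than UDP_PAIR_GAP.
    A retransmission is recognised here as a second SYN to the same
    (dst, dport); a fuller version would key on the source port as well."""
    samples, last_syn, last_udp = [], {}, None
    for t, s, dst, proto, dport, ipid in sorted(trace):
        if s != src:
            continue
        if proto == "tcp":
            key = (dst, dport)
            if key in last_syn:
                t0, id0 = last_syn[key]
                samples.append((ipid_delta(id0, ipid), t - t0))
            last_syn[key] = (t, ipid)
        elif proto == "udp":
            if last_udp is not None and t - last_udp[0] < UDP_PAIR_GAP:
                samples.append((ipid_delta(last_udp[1], ipid), t - last_udp[0]))
            last_udp = (t, ipid)
    return samples


def global_rate(samples):
    """Packets per second the source emits Internet-wide; None if no pair."""
    secs = sum(dt for _, dt in samples)
    return sum(d for d, _ in samples) / secs if secs else None


def local_rate(trace, src, window_s):
    """Distinct honeynet addresses probed by src per second of the window."""
    return len({dst for _, s, dst, *_ in trace if s == src}) / window_s


def target_scope(trace, src, window_s, honeynet_size=HONEYNET_SIZE):
    """Estimated number of addresses the source's scan covers."""
    g = global_rate(rate_samples(trace, src))
    if g is None:
        return None
    return honeynet_size * g / local_rate(trace, src, window_s)


if __name__ == "__main__":
    for src in ("203.0.113.7", "198.18.0.5"):
        print(src, rate_samples(TRACE, src), target_scope(TRACE, src, 10.0))
```

For the TCP source the two retransmission pairs each show 30,000 packets in 3 s, a global rate of 10,000 packets/s, against one new honeynet address per second locally, so the scan is estimated to span 1,280 * 10^4 = 12.8 M addresses. A source that never retransmits yields no sample and no estimate, which is the right answer rather than a guess.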

Page 20: Summary

o Objective: Internet situational awareness
  o Accurate, timely summaries of honeynet data
o Bro NetSA (radiation-analy / situation-analy)
  o MySQL backend
o Situational in-depth statistical analyses
  o Provide different yet valuable perspectives on individual events
  o Toward real-time classification of events
o Future work
  o Refinement and extension of in-depth SA analyses
  o Distributed NetSA

Page 21: Other arrival characteristics

o Arrival window
  o Expectation: botnets should see a sharp spike in arrivals
  o Often not true: botnets don't have to push commands; instead zombies can poll and pull
    o phatbot zombies wake up every 1000 seconds to check for new commands
o Source interarrivals
  o Bots poll independently, which implies their arrivals will appear Poisson with exponential interarrivals
  o Worm interarrival rate should increase during the initial stages of the outbreak
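The reasoning on this slide (independently polling bots look Poisson; a spreading worm's arrival rate keeps climbing) is what the "source arrivals" row of the classification table on slide 14 encodes. The following is an added example, not the paper's analysis code: it computes the three source-arrival measures listed on slide 13 (temporal source counts, arrival window, source interarrivals) from the first-seen times of an event's sources, then applies a deliberately simple heuristic that is an assumption of this example rather than the paper's classifier: if the arrival rate at least doubles in each successive quarter of the event it is called super-exponential (worm-like); otherwise an interarrival coefficient of variation near 1 is called exponential (Poisson-like). Both input series are constructed in the block, one from a constant-rate Poisson process and one from exponential population growth.

```python
"""Source-arrival statistics for a honeynet event (slides 13, 14 and 21).

Added example, not the paper's analysis code. It computes the three
"source arrivals" measures (temporal source counts, arrival window,
source interarrivals) from first-seen times and applies a simplified
classification heuristic that is an assumption of this example:
independently polling bots give Poisson arrivals (interarrival CV near 1,
roughly flat rate), while a spreading worm's rate keeps rising through
the early outbreak. Both input series are constructed below.
"""
import math
import random


def temporal_source_counts(arrivals, bin_s):
    """New sources first seen in each bin of bin_s seconds."""
    counts = [0] * (int(max(arrivals) // bin_s) + 1)
    for t in arrivals:
        counts[int(t // bin_s)] += 1
    return counts


def arrival_window(arrivals, lo=0.05, hi=0.95):
    """Seconds between the lo and hi quantiles of first-arrival times."""
    a = sorted(arrivals)
    n = len(a) - 1
    return a[round(hi * n)] - a[round(lo * n)]


def interarrival_cv(arrivals):
    """Coefficient of variation of the gaps between successive new sources;
    exponential gaps (Poisson arrivals) give a value close to 1."""
    a = sorted(arrivals)
    gaps = [y - x for x, y in zip(a, a[1:])]
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / (len(gaps) - 1)
    return math.sqrt(var) / mean


def quarter_rates(arrivals):
    """Arrival rate (sources/s) in four equal time quarters of the event."""
    a = sorted(arrivals)
    q = (a[-1] - a[0]) / 4 or 1.0
    counts = [0, 0, 0, 0]
    for t in a:
        counts[min(int((t - a[0]) // q), 3)] += 1
    return [c / q for c in counts]


def classify_arrivals(arrivals, cv_band=(0.7, 1.3), growth=2.0):
    """'super-exponential' if the rate at least doubles every quarter,
    'exponential' if interarrivals look Poisson, otherwise 'other'.
    Heuristic of this example only, not the paper's classifier."""
    r = quarter_rates(arrivals)
    if all(r[k] > 0 and r[k + 1] >= growth * r[k] for k in range(3)):
        return "super-exponential"
    lo, hi = cv_band
    return "exponential" if lo <= interarrival_cv(arrivals) <= hi else "other"


def poisson_arrivals(n, rate, seed=1):
    """Constructed: n bots polling independently at a constant total rate."""
    rng, t, out = random.Random(seed), 0.0, []
    for _ in range(n):
        t += rng.expovariate(rate)
        out.append(t)
    return out


def worm_arrivals(n, k, seed=2):
    """Constructed: infected population grows as e^(k t), so the i-th new
    source appears around ln(i)/k (small jitter added)."""
    rng = random.Random(seed)
    return [math.log(i) / k + rng.uniform(0.0, 0.01) for i in range(1, n + 1)]


BOTNET = poisson_arrivals(400, 1.0)                  # ~400 s event, flat rate
WORM = worm_arrivals(400, math.log(400) / 600.0)     # 1 -> 400 sources in 600 s

if __name__ == "__main__":
    for name, a in (("botnet", BOTNET), ("worm", WORM)):
        print(name, classify_arrivals(a), temporal_source_counts(a, 100.0),
              round(arrival_window(a)), round(interarrival_cv(a), 2))
```

The quarter-rate test is what distinguishes the two series here: the constructed worm's quarters contain roughly 4, 15, 70 and 311 new sources, while the polling botnet's quarters stay near 100 each with an interarrival CV close to 1. A real event also needs the coverage and per-source rows of the slide 14 table before it is labelled; the arrival row alone cannot separate a misconfiguration's sharp onset from a worm's.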

Page 22: Other arrival characteristics (continued)

(figure only; plots not reproduced in the transcript)

Page 23: Honeynet footprint

(figure only: honeynet destination footprint for Nimda and the Wkssvc botnet; plots not reproduced in the transcript)