Using Honeynets for Internet Situational Awareness
Vinod Yegneswaran, Paul Barford Vern Paxson
University of Wisconsin, Madison ICSI, LBNL
Hotnets 2005
Motivation
o Current tasks for security analysts
  o Abuse monitoring
  o Audit and forensic analysis
  o NIDS/Firewall/ACL configuration
  o Vulnerability testing
  o Policy maintenance
  o Liaison activities
  o Network management
  o End host management
NIDS: State of the art
o Pinpoint descriptions of low-level activities
  o Source A launched CVE-XXX against Dest B
o Large volume of alerts
  o Too many false alarms
  o Vulnerable to flooding attacks / IP spoofing
o Continual manual update of signatures
o Lack of “longitudinal” baseline
o Lack of breadth for root-cause inference
Our vision
o Network “Situational Awareness” (NetSA)
  o “Degree of consistency between one’s perception of their situation and reality” -- US Navy
  o “an accurate set of information about one’s environment scaled to specific level of interest” -- NCOIC
o Elevate quality and timeliness of alerts
Our approach
o Developing NetSA “building blocks” toward
  o Automated incident discovery
  o Robust classification
  o Real-time event notification
  o Forensic analysis capabilities
o Honeynet situational awareness
  o Rich source of information on large-scale malicious activity
  o Accurate attribution of events such as botnets, worms and misconfiguration
System structure
o Tunnel filter: one source -> one dest
  o Volume vs diversity
o Active responders
  o NetBIOS/SMB, DCE/RPC, MS-SQL, HTTP, Dameware, MyDoom
o Bro Radiation-analy
  o Condensed protocol-aware summaries
  o Six-hour batches stored in MySQL backend
o Adaptation
  o Auto-update of “previously-unseen” activities
o Situational-analy
  o Organized reports highlighting most “unusual” and significant events
Radiation-analy summarization
o Leverage Bro’s protocol knowledge and attack semantics
o Distill activity into high-level abstractions
o Quickly validate against past history to check for previous instances
o Types of summaries
  o Connection profiles
  o Source profiles
    o Infer connection-profile associations
  o Session profiles
    o Hard to summarize due to high degree of variability
Radiation-analy vs MD5 signatures
NetSA report example
o Four components
  o New and interesting events
  o High beta events
  o Very high beta events
  o Top 10 profiles
o For profile (p), interval (i):
  o Beta(p, i) = Num_sources(p, i) / Avg(num_sources(p)) across all intervals
NetSA report example
o New and interesting events
  No. Sources  Port     Tag
  1            445-tcp  CREATE_FILE: ``samr''; CREATE_FILE: ``webhost.exe''; CREATE_FILE: ``atsvc''
o High beta events
  Beta  dest_port  No. sources (avg)  Tag
  12.6  1025-tcp   494 (39.2)         [exploit] (RPC request (2904 bytes))
  11.5  135-tcp    416 (36.3)         [exploit] (RPC request (1448 bytes))
NetSA report example
o Very high beta events (beta > 10)
  TAG: 1025/tcp/[exploit] (RPC request (2904 bytes))
  Hour 0..5 srcs: 97, 93, 79, 74, 68, 94
  src-overlaps: 0, 8, 13, 10, 8, 10
  /8s: 25, 26, 19, 21, 16, 19
  dsts: 103, 97, 80, 71, 76, 96
  dst-overlaps: 0, 14, 12, 8, 8, 8
o Top 10 profiles
  Port      No. Sources  Tag
  135-tcp   591          RPC bind: afa8bd80-7d8a-11c9-bef4-08002b10298 len=72; RPC request (24 bytes)
  1025-tcp  494          [exploit] (RPC request (2904 bytes))
  135-tcp   416          [exploit] (RPC request (1448 bytes))
  …
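As an added worked example (not the talk's Bro code), the beta metric and the four report components from the three report slides above, run over constructed per-interval source counts; the baseline average is taken over the earlier intervals, an assumption that matches the 494 (39.2) row and changes little once six months of six-hour batches are in the history:

```python
from statistics import mean

# Constructed sample (not the talk's data): distinct-source counts per profile
# for ten earlier six-hour intervals (the baseline) and for the current one.
# A profile is (destination port, protocol-aware tag).
BASELINE = {
    ("135-tcp", "RPC bind; RPC request (24 bytes)"):
        [570, 585, 601, 590, 612, 578, 595, 588, 603, 596],
    ("1025-tcp", "[exploit] (RPC request (2904 bytes))"):
        [30, 35, 41, 38, 52, 40, 39, 37, 42, 38],             # avg 39.2
    ("135-tcp", "[exploit] (RPC request (1448 bytes))"):
        [30, 33, 36, 40, 44, 35, 38, 37, 32, 38],             # avg 36.3
}
CURRENT = {
    ("135-tcp", "RPC bind; RPC request (24 bytes)"): 591,
    ("1025-tcp", "[exploit] (RPC request (2904 bytes))"): 494,
    ("135-tcp", "[exploit] (RPC request (1448 bytes))"): 416,
    ("445-tcp", "CREATE_FILE: samr; CREATE_FILE: webhost.exe"): 1,
}

def beta(num_sources, history):
    """Beta(p, i) = Num_sources(p, i) / Avg(num_sources(p)) over the baseline."""
    avg = mean(history)
    return num_sources / avg if avg else float("inf")

def netsa_report(current, baseline, high=3.0, very_high=10.0, top_n=10):
    """Split the current interval into the four report components (thresholds are
    assumptions; the talk only states beta > 10 for 'very high')."""
    new, high_beta, very_high_beta = [], [], []
    for profile, n in current.items():
        hist = baseline.get(profile)
        if not hist or not any(hist):
            new.append((profile, n))          # previously unseen: 'new and interesting'
            continue
        b = round(beta(n, hist), 1)
        if b > high:                          # rows like '12.6 1025-tcp 494 (39.2)'
            high_beta.append((profile, n, round(mean(hist), 1), b))
        if b > very_high:                     # these also get the per-hour breakdown
            very_high_beta.append((profile, b))
    high_beta.sort(key=lambda row: -row[3])
    top = sorted(current.items(), key=lambda item: -item[1])[:top_n]
    return {"new": new, "high_beta": high_beta,
            "very_high_beta": very_high_beta, "top": top}

if __name__ == "__main__":
    for section, rows in netsa_report(CURRENT, BASELINE).items():
        print(section, *rows, sep="\n  ")
```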
Analysis dataset
o Collected from 6 months of operation on 1,280 address LBL honeynet
  o Operational for over a year now…
o Highlights from situational-analy summaries
  o 4 instances of misconfiguration (3 P2P, 1 NAT box)
  o 11 suspected botnet sweeps
    o Number of sources per incident 30 – 26,000
    o MS-SQL, DCE/RPC, several NetBIOS/SMB exploits
  o Slammer re-emergence (350 sources)
  o Historical worm data (5)
    o CR I, CR re-emergence, CR II, Nimda, Witty
    o 5,500 – 155,000 sources
Situational awareness in-depth
o Toolkit for large-scale forensic analysis of anomalous events
o 9 offline statistical analyses (Worms/Botnets/Misconfig)
  o Source arrivals
    o Temporal source counts, arrival window, source interarrivals
  o Destination / source network coverage
    o Dest net footprint, first-dest pref, source-net dispersion
  o Per-source macro-analysis
    o Scanning profile, target scope, lifetime
o Based on hypothesized behavior
SA in-depth: large scale events
                           Misconfig      Botnet         Worm
Source Arrivals:
  Temp. Src Counts         Sharp onset    Gradual        Sharp onset
  Arrival Window           Narrow         Narrow         Wide
  Interarrival             Exponential    Exponential    Super-exp
Coverage:
  Dest Footprint           Hotspot        Binomial       Binomial
  First-Dest Pref          Hotspot        Variable       Binomial
  Src-net Dispersion       Low-medium     Low-medium     High
Src Macro-analysis:
  Per-source profile       Hotspot        Variable       Variable
  Target scope             IPv4           <= /8          IPv4
  Source lifetimes         Short          Short          Persistent
Temporal Source Counts
(figure: Codered I, Edonkey misconfig, Wkssvc botnet)
First Destination-IP preference
(figure: Nimda, Wkssvc botnet)
o Considers ordering and preference
Per-source scanning profile (100 random sources)
(figure: Source ID vs dest IP; phase plot of dest IP; MS-SQL botnet incident)
Inferring target scope
o How broadly was a given event scoped? Was our network specifically targeted?
o Assumption: sources are not just sequentially scanning the honeynet
o IDEA 1: Estimate global packet rate from change of IPID
  o Often cannot look at all packet pairs due to honeynet size (multiple wrap-arounds)
o IDEA 2: Look at IPID spacing between retransmitted SYNs from passive traces
  o For UDP look at packets arriving less than 3 secs apart
o Target scope = Honeynet size * (global rate / local rate)
Inferring target scope: Example
o Wkssvc (1280 addresses): multiplier ~ 10^4 -> 13 M addresses
o Witty UW (8K addresses): multiplier ~ 5 * 10^5 -> 4 B addresses
Summary
o Objective: Internet situational awareness
  o Accurate timely summaries of honeynet data
o Bro NetSA (radiation-analy / situation-analy)
  o MySQL backend
o Situational in-depth statistical analyses
  o Provide different yet valuable perspectives on individual events
  o Toward real time classification of events
o Future work
  o Refinement and extension of in-depth SA analyses
  o Distributed NetSA
Other arrival characteristics
o Arrival window
  o Expectation: botnets should see sharp spike in arrivals
  o Often not true – botnets don’t have to push commands, instead zombies could poll and pull
  o phatbot zombies wake up every 1000 seconds to check for new commands
o Source interarrivals
  o Bots poll independently, implies their arrivals will appear to be Poisson with exponential interarrivals
  o Worm interarrival rate should increase during the initial stages of the outbreak
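An added example (not the talk's analysis code) of the interarrival reasoning on this slide: it derives source interarrivals from first-sighting times and separates the independent-polling signature (exponential gaps, coefficient of variation near 1) from a worm's rising arrival rate; the arrival series are constructed and the classification thresholds are assumptions:

```python
import random
from statistics import mean, pstdev

def interarrivals(times):
    """Gaps between consecutive first-sighting times of distinct sources."""
    t = sorted(times)
    return [b - a for a, b in zip(t, t[1:])]

def characterize(times):
    """Return (cv, acceleration). cv close to 1 is the fingerprint of exponential
    interarrivals, i.e. Poisson arrivals from bots polling independently;
    acceleration (mean gap in the first half over the second half) well above 1
    means the arrival rate rose during the window, as in a worm's early stage."""
    gaps = interarrivals(times)
    half = len(gaps) // 2
    return pstdev(gaps) / mean(gaps), mean(gaps[:half]) / mean(gaps[half:])

def classify(times, cv_tol=0.25, accel_threshold=2.0):
    """Thresholds are assumptions, not values from the talk."""
    cv, accel = characterize(times)
    if accel > accel_threshold:
        return "worm-like: interarrival rate increasing"
    if abs(cv - 1.0) <= cv_tol:
        return "bot-like: Poisson arrivals, exponential interarrivals"
    return "other"

def constructed_arrivals(seed=7, n=400):
    """Constructed data, not measurements: bots each polling independently with a
    ~1000 s average gap give a Poisson process; a worm whose infected population
    grows shortens each successive gap geometrically."""
    rng = random.Random(seed)
    bots, t = [], 0.0
    for _ in range(n):
        t += rng.expovariate(1 / 1000)
        bots.append(t)
    worm, t = [], 0.0
    for k in range(n):
        t += 60.0 * 0.99 ** k
        worm.append(t)
    return bots, worm

if __name__ == "__main__":
    bots, worm = constructed_arrivals()
    for name, arrivals in (("bots", bots), ("worm", worm)):
        cv, accel = characterize(arrivals)
        print(f"{name}: cv={cv:.2f} accel={accel:.2f} -> {classify(arrivals)}")
```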
Other arrival characteristics
(figure slide)
Honeynet footprint
(figure: Nimda, Wkssvc botnet)