
HoneyComb Automated IDS Signature Generation using Honeypots

HoneyComb Automated IDS Signature Generation using Honeypots. Supervisor: AP. Dr. Mohamed Othman. Prepared by LIW JIA SENG 124862. Introduction. Honeycomb is a system for automated generation of signatures for network intrusion detection systems (NIDSs).


Presentation Transcript


  1. HoneyComb: Automated IDS Signature Generation using Honeypots. Supervisor: AP. Dr. Mohamed Othman. Prepared by LIW JIA SENG 124862

  2. Introduction • Honeycomb is a system for automated generation of signatures for network intrusion detection systems (NIDSs). • Applies protocol analysis and pattern-detection techniques to traffic captured on honeypots. • Honeycomb is good at spotting worms.

  3. Problem Statement • Manual creation of intrusion detection signatures is a tedious, inefficient process. • There are more and more malware variants, and self-propagating malware can spread very rapidly. • We need fast, automatic detection.

  4. Objective • To extend the open source honeypot honeyd with the Honeycomb plug-in. • To implement Honeycomb in a real environment. • To evaluate Honeycomb in a controlled environment. • To measure the system performance and the quality of the signatures.

  5. Scope • Re-implement the research on automated generation of attack signatures for NIDSs using honeypots. • Set up a honeypot system extended with Honeycomb. • Conduct experiments on the system. • Measure system performance.

  6. Literature Review • Internet Worms: • Worm Propagation Behavior • Morris Worm • Code Red I • Code Red II • SQL Slammer • Nimda

  7. Literature Review • Intrusion Detection System: • Signature Based • Anomaly Detection • Snort • Bro • Related Works: • Sweetbait • PAYL • Autograph

  8. Honeycomb Architecture

  9. Signature Creation Algorithm

  10. Pattern Detection Horizontal detection • Comparing all messages at the same depth. • Messages are passed as input to the LCS algorithm in pairs.

  11. Pattern Detection Vertical detection • Concatenating several messages into a string. • Comparing this with a corresponding concatenated string.
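The horizontal and vertical detection of slides 10 and 11, worked through as an added example (not Honeycomb's own code, which uses a suffix-tree LCS): pairwise longest common substring over messages at the same depth, or over whole concatenated flows, with the result rendered in the Snort content syntax the results slides use. The sample flows and the minimum pattern length are constructed assumptions.

```python
from itertools import combinations, groupby

# Constructed sample flows (not captured traffic): two requests differing only in a variable field.
FLOWS = [
    [b"GET /default.ida?XXXXXXXX%u9090 HTTP/1.0\r\n", b"Host: victim\r\n"],
    [b"GET /default.ida?XXXXXXXX%u1234 HTTP/1.0\r\n", b"Host: target\r\n"],
]

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """O(n*m) dynamic-programming LCS; Honeycomb itself uses a suffix tree."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def _pairwise_lcs(strings, min_len):
    # LCS of every pair; discard matches shorter than min_len (too unspecific for a signature).
    return {s for x, y in combinations(strings, 2)
            if len(s := longest_common_substring(x, y)) >= min_len}

def horizontal_detect(flows, min_len=8):
    """Horizontal detection: compare messages at the same depth across flows."""
    found = set()
    for d in range(max(len(f) for f in flows)):
        found |= _pairwise_lcs([f[d] for f in flows if d < len(f)], min_len)
    return found

def vertical_detect(flows, min_len=8):
    """Vertical detection: concatenate each flow's messages, then compare flows."""
    return _pairwise_lcs([b"".join(f) for f in flows], min_len)

def snort_content(pattern: bytes) -> str:
    """Snort content syntax: printable text literally, other bytes as |hex| runs."""
    is_text = lambda b: 0x20 <= b < 0x7F and chr(b) not in '|";\\'
    parts = []
    for text, grp in groupby(pattern, is_text):
        grp = bytes(grp)
        parts.append(grp.decode() if text else "|" + grp.hex(" ").upper() + "|")
    return "".join(parts)

def snort_rule(proto, dst_net, dst_port, pattern, msg="Honeycomb"):
    """Emit a rule shaped like the ones on the results slides."""
    opts = f'msg: "{msg}"; ' + ("flags: PA+; flow: established; " if proto == "tcp" else "")
    return f'alert {proto} any any -> {dst_net} {dst_port} ({opts}content: "{snort_content(pattern)}";)'
```

Running `horizontal_detect(FLOWS)` on the sample flows yields the invariant request prefix, while the variable `%u` field and the short `Host:` header fall below the length threshold.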

  12. Signature Lifecycles • Relational operators on signatures: • sig1 = sig2: all elements equal • sig1 ≠ sig2: elements differ • sig1 ⊂ sig2: sig1 contains a subset of sig2’s facts • Pool rules: • signew = sigpool: signew ignored • signew sigpool: signew added • signew sigpool: signew added • sigpool signew: signew augments sigpool

  13. System Framework

  14. HoneyComb Network Diagram

  15. Experiments • Controlled Environment Experiments: • Evaluate the effectiveness and the quality of the worm signatures created by HoneyComb. • Live Traffic Experiments: • Determine what kind of signatures HoneyComb generates in a real traffic environment.

  16. Controlled Environment Experiments

  17. Controlled Environment Experiments • TCP worm – Code Red II • UDP worm – SQL Slammer • Actual worm packet payloads were used. • Worm packets were sent from a compromised host to the HoneyComb machine.

  18. Controlled Environment Experiments

  19. Controlled Environment Experiments • Result : • TCP Worms – Code Red II alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 13h51m47 2007 "; ) alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 14h21m47 2007";flags: PA+; flow: established; content: "GET/default.ida?XXXX XX XX (...) 00|CodeRedII|…";)

  20. Controlled Environment Experiments • Result : • UDP Worms – SQL Slammer alert udp 192.168.1.15/32 256 -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01(...)|Qh.dllhel32hkernQhounthickChGetTf| (…) D6 EB|"; )

  21. Controlled Environment Experiments • A comparison of the signature content with the worm payload sent to the honeypots shows that HoneyComb generates good-quality signatures in a controlled environment. • HoneyComb is able to detect the TCP and UDP worms efficiently.

  22. Live Traffic Experiment

  23. Live Traffic Experiment • Generated Signatures: • 18,288 signatures were generated by HoneyComb. • 9,473 signatures contained flow content strings. • HoneyComb was able to generate the Slammer signatures precisely. • No Code Red II signature was created, since it was reported dead in October 2001.

  24. Live Traffic Experiment • Generated Signatures : alert udp any any -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08"; )

  25. Live Traffic Experiment • Generated Signatures : alert tcp any any -> 10.2.0.0/24 80,135,8080 (msg: "Honeycomb Thu Apr 19 05h28m19 2007 "; flags: FRAU21!; flow: established; content of signature 908 : "CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D 0A|HTTP/1.1 400 Bad Request|0D 0A|Server: Microsoft-IIS/5.0|0D 0A|Date: Tue, 17 Apr 2007 03:57:30 GMT|0D 0A|Content-Type: text/html|0D 0A|Content-Length: 87|0D 0A 0D 0A|<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D|"; )

  26. Honeycomb Performance Benchmarking

  27. Discussion • HoneyComb v0.7 compiled with Honeyd v1.5b without error, but produced strange and useless results when HoneyComb was run. • The source code in hc_udp.c and hc_tcp.c was modified and recompiled to fix this error.

  28. Discussion -- Problem • Unable to generate signatures for polymorphic worms. • Honeycomb can be fooled by attackers into generating signatures for legitimate traffic. • Consumes a large amount of memory to perform packet pattern matching. • Loses its in-memory state when the system restarts, so the same signatures are generated again.

  29. Conclusion • The pattern-matching worm detection mechanism of HoneyComb is able to produce good-quality signatures for worms. • Signatures created by HoneyComb can be converted into a format suitable for both the Snort and Bro NIDS.

  30. Conclusion • Honeypots offer an offensive approach to intrusion detection and prevention. • HoneyComb suggests that automated signature creation on honeypots is feasible and effective. • This automated signature creation system is a first step towards integrating honeypots more closely into the security infrastructure.

  31. Future Works • Work on reducing the effort HoneyComb spends per arriving packet. • Solve the drawback of being unable to generate signatures for polymorphic worms. • Provide a better tool to analyze the created signatures. • Implement IPv6 support in the existing HoneyComb architecture.

  32. Question and Answer

  33. Thank You
