HoneyComb: Automated IDS Signature Generation using Honeypots
Supervisor: AP. Dr. Mohamed Othman
Prepared by LIW JIA SENG 124862
Introduction
• Honeycomb is a system for automated generation of signatures for network intrusion detection systems (NIDSs).
• It applies protocol analysis and pattern-detection techniques to traffic captured on honeypots.
• Honeycomb is good at spotting worms.
Problem Statement
• Manual creation of intrusion detection signatures is a tedious, inefficient process.
• There are more and more malware variants, and self-propagating malware can spread very rapidly.
• We need fast, automatic detection.
Objective
• To extend the open source honeypot honeyd with the honeycomb plug-in.
• To implement honeycomb in a real environment.
• To evaluate honeycomb in a controlled environment.
• To measure the system performance and the quality of the signatures.
Scope
• Re-implement the research on automated generation of attack signatures for NIDSs using honeypots.
• Set up the extended honeypot system.
• Conduct experiments on the system.
• Measure system performance.
Literature Review
• Internet Worms:
  • Worm Propagation Behavior
  • Morris Worm
  • Code Red I
  • Code Red II
  • SQL Slammer
  • Nimda
Literature Review
• Intrusion Detection Systems:
  • Signature Based
  • Anomaly Detection
  • Snort
  • Bro
• Related Works:
  • Sweetbait
  • PAYL
  • Autograph
Pattern Detection: Horizontal detection
• Comparing all messages at the same depth.
• Messages are passed as input to the LCS algorithm in pairs.
Pattern Detection: Vertical detection
• Concatenating several messages into a string.
• Comparing this with a corresponding concatenated string.
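As an added example (not part of the original presentation and not Honeycomb's own code), the two detection modes above implemented with a longest-common-substring routine over constructed sample messages, with the detected bytes rendered in the Snort content syntax that the generated signatures use; the sample payloads, rule header, destination network and msg text are constructed placeholders.

```python
# Added example, not Honeycomb's source: LCS-based horizontal/vertical pattern detection.
import itertools

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest run of bytes shared by a and b (dynamic programming, O(len(a)*len(b)))."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def horizontal_detect(messages, min_len=8):
    """Horizontal detection: compare all messages at the same depth, pairwise, via LCS."""
    found = {longest_common_substring(m1, m2)
             for i, m1 in enumerate(messages) for m2 in messages[i + 1:]}
    return sorted((p for p in found if len(p) >= min_len), key=len, reverse=True)

def vertical_detect(flow_a, flow_b, min_len=8):
    """Vertical detection: concatenate each flow's messages, then compare the two strings."""
    lcs = longest_common_substring(b"".join(flow_a), b"".join(flow_b))
    return lcs if len(lcs) >= min_len else b""

def snort_content(pattern: bytes) -> str:
    """Printable ASCII stays literal; other bytes (and | " ; \\) become a |hex| run."""
    def literal(c):
        return 0x20 <= c < 0x7F and c not in b'|";\\'
    parts = []
    for is_lit, run in itertools.groupby(pattern, literal):
        run = list(run)
        parts.append(bytes(run).decode("ascii") if is_lit else "|" + " ".join(f"{c:02X}" for c in run) + "|")
    return "".join(parts)

# Constructed sample traffic: two requests carrying the same payload and one ordinary request.
SAMPLE = [
    b"GET /default.ida?XXXXXXXX\x00\x00CodeRedII\x00 HTTP/1.0\r\nHost: a\r\n\r\n",
    b"GET /default.ida?XXXXXXXX\x00\x00CodeRedII\x00 HTTP/1.0\r\nHost: b\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n",
]

def demo_rule(messages=SAMPLE) -> str:
    """Wrap the longest detected pattern in a Snort rule (placeholder header and msg)."""
    pattern = horizontal_detect(messages)[0]
    return (f'alert tcp any any -> 10.2.0.0/16 80 (msg: "Honeycomb example"; '
            f'flags: PA+; flow: established; content: "{snort_content(pattern)}";)')
```

Note that the pairing of the payload-carrying requests with the ordinary one also yields the protocol boilerplate " HTTP/1.0|0D 0A|Host: ..." as a candidate, which is exactly how a pattern detector of this kind ends up with signatures for legitimate traffic.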
Signature Lifecycles
• Relational operators on signatures:
  • sig1 = sig2: all elements equal
  • sig1 sig2: elements differ
  • sig1 sig2: sig1 contains a subset of sig2's facts
  • signew = sigpool: signew ignored
  • signew sigpool: signew added
  • signew sigpool: signew added
  • sigpool signew: signew augments sigpool
Experiments
• Controlled Environment Experiments:
  • Evaluate the effectiveness and quality of the worm signatures created by HoneyComb.
• Live Traffic Experiments:
  • Determine what kinds of signatures HoneyComb generates in a real traffic environment.
Controlled Environment Experiments
• TCP worm – Code Red II
• UDP worm – SQL Slammer
• Actual worm packet payloads were used.
• The worm packets were sent from a compromised host to the HoneyComb machine.
Controlled Environment Experiments
• Result:
• TCP Worms – Code Red II
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 13h51m47 2007 "; )
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 14h21m47 2007";flags: PA+; flow: established; content: "GET/default.ida?XXXX XX XX (...) 00|CodeRedII|…";)
Controlled Environment Experiments
• Result:
• UDP Worms – SQL Slammer
alert udp 192.168.1.15/32 256 -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01(...)|Qh.dllhel32hkernQhounthickChGetTf| (…) D6 EB|"; )
Controlled Environment Experiments
• A comparison of the signature content with the worm payload sent to the honeypots shows that HoneyComb generates good-quality signatures in a controlled environment.
• HoneyComb was able to detect the TCP and UDP worms efficiently.
Live Traffic Experiment
• Generated Signatures:
  • 18,288 signatures were generated by HoneyComb.
  • 9,473 signatures contained flow content strings.
  • HoneyComb was able to generate the Slammer signatures precisely.
  • No Code Red II signature was created, since Code Red II was reported to have died out in October 2001.
Live Traffic Experiment • Generated Signatures : alert udp any any -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08"; )
Live Traffic Experiment
• Generated Signatures:
alert tcp any any -> 10.2.0.0/24 80,135,8080 (msg: "Honeycomb Thu Apr 19 05h28m19 2007 "; flags: FRAU21!; flow: established; content of signature 908 : "CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D 0A|HTTP/1.1 400 Bad Request|0D 0A|Server: Microsoft-IIS/5.0|0D 0A|Date: Tue, 17 Apr 2007 03:57:30 GMT|0D 0A|Content-Type: text/html|0D 0A|Content-Length: 87|0D 0A 0D 0A|<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D|"; )
Discussion
• HoneyComb v0.7 compiled with Honeyd v1.5b without error, but it produced strange, useless results when HoneyComb was run.
• The source code in hc_udp.c and hc_tcp.c was modified and recompiled to fix this error.
Discussion -- Problems
• Unable to generate signatures for polymorphic worms.
• Honeycomb can be fooled by attackers into generating signatures for legitimate traffic.
• Consumes a large amount of memory to perform the packet pattern matching.
• Signature state held in memory is lost when the system restarts, so the same signatures are generated again.
Conclusion
• HoneyComb's pattern-matching worm detection mechanism is able to produce good-quality signatures for worms.
• Signatures created by HoneyComb can be converted into a format suitable for both the Snort and Bro NIDS.
Conclusion
• Honeypots offer an offensive approach to intrusion detection and prevention.
• HoneyComb suggests that automated signature creation on honeypots is feasible and effective.
• This automated signature creation system is a first step towards integrating honeypots more closely into the security infrastructure.
Future Works
• Reduce the effort HoneyComb spends per arriving packet.
• Address the inability to generate signatures for polymorphic worms.
• Provide a better tool to analyze the signatures created.
• Implement IPv6 in the existing HoneyComb architecture.