
Investigation and Evaluation of Systems for Generating Automatic Alerts Using Honeynet Data


Presentation Transcript


  1. Investigation and Evaluation of Systems for Generating Automatic Alerts Using Honeynet Data Master’s Thesis Seminar Presentation 9.8.2005 Esko Harjama

  2. Contents • Background • Problem statement & Methodology • Introduction • Alerting issues • Automatic Isolation Function • Evaluation • Prototyping • Results & Conclusions

  3. Background • Supervisors • Prof. Jörg Ott (Netlab), • Prof. Guillaume Urvoy-Keller (Eurecom) • Instructor • M.Sc. Idar Kvernevik (F-Secure Oyj) • Carried out as a project for F-Secure

  4. Problem Statement • Honeynets gather information on illicit network traffic and attacks against Honeynet computers • These attacks need to be recognized and investigated • Since 24/7 system monitoring is not practical, an effective alerting system is required to complement monitoring processes • The problem is • How to implement alerting • Where to deploy it • What information and rules should be used to decide when to trigger alerting • Is there need to isolate the computer in addition to alerting and in what cases

  5. Methodologies used • Literature study • IDS, Honeypot and alerting background • Investigation of existing tools and methods for alerting • Evaluation • Evaluation of the pre-selected tools based on criteria • Prototyping • Prototyping the selected solution in the reference environment • Analysis of the results

  6. Introduction: Intrusion Detection Systems, Honeypots • IDS • Monitors network traffic and reports on specified behavior • IDS process: capture, analysis, classification, report, reaction • Example: Snort, a popular open-source IDS based on pattern-matching • Honeypot • Computers placed in the network to ”lure” attackers • Networks of Honeypots form ”Honeynets” • Offer information on specific attacks and statistics • Example project: Honeynet.org alliance

  7. Alerting issues • Alert response processes • Push/Pull ideology • False positives/negatives • Alerting approaches • Log file vs. database monitoring • Information sources • Snort alerts, gateway syslog/iptables logs, upstream end-user data, remote Honeynets • Alerting tools • Snort tools; reporting, configuration, ”alerting” • Log-monitoring applications • Alerting methods • Log, email, SMS, etc.

  8. Automatic Isolation Function • Reasoning • Prevents further attacks from the compromised computer against 3rd parties • Prevents the attacker from erasing any attack methods and details from the computer • Prevents undesired actions inside the Honeynet • Conditions for isolation • Trend increase in the number of attacks/packets • Specific, defined attack behavior • Possible points of isolation • Gateway • Host

  9. Reference Honeynet Setup

  10. Evaluation results

  11. Selected tool: Simple Event Correlator (SEC) • Selected because of its flexibility in configuration and a feature set that suits our needs well; the lack of a GUI is the only downside • SEC is a Perl program for log-monitoring, run from the shell • Flexible rule structure based on regular expressions • Complemented with PigSentry for new alert and trend increase monitoring • Output can also be piped to log, email and SMS

  12. Prototyping • At the moment, SEC and PigSentry have been running in the reference setup for a couple of weeks, monitoring Snort and PigSentry logs • Alerts on: • Snort high priority alerts • New alerts and trend increases (PigSentry) • Trend increases in particular are useful • Special alert conditions can also be added • Alerting appears to require thresholding in all cases: after a compromise, alerts escalate quickly and produce a large volume of notifications
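The three alert conditions named on slides 8, 11 and 12 (high-priority Snort alerts, a count threshold within a window, and a trend increase between windows), together with the throttling that slide 12 says is needed in all cases, can be shown as a small log monitor. The block below is an added example and is not code from the thesis, from SEC or from PigSentry: it is a plain-Python reimplementation of the idea, with the Snort "fast" alert layout assumed from memory, constructed sample alert lines, and a trend heuristic (current fixed window at least three times the previous one) that is the example's own, not PigSentry's algorithm. Signature ids and addresses are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of a Snort "fast" alert line (assumed here; the sample lines below are constructed).
SNORT_FAST = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line, year=2005):
    """Return a dict for one Snort fast-format line, or None if the line is not an alert.
    Snort omits the year from the timestamp, so the caller supplies it."""
    m = SNORT_FAST.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{year}/{ev['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    ev["prio"] = int(ev["prio"])
    return ev


class ThresholdAlerter:
    """Three alert conditions, each throttled so a compromise does not flood the channel:
      priority - Snort priority-1 alerts, one notification per (sid, src) per `suppress` s
      burst    - `thresh` or more events of one sid inside a sliding `window` of seconds
                 (the same shape as a SEC SingleWithThreshold rule)
      trend    - a fixed window whose count is >= trend_factor x the previous window's
                 (constructed heuristic, not PigSentry's own algorithm)
    """

    def __init__(self, window=60, thresh=5, suppress=300, trend_factor=3.0):
        self.window = timedelta(seconds=window)
        self.thresh = thresh
        self.suppress = timedelta(seconds=suppress)
        self.trend_factor = trend_factor
        self.recent = defaultdict(deque)   # sid -> timestamps inside the sliding window
        self.buckets = defaultdict(int)    # (sid, window index) -> count in that fixed window
        self.last_sent = {}                # (kind, key) -> time of last notification
        self.notifications = []            # (kind, key, text); swap in a mail/SMS hook here

    def _notify(self, kind, key, when, text):
        last = self.last_sent.get((kind, key))
        if last is not None and when - last < self.suppress:
            return False                   # same condition already reported recently
        self.last_sent[(kind, key)] = when
        self.notifications.append((kind, key, text))
        return True

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            return                         # not an alert line (e.g. a syslog line); ignore
        t, sid = ev["time"], ev["sid"]
        if ev["prio"] == 1:                # condition 1: high-priority alert
            self._notify("priority", (sid, ev["src"]), t,
                         f"P1 {ev['msg']} {ev['src']} -> {ev['dst']}")
        q = self.recent[sid]               # condition 2: sliding-window threshold
        q.append(t)
        while t - q[0] > self.window:
            q.popleft()
        if len(q) >= self.thresh:
            self._notify("burst", sid, t,
                         f"{len(q)} x sid {sid} within {int(self.window.total_seconds())}s")
        idx = (t - EPOCH) // self.window   # condition 3: trend increase across fixed windows
        self.buckets[(sid, idx)] += 1
        cur, prev = self.buckets[(sid, idx)], self.buckets.get((sid, idx - 1), 0)
        if prev and cur >= self.trend_factor * prev:
            self._notify("trend", sid, t, f"sid {sid}: {cur} this window vs {prev} before")


# Constructed sample alerts (not real captures): one probe signature ramping up, then a
# priority-1 outbound hit from the honeypot reported twice, then a line that is not an alert.
SAMPLE_ALERTS = [
    "08/09-10:00:05.000000  [**] [1:1000001:1] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:445",
    "08/09-10:00:20.000000  [**] [1:1000001:1] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.10:445",
] + [
    f"08/09-10:01:{s:02d}.000000  [**] [1:1000001:1] LOCAL SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {{TCP}} 198.51.100.7:{40010 + s} -> 192.0.2.10:445"
    for s in (10, 15, 20, 25, 30, 35)
] + [
    "08/09-10:01:40.000000  [**] [1:1000002:1] LOCAL honeypot outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:4444 -> 203.0.113.5:6667",
    "08/09-10:01:45.000000  [**] [1:1000002:1] LOCAL honeypot outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:4445 -> 203.0.113.5:6667",
    "Aug  9 10:01:50 gw kernel: not an alert line",
]


def run(lines, **kwargs):
    """Feed lines through one alerter and return the throttled notifications it produced."""
    alerter = ThresholdAlerter(**kwargs)
    for line in lines:
        alerter.feed(line)
    return alerter.notifications


if __name__ == "__main__":
    for kind, key, text in run(SAMPLE_ALERTS):
        print(f"[{kind}] {text}")
```

On the sample input the eight probe events produce exactly one burst notification (the fifth event within a minute) and one trend notification (six events in the 10:01 window against two in the 10:00 window), and the repeated priority-1 alert is reported once; the syslog-style line is skipped. Without the `suppress` interval the same input would generate a notification for every event past the threshold, which is the escalation problem slide 12 describes.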

  13. Results & Conclusions (so far) • The selected method works for alerting purposes and is fairly flexible in using all kinds of data and different output methods • Defining the monitoring processes and the conditions for triggering alerts is problematic • External alerting features are useful in the Honeynet setup, but the tuning of the alerting rules is important • The isolation function also depends on the definition of the triggering conditions and needs more investigation • More information on the Honeynet events is needed to better configure the set of rules → test period ongoing

  14. Questions ?
