Using Honeynets for Internet Situational Awareness
Vinod Yegneswaran, Paul Barford (University of Wisconsin, Madison)
Vern Paxson (ICSI, LBNL)
Hotnets 2005
2
Motivation
o Current tasks for security analysts
  o Abuse monitoring
  o Audit and forensic analysis
  o NIDS/Firewall/ACL configuration
  o Vulnerability testing
  o Policy maintenance
  o Liaison activities
  o Network management
  o End host management
3
NIDS: State of the art
o Pinpoint descriptions of low-level activities
  o “Source A launched CVE-XXX against Dest B”
o Large volume of alerts
  o Too many false alarms
  o Vulnerable to flooding attacks / IP spoofing
o Continual manual update of signatures
o Lack of “longitudinal” baseline
o Lack of breadth for root-cause inference
4
Our vision
o Network “Situational Awareness” (NetSA)
  o “Degree of consistency between one’s perception of their situation and reality” -- US Navy
  o “an accurate set of information about one’s environment scaled to specific level of interest” -- NCOIC
o Elevate quality and timeliness of alerts
5
Our approach
o Developing NetSA “building blocks” toward
  o Automated incident discovery
  o Robust classification
  o Real-time event notification
  o Forensic analysis capabilities
o Honeynet situational awareness
  o Rich source of information on large-scale malicious activity
  o Accurate attribution of events such as botnets, worms and misconfiguration
6
System structure
o Tunnel filter: one source -> one dest
  o Volume vs diversity
o Active responders
  o NetBIOS/SMB, DCE/RPC, MS-SQL, HTTP, Dameware, MyDoom
o Bro Radiation-analy
  o Condensed protocol-aware summaries
  o Six-hour batches stored in MySQL backend
o Adaptation
  o Auto-update of “previously-unseen” activities
o Situational-analy
  o Organized reports highlighting most “unusual” and significant events
7
Radiation-analy summarization
o Leverage Bro’s protocol knowledge and attack semantics
o Distill activity into high-level abstractions
o Quickly validate against past history to check for previous instances
o Types of summaries
  o Connection profiles
  o Source profiles
    o Infer connection-profile associations
  o Session profiles
    o Hard to summarize due to high degree of variability
8
Radiation-analy vs MD5 signatures
9
NetSA report example
o Four components
  o New and interesting events
  o High beta events
  o Very high beta events
  o Top 10 profiles
o For profile (p), interval (i):
  o Beta(p, i) = Num_sources(p, i) / Avg(Num_sources(p)) across all intervals
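The beta scoring and the four report components, as an added example (not the authors' Bro/MySQL code). The history is constructed; the "very high" cutoff of 10 comes from the slides, the "high" cutoff of 5 is an assumption, and the average is taken over the intervals preceding the current one.

```python
"""Beta scoring for NetSA report profiles (added example, not the authors'
Bro/MySQL code).  beta(p, i) = num_sources(p, i) / avg(num_sources(p)); this
example averages over the intervals preceding i (the slide does not say
whether the current interval is included)."""
from statistics import mean

VERY_HIGH_BETA = 10.0  # from the slides: "very high beta events (beta > 10)"
HIGH_BETA = 5.0        # assumption: the slides give no cutoff for "high"

# Constructed history: profile (dest port, Bro tag) -> distinct sources seen
# in each six-hour interval (list index = interval number).
HISTORY = {
    ("1025-tcp", "[exploit] (RPC request (2904 bytes))"): [30, 41, 35, 52, 38, 494],
    ("135-tcp", "RPC bind; RPC request (24 bytes)"):       [560, 600, 580, 610, 620, 591],
    ("139-tcp", "NetBIOS session request"):               [20, 22, 19, 25, 24, 140],
    ("445-tcp", 'CREATE_FILE: "webhost.exe"'):            [0, 0, 0, 0, 0, 1],
}

def beta(counts, i):
    """Ratio of interval i's source count to its historical average.
    None means the profile has never been seen before interval i."""
    prev = counts[:i]
    if not prev or mean(prev) == 0:
        return None
    return counts[i] / mean(prev)

def netsa_report(history, i, top_n=10):
    """The four report components for interval i.  Very-high-beta events
    are also listed under high beta, as on the example slide."""
    report = {"new": [], "high_beta": [], "very_high_beta": [], "top": []}
    for profile, counts in history.items():
        n = counts[i]
        if n == 0:
            continue  # nothing from this profile in interval i
        b = beta(counts, i)
        if b is None:
            report["new"].append((n, *profile))
            continue
        entry = (round(b, 1), *profile, n, round(mean(counts[:i]), 1))
        if b >= HIGH_BETA:
            report["high_beta"].append(entry)
        if b > VERY_HIGH_BETA:
            report["very_high_beta"].append(entry)
    report["top"] = sorted(((c[i], *p) for p, c in history.items() if c[i]),
                           reverse=True)[:top_n]
    for key in ("high_beta", "very_high_beta"):
        report[key].sort(reverse=True)  # highest beta first
    return report
```

With the constructed history, interval 5 yields the 1025-tcp row of the slide (beta 12.6, 494 sources against an average of 39.2) and flags the 445-tcp CREATE_FILE profile as new.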
10
NetSA report example
o New and interesting events

  No. Sources  Port     Tag
  1            445-tcp  CREATE_FILE: ``samr''; CREATE_FILE: ``webhost.exe''; CREATE_FILE: ``atsvc''

o High beta events

  Beta  dest_port  No. sources (avg)  Tag
  12.6  1025-tcp   494 (39.2)         [exploit] (RPC request (2904 bytes))
  11.5  135-tcp    416 (36.3)         [exploit] (RPC request (1448 bytes))
11
NetSA report example
o Very high beta events (beta > 10)

  TAG: 1025/tcp/[exploit] (RPC request (2904 bytes))
  Hour 0..5
    srcs:          97, 93, 79, 74, 68, 94
    src-overlaps:   0,  8, 13, 10,  8, 10
    /8s:           25, 26, 19, 21, 16, 19
    dsts:         103, 97, 80, 71, 76, 96
    dst-overlaps:   0, 14, 12,  8,  8,  8
o Top 10 profiles

  Port      No. Sources  Tag
  135-tcp   591          RPC bind: afa8bd80-7d8a-11c9-bef4-08002b10298 len=72; RPC request (24 bytes)
  1025-tcp  494          [exploit] (RPC request (2904 bytes))
  135-tcp   416          [exploit] (RPC request (1448 bytes))
  …
12
Analysis dataset
o Collected from 6 months of operation on 1,280-address LBL honeynet
  o Operational for over a year now…
o Highlights from situational-analy summaries
  o 4 instances of misconfiguration (3 P2P, 1 NAT box)
  o 11 suspected botnet sweeps
    o Number of sources per incident 30 – 26,000
    o MS-SQL, DCE/RPC, several NetBIOS/SMB exploits
  o Slammer re-emergence (350 sources)
  o Historical worm data (5)
    o CR I, CR re-emergence, CR II, Nimda, Witty
    o 5,500 – 155,000 sources
13
Situational awareness in-depth
o Toolkit for large-scale forensic analysis of anomalous events
o 9 offline statistical analyses (Worms/Botnets/Misconfig)
  o Source arrivals
    o Temporal source counts, arrival window, source interarrivals
  o Destination / source network coverage
    o Dest net footprint, first-dest pref, source-net dispersion
  o Per-source macro-analysis
    o Scanning profile, target scope, lifetime
o Based on hypothesized behavior
14
SA in-depth large scale events
                          Misconfig    Botnet       Worm
Source Arrivals:
  Temp. Src Counts        Sharp onset  Gradual      Sharp onset
  Arrival Window          Narrow       Narrow       Wide
  Interarrival            Exponential  Exponential  Super-exp
Coverage:
  Dest Footprint          Hotspot      Binomial     Binomial
  First-Dest Pref         Hotspot      Variable     Binomial
  Src-net Dispersion      Low-medium   Low-medium   High
Src Macro-analysis:
  Per-source profile      Hotspot      Variable     Variable
  Target scope            IPv4         <= /8        IPv4
  Source lifetimes        Short        Short        Persistent
15
Temporal Source Counts
(figure panels: Codered I; Edonkey misconfig; Wkssvc botnet)
16
First Destination-IP preference
(figure panels: Nimda; Wkssvc botnet)
o Considers ordering and preference
17
Per-source scanning profile (100 random sources)
(figure panels: Source ID vs dest IP; Phase plot of dest IP)
MS-SQL botnet incident
18
Inferring target scope
o How broadly was a given event scoped?
o Was our network specifically targeted?
o Assumption: sources are not just sequentially scanning the honeynet
o IDEA 1: Estimate global packet rate from change of IPID
  o Often cannot look at all packet pairs due to honeynet size (multiple wrap-arounds)
o IDEA 2: Look at IPID spacing between retransmitted SYNs from passive traces
  o For UDP look at packets arriving less than 3 secs apart
o Target scope = Honeynet size * (global rate / local rate)
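The IPID-spacing estimate and the target-scope formula carried through on a constructed trace, as an added example rather than the authors' code. It assumes the source keeps one global, sequentially incrementing 16-bit IP ID counter; the SYN pairs, local packet list and 1,280-address honeynet size are constructed so the multiplier lands near the Wkssvc case (~10^4).

```python
"""Target-scope inference from IPID spacing (added example, not the authors'
code).  Assumption: the source uses one global, sequentially incrementing
16-bit IP ID counter, so the IPID gap between two of its packets counts
everything it sent in between, to any destination.

    target_scope = honeynet_size * (global_rate / local_rate)
"""
IPID_MOD = 1 << 16
UDP_PAIR_MAX_GAP = 3.0  # seconds; the slide pairs UDP packets < 3 s apart

def global_rate(pairs):
    """Global packets/second from (t, ipid) pairs of retransmitted SYNs.
    A single 16-bit wrap is undone by the modulo; if the source sent more
    than 65535 packets between the two observations the estimate is too
    low, which is why only closely spaced pairs are used."""
    rates = []
    for (t1, id1), (t2, id2) in pairs:
        if t2 > t1:
            rates.append(((id2 - id1) % IPID_MOD) / (t2 - t1))
    if not rates:
        raise ValueError("no usable packet pairs")
    return sum(rates) / len(rates)

def udp_pairs(packets):
    """Pair consecutive UDP packets (t, ipid) from one source that arrive
    less than UDP_PAIR_MAX_GAP seconds apart."""
    pkts = sorted(packets)
    return [(a, b) for a, b in zip(pkts, pkts[1:])
            if b[0] - a[0] < UDP_PAIR_MAX_GAP]

def infer_target_scope(honeynet_size, pairs, local_packets, window):
    """Return (multiplier, estimated number of addresses targeted)."""
    g_rate = global_rate(pairs)
    l_rate = len(local_packets) / window  # packets the honeynet saw per second
    multiplier = g_rate / l_rate
    return multiplier, honeynet_size * multiplier

# Constructed trace for one source against a 1,280-address honeynet.  Each
# SYN retransmit comes 3 s after the original and the IPID has advanced by
# 3000, i.e. ~1000 packets/s sent globally.  The second pair straddles a
# 16-bit wrap: (2464 - 65000) % 65536 == 3000.
SYN_PAIRS = [((0.0, 1000), (3.0, 4000)), ((50.0, 65000), (53.0, 2464))]
# Ten packets from that source reached the honeynet in a 100 s window.
LOCAL_PACKETS = [(10.0 * k, 0) for k in range(10)]
HONEYNET_SIZE = 1280

if __name__ == "__main__":
    mult, scope = infer_target_scope(HONEYNET_SIZE, SYN_PAIRS, LOCAL_PACKETS, 100.0)
    print(f"multiplier ~ {mult:.0f}, target scope ~ {scope:,.0f} addresses")
```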
19
Inferring target scope: Example
Wkssvc (1280 addresses): multiplier ~ 10^4 -> 13 M addresses
Witty, UW (8K addresses): multiplier ~ 5 * 10^5 -> 4 B addresses
20
Summary
o Objective: Internet situational awareness
  o Accurate, timely summaries of honeynet data
o Bro NetSA (radiation-analy / situation-analy)
  o MySQL backend
o Situational in-depth statistical analyses
  o Provide different yet valuable perspectives on individual events
  o Toward real-time classification of events
o Future work
  o Refinement and extension of in-depth SA analyses
  o Distributed NetSA
21
Other arrival characteristics
o Arrival window
  o Expectation: botnets should see sharp spike in arrivals
  o Often not true – botnets don’t have to push commands; instead zombies could poll and pull
  o Phatbot zombies wake up every 1000 seconds to check for new commands
o Source interarrivals
  o Bots poll independently, implies their arrivals will appear to be Poisson with exponential interarrivals
  o Worm interarrival rate should increase during the initial stages of the outbreak
22
Other arrival characteristics
23
Honeynet footprint
(figure panels: Nimda; Wkssvc botnet)