Data Capture and Analysis C-DAC Mohali. Overview Honeynet/Honeypot Technology ◦ Honeypot/Honeynet...

Page 1

Data Capture and Analysis, C-DAC Mohali

Page 2

Overview
◦ Honeynet/Honeypot Technology
  ◦ Honeypot/Honeynet Background
  ◦ Types of Honeypots
  ◦ Deployment of Honeypots
◦ Data Collection
◦ Data Control
◦ Data Analysis

Page 3

Honeypot/Honeynet concepts
◦ A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
◦ It has no production value, so anything going to or from a honeypot is likely a probe, an attack or a compromise.
◦ A honeynet is a highly controlled network where every packet entering or leaving the honeypot system, and the related system activities, are monitored, captured and analyzed.
◦ Its primary value to most organizations is information.

Page 4

Advantages
◦ Fidelity: information of high value
◦ Reduced false positives
◦ Reduced false negatives
◦ Simple concept
◦ Not resource intensive

Page 5

04/19/23 CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"

Attack Detection Techniques
(diagram) Detection Techniques branch into Proactive Techniques and Defensive Techniques; the leaf nodes are Anomaly-based, Signature-based and Honeynets.

Page 6

How it works
(diagram) Labels: Attackers, Gateway, HoneyPot A, Attack Data; the honeypot's operating cycle is Monitor, Detect, Response.

Page 7

Honeynet Requirements & Standards
◦ Data Control: contain the attack activity and ensure that compromised honeypots do not further harm other systems. Outbound control must work without the blackhats detecting the control activities.
◦ Data Capture: capture all activity within the Honeynet and the information that enters and leaves the Honeynet, without the blackhats knowing they are being watched.
◦ Data Collection: captured data is securely forwarded to a centralized data collection point for analysis and archiving.
◦ Attacker Luring: generating the attacker's interest in attacking the honeynet.
  ◦ Static: a web server deployment, made vulnerable on purpose
  ◦ Dynamic: IRC, chat servers, hacker forums

Page 8

Classification
◦ By level of interaction: High, Low, Middle?
◦ By implementation: Virtual, Physical
◦ By purpose: Production, Research

Page 9

Types of Honeypots
Low-interaction
◦ Emulates services and operating systems.
◦ Easy to deploy, minimal risk.
◦ Captures limited information.
High-interaction
◦ Provides real operating systems and services, no emulation.
◦ Complex to deploy, greater risk.
◦ Captures extensive information.

Page 10

Virtual Honeynet

Page 11

What Honeynet Achieves
◦ Diverts the attacker's attention from the real network so that the main information resources are not compromised.
◦ Captures samples of new viruses and worms for future study.
◦ Helps to build the attacker's profile in order to identify their preferred attack targets and methods.

Page 12

What value Honeynet adds
◦ Prevention of attacks through deception and deterrence
◦ Detection of attacks by acting as an alarm
◦ Response to attacks by collecting data and evidence of an attacker's activity

Page 13

A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
Data Capture, Data Control, Data Analysis
GEN III

Page 14

Honeynet Gen III

Page 15

Data Capture Mechanism
(architecture diagram) Honeywall components: IPTABLES, ARGUS, SNORT, P0F, SEBEKD, TCPDUMP, HFLOWD/HFLOW, DB, WALLEYE (GUI web interface), PCAP DATA, "convert into unified format". Honeywall interfaces: ETH0, ETH1 (0.0.0.0), ETH2; addresses shown on the diagram: 192.168.2.2 (next to the GUI web interface) and 203.100.79.122. Honeypot side: SEBEK CLIENT, SYS LOGS, AISD, HIDS, APP LOGS.

Page 16

DATA CAPTURE TOOLS IN GEN 3 HONEYNET
Network Level Data Capture (Honeywall)
◦ Raw packet capture: Tcpdump
◦ Analyzed packet capture: P0f, Snort, Argus
System Level Data Capture (Honeypot)
◦ System logs: Syslogd
◦ Kernel level logs: Sebek client-server

Page 17

Data Control
(diagram) Internet, Honeywall, Honeypots. Inbound traffic: no restrictions. Outbound traffic: connections limited, packets scrubbed.

Page 18

DATA CONTROL
Purpose: mitigate the risk of a compromised honeypot being used to harm non-honeynet systems.
◦ Count outbound connections (reverse firewall)
◦ IPS (Snort-Inline)
◦ Bandwidth throttling (reverse firewall)

Page 19

IPTABLES packet handling
(diagram) IPTABLES firewall with its INPUT chain, OUTPUT chain and FORWARD chain.

Page 20

Data Control
### Set the connection outbound limits for different protocols.
# LAN_IFACE (honeypot-facing Honeywall interface) and host (the honeypot address) are set by the
# surrounding Honeywall script; the values here are placeholders.
LAN_IFACE="eth1"; host="10.0.0.5"
SCALE="day"; TCPRATE="20"; UDPRATE="20"; ICMPRATE="50"; OTHERRATE="5"
# Connections still within the limit go to the tcpHandler chain, which accepts them.
iptables -N tcpHandler
iptables -A tcpHandler -j ACCEPT
# Rule 1: allow up to TCPRATE new outbound TCP connections per SCALE from the honeypot.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} -s ${host} -j tcpHandler
# Rule 2: once the limit is exceeded, log it (at most once per SCALE) ...
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts "
# Rule 3: ... and drop every further new connection.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
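The three FORWARD rules above only make sense together: the first limit match is a token bucket that admits TCPRATE new connections per SCALE, the second logs the first excess connection once per SCALE, and the DROP rule silently discards the rest. The Python model below is an added example, not code from the slides or from the Honeywall, that reproduces the --limit/--limit-burst arithmetic for that rule sequence so the outbound policy can be checked offline. The honeypot address 10.0.0.5, the destination 198.51.100.9 and the one-connection-a-minute event stream are constructed sample values.

```python
"""Offline model of the Honeywall outbound connection limit (iptables -m limit).

Added example: a token bucket per honeypot standing in for the three-rule
FORWARD sequence (limit -> tcpHandler, limit 1/SCALE -> LOG, then DROP).
Addresses and the event stream are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Scale units accepted by iptables -m limit (/second, /minute, /hour, /day).
SCALE_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


@dataclass
class TokenBucket:
    """One 'limit' match: `burst` tokens, refilled at `rate` per scale unit."""
    rate: float            # --limit: average matches allowed per scale unit
    scale: str             # "second" | "minute" | "hour" | "day"
    burst: int             # --limit-burst: initial allowance and bucket cap
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def match(self, now: float) -> bool:
        """Try to consume one token at time `now` (seconds); True if the rule matches."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        refill = elapsed * self.rate / SCALE_SECONDS[self.scale]
        self.tokens = min(float(self.burst), self.tokens + refill)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutboundControl:
    """Reverse-firewall policy for NEW outbound TCP connections from one honeypot."""

    def __init__(self, tcprate: int = 20, scale: str = "day") -> None:
        self.tcprate = tcprate
        # Rule 1: --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} -j tcpHandler
        self.allow = TokenBucket(rate=tcprate, scale=scale, burst=tcprate)
        # Rule 2: --limit 1/${SCALE} --limit-burst 1 -j LOG
        self.log_limit = TokenBucket(rate=1, scale=scale, burst=1)
        self.log_lines: List[str] = []

    def new_connection(self, now: float, src: str, dst: str) -> str:
        if self.allow.match(now):
            return "ACCEPT"            # handed to the tcpHandler chain
        if self.log_limit.match(now):  # one log entry per scale unit, then silence
            self.log_lines.append(
                f"Drop TCP after {self.tcprate} attempts src={src} dst={dst} t={now:.0f}")
        return "DROP"                  # Rule 3: unconditional DROP


def simulate(events: List[Tuple[float, str, str]], tcprate: int = 20,
             scale: str = "day") -> Dict[str, Dict[str, int]]:
    """Apply the policy to (time, honeypot, destination) events, one bucket per honeypot."""
    controls: Dict[str, OutboundControl] = {}
    summary: Dict[str, Dict[str, int]] = {}
    for now, src, dst in sorted(events):
        ctl = controls.setdefault(src, OutboundControl(tcprate, scale))
        verdict = ctl.new_connection(now, src, dst)
        counts = summary.setdefault(src, {"ACCEPT": 0, "DROP": 0, "LOGGED": 0})
        counts[verdict] += 1
        counts["LOGGED"] = len(ctl.log_lines)
    return summary


if __name__ == "__main__":
    # Constructed sample: a compromised honeypot opening one connection a minute.
    burst = [(i * 60.0, "10.0.0.5", "198.51.100.9") for i in range(25)]
    print(simulate(burst))   # {'10.0.0.5': {'ACCEPT': 20, 'DROP': 5, 'LOGGED': 1}}
```

With TCPRATE=20 and SCALE=day, 25 connections in 25 minutes yield 20 accepts, 5 drops and exactly one log line; the daily refill of 20 tokens restores the allowance the next day. Because the LOG rule has its own bucket, a honeypot that keeps retrying does not flood the Honeywall log.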

Page 21

Distributed Honeynet System
◦ Distributed sensor Honeynet
◦ Configuration/reconfiguration
◦ Central logging & alerting
◦ Honeypot management & analysis (forensics take time!)

Page 22

Network Diagram of Distributed Honeynet System
(diagram) A Central Database Server reaches, over the Internet and through routers, several remote sensor nodes. Each node is a host machine running a Honeywall, a software bridge or virtual switch, Nepenthes, and virtual honeypots (Honeypot1, Honeypot2). Network labels on the diagram: BSNL N/W /28, CONNECT N/W /27, STPI N/W /28, Airtel N/W /29. Caption: Large Enterprise Network (STPI) /27; Broadband Providers (BSNL, CONNECT, AIRTEL) /28, /28, /29.

Page 23

Life Cycle of Distributed HoneyNet System

Page 24

Remote Node Architecture

Page 25

Page 26

Malware Analysis

Page 27

(architecture diagram) Three modules: Malware Collection Module, Malware Analysis Module, Botnet Tracking. Remote Node of DHS: a low-interaction honeypot and a high-interaction honeynet feed the malware collection database. Analysis: sandbox (bot execution), antivirus, bot detection engine, Bot Hunter, bot binary database. Central server: botnet tracking engine and botnet tracking database.

Page 28

Page 29

Page 30

DATA ANALYSIS STEPS
(diagram, same Honeywall layout as page 15) Honeywall: IPTABLES, ARGUS, SNORT, P0F, SEBEKD, TCPDUMP, HFLOWD/HFLOW, DB, WALLEYE (GUI web interface), PCAP DATA, "convert into unified format"; interfaces ETH0, ETH1 (0.0.0.0) with REVERSE FIREWALL RULES (CONTROL OUTBOUND TRAFFIC), ETH2. Honeypot: SEBEK CLIENT. Step shown: Collect & Merge.

Page 31

Walleye Web Interface
Walleye, "Eye on the Honeywall", is a web-based interface for Honeywall configuration, administration and data analysis.

Page 32

Honeywall Roo Logical Design

Page 33

Page 34

Walleye Analysis Interface

Page 35

Botnet Detection

Page 36

Introduction
◦ Botnet Problem
◦ Typical Botnet Life Cycle
◦ How Botnet Grows
◦ Challenges for Botnet Detection
◦ Roadmap to Detection System
◦ Botnet Detection Approaches
◦ Our Implemented Approach
◦ Experiments and Results

Page 37

What Is a Bot/Botnet?
Bot
◦ A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent
◦ Profit-driven, professionally written, widely propagated
Botnet (Bot Army): a network of bots controlled by criminals
◦ Definition: "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
◦ Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)

Page 38

Botnets are used for ...
◦ All DDoS attacks
◦ Spam
◦ Click fraud
◦ Information theft
◦ Phishing attacks
◦ Distributing other malware, e.g., spyware
"... PCs are part of a botnet!"

Page 39

Typical Botnet Life Cycle

Pages 40 to 43

How the Botnet Grows (diagram sequence)

Page 44

IRC Botnet Life Cycle

Page 45

Challenges for Botnet Detection
◦ Bots are stealthy on the infected machines; we focus on a network-based solution.
◦ Bot infection is usually a multi-faceted and multi-phase process; looking at only one specific aspect is likely to fail.
◦ Bots are dynamically evolving.
◦ Botnets can have very flexible designs of C&C channels; a solution very specific to one botnet instance is not desirable.

Page 46

Related Work
Network Level
◦ G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic.
◦ J. R. Binkley and S. Singh. An algorithm for anomaly-based botnet detection.
◦ J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation.
◦ C. Livadas, R. Walsh, D. Lapsley, and W. Strayer. Using machine learning techniques to identify botnet traffic.

Page 47

Related Work
Host Level
◦ E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection.
◦ R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors.
Hybrid
◦ BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection.

Page 48

Botnet Detection Approaches
◦ Setting up Honeynets (Honeynet-based solutions)
◦ Network Traffic Monitoring:
  – Signature based
  – Anomaly based
  – DNS based
  – Mining based

Page 49

Honeynet Based Solution
It enables us to isolate the bot from the network and monitor its traffic in a more controlled way, instead of waiting to be infected and then monitoring the traffic.
– Bot execution in a Honeynet test bed
– Monitor the traffic generated by the bots
Open Analysis:
– Provides a connection to the Internet
– More flexible than closed analysis

Page 50

Our Implemented Approach
• Honeynet Based Solution: Achievements
• Approach Implemented
• Honeynet Based Bot Analysis Architecture
• Payload Parser
• Web GUI and report generation

Page 51

Flowchart

Page 52

Page 53

Features
◦ Systematically collects and analyzes bot traffic over the Internet
◦ Provides a controlled connection to the Internet: rate-limits the outbound connections
◦ Uses network-based anomaly detection to identify C&C command sequences

Page 54

Principal Mechanism for Botnet Detection
Bot Execution
- Bot execution in a Honeynet-based environment
- Collection of execution traces to extract C&C server information
- Complete payload sent to the central server
Payload Parser
- Extraction of IRC and HTTP command signatures
Botnet Observation
- Extraction of attack, propagation scan or other attack commands
- Extraction of specific network patterns and secondary injection attempts
Output
- List of unique C&C servers
- Commands exchanged between bot client and bot server

Page 55

Experimental Result
Botname: B14, MD5: a4dde6f9e4feb8a539974022cff5f92c
Symantec: W32.IRCBot, Microsoft: Backdoor:Win32/Poebot

PASS 146751dhzx

:ftpelite.mine.nu

NICK kcrbhf8wlzo

USER XPUSA6059014236 0 0 :o4dfmj2ctyc

:ftpelite.mine.nu

PING :AE645AF3

PONG AE645AF3

:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |

PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
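The trace above is exactly the input the Payload Parser and Botnet Observation steps of page 54 consume: the C&C server name arrives in the IRC message prefix, the channel and the botmaster's standing orders arrive in the channel topic (numeric 332), and the bot reports back with PRIVMSG. The following Python parser is an added example, not the C-DAC tool or its Web GUI; SAMPLE_CAPTURE is the page 55 trace with the target already masked as on the slide, and the category labels in SIGNATURES are an assumption (".vscan" is labelled a propagation scan because the bot's own PRIVMSG reports a port scan right after receiving it; ".sbk" followed by .exe names is labelled a secondary injection).

```python
"""Payload parser for IRC command-and-control traffic from a bot execution trace.

Added example (not the C-DAC payload parser): reduces raw IRC lines to the
C&C server, nick, channel, topic commands (with category and any network
target) and the status lines the bot sends back. SAMPLE_CAPTURE is the trace
from page 55; SIGNATURES is an assumed category map, not a project artefact.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_CAPTURE = """PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
"""

# Command name -> category. Assumed labels for this example, not a signature set from the slides.
SIGNATURES = {".vscan": "propagation scan", ".sbk": "secondary injection"}
TARGET_RE = re.compile(r"^\d{1,3}(?:\.(?:\d{1,3}|x)){3}$")  # dotted targets, masked octets allowed


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """RFC 1459 shape: [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:            # a bare ":server" fragment carries no command
        return None
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing)


def extract_commands(topic: str) -> List[Dict[str, object]]:
    """Split a '|'-delimited topic into bot commands with args, category and targets."""
    commands: List[Dict[str, object]] = []
    for segment in topic.split("|"):
        tokens = segment.split()
        if not tokens or not tokens[0].startswith("."):
            continue
        name, args = tokens[0], tokens[1:]
        commands.append({
            "name": name,
            "args": args,
            "category": SIGNATURES.get(name, "unknown"),
            "targets": [a for a in args if TARGET_RE.match(a)],
        })
    return commands


def analyze_capture(capture: str) -> Dict[str, object]:
    """Reduce one bot's IRC trace to the facts page 54 lists as output."""
    result: Dict[str, object] = {"cnc_server": None, "nick": None, "channel": None,
                                 "commands": [], "bot_reports": []}
    for raw in capture.splitlines():
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        if msg.prefix and result["cnc_server"] is None:
            result["cnc_server"] = msg.prefix            # server name from the prefix
        if msg.command == "NICK" and msg.params:
            result["nick"] = msg.params[0]
        elif msg.command == "332" and len(msg.params) >= 2:   # RPL_TOPIC: <nick> <channel> :<topic>
            result["channel"] = msg.params[1]
            result["commands"] = extract_commands(msg.trailing or "")
        elif msg.command == "PRIVMSG" and msg.trailing:
            result["bot_reports"].append(msg.trailing)     # status the bot sends back
    return result


if __name__ == "__main__":
    summary = analyze_capture(SAMPLE_CAPTURE)
    print(summary["cnc_server"], summary["channel"])
    for cmd in summary["commands"]:
        print(cmd["category"], cmd["name"], cmd["args"], cmd["targets"])
```

Run over the page 55 trace the parser yields the C&C server ftpelite.mine.nu, channel #100+, one scan command carrying the masked target 216.x.x.x and seven ".sbk" commands, which is the per-sample record the central server needs to build the list of unique C&C servers and the commands exchanged. Categories come from a lookup table on purpose: new command names fall through as "unknown" rather than being silently dropped, so they surface for analyst review.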

Page 56

Experimental Results: IRC

Page 57

Bot Family     Number of Samples   Percentage
Rbot           70                  6.28%
Poebot.gen     32                  2.87%
Rbot.gen       30                  2.69%
IRCbot.genK    22                  1.99%
Poebot.BT      12                  1.08%
IRCbot          8                  0.71%
Poebot.BI       6                  0.54%
IRCbot.genS     4                  0.35%
Poebot          4                  0.35%
Poebot.T        4                  0.35%

Page 58

In total we could identify 99 IRC-based bot binaries, a rate of 8.25% of the overall binaries in 12 months.

Page 59

Botnet C&C Server Info

Page 60

Sno   Source IP          count
1     122.160.115.76     191
2     122.160.76.92       91
3     122.160.42.85       79
4     122.160.1.248       66
5     122.160.74.180      60
6     61.142.12.86        54
7     122.160.136.220     49
8     122.160.154.222     48
9     122.161.16.82       48
10    122.160.75.115      48

Sno   Ports   count
(rows 1 to 9; the port and count columns are run together in the extracted text and cannot be separated reliably)
445135
14341398025
3306705161
2571139111423512761

Page 61