HoneyComb Automated IDS Signature Generation using Honeypots
Transcript of HoneyComb Automated IDS Signature Generation using Honeypots
Prepared by
LIW JIA SENG 124862
Supervisor: AP. Dr. Mohamed Othman
Introduction
Honeycomb is a system for the automated generation of signatures for network intrusion detection systems (NIDSs).
It applies protocol analysis and pattern-detection techniques to traffic captured on honeypots.
Honeycomb is good at spotting worms.
Problem Statement
Manual creation of intrusion detection signatures is a tedious, inefficient process.
There are more and more malware variants, and self-propagating malware can spread very rapidly.
We need fast, automatic detection.
Objective
To extend the open source honeypot honeyd with the Honeycomb plug-in.
To deploy Honeycomb in a real environment.
To evaluate Honeycomb in a controlled environment.
To measure system performance and the quality of the generated signatures.
Scope
Re-implement the research on automated generation of attack signatures for NIDSs using honeypots.
Set up a honeypot system extended with Honeycomb.
Conduct experiments on the system and measure system performance.
Literature Review
Internet Worms: worm propagation behaviour; Morris Worm, Code Red I, Code Red II, SQL Slammer, Nimda.
Intrusion Detection Systems: signature-based detection, anomaly detection; Snort, Bro.
Related Works: SweetBait, PAYL, Autograph.
Honeycomb Architecture
Signature Creation Algorithm
Pattern Detection
Horizontal detection: compare all messages at the same depth of two flows.
Messages are passed as input to the LCS (longest common substring) algorithm in pairs.
Vertical detection: concatenate several consecutive messages of a flow into one string.
Compare this string with the corresponding concatenated string of the other flow, so that a pattern spanning a message boundary is still found.
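The two passes, as an added Python illustration; this is not Honeycomb's own code (the real plug-in is written in C and uses a suffix tree for the LCS computation). The two sample flows, the dynamic-programming LCS and the minimum pattern length are constructed for this example:

```python
"""Horizontal and vertical pattern detection over two flows, as an added
illustration of the Honeycomb approach.  Not the project's code: Honeycomb is
a C plug-in for honeyd and uses a suffix tree for LCS; this version uses a
plain dynamic-programming longest common substring.  Sample flows and the
length threshold are constructed for the example."""
from typing import List

# Minimum length a common substring must have to count as a pattern.
# The value is an assumption for this example; Honeycomb has its own threshold.
MIN_PATTERN_LEN = 8

# Constructed sample data: a stored flow and a new flow carrying the same
# exploit, but with the segment boundary falling in a different place.
# Each list element is the payload of one TCP segment (one "message").
STORED_FLOW: List[bytes] = [b"POST /a HTTP/1.0\r\n", b"\r\nEXPLOIT-BLOB-1234"]
NEW_FLOW: List[bytes] = [b"POST /a HTTP/1.0\r\n\r\nEXPLOIT", b"-BLOB-1234"]


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte sequence present in both a and b.

    O(len(a) * len(b)) time, O(len(b)) memory.  On ties the earliest
    match in a wins.  Returns b"" when nothing is shared."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def horizontal_detection(new_flow: List[bytes], stored_flow: List[bytes]) -> List[bytes]:
    """Compare messages at the same depth, pair by pair.

    A pattern that straddles a segment boundary is invisible here because
    its two halves sit in different pairs."""
    patterns = []
    for m_new, m_old in zip(new_flow, stored_flow):
        lcs = longest_common_substring(m_new, m_old)
        if len(lcs) >= MIN_PATTERN_LEN:
            patterns.append(lcs)
    return patterns


def vertical_detection(new_flow: List[bytes], stored_flow: List[bytes]) -> List[bytes]:
    """Concatenate each flow's messages up to every depth and compare the
    concatenations.  At the deepest level both constructed flows reassemble
    to the same bytes, so the full exploit string is recovered."""
    patterns = []
    for depth in range(1, min(len(new_flow), len(stored_flow)) + 1):
        lcs = longest_common_substring(b"".join(new_flow[:depth]),
                                       b"".join(stored_flow[:depth]))
        if len(lcs) >= MIN_PATTERN_LEN:
            patterns.append(lcs)
    return patterns


if __name__ == "__main__":
    for name, fn in (("horizontal", horizontal_detection), ("vertical", vertical_detection)):
        for p in fn(NEW_FLOW, STORED_FLOW):
            print(f"{name:10s} {len(p):3d} bytes  {p!r}")
```

Run stand-alone, the horizontal pass reports the request line and the "-BLOB-1234" tail as two separate patterns and never sees "EXPLOIT", while the vertical pass at depth 2 returns the whole 37-byte exploit string; that difference is the reason Honeycomb runs both passes.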
Signature Lifecycles
Relational operators on signatures:
sig1 = sig2: all elements equal
sig1 ≠ sig2: elements differ
sig1 ⊂ sig2: sig1 contains a subset of sig2's facts
Pool update rules for a new signature signew against a pooled signature sigpool:
signew = sigpool: signew ignored
signew ≠ sigpool: signew added
signew ⊂ sigpool: signew added
sigpool ⊂ signew: signew augments sigpool
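The pool rules above, as an added Python illustration rather than Honeycomb's code. A signature is modelled here as a frozenset of (fact, value) pairs, which makes the three relational operators plain set operations; the fact names (proto, dport, content) and the sample signatures are constructed for the example:

```python
"""Signature lifecycle with the relational operators from the slide, as an
added Python illustration that is not Honeycomb's code.  A signature is a
frozenset of (fact, value) pairs; the sample signatures are constructed."""
from typing import Any, FrozenSet, List, Tuple

Signature = FrozenSet[Tuple[str, Any]]


def make_signature(**facts: Any) -> Signature:
    """Build a signature from facts such as proto, dport, content."""
    return frozenset(facts.items())


def sig_equal(a: Signature, b: Signature) -> bool:
    """sig1 = sig2: all elements equal."""
    return a == b


def sig_differ(a: Signature, b: Signature) -> bool:
    """sig1 != sig2: the fact sets differ."""
    return a != b


def sig_subset(a: Signature, b: Signature) -> bool:
    """sig1 subset of sig2: sig1 carries a proper subset of sig2's facts."""
    return a < b


class SignaturePool:
    """Pool updated per the slide's rules: equal -> ignored; differing, or
    more general (a subset of a pooled signature) -> added; more specific
    (a superset of a pooled signature) -> augments that pooled signature."""

    def __init__(self) -> None:
        self.signatures: List[Signature] = []

    def update(self, new: Signature) -> str:
        for idx, pooled in enumerate(self.signatures):
            if sig_equal(new, pooled):
                return "ignored"
            if sig_subset(pooled, new):
                # The new signature carries every fact of the pooled one plus
                # more: merge so the pooled entry gains the extra facts.
                self.signatures[idx] = pooled | new
                return "augmented"
        # Reached both when the signature differs from every pooled one and
        # when it is a proper subset of a pooled one: in both cases it is added.
        self.signatures.append(new)
        return "added"


if __name__ == "__main__":
    pool = SignaturePool()
    base = make_signature(proto="tcp", dport=80)
    refined = make_signature(proto="tcp", dport=80, content=b"GET /default.ida?")
    for sig in (base, base, refined, base, make_signature(proto="udp", dport=1434)):
        print(pool.update(sig), sorted(sig))
```

Note the asymmetry the rules impose: a new signature that is more specific than a pooled one replaces it (the pooled entry is augmented), but a new signature that is more general than a pooled one is added alongside it rather than dropped, so the pool can hold both a general and a refined version of the same attack.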
System Framework
HoneyComb Network Diagram
Experiments
Controlled Environment Experiments: evaluate the effectiveness and the quality of the worm signatures created by HoneyComb.
Live Traffic Experiments: determine what kind of signatures HoneyComb generates in a real traffic environment.
Controlled Environment Experiments
TCP worm: Code Red II. UDP worm: SQL Slammer.
Actual worm packet payloads were used, sent from a compromised host to the HoneyComb machine.
Result: TCP worm, Code Red II
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 13h51m47 2007 "; )
alert tcp 192.168.1.15/24 any -> 10.2.0.0/16 80 (msg: "Honeycomb Sat Apr 7 14h21m47 2007";flags: PA+; flow: established; content: "GET/default.ida?XXXX XX XX (...) 00|CodeRedII|…";)
Result: UDP worm, SQL Slammer
alert udp 192.168.1.15/32 256 -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01(...)|Qh.dllhel32hkernQhounthickChGetTf| (…) D6 EB|"; )
Comparing the signature content with the worm payload sent to the honeypots shows that HoneyComb generates good-quality signatures in the controlled environment.
HoneyComb detected both the TCP and the UDP worm efficiently.
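The comparison itself can be automated: decode the content: strings of a generated rule (Snort writes non-printable bytes between | and | as space-separated hex) and check them against the payload the honeypot recorded. The following is an added Python example, not Honeycomb's code; the rule text, the Slammer-shaped payload and the coverage threshold are constructed here and are not the real worm bytes or the rules from the slides:

```python
"""Check a generated Snort rule's content strings against the payload the
honeypot saw, as an added Python illustration (not Honeycomb's code).  The
rule and payload below are constructed in the style of the Slammer signature
on the slide; they are not the real worm bytes."""
import re
from typing import List

# Constructed payload in the shape of the Slammer UDP datagram: the 0x04
# opcode byte, a run of 0x01 filler, then a fragment of the ASCII strings
# the shellcode carries.
PAYLOAD = (b"\x04\x01\x01\x01" + b"\x01" * 8 + b"\xdc\xc9\xb0B\xeb\x0e"
           + b"Qh.dllhel32hkernQhounthickChGetTf")

# Constructed rule in Honeycomb's output format with two content options.
RULE = ('alert udp any any -> 10.2.0.0/24 1434 (msg: "constructed test"; '
        'content: "|04 01 01 01|"; content: "Qh.dllhel32hkernQhounthickChGetTf"; )')

# A rule whose only content is filler bytes: it matches too, but covers
# almost none of the payload, which is the false-positive risk to watch for.
GENERIC_RULE = 'alert udp any any -> any 1434 (msg: "too generic"; content: "|01 01 01 01|"; )'

_CONTENT_RE = re.compile(r'content:\s*!?\s*"((?:[^"\\]|\\.)*)"')


def decode_snort_content(text: str) -> bytes:
    """Turn a Snort content string into bytes: text between | and | is
    space-separated hex, a backslash escapes the next character (a quote,
    semicolon, pipe or backslash), anything else is a literal byte."""
    out = bytearray()
    in_hex, hex_digits = False, ""
    i = 0
    while i < len(text):
        ch = text[i]
        if in_hex:
            if ch == "|":
                out += bytes.fromhex(hex_digits)   # raises on odd or invalid hex
                in_hex, hex_digits = False, ""
            elif not ch.isspace():
                hex_digits += ch
        elif ch == "|":
            in_hex = True
        elif ch == "\\":
            i += 1
            if i == len(text):
                raise ValueError("dangling backslash in content")
            out += text[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section in content")
    return bytes(out)


def rule_contents(rule: str) -> List[bytes]:
    """All content: options of a rule, decoded to bytes."""
    return [decode_snort_content(m.group(1)) for m in _CONTENT_RE.finditer(rule)]


def rule_matches(rule: str, payload: bytes) -> bool:
    """True when every content string occurs in the payload (order not checked)."""
    contents = rule_contents(rule)
    return bool(contents) and all(c in payload for c in contents)


def content_coverage(rule: str, payload: bytes) -> float:
    """Fraction of payload bytes covered by the first occurrence of each
    content string.  A matching rule with low coverage keys on very little
    of the payload and is likely to fire on unrelated traffic."""
    covered = set()
    for c in rule_contents(rule):
        pos = payload.find(c)
        if pos >= 0:
            covered.update(range(pos, pos + len(c)))
    return len(covered) / len(payload) if payload else 0.0


if __name__ == "__main__":
    for name, rule in (("RULE", RULE), ("GENERIC_RULE", GENERIC_RULE)):
        print(name, rule_matches(rule, PAYLOAD), round(content_coverage(rule, PAYLOAD), 3))
```

Both constructed rules match the payload, but the filler-only rule covers under a tenth of it; when reviewing automatically generated signatures, a match alone says little and the proportion of payload the content strings actually pin down is the quality figure to look at.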
Live Traffic Experiment
Generated Signatures: 18,288 signatures were generated by HoneyComb, of which 9,473 contained flow content strings.
HoneyComb generated the Slammer signatures precisely.
No Code Red II signature was created, since that worm was reported dead in October 2001.
Generated Signatures :alert udp any any -> 10.2.0.0/24 1434 (msg: "Honeycomb Sat Apr 7 14h51m47 2007 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08"; )
Generated Signatures:
alert tcp any any -> 10.2.0.0/24 80,135,8080 (msg: "Honeycomb Thu Apr 19 05h28m19 2007 "; flags: FRAU21!; flow: established; content: "CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D 0A|HTTP/1.1 400 Bad Request|0D 0A|Server: Microsoft-IIS/5.0|0D 0A|Date: Tue, 17 Apr 2007 03:57:30 GMT|0D 0A|Content-Type: text/html|0D 0A|Content-Length: 87|0D 0A 0D 0A|<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>CONNECT smtp.pchome.com.tw:25 HTTP/1.0|0D 0A 0D|"; )
Honeycomb Performance Benchmarking
[Figure: Honeycomb performance overhead. Processing time (s), 0.00 to 1.10, plotted against received packets, 0 to 2000, for Honeyd alone and for Honeyd with Honeycomb.]
Discussion
HoneyComb v0.7 compiled against Honeyd v1.5b without error, but produced strange and useless results when run.
The source code in hc_udp.c and hc_tcp.c was modified and recompiled to fix this.
Discussion -- Problems
Unable to generate signatures for polymorphic worms.
Honeycomb can be fooled by attackers into generating signatures for legitimate traffic.
Pattern matching over the stored packets consumes a large amount of memory.
Signature state is lost when the system restarts, so the same signatures are generated again.
Conclusion
HoneyComb's pattern-matching worm detection mechanism is able to produce good-quality signatures for worms.
Signatures created by HoneyComb can be converted into a format suitable for both the Snort and the Bro NIDS.
Honeypots offer an offensive approach to intrusion detection and prevention.
HoneyComb suggests that automated signature creation on honeypots is feasible and effective.
This automated signature creation system is a first step towards integrating honeypots more closely into the security infrastructure.
Future Work
Reduce the effort HoneyComb spends per arriving packet.
Address the inability to generate signatures for polymorphic worms.
Provide a better tool to analyse the generated signatures.
Extend the existing HoneyComb architecture to IPv6.
Question and Answer
Thank You