Transcript ppt - Events

Using Honeynets for Internet Situational
Awareness
Vinod Yegneswaran, Paul Barford
University of Wisconsin, Madison
Hotnets 2005
Vern Paxson
ICSI, LBNL
Motivation
o Currrent tasks for security analysts
o
o
o
o
o
o
Abuse monitoring
Audit and forensic analysis
NIDS/Firewall/ACL configuration
Vulnerability testing
Policy maintenance
Liaison activities
o Network management
o End host management
2
NIDS: State of the art
o Pinpoint descriptions of low-level activities
o Source A launched CVE-XXX against Dest B
o Large volume of alerts
o Too many false alarms
o Vulnerable to flooding attacks / IP spoofing
o Continual manual update of signatures
o Lack of “longitudinal” baseline
o Lack of breadth for root-cause inference
3
Our vision
o Network “Situational Awareness”
(NetSA)
o “Degree of consistency between one’s
perception of their situation and reality”
-- US Navy
o “an accurate set of information about one’s
environment scaled to specific level of
interest” -- NCOIC
o Elevate quality and timeliness of alerts
4
Our approach
o Developing NetSA “building blocks” toward
o
o
o
o
Automated incident discovery
Robust classification
Real-time event notification
Forensic analysis capabilities
o Honeynet situational awareness
o Rich source of information of large-scale malicious
activity
o Accurate attribution of events such as botnets,
worms and misconfiguration
5
System structure
o Tunnel filter: one source -> one dest
o Volume vs diversity
o Active responders
o NetBIOS/SMB, DCE/RPC, MS-SQL, HTTP, Dameware,
MyDoom
o Bro Radiation-analy
o Condensed protocol-aware summaries
o Six-hour batches stored in MySQL backend
o Adaptation
o Auto-update of “previously-unseen” activities
o Situational-analy
o Organized reports highlighting most “unusual” and significant
events
6
Radiation-analy summarization
o Leverage Bro’s protocol knowledge and attack
semantics
o Distill activity into high-level abstractions
o Quickly validate against past history to check for previous
instances
o Types of summaries
o Connection profiles
o Source Profiles
o Infer connection-profile associations
o Session Profiles
o Hard to summarize due to high degree of variability
7
Radiation-analy vs MD5 signatures
8
NetSA report example
o Four components
o
o
o
o
New and interesting events
High beta events
Very high beta events
Top 10 profiles
o For profile (p), interval (i):
o Beta (p, i) = Num_sources(p, i) / Avg (num_sources(p))
across all intervals
9
NetSA report example
o New and interesting events
No. Sources; Port
tag
1
445-tcp CREATE_FILE: ``samr''; CREATE_FILE:
``webhost.exe''; CREATE_FILE: ``atsvc'‘
o High beta events
Beta
dest_port No.sources(avg)
tag
12.6 1025-tcp 494 (39.2) [exploit] (RPC request (2904 bytes))
11.5 135-tcp 416 (36.3) [exploit] (RPC request (1448 bytes))
10
NetSA report example
o Very high beta events (beta > 10)
TAG: 1025/tcp/[exploit] (RPC request (2904 bytes))
Hour 0..5
srcs: 97, 93, 79, 74, 68, 94,
src-overlaps: 0, 8, 13, 10, 8, 10,
/8s: 25, 26, 19, 21, 16, 19,
dsts: 103, 97, 80, 71, 76, 96,
dst-overlaps: 0, 14, 12, 8, 8, 8,
o Top 10 profiles
Port
135-tcp
1025-tcp
135-tcp
…
No. Sources
Tag
591 RPC bind: afa8bd80-7d8a-11c9-bef4-08002b10298
len=72; RPC request (24 bytes)
494 [exploit] (RPC request (2904 bytes))
416 [exploit] (RPC request (1448 bytes))
11
Analysis dataset
o Collected from 6 months of operation on 1,280
address LBL honeynet
o Operational for over a year now…
o Highlights from situational-analy summaries
o 4 instances of misconfiguration (3 P2P, 1 NAT box)
o 11 suspected botnet sweeps
o Number of sources per incident 30 – 26,000
o MS-SQL, DCE/RPC, Several NetBIOS/SMB
exploits
o Slammer re-emergence (350 sources)
o Historical worm data (5)
o CR I, CR – reemergence, CR II, Nimda, Witty
o 5,500 – 155,000 sources
12
Situational awareness in-depth
o Toolkit for large-scale forensic analysis of
anomalous events
o 9 offline statistical analyses
(Worms/Botnets/Misconfig);
o Source arrivals
o Temporal source counts, arrival window, source
interarrivals
o Destination / source network coverage
o Dest net footprint, first-dest pref, source-net
dispersion
o Per-source macro-analysis
o Scanning profile, target scope, lifetime
o Based on hypothesized behavior
13
SA in-depth large scale events
Misconfig Botnet
Worm
Source Arrivals:
Temp. Src Counts
Arrival Window
Interarrival
Sharp onset
Narrow
Exponential
Gradual
Narrow
Exponential
Sharp onset
Wide
Super-exp
Coverage:
Dest Footprint
First-Dest Pref
Src-net Dispersion
Hotspot
Hotspot
Low-medium
Binomial
Binomial
Variable
Binomial
Low-medium High
Src Macro-analysis:
Per-source profile
Hotspot
Target scope
IPv4
Source lifetimes
Short
Variable
<= /8
Short
Variable
IPv4
Persistent
14
Temporal Source Counts
Edonkey
misconfig
Codered I
Wkssvc
botnet
15
First Destination-IP preference
o Considers ordering and preference
Nimda
Wkssvc botnet
16
Per-source scanning profile
(100 random sources)
Source ID vs dest IP
Phase plot of dest IP
MS-SQL botnet incident
17
Inferring target scope
o How broadly was a given event scoped?
o Was our network specifically targeted?
o Assumption: sources are not just sequentially
scanning the honeynet
o IDEA 1: Estimate global packet rate from change of IPID
o Often cannot look at all packet pairs due to honeynet size
(multiple wrap-arounds)
o IDEA 2: Look at IPID spacing between retransmitted
SYNs from passive traces
o For UDP look at packets arriving less than 3 secs apart
o Target scope = Honeynet size * (global rate / local
rate)
18
Inferring target scope: Example
Wkssvc (1280 addresses)
multiplier ~ 10^4
13 M addresses
Witty UW (8K addresses)
multiplier ~ 5* 10^5
19
 4 B addresses
Summary
o Objective: Internet situational awareness
o Accurate timely summaries of honeynet data
o Bro NetSA (radiation-analy / situation-analy)
o MySQL backend
o Situational in-depth statistical analyses
o Provide different yet valuable perspectives on
individual events
o Toward real time classification of events
o Future work
o Refinement and extension of in-depth SA
analyses
o Distributed NetSA
20
Other arrival characteristics
o Arrival window
o Expectation: botnets should see sharp spike in
arrivals
o Often not true – botnets don’t have to push commands,
instead zombies could poll and pull
o phatbot zombies wake up every 1000 seconds to check
for new commands
o Source interarrivals
o Bots poll independently, implies their arrivals will
appear to be poisson with exponential interarrivals
o Worm interarrival rate should increase during the
initial stages of the outbreak
21
Other arrival characteristics
22
Honeynet footprint
Nimda
Wkssvc botnet
23