Defensive honeynet Assisted for IDS


Enhancing network intrusion
detection system with honeynet
Authors: Xiali Hei,
Kwok-yan Lam,
Yiyuan Huang
Date: 10/8/2004
Introduction
• False negatives and false positives are two choke
points that hamper the development of intrusion
detection systems.
• An efficient mechanism is necessary for enhancing the
detection performance of network intrusion
detection systems.
• The honeypot is a relatively new technology, and it can be
used to enhance an IDS's detection performance.
• Design and implement a new honeynet that makes it
suitable for detection in a NIDS.
Disadvantages of NIDS
• False positives
• False negatives
• Data overload: large data volumes lead to false
negatives
• Resources: bandwidth cannot meet the needs
• Encryption: a NIDS can't detect encrypted attacks (such
as those carried over ssh)
The requirements to enhance an IDS's
detection performance
• Update rule sets in time, before new attacks become prevalent
• Precisely discriminate abnormal traffic from normal
traffic
• Judge attack phases: discriminate fingerprinting,
scanning and penetrating
• Decrease traffic
To satisfy the above requirements, we choose the
honeypot, which can meet most of
them. Next, let us discuss it in detail.
Overview of honeypot
• Honeypot
– A security resource.
– A web site with imitated contents to lure hackers.
– Used to research and explore hackers' behaviors.
• Honeynet
– One type of high-interaction honeypot.
– Designed to capture extensive information on threats.
– A network that contains one or many honeypots.
– Provides real systems, applications, and services for
attackers.
In this design, we exploit honeynet’s detection function.
Advantages of honeypot
over IDS
• It has fewer false positives than a network intrusion
detection system.
– A honeypot captures only perceived hostile
activity, while a network intrusion detection system
monitors all normal and hostile traffic.
• It can alert you before the real systems are attacked.
– Once the hacker has access to the honeypot, he will be found
and logged by the honeypot even though he hasn't finished the attack.
– On the contrary, a network intrusion detection system finds the
hacker only after the attack has been finished.
• It can detect encrypted attacks with some
software such as Sebek.
• It can detect new attacks, reducing false negatives.
• It produces only a little data, but that data is of
high value.
Disadvantages of honeypot
• It can't detect passive attacks or attacks directed at the
server.
• It can possibly be fingerprinted and used as a launch
platform to attack the real network.
• It is evident that IDS and honeypot are
complementary in detecting attacks, so we
enhance the IDS's detection performance by
applying a honeypot in this design.
Network design
Network design (cont.)
– It employs a honeynet, and the key element of the honeynet is the
gateway, named the honeywall, which is a Linux host.
– The honeywall separates the honeynet victims from the rest of
the world and is our control center.
– The external interface of our gateway (eth0) is connected to the
production systems' network.
– The internal interface of our gateway (eth1) is connected to the
honeynet systems' network.
– Both internal and external systems are on the same IP network.
– The third interface (eth2) is for remote administration of the
gateway.
– The center monitor interacts with the intrusion detection system
(network intrusion detection system management console) through the
honeynet software.
Honeynet Software
• It is designed to mine new attack patterns and
provide new attack patterns or attack information
about hackers to the network intrusion detection system.
• It is composed of a Pattern Protection module, an
Information Communication module and a Data
Analysis module.
• It accesses and requests data from the network
intrusion detection system pattern database and the
honeypot logs.
Data flow diagram
Data flow diagram (cont.)
• The Data Analysis module mines attack patterns
from the audit data on the honeynet's center monitor
and then compares them with the network
intrusion detection system pattern database on the center
monitor.
• If the network intrusion detection system pattern
database already has the pattern, the pattern is filtered out;
otherwise the new pattern is sent to the network intrusion
detection system management console and stored in the
network intrusion detection system pattern database
on the center monitor.
• The network intrusion detection system updates its
pattern database periodically.
Results
• This system had been running for one month.
• Case one: the inline-snort sensor detects and generates an
alert for a known FTP attack against the honeynet.
[Classification: Attempted User Privilege Gain] [Priority: 1]
05/16-17:55:52.235847 202.24.220.143:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16648 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0xCF7869CC Ack: 0xEBCD7EC0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 237391678 29673183
When the center monitor receives this alert, the Honeynet Software reports this
attack (FTP EXPLOIT format string, from 202.24.220.143:2243) to the network
intrusion detection system management console in advance. Four hours later, the
network intrusion detection system detects this attack and blocks it.
• Advantages:
– From the above case, it is clear that this design can
lower false negatives and false positives to some degree.
– Compared with existing methods, it has no problem of
base-rate fallacy or pattern incompleteness. What's
more, it can directly face the ongoing attack
environment rather than analysing the audit trail of a
successful attack. To some extent, it can predict possible
attacks.
• Disadvantage: the combination of honeynet and IDS
in the whole network will slow the network rate.
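As an added example (not part of the slides or the authors' software), the following Python sketch of the Data Analysis module's filtering step parses the Snort alert block quoted above from constructed center-monitor audit data, derives a pattern key (protocol, target port, classification; an assumption, since the slides do not define the pattern format), filters the patterns already held in the NIDS pattern database and returns the new ones that would be sent to the management console. The second alert and the database contents are constructed.

```python
import re
# Constructed sample audit data from the honeynet center monitor: the Snort alert
# block quoted on the Results slide, then a constructed alert (documentation-range
# source host) whose pattern the NIDS database already holds.
AUDIT_DATA = """\
[Classification: Attempted User Privilege Gain] [Priority: 1]
05/16-17:55:52.235847 202.24.220.143:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16648 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0xCF7869CC Ack: 0xEBCD7EC0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 237391678 29673183

[Classification: Web Application Attack] [Priority: 2]
05/16-18:02:11.000001 198.51.100.7:40211 -> 192.168.1.102:80
TCP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

CLASS_RE = re.compile(r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]")
HDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:")
KNOWN_PATTERNS = {("TCP", 80, "Web Application Attack")}  # constructed NIDS pattern database

def parse_alerts(text):
    """Split center-monitor audit text into alert records, one per blank-line block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines() + [""] * 3  # pad so short blocks fail the regexes, not indexing
        m_cls, m_hdr, m_proto = CLASS_RE.search(lines[0]), HDR_RE.match(lines[1]), PROTO_RE.match(lines[2])
        if not (m_cls and m_hdr and m_proto):
            continue  # incomplete or unrecognised block: skip rather than guess
        alerts.append({"classification": m_cls["cls"], "priority": int(m_cls["pri"]),
                       "src": f"{m_hdr['src']}:{m_hdr['sport']}",
                       "proto": m_proto["proto"], "dst_port": int(m_hdr["dport"])})
    return alerts

def pattern_key(alert):
    """Assumed pattern key (the slides do not define the pattern format): protocol, target port, classification."""
    return (alert["proto"], alert["dst_port"], alert["classification"])

def filter_new_patterns(alerts, known_patterns):
    """Filter patterns the NIDS database already holds; report new ones and add them to the database."""
    db = set(known_patterns)
    reports = []
    for a in alerts:
        key = pattern_key(a)
        if key in db:
            continue  # known pattern: filtered, nothing sent to the console
        db.add(key)
        reports.append({"pattern": key, "source": a["src"], "priority": a["priority"]})
    return reports, db  # reports go to the NIDS management console; db is the updated pattern database
```

Run on the constructed data, only the FTP alert from the slide is reported, since the web-probe pattern is already in the database.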
Possible future extensions
• How to identify the same hacker on two
machines
• Protect the rules on the honeypot
• The amount of communication traffic will
slow the reaction time of the system
• Delay time: the honeynet must offer the
information about hackers before the hacker
compromises the system.
• Protect the communication links: this traffic
must be protected against eavesdropping
Thank you!
Q&A