HoneyStat - PowerPoint PPT Presentation

1 / 39

About This Presentation

Title:

HoneyStat

Description:

Also 20 /24 live machines deployed as Honeynets. 11. Results (Kalman Filter) 12. Kalman Filter ... Results. 37. Effect of Redeploying Honeypots. 38. Global ... – PowerPoint PPT presentation

Number of Views:76

Avg rating:3.0/5.0

Slides: 40

Provided by: sarmav

Category:

Tags: honeystat

more less

Transcript and Presenter's Notes

Title: HoneyStat

1
HoneyStat

Presented
by
Sarma Vangala

2
Papers

Worm Detection using Local Networks by Xinzhou
Qin, David Dagon, Guofei Gu, Wenke Lee, Mike
Warfield, Pete Allor
HoneyStat Local worm detection using Honeypots
by David Dagon, Xinzhou Qin, Guofei Gu, Wenke
Lee, Julian Grizzard, John Levine, Henry Owen

3
Motivation

Global worm detection systems need large
detection networks (about 220)
Acquiring and managing them difficult
Easier to detect worm attacks in local networks
Difficult to contain using a CDC model

4
Contributions

Worm detection at local network level
Destination Source Correlation algorithm
HoneyStat

5
Comparison of local network and global detection
mechanisms

Compare the performance of Kalman filter based
detection (Zou et al), victim number based
algorithm (ours) and destination source
correlation algorithms

6
Kalman Filter based Worm Detection

For each TCP and UDP port an alarm threshold for
illegitimate scans is set
Once scan traffic is above threshold for a
certain number of times, Kalman filter activated
Non worm noise Kalman filter oscillates around
0
Worm Kalman filter value oscillates about a
constant positive value
Sensitive to monitoring interval used and

7
Destination Source Correlation

Key point After a vulnerable host is infected by
scan on port i, the infected host sends out
scans to other hosts targeting at same port i,
in a short time
Identify this destination-source pattern

8
DSC Algorithm

Maintain a sliding window of previous network
traffic for each port
Maintain addresses of scanning host and
destination host in monitored network
If scan from a host that received a scan on an
identical port increment counter
If counter above threshold, ALERT

9
Implementation Using Bloom Filter

3 Bloom Filters to maintain Di-1, Di and Si to
track destination addresses at ticks i-1 and i
and source addresses at i
Get scan rate
If scanning pattern different from normal profile
(mean and variance of normal traffic scan rate)
suspicious activity happening

10
Monitored Network

Darknet of 100 /24 networks (25600 nodes)
Darknet assigned unused IP addresses and inactive
in Internet
No outbound traffic
Also 20 /24 live machines deployed as Honeynets

11
Results (Kalman Filter)
12
Kalman Filter (Sensitivity of Parameters)
13
Kalman Filter (Contd.)
14
VNBA
15
DSC
16
DSC Detection
17
DSC (Scanning Technique Scan Rate)
18
Comparison
19
DSC Analysis

Bloom filter only false positives (address
counted as victim even if it is not)
m Bloom Filter Size (in bits)
n - hosts in monitored network
k - hash functions used in Bloom filter
Probability of false positive (P) (1-e-kn/m)2k

20
Size of Bloom filter needed for /16

n 214
m/n 30 gt P 2.7225 X 10-12
m 60kB / port (4GB for all ports !)

21
Threshold

WAND traffic traces to find anomalies in normal
scan rates of traffic
Mean 0.1, variance 0 using Chebyshevs
inequality
Pr(x-meangtt) lt variance / t2

22
Analysis of DSC

Can detect Divide-Conquer scanning worms
Problem with Bloom filter size
Cannot detect scans that are not random (authors
idea of routable and divide conquer scans are not
correct)
Can evade detection if worm waits long enough

23
HoneyStat

Motivation avoiding noise in detection
mechanisms
Use honeypots to gather data
Correlate events in honeypots to reduce the
quantity of data to be managed
Correlation however in short observation
intervals so that detection of zero-day worms
possible

24
Worm Infection Cycle

3 main events involved ex. Blaster
Memory Events Buffer Overflow
Network Events download egg program leading
to TCP (SYN) or UDP traffic
Disk Events written to a directory so that it
can be activated on reboot

25
Blaster Scenario
26
Problems with other types of deployments

ACKs incoming packets to see what happens next
(not possible in Darknet deployments)
Not possible using present virtual honeypots
(emulates only TCP/IP stack behavior, cannot
simulate future vulnerabilities)
Need honeypots which emulate complete system
behavior

27
HoneyStat deployment

VMware GSX server V3 supporting upto 64 virtual
machines on a single hardware system
Windows NT upto 32 addresses per interface gt 64
X 32 211 per machine

28
Identifying Events

MemoryEvent buffer overflow protection software
or other anomaly detection techniques (no users
so false positive rate is low)
NetworkEvent normally do not generate outgoing
traffic but if they do it is an anomaly
DiskEvent trap writes to key files and logs
(authors use kqueue)

29
Recording Events in HoneyStat

OS/Patch level of hosts
Stack states, outgoing packets, delta changes in
file sizes
Trace of all outbound activity within a short
time tp
Once recorded data sent to analysis engine for
identification

30
Analysis of data

Data from same honeypot -gt aggregate if
NetworkEvent or DiskEvent
If NetworkEvent reset honeypot (resets fast)
Check if other honeypots have to be redeployed
(load same OS on others to capture more events)
Correlate events using logistic regression

31
Event Aggregation
32
Logistic Analysis

Correlate events in a short time window within a
short interval and yet be accurate
Logistic analysis to find port correlation
Nonlinear technique relating continuous variables
to a two-state variable (0 or 1)
E(Y) 1/(1e-Z) where
Z ?0 ? ??(?i,jXi,j)

33
Calculation of X and Y

Xi,j inverse of time between an event and the
port activity
Bias towards recent traffic
Estimate ?s
Reduce error using a maximum likelihood
estimation (gives minimum error)
? is accumulated error from all ?s
Walds statistic to check insignificant variables
based on user specified threshold

34
Worm Detection using HoneyStat