a proposal for securing a large scale high interaction
play

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. - PowerPoint PPT Presentation

Sep 09, 2022 •194 likes •401 views

Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande C. Toinard LIFO Universit dOrlans ENSI de Bourges SHPCS08,

  1. Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut – J.-F. Lalande – C. Toinard LIFO Université d’Orléans ENSI de Bourges SHPCS’08, June 2008 J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 1/19

  2. Honeypots architecture Security Properties Statistical results Conclusion Outline Honeypots architecture 1 Security Properties 2 Statistical results 3 Conclusion 4 J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 2/19

  3. Honeypots architecture Security Properties Statistical results Conclusion Summary Honeypots architecture 1 Security Properties 2 Statistical results 3 Conclusion 4 J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 3/19

  4. Honeypots architecture Security Properties Statistical results Conclusion Honeypots Honeypot: welcome an intruder or system cracker Low-Interaction Leurré.com Simulation of OS/services Partial attack capture Large-Scale Honeypot Honeynet High-Interaction Real operating system Attacks really performed J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 4/19

  5. Honeypots architecture Security Properties Statistical results Conclusion 1/4: Internet → Honeywall Directly connected on the Internet Limitation of the bandwidth Frontal sensors to analyze the network traffic J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 5/19

  6. Honeypots architecture Security Properties Statistical results Conclusion 2/4: Honeywall → Honeypot cluster Real Linux/Windows OS Mandatory Access Control Selinux/Grsecurity Security properties Never compromised Discretionary Access Control Could be compromised PXE auto-reinstallation J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 6/19

  7. Honeypots architecture Security Properties Statistical results Conclusion 3/4: Honeypot cluster → Traces storage OSSIM : stores events from ossim agents into a mysql server Prelude: aggregates the collected information from prelude agents Syslog (logger): stores all the syslog traces J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 7/19

  8. Honeypots architecture Security Properties Statistical results Conclusion 4/4: Traces storage → Correlation Correlation algorithms Alarms are visualized J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 8/19

  9. Honeypots architecture Security Properties Statistical results Conclusion Summary Honeypots architecture 1 Security Properties 2 Statistical results 3 Conclusion 4 J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 9/19

  10. Honeypots architecture Security Properties Statistical results Conclusion Security Properties Integrity of executable contexts integrity( SC . ∗ : . ∗ : user . ∗ , SC exec ) Integrity of user domain int_domain( SC . ∗ : . ∗ : user . ∗ ) Confidentiality System/User confidentiality( SC Systeme , sc . ∗ : . ∗ : user . ∗ ) Duties Separation of modification and execution privilegies duties_sep( SC Systeme ) Transition into the user domain bad_transition( . ∗ : . ∗ : user . ∗ , SC Systeme ) Respect of the Access Control Policy conformity() J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 10/19

  11. Honeypots architecture Security Properties Statistical results Conclusion Security Properties Analysis Name Passerelle Util-1 VMware Util-2 Graphe SC 577 3017 624 595 IV 17 684 314 582 21 359 18 215 integrity 137 9 461 186 140 int_domain 16 283 510 215 18 130 16 546 Signature confidentiality 29 510 726 842 29 510 29 510 duties_sep 243 16 405 320 270 bad_transition 3555 126 228 4250 3941 Total 49 728 1 389 151 52 396 50 407 Analysis Time 47s 10min31s 1min2s 52s J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 11/19

  12. Honeypots architecture Security Properties Statistical results Conclusion Summary Honeypots architecture 1 Security Properties 2 Statistical results 3 Conclusion 4 J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 12/19

  13. Honeypots architecture Security Properties Statistical results Conclusion Main results Experimentation from February 27th 2007 to February 21th 2008 8,206,382 events / 302,543 alarms stored = 950 events/hour, 35 alarms/hour 45,590 opened sessions by scan robots 2,219 sessions performing activities Sensor Description Ocurences Prelude-lml SSHd: Root login refused 498,468 Snort Destination udp port not reachable 452,011 Prelude-lml SSHd: Bad password 49,329 OSSIM SSHd: Possible brute force tentative 43,989 Prelude-lml SSHd: Invalid user 43,311 PIGA Integrity: system file modification 41,063 Prelude-lml FTP bad login 21,366 Snort Potential outbound SSH scan 19,983 PIGA Confidentiality: information flow 16,191 . . . J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 13/19 Table: Main types of alarms

  14. Honeypots architecture Security Properties Statistical results Conclusion Sensors and port statistics I J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 14/19

  15. Honeypots architecture Security Properties Statistical results Conclusion Sensors and port statistics II J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 15/19

  16. Honeypots architecture Security Properties Statistical results Conclusion Alerts per country - Incoming/outgoing I J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 16/19

  17. Honeypots architecture Security Properties Statistical results Conclusion Alerts per country - Incoming/outgoing II J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 17/19

  18. Honeypots architecture Security Properties Statistical results Conclusion Summary Honeypots architecture 1 Security Properties 2 Statistical results 3 Conclusion 4 J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 18/19

  19. Honeypots architecture Security Properties Statistical results Conclusion Conclusion/Perspective Conclusion Now : Uptime of 2 years Robustness of proposed architecture No reinstallation of MAC Hosts Frequent DAC PXE reinstallation Perspectives Correlation : Session reconstruction Distributed Attacks Automatic forensics of compromised host Malware and Attacks database J. Briffaut – J.-F. Lalande – C. Toinard Securing a Large-Scale High-Interaction Honeypot 19/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1. Interaction between convection and large-scale tropical circulations 2. Modern theories of

1. Interaction between convection and large-scale tropical circulations 2. Modern theories of

1. Interaction between convection and large-scale tropical circulations 2. Modern theories of monsoons 3. Tipping points in monsoons? Simona Bordoni Environmental Science and Engineering California Institute of Technology ICTP Summer School

730 views • 56 slides
Open tools and methods for large scale segmentation of Very High Resolution satellite images

Open tools and methods for large scale segmentation of Very High Resolution satellite images

Introduction Data representation and conversion Generic framework for large scale segmentation Pre and post processing Conclusion Open tools and methods for large scale segmentation of Very High Resolution satellite images Julien Michel

592 views • 29 slides
The ecology of trade Identifying large-scale dynamics of interaction with quantitative methods 1

The ecology of trade Identifying large-scale dynamics of interaction with quantitative methods 1

The ecology of trade Identifying large-scale dynamics of interaction with quantitative methods 1 Xavier Rubio-Campillo xavier.rubio@ed.ac.uk @xrubiocampillo Summary The wildlife of Roman quantifjcation The spatial structure of olive oil

689 views • 57 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
HelP: High-level Primitives for Large- Scale Graph Processing Semih Salihoglu Stanford

HelP: High-level Primitives for Large- Scale Graph Processing Semih Salihoglu Stanford

HelP: High-level Primitives for Large- Scale Graph Processing Semih Salihoglu Stanford University Jennifer Widom Stanford University 1 Large-scale Graph Processing 10s or 100s billion vertices and edges Distributed Shared-Nothing

658 views • 16 slides
Large Scale Search, Discovery and Analytics with Solr, Mahout and Hadoop Grant Ingersoll Chief

Large Scale Search, Discovery and Analytics with Solr, Mahout and Hadoop Grant Ingersoll Chief

Search Discover Analyze Large Scale Search, Discovery and Analytics with Solr, Mahout and Hadoop Grant Ingersoll Chief Scientist Lucid Imagination | | 1 1 Search is Dead, Long Live Search User Interaction User Interaction

452 views • 17 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
De Density nsity an and d La Large rge Sc Scale: ale: A 2 240 40-GHz, GHz, 32 32-Unit

De Density nsity an and d La Large rge Sc Scale: ale: A 2 240 40-GHz, GHz, 32 32-Unit

RTu1B-4 Heter He erodyne odyne Sen ensing sing CMO MOS S Arra rray y with ith Hi High gh De Density nsity an and d La Large rge Sc Scale: ale: A 2 240 40-GHz, GHz, 32 32-Unit nit Receiv eceiver er Us Using ing a De a

477 views • 45 slides
ALM ALMA A revea eals large e scale e [CI] [CI]

ALM ALMA A revea eals large e scale e [CI] [CI]

ALM ALMA A revea eals large e scale e [CI] [CI] emi emission around a high r hi h reds dshi hift r t radi dio g galaxy TH THERE RESA F

527 views • 19 slides
High-Dimensional Signature Compression for Large-Scale Image Classification Jorge S anchez and

High-Dimensional Signature Compression for Large-Scale Image Classification Jorge S anchez and

High-Dimensional Signature Compression for Large-Scale Image Classification Jorge S anchez and Florent Perronnin Textual and Visual Pattern Analysis (TVPA) group Xerox Research Centre Europe (XRCE) Abstract winners of the PASCAL VOC 2007 [8]

566 views • 8 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
OpenINTEL an infrastructure for long-term, large-scale and high-performance active DNS

OpenINTEL an infrastructure for long-term, large-scale and high-performance active DNS

OpenINTEL an infrastructure for long-term, large-scale and high-performance active DNS measurements DACS DACS Design and Analysis of Communication Systems Why measure DNS? (Almost) every networked service relies on DNS DNS

773 views • 15 slides
Designing High Performance Autonomic Gateways for Large Scale Grids and Distributed

Designing High Performance Autonomic Gateways for Large Scale Grids and Distributed

1 Designing High Performance Autonomic Gateways for Large Scale Grids and Distributed Environments Laurent Lefvre INRIA / LIP cole Normale Suprieure de Lyon, France laurent.lefevre@inria.fr CCGSC2006, Flat Rock, North Carolina, Sept.

823 views • 50 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
Oligopoly GCE A-LEVEL & IB ECONOMICS What is Oligopoly? A market controlled by a few large

Oligopoly GCE A-LEVEL & IB ECONOMICS What is Oligopoly? A market controlled by a few large

Oligopoly GCE A-LEVEL & IB ECONOMICS What is Oligopoly? A market controlled by a few large firms. - High barriers to entry and exit Due to large-scale production (economies of scale) or branding/long-term standing in the market -

783 views • 31 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems

Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems

Dependable Distributed Systems Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems holz@i4.informatik.rwth-aachen.de Thorsten Holz Laboratory for Dependable Distributed Systems 21st Chaos Communication

576 views • 57 slides
Course Introduction Constraint Programming Marco Chiarandini Department of Mathematics &

Course Introduction Constraint Programming Marco Chiarandini Department of Mathematics &

DM841 Discrete Optimization Lecture 1 Course Introduction Constraint Programming Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Outline 1. Motivation 2. Course Organization 2 Outline 1.

499 views • 25 slides
/home/ytang/slides http://docs.nvidia.com/cuda/index.html

/home/ytang/slides http://docs.nvidia.com/cuda/index.html

/home/ytang/slides http://docs.nvidia.com/cuda/index.html __global__ void foo( ... ) { __global__ void foo( int *bar ) { if (

545 views • 20 slides
HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for Computer Science Operating Systems and Distributed Systems Reykjavk, July 29, 2013 Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 -

890 views • 31 slides
IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/303210806 IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors , including: Victor R Kebande Nickson

389 views • 23 slides
Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of

701 views • 44 slides
Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 1 / 47 Speaker: Sebastien Tricaud I Live and work in Paris (FR)

601 views • 48 slides

More recommend