honeyspider network 2 0
play

HoneySpider Network 2.0 detecting client-side attacks the easy way - PowerPoint PPT Presentation

Dec 07, 2023 •10 likes •280 views

HoneySpider Network 2.0 detecting client-side attacks the easy way Pawe Pawli nski CERT Polska / NASK 24th Annual FIRST Conference 21 June 2012 Pawe Pawli nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 1 / 23

  1. HoneySpider Network 2.0 detecting client-side attacks the easy way Paweł Pawli´ nski CERT Polska / NASK 24th Annual FIRST Conference 21 June 2012 Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 1 / 23

  2. Outline Introduction 1 Architecture 2 Services 3 4 Demonstration Future plans 5 Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 2 / 23

  3. Introduction Outline Introduction 1 Architecture 2 Services 3 4 Demonstration Future plans 5 Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 3 / 23

  4. Introduction Origins of HSN 2.0 Joint project CERT Polska NCSC-NL (GOVCERT.NL) Started in 2011 Successor to HoneySpider Network version 1.x used in production by CERTs we gained experience in scanning web pages automatically Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 4 / 23

  5. Introduction Project goals Detect attacks on client applications web pages files Apply multiple analyses PDF, SWF, JavaScript, . . . low and high interaction honeypots Configurable (processing details) Scalable (crawling) Open architecture Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 5 / 23

  6. Introduction Project goals Detect attacks on client applications web pages files Apply multiple analyses PDF, SWF, JavaScript, . . . version 1 low and high interaction honeypots Configurable (processing details) Scalable (crawling) Open architecture Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 5 / 23

  7. Architecture Outline Introduction 1 Architecture 2 Services 3 4 Demonstration Future plans 5 Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 6 / 23

  8. Architecture Overview HSN: 1.x vs 2.0 1.x 2.0 Framework Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 7 / 23

  9. Architecture Overview Architecture overview Operational Reporting Job Web GUI Job Report DB Alerts Framework export Job CLI Job Monitoring Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 8 / 23

  10. Architecture Overview Technical foundations Network communication Advanced Message Queueing Protocol Google Protocol Buffers Storage CouchDB JSON documents operational data + flexible mapping → persistent reports Programming languages Java Python (C++) Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 9 / 23

  11. Architecture Configurability Sample workflow Job start accepted yes no parameter A = "some value" rejected ... Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 10 / 23

  12. Architecture Configurability Sample workflow Job start accepted Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 10 / 23

  13. Architecture Configurability Sample workflow accepted yes no parameter A = "some value" rejected ... Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 10 / 23

  14. Services Outline Introduction 1 Architecture 2 Services 3 4 Demonstration Future plans 5 Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 11 / 23

  15. Services Implemented services Web client emulators HtmlUnit-based custom browser emulator implemented in Java uses Rhino engine complete control over all behaviors (requests, redirects, frames) link extraction Thug (low interaction honeypot) implemented in Python uses V8 engine less control detects common attacks These are not crawlers! Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 12 / 23

  16. Services Implemented services Analyzers Static JavaScript analyzer port from version 1 n-grams + Bayes classifier SWF analyzer (NASK) Shellcode detection (scdbg) Cuckoo Sandbox Capture-HPC high-interaction honeypot used in HSN 1.x new features and stability fixes Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 13 / 23

  17. Services Implemented services Utilities Feeder file with URLs search engine results . . . URL normalizer Reporter (persistent data) Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 14 / 23

  18. Services Razorback integration Razorback: short introduction Modular IDS Data acquisition decoupled from offline analyses Dispatcher: routes data Nuggets (services) collection (Snort, SMTP , . . . ) analyzers enrichment (DNS, . . . ) SQL database GUI Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 15 / 23

  19. Services Razorback integration Razorback: short introduction Modular IDS Data acquisition decoupled from offline analyses Dispatcher: routes data Nuggets (services) collection (Snort, SMTP , . . . ) analyzers enrichment (DNS, . . . ) SQL database GUI Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 15 / 23

  20. Services Razorback integration Razorback analyzers Universal Razorback-to-HSN 2.0 adapter Only recompilation required, no changes to source code Tested nuggets: swfScanner pdfFox clamavNugget officeCat virusTotal archiveInflate Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 16 / 23

  21. Services Extensibility Extensibility Open communication protocol Well-defined data contract for each service Open technologies: AMQP , protobuf, REST, JSON Libraries provided for Java and Python Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 17 / 23

  22. Demonstration Outline Introduction 1 Architecture 2 Services 3 4 Demonstration Future plans 5 Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 18 / 23

  23. Demonstration Demonstration . . . Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 19 / 23

  24. Future plans Outline Introduction 1 Architecture 2 Services 3 4 Demonstration Future plans 5 Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 20 / 23

  25. Future plans Current state of HSN 2.0 All essential components implemented framework storage web client Growing set of analyzers Functional web interface More tests and stabilization needed Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 21 / 23

  26. Future plans Future plans Release as open source (soon!) Improve management of the whole system More analyzers integrate existing tools analysis of sandbox data alternative web clients (high-interactive?) looking for more ideas! Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 22 / 23

  27. Thank you for your attention. Questions? Paweł Pawli´ nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 23 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes (GOVCERT.NL) Rogier Spoor (SURFnet) 20th Annual FIRST Conference on Computer Security Incident Handling, June 22-27, Vancouver Goals

501 views • 36 slides
1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

Network Layer Network Layer Chapter 4: Network Layer Mobile network Chapter goals: Global ISP understand principles behind network layer Network Layer services: Home network network layer service models Regional ISP forwarding

550 views • 3 slides
5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

Network Layer Network Layer Network Layer Network Layer Network Layer Comparison of LS and DV algorithms Message complexity Robustness: what happens 1 Introduction 5 Routing algorithms if router malfunctions? LS: with n nodes, E

325 views • 4 slides
7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

Network Layer Network Layer Network Layer Network Layer IP Fragmentation & Reassembly IP Fragmentation and Reassembly network links have MTU length ID fragflag offset (max.transfer size) - largest possible link-level frame.

948 views • 5 slides
Network Coding Network Coding Jie Gao Existing network Existing network Independent data

Network Coding Network Coding Jie Gao Existing network Existing network Independent data

Network Coding Network Coding Jie Gao Existing network Existing network Independent data stream sharing the same network resources Packets over the Internet Signals in a phone network An analog: cars sharing a highway.

1.01k views • 46 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
1 Creating a network app application transport network data link write programs that

1 Creating a network app application transport network data link write programs that

Last time Mobile network Internet overview Global ISP whats a protocol? network edge, core, access network Home network Regional ISP Regional ISP packet-switching versus k t it hi circuit-switching Internet/ISP

524 views • 20 slides
Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network Support for multiple logical networks running on a common shared physical substrate A container of network services Aspects of the

589 views • 21 slides
4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

Network Layer Network Layer Network Layer Network Layer Routing Table Aggregation - > 4 billion Forwarding table Longest prefix matching possible entries Prefix Match Link Interface Destination Address Range Link Interface 11001000

288 views • 3 slides
Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual circuits

840 views • 42 slides
Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual circuits

524 views • 28 slides
Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer!

Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer!

Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual

757 views • 40 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Data Link Layer MAC address Protocol Network Layer address must identify the network

Data Link Layer MAC address Protocol Network Layer address must identify the network

Overview What is a computer network? CSCE 515: What is the Internet? Computer Network What are the popular network reference Programming model? -- Midterm Review OSI, TCP/IP Wenyuan Xu What is the main responsibilities and

339 views • 12 slides
Data Link Layer MAC address Protocol Network Layer address must identify the network

Data Link Layer MAC address Protocol Network Layer address must identify the network

Overview What is a computer network? CSCE 515: What is the Internet? Computer Network What are the popular network reference Programming model? -- Review (partial) OSI, TCP/IP Wenyuan Xu What is the main responsibilities

299 views • 13 slides
1 Connection-oriented service Connectionless service Goal: data transfer between end systems

1 Connection-oriented service Connectionless service Goal: data transfer between end systems

A closer look at network structure: network edge: applications and hosts network core: Network Overview routers network of networks access networks, physical media: communication links Introduction Introduction 1-1 1-2

543 views • 8 slides
One of the major challenges in the design and verification of manycore systems is cache coherency.

One of the major challenges in the design and verification of manycore systems is cache coherency.

One of the major challenges in the design and verification of manycore systems is cache coherency. In bus-based architectures, this is a well-studied problem. When replacing the bus by a communication network, however, new problems arise.

411 views • 40 slides
Compact Behavioural Modelling Behavioural Modelling Compact of Electromagnetic Effects of

Compact Behavioural Modelling Behavioural Modelling Compact of Electromagnetic Effects of

PBLM 1 Compact Behavioural Modelling Behavioural Modelling Compact of Electromagnetic Effects of Electromagnetic Effects in On- -Chip Interconnect Chip Interconnect in On Invited presentation at Invited presentation at MACSI- -NET

673 views • 33 slides
Open Cloud Mesh Peter Szegedi GANT Amsterdam 17th TF-Storage, Pisa, Italy 14/10/2015 Networks

Open Cloud Mesh Peter Szegedi GANT Amsterdam 17th TF-Storage, Pisa, Italy 14/10/2015 Networks

Open Cloud Mesh Peter Szegedi GANT Amsterdam 17th TF-Storage, Pisa, Italy 14/10/2015 Networks Services People www.geant.org History Around early 2012, TF-Storage participants started to actively look into data storage software

409 views • 9 slides
Contrasting Topologies for Regular Interconnection Networks under the Constraints of Nanoscale

Contrasting Topologies for Regular Interconnection Networks under the Constraints of Nanoscale

Contrasting Topologies for Regular Interconnection Networks under the Constraints of Nanoscale Technologies MPSoC Research Group @ University of Ferrara Daniele Ludovici , Francisco Gilabert, Maria Gomez, Georgi Gaydadjiev, Davide Bertozzi

980 views • 33 slides
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska,

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska,

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, Henry M. Levy Transactions Vol. 8, No. 1, ACM February 1990, pp. 37-55 presented by Ian Dees for PSU CS533, Jonathan Walpole February 2, 2009 This

255 views • 24 slides
Course Updates Website set-up at https://ae640a.github.io/ Lectures uploaded

Course Updates Website set-up at https://ae640a.github.io/ Lectures uploaded

Course Updates Website set-up at https://ae640a.github.io/ Lectures uploaded Canvas invite (for assignments & submissions) will be sent once course list (after add-drop) is available Attendance: 70% Minimum Last 2

823 views • 47 slides
Duke University CompSci 514 Quiz 2 Spring 2015 Name (Print): , (Family name) (Given name)

Duke University CompSci 514 Quiz 2 Spring 2015 Name (Print): , (Family name) (Given name)

Duke University CompSci 514 Quiz 2 Spring 2015 Name (Print): , (Family name) (Given name) Student ID Number: Date of Exam: March 31, 2015 Time Period: 6:30pm-7:50pm Number of Exam Pages: 9 (including this cover sheet) Exam Type: open

325 views • 9 slides
Process (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even section) CS39002

Process (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even section) CS39002

Process (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even section) CS39002 Spring 2019-20 So far on processes What is a process? Structure of a process Process states Process control block Context switch

1.05k views • 54 slides

More recommend