
HoneySpider Network - Fighting client side threats (Piotr Kijewski) - PowerPoint PPT Presentation



  1. HoneySpider Network - Fighting client side threats
     Piotr Kijewski (NASK/CERT Polska), Carol Overes (GOVCERT.NL), Rogier Spoor (SURFnet)
     20th Annual FIRST Conference on Computer Security Incident Handling, June 22-27, Vancouver

  2. Goals
     • Introduction to honeyclients & malicious servers
     • Technical ins and outs of the HoneySpider Network
     The HoneySpider Network - Fighting client side threats 01-07-08

  3. Outline
     • Honeyclients
     • Malicious servers
     • HoneySpider Network – Why?
     • Project status
     • Technical concept
     • Wrap up

  4. What is a Honeyclient? (I)
     Definition: Honeyclients are active security devices in search of malicious servers that attack clients. The honeyclient poses as a client and interacts with the server to examine whether an attack has occurred.
     Source: http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient

  5. What is a Honeyclient? (II)
     Different honeyclients depending on level of interaction:
     1. Low interaction honeyclients
     2. High interaction honeyclients

  6. Low Interaction Honeyclient
     • Lightweight or simulated clients (web crawler)
     • Identifies known attacks based on:
       - Static analysis
       - Signatures
     • May fail to emulate vulnerabilities in client applications
     • Tools:
       - HoneyC
       - SpyBye
       - PhoneyC

  7. High Interaction Honeyclient
     • Fully functional operating system with vulnerable applications (browsers, plugins)
     • Detection of known/unknown attacks via comparison of system states (before and after visiting a server)
     • Slow & prone to detection evasion
     • Tools:
       - Capture-HPC
       - MITRE Honeyclient
       - HoneyMonkey

  8. Malicious servers (I)
     • Drive-by download
       - Download of malware without the knowledge of the user
       - Malware offered and executed through exploitation of (multiple) vulnerabilities in a browser, plugin, etc.
       - Specifically targeted based on browser (IE/Firefox), JVM version, operating system patch level

  9. Malicious servers (II)
     • Code obfuscation
       - Hides the exploit vector
       - Evasion of signature-based detection (AV products, Intrusion Detection Systems)
       - Examples seen for JavaScript, VBScript

  10. Malicious servers (III)
      Exploits imported from other servers via iframes, redirects, JavaScript client side redirects
      Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm

  11. Honeyclient project – Why?
      • Number of browser exploits has increased in recent years
      • Better understanding of client side threats
      • Existing tools are lacking in:
        - Integration & management
        - Stability & maturity
        - Heuristics (limited)
        - Stealth technology
        - Self-learning
      • Provide a service to constituents/customers

  12. Goal
      • Detect, identify and describe threats that infect computers through Web browser technology, such as:
        - Browser (0)-day exploits
        - Malware offered via drive-by downloads

  13. Project status
      • Completed functional & technical requirements
      • Organized project management
      • Frequent meetings, face-to-face & videoconference
      • Started software development September 2007
      • 1st milestone of software developed & currently being tested
      • Development of 2nd milestone started
      • Project will be finished first quarter 2009

  14. Architecture

  15. Technical concept

  16. Import layer

  17. Import layer
      • URLs (aka objects) are reported to the import layer via agents (scripts)
      • URLs are prioritized depending on importance / origin (configurable)
      • Contracted URLs:
        - Important URLs which need to be checked frequently (sites of constituents / customers)
      • Web form:
        - Manual submission of URLs
      • Loose crawler:
        - URLs from {Google|Yahoo} queries

  18. Filter layer

  19. Filter layer
      • Filters out URLs which are:
        - Already analyzed
        - Not active (domain or IP unreachable)
      • Applies to URLs from every source, except contracted URLs
      • Black list filter:
        - URLs identified as malicious
        - Hit count & TTL on URL
      • White list filter:
        - URLs identified as benign
        - Hit count & TTL on URL (or permanently listed)
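A worked model of the filter layer described on the slide above, added here as an example; it is not code from the HoneySpider Network project. It assumes a URL arrives as a (url, source) pair with sources "contracted", "webform" or "crawler", that black- and white-list entries carry a hit count and a TTL (or are permanently listed), and that reachability is supplied by a caller-provided probe so the example runs offline. The verdict names "malicious", "benign" and "suspicious" and the TTL value are constructed for the example.

```python
"""Filter-layer model for a honeyclient URL pipeline (added example, not HSN code).

Drops URLs that are already analyzed, unreachable, or on a live black/white
list entry; contracted URLs bypass every filter; expired entries trigger
re-analysis.  Everything here is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class ListEntry:
    """Black-/white-list entry: hit counter plus expiry (None = permanently listed)."""
    hits: int = 0
    expires_at: Optional[float] = None  # seconds on the caller's clock

    def is_live(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class FilterLayer:
    ttl_seconds: float = 3600.0  # constructed default TTL
    blacklist: Dict[str, ListEntry] = field(default_factory=dict)
    whitelist: Dict[str, ListEntry] = field(default_factory=dict)
    analyzed: Set[str] = field(default_factory=set)

    def add_verdict(self, url: str, verdict: str, now: float, permanent: bool = False) -> None:
        """Record an analysis result: 'malicious' -> blacklist, 'benign' -> whitelist,
        anything else (e.g. 'suspicious') is only remembered as already analyzed."""
        self.analyzed.add(url)
        if verdict == "malicious":
            table = self.blacklist
        elif verdict == "benign":
            table = self.whitelist
        else:
            return
        table[url] = ListEntry(hits=0, expires_at=None if permanent else now + self.ttl_seconds)

    def decide(self, url: str, source: str, now: float,
               reachable: Callable[[str], bool]) -> str:
        """Return 'analyze', or 'drop:<reason>' explaining why the URL is filtered."""
        if source == "contracted":
            return "analyze"  # contracted URLs are always re-checked
        for name, table in (("blacklist", self.blacklist), ("whitelist", self.whitelist)):
            entry = table.get(url)
            if entry is None:
                continue
            if entry.is_live(now):
                entry.hits += 1  # hit count: how often the verdict saved an analysis
                return f"drop:{name}"
            del table[url]              # TTL expired: forget the verdict ...
            self.analyzed.discard(url)  # ... and let the URL be analyzed again
        if url in self.analyzed:
            return "drop:already-analyzed"
        if not reachable(url):
            return "drop:unreachable"
        return "analyze"


def _probe(url: str) -> bool:
    """Constructed reachability probe: anything with 'down' in the host is unreachable."""
    return "down" not in url


def demo() -> dict:
    """Run a constructed sequence of URLs through the filter and collect the decisions."""
    t = 1000.0
    f = FilterLayer(ttl_seconds=60)
    f.add_verdict("http://bad.example/", "malicious", now=t)
    f.add_verdict("http://good.example/", "benign", now=t, permanent=True)
    f.add_verdict("http://odd.example/", "suspicious", now=t)
    out = {}
    out["bad_crawler"] = f.decide("http://bad.example/", "crawler", t + 10, _probe)
    out["bad_hits"] = f.blacklist["http://bad.example/"].hits
    out["bad_contracted"] = f.decide("http://bad.example/", "contracted", t + 10, _probe)
    out["bad_expired"] = f.decide("http://bad.example/", "crawler", t + 61, _probe)
    out["good_webform"] = f.decide("http://good.example/", "webform", t + 10_000, _probe)
    out["odd_crawler"] = f.decide("http://odd.example/", "crawler", t + 10, _probe)
    out["down_crawler"] = f.decide("http://down.example/", "crawler", t, _probe)
    out["new_crawler"] = f.decide("http://new.example/", "crawler", t, _probe)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The hit counter is what makes the TTL useful operationally: an entry that keeps being hit is a candidate for extending its TTL or promoting it to a permanent listing, while an entry that expires without hits can simply be forgotten.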

  20. Analysis layer

  21. Low interaction component (I)
      • Webcrawler (Heritrix)
      • Proxy (SpyBye) with ClamAV
      • Snort IDS
      • Pcap dumps
      • Extensions:
        - Rhino (JavaScript engine) -> JavaScript de-obfuscation
        - Heuristics -> Identify obfuscated & malicious JavaScripts

  22. Low interaction component (II)

  23. Low interaction component (III)
      • Heuristics
        Currently used to identify obfuscated JavaScripts. In the future also to be used to identify obfuscated VBScripts and to classify websites (benign, suspicious, malicious).
      • Currently implemented heuristics
        – Weka classifiers (machine learning techniques)
        – JSAdvancedEngineDetection
        – JSIterationCounter
        – JSExecutionTimeout
        – JSOutOfMemoryError

  24. Low interaction component (IV)
      • Heuristics under research
        Detect malicious web content the same way spam is detected.
      • Most promising heuristic
        - Naïve Bayes (good test results, undergoing further testing ‘in the wild’)
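To make the spam-filter analogy on slides 23 and 24 concrete, here is a token-level Naïve Bayes classifier for scripts, added as an example; it is not the project's Weka-based implementation. It treats identifier-like tokens of a script as a spam filter treats words, trains on a handful of constructed benign and obfuscated-looking samples, and classifies a new script by comparing smoothed log-posteriors. The training scripts, labels and the regular expression used for tokenizing are all constructed for the example.

```python
"""Naïve Bayes script classifier, spam-filter style (added example, not HSN code).

Tokens are identifier-like words; probabilities use Laplace (add-one) smoothing
so unseen tokens do not zero out a class.  Training data is constructed.
"""
import math
import re
from collections import Counter
from typing import Dict, List

TOKEN_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")


def tokenize(script: str) -> List[str]:
    """Lower-cased identifier-like tokens; string literals and digits are not split out."""
    return [t.lower() for t in TOKEN_RE.findall(script)]


class NaiveBayesScriptClassifier:
    def __init__(self) -> None:
        self.class_docs: Counter = Counter()         # label -> number of training docs
        self.class_tokens: Dict[str, Counter] = {}   # label -> token counts
        self.vocab = set()

    def train(self, script: str, label: str) -> None:
        self.class_docs[label] += 1
        counts = self.class_tokens.setdefault(label, Counter())
        for tok in tokenize(script):
            counts[tok] += 1
            self.vocab.add(tok)

    def log_posterior(self, script: str, label: str) -> float:
        """log P(label) + sum over tokens of log P(token | label), with add-one smoothing."""
        total_docs = sum(self.class_docs.values())
        counts = self.class_tokens.get(label, Counter())
        n_tokens = sum(counts.values())
        v = len(self.vocab)
        lp = math.log(self.class_docs[label] / total_docs)
        for tok in tokenize(script):
            lp += math.log((counts[tok] + 1) / (n_tokens + v))
        return lp

    def scores(self, script: str) -> Dict[str, float]:
        return {label: self.log_posterior(script, label) for label in self.class_docs}

    def classify(self, script: str) -> str:
        s = self.scores(script)
        return max(s, key=s.get)


# Constructed training corpus: ordinary page scripts vs. decode-and-eval patterns.
BENIGN_SAMPLES = [
    "document.getElementById('menu').addEventListener('click', toggleMenu);",
    "var form = document.forms[0]; form.onsubmit = validate;",
    "function validate() { return document.forms[0].email.value.length > 0; }",
]
MALICIOUS_SAMPLES = [
    "eval(unescape(p));",
    "var d=''; for(var i=0;i<c.length;i++){d+=String.fromCharCode(c.charCodeAt(i)^k);} eval(d);",
    "document.write(unescape(String.fromCharCode(x)));",
]


def build_classifier() -> NaiveBayesScriptClassifier:
    clf = NaiveBayesScriptClassifier()
    for s in BENIGN_SAMPLES:
        clf.train(s, "benign")
    for s in MALICIOUS_SAMPLES:
        clf.train(s, "malicious")
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for script in (
        "var s=''; for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]^7);} eval(s);",
        "document.getElementById('header').value = form.email.value;",
    ):
        print(clf.classify(script), clf.scores(script))
```

With a corpus this small the decision rests on a few tokens such as eval, unescape and fromCharCode, which is exactly why the slide reports the heuristic as still under test "in the wild": the vocabulary of real pages is much larger, and a classifier trained on too few samples will flag legitimate minified code. The iteration-counter and timeout heuristics from slide 23 complement this by catching scripts whose decoding loops run far longer than page scripts normally do.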

  25. High interaction component (I)
      • Based on Capture-HPC
      • Multiple patch levels of Microsoft Windows
      • IE / Firefox (possibly plugins, like QuickTime & Flash)
      • Checks for:
        - Started or terminated processes
        - Filesystem modifications
        - Registry modifications
      • Proxy (SpyBye) with ClamAV
      • Snort IDS
      • Pcap dumps

  26. High interaction component (II)

  27. External analysis
      • Submission of a binary file or URL to external sources
      • Results are stored in a database
      • Plugins for:
        - VirusTotal
        - Anubis
        - Norman Sandbox
        - CW Sandbox
        - Stopbadware

  28. And more analysis…
      • URL Localizer
        - ASN
        - Name of the ISP
        - Country
      • Active checker
        - Check if domain still resolves
        - Check if server is active

  29. Management layer

  30. Management layer
      • Object tagging
        - Confidence level
        - Priority level
        - Process classification
        - Alert classification
      • Queue manager
        - Manages the main object queue
      • Signature manager
        - Generation of signatures
        - Judging the quality of signatures
        - Distributing signatures to {Network|AV} monitor

  31. Presentation layer

  32. Presentation layer
      • Web-based GUI
      • Alerter plugin
        - Sends alerts via email, SMS
      • Reporter plugin
        - Creates reports (PDF) with graphical statistics and/or detailed information
      • External output plugin
        - External systems can fetch results of processed objects

  33. Wrap up (I)
      Honeyclients
      • Honeyclients are active security devices in search of malicious servers that attack clients
      • Low-interaction honeyclients are currently used to detect known attacks
      • High-interaction honeyclients are used to detect known & unknown attacks

  34. Wrap up (II)
      Honeyclient project
      • To identify suspicious and malicious URLs
      • A combination of low- & high-interaction honeyclients
      • Many URLs from multiple sources, processed based on importance

  35. Links
      • HoneySpider Network: http://www.honeyspider.org/
      • Capture-HPC: https://projects.honeynet.org/capture-hpc/
      • Heritrix: http://crawler.archive.org/
      • Weka: http://www.cs.waikato.ac.nz/ml/weka/

  36. Questions?
