Intrusion Detection with Honeypots (PDF document)
Intrusion Detection with Honeypots
Claire O'Shea
COMP 290 – Spring 2005

Overview
• Motivation
• What is a honeypot?
• Types of honeypots
• What can you do with them?
• Problems with honeypots
• Examples of honeypots
  - "An Evening with Berferd"
  - Honeyd
  - Honeynets
• Summary

Motivation
• Key to effective intrusion detection is information
  - Learn more about past attacks
  - Detect currently occurring attacks
  - Identify new types of attacks
  - Do all this in real time

Motivation
• Other methods we have seen for doing this:
  - Scan packets for specific signatures (signature-based detection)
  - Look for deviations from normal traffic (anomaly-based detection)
• Both these methods involve dealing with a very large data set!
  - Takes time to analyze
  - False positives and false negatives: hard to define what is "suspicious activity"
  - The relevant data may not even be recorded
    - Ex: snort will not detect a shrew attack
• This is where honeypots come in…

What is a honeypot?
• "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." -- Lance Spitzner
• Could be…
  - A password file on a remote machine
  - An Excel spreadsheet
  - An entry in a database
  - A computer on a network (this is the kind of honeypot we will talk about!)

What is a honeypot?
• The basic idea: set up a "normal" but unused computer on your network
  - Nobody knows it's there, so it should get no legitimate network traffic
  - Any traffic it gets is malicious by definition
  - All interactions with the honeypot are logged

What is a honeypot?
• Advantages of using a honeypot
  - Small, valuable data sets: no normal traffic, only attacks
  - Very few false positives or false negatives
  - Uses minimal resources
  - Easy to set up and use
  - Can capture new types of attacks
  - Can gather detailed information about attacks

Types of honeypots
• To an attacker, a honeypot should always look like a normal computer – but what is it really?
  - It could actually be a normal computer
  - It could be a simulation of certain aspects of a computer
  - Different types of honeypots are useful for different purposes

Types of honeypots
• Two basic categories:
  - Low-interaction honeypots
  - High-interaction honeypots

Low-interaction honeypots
• Attacker interacts with a "simulated" computer
• Many levels of simulation possible
  - Network stack
  - Services
  - Operating system

Low-interaction honeypots
• Advantages
  - Very simple
  - Low-risk (attacker never gets into a real system)
  - Require very minimal resources
• Disadvantages
  - Only collect limited information
  - Might not detect new types of attacks
  - Easy for attacker to detect

Low-interaction honeypots
• One real machine can simulate a whole network of virtual honeypots
[Figure: Architecture of Honeyd, a low-interaction honeypot. Only the router and the Honeyd machine (10.0.0.2) are real computers!]

Low-interaction honeypots
• Mostly used for intrusion detection on real networks
  - More specifics on this later
• Examples of low-interaction honeypots
  - Specter
  - Honeyd
  - KFSensor

High-interaction honeypots
• Real machines running real services
• We assume that these machines will be compromised!
  - All interactions with the machines are monitored and logged, providing detailed information about what the attacker did

High-interaction honeypots
• Two main requirements of this framework
  - Data Control – prevent the attacker from using the honeypots to harm other machines
  - Data Capture – record all the attacker's activities
  - Both of these should be invisible to the attacker!

High-interaction honeypots
• Fishbowl analogy
  - Set up a framework that provides data logging and security (the fishbowl)
  - Within that framework, put machines that you want the attacker to interact with (the rocks, plants, etc.)
  - Watch how the attacker (the fish) interacts with the machines

High-interaction honeypots
• Advantages
  - Capture a detailed profile of an attack
  - Can capture new types of attacks
• Disadvantages
  - Difficult to set up a good high-interaction honeypot
  - May put other machines in your network at risk
  - Monitoring the honeypots is time-intensive

High-interaction honeypots
• Mostly used for research
  - Georgia Tech runs a Honeynet
• Generally not used for intrusion detection
  - Too expensive to set up and maintain
• Examples of high-interaction honeypots
  - Symantec Decoy Server
  - Honeynets

Uses of honeypots
• What can you do with a honeypot?
• Intrusion detection/prevention
  - Lots of ways to use a honeypot as part of your security system
  - Most honeypot research is in this area
• Attack analysis
  - Observe attackers' behavior and develop better tools to guard against it
  - Still a fairly new field!

Uses of honeypots
• Decoys
  - Populate all unused addresses on your network with honeypots
  - Attacker has to waste time trying to attack the honeypots
  - Slows down the spread of worms
  - Slows down and annoys human attackers (maybe enough to make them go away?)

Uses of honeypots
• Tarpits
  - Intended to slow an attacker down
  - LaBrea Tarpit
    - Allows attacker to open a TCP connection, then reduces window size to 0
    - Attacker can't get any data through, and can't close the connection
    - Connection uses up resources on the attacker's system

Uses of honeypots
• Tarpits (continued)
  - Open mail relays
    - The honeypot offers an anonymous mail relay (which attracts spammers)
    - Responds very slowly to SMTP commands
    - Forces spammers to waste time interacting with the honeypot
    - Honeypot may pretend to forward the mail, but actually drop it
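The decoy idea above (honeypots on every unused address, so any flow that reaches one is malicious by definition) as an added worked example, not code from the slides: a detector over a constructed flow log that raises an alert per source touching a decoy, classifies a source that hits several decoys as a sweep (worm or scanner), and lists the real hosts that source also contacted. The network, the inventory of real machines and the log lines are all assumed.

```python
"""Burglar-alarm detection for decoys on unused addresses (added example)."""
import ipaddress
from collections import defaultdict

# Assumed inventory: every address in NETWORK that is not a real host is
# answered by a decoy (the Honeyd model from the slides).
NETWORK = ipaddress.ip_network("10.0.0.0/24")
REAL_HOSTS = {"10.0.0.1", "10.0.0.2", "10.0.0.10", "10.0.0.20"}
DECOYS = {str(ip) for ip in NETWORK.hosts()} - REAL_HOSTS

# Constructed flow log, one "time src dst dport" record per line.
FLOW_LOG = """\
10:00:01 192.0.2.44 10.0.0.10 80
10:00:02 10.0.0.20 10.0.0.10 80
10:00:05 198.51.100.7 10.0.0.3 445
10:00:05 198.51.100.7 10.0.0.4 445
10:00:06 198.51.100.7 10.0.0.5 445
10:00:06 198.51.100.7 10.0.0.10 445
10:00:09 192.0.2.44 10.0.0.77 22
"""

def parse_flows(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield ts, src, dst, int(dport)

def honeypot_alerts(text, sweep_threshold=3):
    """Per-source findings: decoys touched, ports used, and the real hosts the
    same source also contacted (the pivot an analyst wants first)."""
    decoys_hit, ports, real_hit = defaultdict(set), defaultdict(set), defaultdict(set)
    for _ts, src, dst, dport in parse_flows(text):
        if dst in DECOYS:                       # nobody legitimate goes here
            decoys_hit[src].add(dst)
            ports[src].add(dport)
        elif dst in REAL_HOSTS and src not in REAL_HOSTS:
            real_hit[src].add(dst)              # remembered only for pivoting
    findings = {}
    for src, decoys in decoys_hit.items():
        kind = "sweep" if len(decoys) >= sweep_threshold else "probe"
        findings[src] = {"kind": kind, "decoys": sorted(decoys),
                         "ports": sorted(ports[src]),
                         "real_hosts": sorted(real_hit[src])}
    return findings

if __name__ == "__main__":
    for src, f in honeypot_alerts(FLOW_LOG).items():
        print(src, f)
```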

Uses of honeypots
• Automatic signature generation
  - Honeycomb – a plug-in for honeyd
  - Detects patterns in the logged data, creates Snort and Bro signatures
  - Works fairly well with no human input, and much faster than manual signature generation

Uses of honeypots
• Burglar alarms
  - When the honeypot is compromised, admins know that an attack is going on in their network
  - Honeypot logs provide detailed information about the attack
  - Some evidence (from GT Honeynet) that attacks can be predicted a few days in advance, based on abnormal activity on the honeypots

Uses of honeypots
• Many more ways to use honeypots
  - Identify zero-day worms
  - Disrupt DDoS attacks
  - Monitor botnets
  - Etc…

Problems with honeypots
• So what's wrong with honeypots?
  - Attacker may do bad things with the compromised system
  - Attacker may discover that the system is a honeypot
  - Legal concerns
  - Difficult to catch more intelligent attackers with honeypots

Problems with honeypots
• Once a honeypot is compromised…
  - It may be used to attack other machines (on your network or elsewhere)
    - Preventing this should be the top priority of a honeynet – but no guarantees!
  - It may be used for criminal activity (ex. serving illegal files)
  - If any of this is detected, it will initially be blamed on you!

Problems with honeypots
• What if the attacker detects the honeypot?
  - Detection before the attack
    - A smart attacker might check whether a machine is a honeypot before trying to compromise it
    - If the disguise fails at this stage, the honeypot is useless – we have not learned anything about the attacker
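The automatic signature generation described above, as an added example that is not Honeycomb's own code: Honeycomb's core step is to find the longest byte string shared by several payloads captured on the honeypot and emit it as a Snort content match. The longest-common-substring approach, the payloads and the rule fields (message, sid) are assumptions for illustration.

```python
"""Honeycomb-style Snort rule generation from captured payloads (added example)."""

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    # Classic dynamic-programming LCS over raw bytes, O(len(a) * len(b)).
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def common_pattern(payloads, min_len=8) -> bytes:
    # Fold the LCS across all payloads; a pattern shorter than min_len would
    # match far too much legitimate traffic to be worth a signature.
    pattern = payloads[0]
    for p in payloads[1:]:
        pattern = longest_common_substring(pattern, p)
        if len(pattern) < min_len:
            return b""
    return pattern

def snort_content(pattern: bytes) -> str:
    # Snort content syntax: printable bytes literally, everything else (and the
    # characters Snort treats specially inside content) as |hex| blocks.
    out, hexrun = [], []
    for b in pattern:
        if 0x20 <= b < 0x7F and chr(b) not in '";|\\':
            if hexrun:
                out.append("|" + " ".join(hexrun) + "|"); hexrun.clear()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)

def make_rule(payloads, dport, sid, msg="honeypot-derived signature"):
    pattern = common_pattern(payloads)
    if not pattern:
        return None
    return (f'alert tcp any any -> $HOME_NET {dport} (msg:"{msg}"; '
            f'content:"{snort_content(pattern)}"; sid:{sid}; rev:1;)')

# Constructed payloads: three probes of the same CGI path with varying padding.
# Note the shared "T /" suffix of GET and POST gets pulled into the pattern:
# exactly the kind of slightly odd signature fully automatic generation yields.
SAMPLE_PAYLOADS = [
    b"GET /cgi-bin/probe.cgi?x=AAAA HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n",
    b"GET /cgi-bin/probe.cgi?x=BBBBBB HTTP/1.0\r\nHost: 10.0.0.9\r\n\r\n",
    b"POST /cgi-bin/probe.cgi?x=CC HTTP/1.0\r\nHost: 10.0.0.7\r\n\r\n",
]
```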

Problems with honeypots
• Detection after the attack
  - The honeypot has still collected useful data!
  - If it is a burglar alarm, its work is done at this point; detection doesn't matter
  - If it is a research honeypot intended to gather long-term data on the attacker, detection is a big problem!
  - How will the attacker respond?
    - Abandon the honeypot
    - Disable its functionality (logging, etc.)
    - Introduce false information into the logs

Problems with honeypots
• What kind of attackers can a honeypot catch?
  - It depends on the "bait" you use
  - Normal machines will mostly attract automated attacks
  - To catch specific threats (like credit card thieves) you need a honeypot that "looks" valuable to them!
  - This is very hard to do, so it's hardly ever done!

Problems with honeypots
• Legal concerns
  - Privacy – anybody interacting with the honeypot does not know that the interactions are being logged
    - This is OK if it is done for security reasons (Service Provider Protection)
    - Avoid logging certain things (ex. IRC servers)

Problems with honeypots
• Legal concerns
  - Liability – if your honeypot is used to attack someone else, can they sue you?
  - You intentionally allowed the attacker to get in, so you may be blamed
  - All this is speculation; honeypots are a new technology, so there are no precedents
  - But these concerns can make admins nervous about deploying honeypots!

Examples of honeypots
• "Berferd"
• Honeyd (a low-interaction honeypot)
• Honeynets (a high-interaction honeypot)

"An Evening With Berferd"
• The classic paper on honeypots: Bill Cheswick, "An Evening with Berferd: In Which a Cracker is Lured, Endured, and Studied." (1991)
  - Cheswick, a network admin at Bell Labs, detects an attacker trying to break into the system and decides to see what he does…
