Abstract
Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one’s network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing “situational awareness.” We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet “events”, and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.
© 2010 Springer-Verlag US
Cite this chapter
Barford, P., Chen, Y., Goyal, A., Li, Z., Paxson, V., Yegneswaran, V. (2010). Employing Honeynets For Network Situational Awareness. In: Jajodia, S., Liu, P., Swarup, V., Wang, C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-0140-8_5
DOI: https://doi.org/10.1007/978-1-4419-0140-8_5
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-0139-2
Online ISBN: 978-1-4419-0140-8
eBook Packages: Computer Science (R0)