Employing Honeynets For Network Situational Awareness
Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one’s network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing “situational awareness.” We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet “events”, and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.
KeywordsSituational Awareness Interarrival Time Address Space Source Count Source Arrival
Unable to display preview. Download preview PDF.
- 1.HoneyBow Sensor. http://honeybow.mwcollect.org.
- 3.Net-Worm.Win32.Allaple.a. http://www.viruslist.com/en/viruses/encyclopedia?virusid=145521.
- 4.OS Platform Statistics by W3school. http://www.w3schools.com/browsers/browsers_stats.asp.
- 5.M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In Network and Distributed Security Symposium, San Diego, CA, January 2005.Google Scholar
- 6.J. Bethencourt et al. Mapping internet sensors with probe response attacks. In Proc. of the USENIX Security, 2005.Google Scholar
- 7.J. Cai et al. Honeynets and honeygames: A game theoretic approach to defending network monitors. Technical Report TR1577, University of Wiscconsin, 2006.Google Scholar
- 8.E. Cooke, M. Bailey, M. Mao, D. Watson, F. Jahanian, and D. McPherson. Toward understanding distributed blackhole placement. In Proceedings of CCS Workshop on Rapid Malcode (WORM ’04), October 2004.Google Scholar
- 9.J. R. Crandall, Z. Su, and S. F. Wu. On deriving unknown vulnerabilities from zeroday polymorphic and metamorphic worm exploits. In Proc. of ACM CCS, 2005.Google Scholar
- 10.Dshield. http://www.dshield.org.
- 11.German Honeynet Project. Tracking Botnets. http://www.honeynet.org/papers/bots, 2005.
- 12.G. Gu et al. Bothunter: Detecting malware infection through ids-driven dialog correlation. In Proc. of USENIX Security, 2007.Google Scholar
- 13.G. Gu et al. Botsniffer: Detecting botnet command and control channels in network traffic. In Proc. of NDSS, 2008.Google Scholar
- 14.The Honeynet Project. http://project.honeynet.org, 2003.
- 15.M. G. Kendall. Rank Correlation Methods. Griffin., 1976.Google Scholar
- 16.H. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In 13 th USENIX Security Symposium, San Diego, California, August 2004.Google Scholar
- 17.C. Kreibich and J. Crowcroft. Honeycomb–creating intrusion detection signatures using honeypots. In 2 nd Workshop on Hot Topics in Networks (Hotnets-II), Cambridge, Massachusetts, November 2003.Google Scholar
- 18.A. Kumar et al. Exploiting underlying structure for detailed reconstruction of an internet scale event. In Proc. of ACM IMC, 2005.Google Scholar
- 19.Z. Li, A. Goyal, Y. Chen, and V. Paxson. Towards situational awareness of large-scale botnet events using honeynets. Technical Report NWU-EECS-08-08, Northwestern University, 2008.Google Scholar
- 20.D. Moore. Network telescopes: Observing small or distant security events. Invited Presentation at the 11th USENIX Security Symposium, 2002.Google Scholar
- 21.D. Moore et al. Inside the slammer worm. IEEE Security and Privacy, 2003.Google Scholar
- 22.D. Moore, C. Shannon, and J. Brown. Code red: A case study on the spread and victims of an internet worm. In Proceedings of ACM SIGCOMM Internet Measurement Workshop, November 2002.Google Scholar
- 23.D. Moore, G. Voelker, and S. Savage. Inferring internet denial of service activity. In Proceedings of the 2001 USENIX Security Symposium, Washington D.C., August 2001.Google Scholar
- 24.Navy Aviation Schools Command. Situational Awareness. https://www.cnet.navy.mil.crm/crm/stand_mat/seven_skills/SA.asp, 2005.
- 25.Network Centric Operations Industry Consortium. Situational Awareness. http://www.ncoic.org/download/NCOIC_Lexicon_v8.pdf, 2005.
- 26.R. Pang et al. Characteristics of Internet background radiation. In Proc. of ACM IMC, 2004.Google Scholar
- 27.R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In Proceedings of the ACM SIGCOMM Internet Measurement Conference, 2004.Google Scholar
- 28.V. Paxson. BRO: A system for detecting network intruders in real time. In 7 th USENIX Security Symposium, San Antonio, Texas, January 1998.Google Scholar
- 29.N. Provos. A virtual honeypot framework. In Proceedings of USENIX Security Symposium, San Diego, CA, August 2004.Google Scholar
- 30.N. Provos. A virtual honeypot framework. In Proc. of USENIX Security, 2004.Google Scholar
- 31.M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proc. of ACM IMC, 2006.Google Scholar
- 32.J. A. Rice. Mathematical Statistics and Data Analysis. Duxbury Press, 1994.Google Scholar
- 33.S. Singh, C. Estan, G. Varghese, and S. Savage. The Earlybird system for real-time detection of unknown worms. In Operating System Design and Implementation, 2004.Google Scholar
- 34.S. Staniford et al. How to 0wn the Internet in your spare time. In Proc. of USENIX Security, 2002.Google Scholar
- 35.W. E. Weisstein. Stirling Number of the Second Kind. http://mathworld.wolfram.com/StirlingNumberoftheSecondKind.html.
- 36.V. Yegneswaran, P. Barford, and D. Plonka. On the design and use of internet sinks for network abuse monitoring. In Proceedings of Recent Advances in Intrusion Detection, 2004.Google Scholar
- 37.V. Yegneswaran, P. Barford, and J. Ullrich. Internet intrusions: Global characteristics and prevalence. In Proceedings of ACM SIGMETRICS, June 2003.Google Scholar
- 38.V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha. An Architecture for Semantic-Aware Signature Generation. In Proceedings of USENIX Security Symposium, 2005.Google Scholar