SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots
The goals of this project sound an awful lot like the Honeycomb project. Very interesting ...
As next-generation computer worms may spread within minutes to millions of hosts, protection via human intervention is no longer an option. We discuss the implementation of SweetBait, an automated protection system that employs low-interaction honeypots to capture suspicious traffic. After discarding whitelisted patterns, it automatically generates worm signatures. To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. At the same time the signatures are continuously refined for increased accuracy and lower false identification rates. By monitoring signature activity and predicting ascending or descending trends in worm virulence, we are able to sort signatures in order of urgency. As a result, the set of signatures to be monitored or filtered is managed in such a way that new and very active worms are always included in the set, while the size of the set is bounded. SweetBait is deployed on medium sized academic networks across the world and is able to react to zero-day worms within minutes. Furthermore, we demonstrate how globally sharing signatures can help immunise parts of the Internet.
Source: SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots, Georgios Portokalidis and Herbert Bos.
October 13, 2005 in detection, honeypots, papers
Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm
Another paper on the topic of very large scale honeypot setups to detect malicious activity.
The rapid evolution of large-scale worms, viruses and botnets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware, network honeypots, have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.
Source: Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm, Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage, to appear at the 2005 SOSP meeting.
September 6, 2005 in honeypots, papers
Net worms could wriggle around warning systems
At last week's Usenix Security 2005, an interesting paper was presented (actually, one of two very related papers). Mapping Internet Sensors With Probe Response Attacks by John Bethencourt, Jason Franklin, and Mary Vernon showed how easy it is for attackers with meager means to reliably identify various early detection networks. The authors focused on the ISC detection network, organized by SANS, but it's a problem that applies to many of these approaches.
Some people are worried about the effect this could have on worm authors. If they discover these networks, can't they simply avoid them in their worm propagation algorithms?
Armed with this information, the creator of a computer worm could create code that bypasses these traps and infects more computers as it spreads. The researchers say the same principle could enable troublemakers to bypass other forms of network defences, including blocks against intruders probing the system and barriers to prevent so-called denial of service attacks.
Several sensor networks provide network administrators with early warning of a possible worm outbreak. These include the SANS Institute's Internet Storm Center based in Maryland, US, the University of Michigan's Internet Motion Sensor and Symantec's DeepSight.
Source: Net worms could wriggle around warning systems, posted on 05 August 2005, via the NewScientist.com news service, written by Will Knight.
Frankly, I'm not very worried about this in the case of worm authors, for three main reasons. First, we've seen this sort of thing before. SQLSnake used a list of class A networks, weighted by their relative populations. Still, people found the worm quickly, captured it and analyzed it, because they have live networks instrumented, honeypots in place, and in general watch their networks. Secondly, we've seen a growing prevalence of "island hopping" techniques, as used for example by the Nimda worm. Quoting from the CERT advisory for Nimda:
The selection of potential target IP addresses follows these rough probabilities:
- 50% of the time, an address with the same first two octets will be chosen
- 25% of the time, an address with the same first octet will be chosen
- 25% of the time, a random address will be chosen
Nimda is not the only worm to have used this technique; many worms these days do. Because the larger dark sensor networks are their own /16s, or even /8s, island hopping propagation techniques hit those networks far less often than they hit other, nearby allocated networks. The technique is especially effective at spreading, and yet the worms are caught, analyzed, and alerts are created. Thirdly, plenty of live networks, and dark networks too, are monitored without their reports being widely distributed. That defeats the attack mechanism described in the paper (although other detection techniques are available to the determined attacker) and keeps the world's networks detecting worms.
The benefit of open projects like the ISC, MyNetWatchman and related efforts is that they make wide-scale statistics available to anyone. The real users of this technique (avoiding these networks) will be individual attackers, or people interested in poisoning the observations from these networks, not worm authors. No one relies on them as their sole attack detection mechanism, so the threat level involved is relatively low.
August 9, 2005 in detection, editorial, honeypots, media, papers
A Hybrid Honeypot Architecture for Scalable Network Monitoring
One of those classics. Recall that Bailey, Cooke and Watson are behind the IMS project, and Provos is the main author of Honeyd.
To provide scalable, early warning and analysis of new Internet threats like worms or automated attacks, we propose a globally distributed, hybrid monitoring architecture that can capture and analyze new vulnerabilities and exploits as they occur. To achieve this, our architecture increases the exposure of high-interaction honeypots to these threats by employing low-interaction honeypots as frontend content filters. Host-based techniques capture relevant details such as packet payload of attacks while network monitoring provides wide coverage for quick detection and assessment. To reduce the load of the backends, we filter prevalent content at the network frontends and use a novel handoff mechanism to enable interactions between network and host components. We use measurements from live networks over five months to demonstrate the effectiveness of content prevalence as a filtering mechanism. Combining these observations with laboratory measurements, we demonstrate that our hybrid architecture is effective in preserving the detail of a specific threat while still achieving performance and scalability. We illustrate the benefits of this framework by showing how it enables earlier, higher-confidence detection, more detailed forensics, and robust signatures for mitigation of threats.
Source: A Hybrid Honeypot Architecture for Scalable Network Monitoring, Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian, and Niels Provos.
July 14, 2005 in detection, honeypots, papers
How to Hook Worms (IEEE Spectrum)
IBM researchers have an article in a recent issue of IEEE's magazine Spectrum. Their article covers "Billy Goat", their honeypot system used to detect worms. The system is less revolutionary than they seem to present it as at times, unless I'm missing something entirely. The descriptions I've seen so far don't make it any more impressive than a commercial tool like WormScout or a free tool like Honeyd. I welcome the opportunity for a demo if one arises (this holds true for any worm detection tool I post about on wormblog: I post what I can, especially about tools I have some familiarity with, but I don't get access to commercial tools frequently).
Protection of a computer system begins with good locks, in the form of hardware and software barriers. But just as homeowners often keep watchdogs to sniff out a burglar even after he has gotten past a locked door, so do many of today's systems monitor suspicious activities that take place inside a computer.
At IBM Zurich Research Laboratory, we're working on a remedy for worms that differs from other approaches in targeting worms specifically rather than trying to prevent all breaches of computer security. Our system, called Billy Goat, does just one thing but does it extremely accurately.
Source: How to Hook Worms, by James Riordan, Andreas Wespi & Diego Zamboni.
More technical information can be found in this research report from the IBM website. They describe the architecture and some of the algorithms they use, along with the SQL methods they use (which are interesting) to perform data analysis.
This paper describes some of the lessons, insights and constructions stemming from the creation, deployment, and operation of the Billy Goat worm detection system. The most important feature of Billy Goat is its reliability in terms of accuracy, resilience and rapidity in detection and identification of worms without false positives. It is widely deployed throughout IBM and several other corporate networks. We discuss the features and requirements of worm detection systems in general, and how they are addressed by Billy Goat. We also describe some experiences and findings from our deployments of the system.
Source: Lessons Learned from Billy Goat, an Accurate Worm-Detection System, by James Riordan, Diego Zamboni, Yann Duponchel, publication number RZ3609, published in 2005.
Finally, the research team is described in this article, More on the team, by Michael Waidner. IBM has a sizable research staff, and this is only one of their projects.
June 17, 2005 in detection, honeypots, tools
Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
An increasing number of people are seeing the intersection of malware and automated delivery mechanisms rise in frequency and impact. I've long looked at worms as an excellent malware distribution platform. The result is often called a 'botnet'. In this paper, three German researchers describe how they can detect the presence of a botnet and infer its structure using very direct techniques.
Denial-of-Service (DoS) attacks pose a significant threat to the Internet today especially if they are distributed, i.e., launched simultaneously at a large number of systems. Reactive techniques that try to detect such an attack and throttle down malicious traffic prevail today but usually require an additional infrastructure to be really effective. In this paper we show that preventive mechanisms can be as effective with much less effort: We present an approach to (distributed) DoS attack prevention that is based on the observation that coordinated automated activity by many hosts needs a mechanism to remotely control them. To prevent such attacks, it is therefore possible to identify, infiltrate and analyze this remote control mechanism and to stop it in an automated fashion. We show that this method can be realized in the Internet by describing how we infiltrated and tracked IRC-based botnets which are the main DoS technology used by attackers today.
Source: Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, Felix C. Freiling and Thorsten Holz and Georg Wicherski.
May 28, 2005 in defense, honeypots, papers
MWCollect: Malware collection tool
The German Honeynet Alliance has released an interesting tool, mwcollect, that gathers the malware attacking commonly abused Windows subsystems, such as the DCOM RPC service (exploited by Blaster) and LSASS (exploited by Sasser), both of which have had vulnerabilities in the past few years.
mwcollect is an easy solution to collect worm-like malware in a non-native environment like FreeBSD or Linux (you might have compilation issues on FreeBSD though; Debian Linux has been extensively tested). The first versions were used to collect binaries for botnet monitoring, and bots are still what mwcollect mostly collects. Some people consider it a next generation honeypot; however, that comparison often leads to the misunderstanding that computers running mwcollect can actually be infected with the malware - that is not the case!
Source: The mwcollect website.
May 7, 2005 in detection, honeypots, tools
Collapsar: A VM-Based Architecture for Network Attack Detention
This presentation introduces a scalable, centralised VM-based honeyfarm, much like yesterday's Honeyfarm idea, and contrasts it with the overlay approaches:
Collapsar is different from current approaches. In (an) overlay-based approach like NetBait or Domino Overlay, honeypots are deployed in different networks. Log information generated by these honeypots is securely aggregated so that advanced data mining techniques can be applied. However, those attacks still happen within those sites.
Source: Collapsar: A VM-Based Architecture for Network Attack Detention, Xuxian Jiang, Dongyan Xu, presented at USENIX Security 2004.
May 4, 2005 in detection, honeypots, papers
The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks
Another paper that analyzes how effective a honeynet deployment is at surfacing malicious traffic on a production network. It also gives some insight into the data management needed for large-scale honeypot and honeynet deployments.
Computer Networks connected to the Internet continue to be compromised and exploited by hackers. This is in spite of the fact that many networks run some type of security mechanism at their connection to the Internet. Large Enterprise Networks, such as the network for a major university, are very inviting targets to hackers who are looking to exploit networks. Large Enterprise Networks may consist of many machines running numerous operating systems. These networks normally have enormous storage capabilities and high speed/high bandwidth connections to the Internet. Due to the requirements for Academic Freedom, system administrators are restricted in what requirements they can place on users on these networks. The high bandwidth usages on these networks make it very difficult to identify malicious traffic within the enterprise network. We propose that a Honeynet can be used to assist the system administrator in identifying malicious traffic on the enterprise network. By its very nature, a Honeynet has no production value and should not be generating or receiving any traffic. Thus, any traffic to or from the Honeynet is suspicious in nature. Traffic from the enterprise network to a machine on the Honeynet may indicate a compromised enterprise system.
Source: The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks, John Levine, Richard LaBella, Henry Owen, Didier Contis, Brian Culver. From: Proceedings of the 2003 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY June 2003.
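The detection rule in the abstract is simple enough to show end to end, so here is an added example of mine (not the paper's code or data). The idea is exactly the one stated above: the honeynet has no production value, so a production host talking to it is the most interesting event in the flow logs, and a honeypot talking outbound means the honeypot itself has been taken over. The address layout (an enterprise 10.0.0.0/8 with a 10.250.0.0/16 honeynet inside it) and the flow records are constructed for the illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed layout for the example: the enterprise owns 10.0.0.0/8 and has set
# aside 10.250.0.0/16 as a honeynet that hosts nothing of production value.
ENTERPRISE = ipaddress.IPv4Network("10.0.0.0/8")
HONEYNET = ipaddress.IPv4Network("10.250.0.0/16")

# Constructed flow records, one per line: "timestamp src dst proto dport".
# 203.0.113.9 is an outside scanner, 10.17.4.88 an internal host sweeping
# port 135, and 10.250.3.20 a honeypot that has started talking to an IRC port.
SAMPLE_FLOWS = """\
2003-06-02T10:15:01 203.0.113.9 10.250.3.20 tcp 445
2003-06-02T10:15:02 203.0.113.9 10.250.3.21 tcp 445
2003-06-02T10:15:07 10.17.4.88 10.250.3.20 tcp 135
2003-06-02T10:15:07 10.17.4.88 10.250.3.21 tcp 135
2003-06-02T10:15:08 10.17.4.88 10.250.3.22 tcp 135
2003-06-02T10:15:09 10.17.4.88 10.20.1.5 tcp 135
2003-06-02T10:15:30 10.250.3.20 203.0.113.77 tcp 6667
2003-06-02T10:16:00 10.44.2.1 10.44.2.9 tcp 22
"""


def parse_flows(text: str) -> list:
    """Turn the whitespace-separated records into dicts with parsed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": ipaddress.IPv4Address(src),
                      "dst": ipaddress.IPv4Address(dst),
                      "proto": proto, "dport": int(dport)})
    return flows


def classify(flow: dict, honeynet=HONEYNET, enterprise=ENTERPRISE):
    """Label a flow by its relationship to the honeynet; None if it never touches it."""
    if flow["src"] in honeynet:
        # Honeypots never initiate traffic on their own: assume it has been compromised.
        return "honeynet-outbound"
    if flow["dst"] in honeynet:
        if flow["src"] in enterprise:
            # A production host has no legitimate reason to reach the honeynet.
            return "internal-to-honeynet"
        return "external-to-honeynet"   # ordinary Internet background scanning
    return None


def report(flows: list, honeynet=HONEYNET, enterprise=ENTERPRISE) -> dict:
    """Count flows per label and summarise each internal host seen probing the honeynet."""
    counts = Counter()
    ports = defaultdict(set)
    targets = defaultdict(set)
    for flow in flows:
        label = classify(flow, honeynet, enterprise)
        if label is None:
            continue
        counts[label] += 1
        if label == "internal-to-honeynet":
            ports[str(flow["src"])].add(flow["dport"])
            targets[str(flow["src"])].add(flow["dst"])
    suspects = {ip: {"ports": sorted(ports[ip]), "targets": len(targets[ip])} for ip in ports}
    return {"counts": dict(counts), "suspects": suspects}


if __name__ == "__main__":
    summary = report(parse_flows(SAMPLE_FLOWS))
    print(summary["counts"])
    for ip, info in summary["suspects"].items():
        print(f"possible compromised host {ip}: ports {info['ports']}, "
              f"{info['targets']} honeynet targets")
```

Note what the rule cannot see: the same internal host also probes a real production machine (10.20.1.5), and that flow is invisible to this method. The honeynet only catches hosts whose scanning happens to wander into its address space, which is why the paper cares about how much of the enterprise's space the honeynet covers.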
April 7, 2005 in detection, honeypots, papers
Worm Meets Beehive
I like this paper because it not only demonstrates a method, but also analyses how effective such a proposal would be. Study this one closely; the methods and findings are very interesting.
Internet worms continue to plague the Internet infrastructure with wider and deeper impact since the Morris Worm in early 1988. It has been further shown that better-engineered worms like Warhol worms and Flash worms could spread across the Internet in minutes or even tens of seconds rather than hours. Such virulent spreading invalidates any manual counter-measures and poses an extremely serious threat to the safety of the Internet.
To address this challenge, this paper proposes a novel worm-curtailing scheme, i.e., beehive, which is able to fightback worm propagation by actively immunizing any encountered worm-infected node. More specifically, by owning a portion of the unused but routable IP space that is open to infection attempts of different worms, a beehive not only attracts and traps these attempts, but also defensively gives a security shot to each attempting worm-infected node. The security shot will immunize the infected node so that the node will not be able to infect others. Our formal analysis shows that even one beehive network with a reasonable IP address space can effectively mitigate active spreading of worms among a million nodes. This paper presents both analysis and simulation results of beehive evaluation. Particularly, our results show that for a random-probing worm, a beehive network of 8 class B networks is able to reduce the maximum worm infection coverage to as low as 13%. To the best of our knowledge, no such worm fightback mechanism has been proposed and analyzed before. Finally, a beehive prototype is presented to demonstrate its practicality.
Source: Worm Meets Beehive, Xuxian Jiang, Dongyan Xu, Shan Lei, Paul Ruth and Jianzhong Sun.
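The headline number in the abstract can be sanity-checked with a very simple model, so here is an added example of my own. It is not the paper's formal analysis, which I have not reproduced; the model is an assumption of mine: infected hosts scan uniformly at random, every scan that lands on a vulnerable host infects it, and every scan that lands on a beehive address gets the scanning host immunised. The scan rate and the size of the address space cancel out of the result, so only the ratio of beehive addresses (8 class B networks, 8 * 65,536 = 524,288) to vulnerable hosts (a million, as in the abstract) matters.

```python
import math


def peak_infected_fraction(vulnerable: int, beehive_addresses: int) -> float:
    """Closed-form peak of the infected population in the mean-field model.

    With S susceptible hosts and b beehive addresses, a scan infects with
    probability proportional to S and immunises the scanner with probability
    proportional to b, so dI/dS = -1 + b/S and I(S) = (S0 - S) + b*ln(S/S0).
    I peaks when S = b, giving I_max/S0 = 1 - beta + beta*ln(beta), beta = b/S0.
    """
    beta = beehive_addresses / vulnerable
    if beta == 0:
        return 1.0   # no beehive: nothing ever stops an infected host
    if beta >= 1:
        return 0.0   # more bait than victims: the outbreak never takes off
    return 1 - beta + beta * math.log(beta)


def simulate(vulnerable: int, beehive_addresses: int, initial_infected: int = 10,
             dt: float = 0.01, t_max: float = 200.0):
    """Euler integration of the same model in scaled time (scan rate and the
    2^32 address space divide out). Returns (peak infected fraction,
    fraction of hosts ever infected)."""
    beta = beehive_addresses / vulnerable
    i = initial_infected / vulnerable   # currently infected, as a fraction of S0
    s = 1.0 - i                         # still susceptible
    peak, t = i, 0.0
    while i > 1e-9 and t < t_max:
        new_infections = i * s * dt       # scans that found a vulnerable host
        immunised = i * beta * dt         # scans that found a beehive address
        s -= new_infections
        i += new_infections - immunised
        peak = max(peak, i)
        t += dt
    return peak, 1.0 - s


if __name__ == "__main__":
    million, eight_class_b = 10 ** 6, 8 * 2 ** 16
    print(f"closed form peak: {peak_infected_fraction(million, eight_class_b):.3f}")
    peak, ever = simulate(million, eight_class_b)
    print(f"simulated peak:   {peak:.3f}   ever infected: {ever:.3f}")
    print(f"no beehive peak:  {simulate(million, 0)[0]:.3f}")
```

In this model the closed form comes out at about 13.7% for the abstract's parameters, which lines up with the 13% quoted above, and the numerical integration agrees with it. Two caveats a reader should keep in mind: the result is the peak number of simultaneously infected hosts, while the fraction ever infected in this model is much higher (roughly three quarters), since hosts get immunised only after they have been infected and scanning for a while; and the model only covers a random-probing worm, so the island-hopping worms discussed earlier on this blog, which spend most of their probes close to home, would see the beehive far less often.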
April 6, 2005 in honeypots, papers