A Proposal for Securing a Large-Scale High-Interaction Honeypot
J. Briffaut – J.-F. Lalande – C. Toinard
LIFO, Université d'Orléans / ENSI de Bourges
SHPCS'08, June 2008
(Slide deck, 19 slides: J. Briffaut – J.-F. Lalande – C. Toinard, Securing a Large-Scale High-Interaction Honeypot)
Slide 2/19: Outline
1. Honeypots architecture
2. Security Properties
3. Statistical results
4. Conclusion
Slide 3/19: Section 1, Honeypots architecture
Slide 4/19: Honeypots
Honeypot: a system that welcomes an intruder or system cracker.
Low-Interaction (e.g. Leurré.com): simulation of OS/services; only partial capture of the attack.
High-Interaction (e.g. Honeynet): real operating system; attacks are really performed.
Large-Scale Honeypot: the goal of this work is to combine large scale with high interaction.
Slide 5/19: 1/4: Internet → Honeywall
- Directly connected to the Internet
- Limitation of the bandwidth
- Frontal sensors to analyze the network traffic
Slide 6/19: 2/4: Honeywall → Honeypot cluster
Real Linux/Windows OS, in two classes of hosts:
- Mandatory Access Control hosts (SELinux/Grsecurity): enforce the security properties; never compromised.
- Discretionary Access Control hosts: could be compromised; PXE auto-reinstallation.
Slide 7/19: 3/4: Honeypot cluster → Traces storage
- OSSIM: stores events from OSSIM agents into a MySQL server
- Prelude: aggregates the information collected from Prelude agents
- Syslog (logger): stores all the syslog traces
Slide 8/19: 4/4: Traces storage → Correlation
- Correlation algorithms
- Alarms are visualized
Slide 9/19: Section 2, Security Properties
Slide 10/19: Security Properties
- Integrity of executable contexts: integrity(SC.*:.*:user.*, SC_exec)
- Integrity of the user domain: int_domain(SC.*:.*:user.*)
- Confidentiality System/User: confidentiality(SC_Systeme, sc.*:.*:user.*)
- Duties: separation of modification and execution privileges: duties_sep(SC_Systeme)
- Transition into the user domain: bad_transition(.*:.*:user.*, SC_Systeme)
- Respect of the Access Control Policy: conformity()
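Added example, not code from the paper or from the PIGA tool it relies on: a minimal checker that reads three of the properties above as reachability queries over a constructed flow graph, with SC_exec and SC_Systeme approximated by the assumed patterns `.*:object_r:bin_t` and `system_u:.*:.*`.

```python
import re
from collections import deque

# Constructed sample data (not the deck's graph): direct information flows and
# domain transitions between SELinux-style contexts written user:role:type.
FLOWS = {
    "user_u:user_r:user_t":       ["user_u:user_r:user_tmp_t"],
    "user_u:user_r:user_tmp_t":   ["system_u:object_r:bin_t"],  # write into an executable
    "system_u:system_r:sshd_t":   ["system_u:system_r:init_t"],
    "system_u:system_r:init_t":   ["system_u:object_r:shadow_t"],
    "system_u:object_r:bin_t":    [],
    "system_u:object_r:shadow_t": [],
}
TRANSITIONS = {
    "user_u:user_r:user_t":     ["user_u:user_r:user_ssh_t"],
    "user_u:user_r:user_ssh_t": ["system_u:system_r:init_t"],  # user domain reaches a system domain
    "system_u:system_r:init_t": [],
}

# Context patterns, written like the deck's property signatures.
SC_USER = r".*:.*:user.*"        # any user domain or user object
SC_EXEC = r".*:object_r:bin_t"   # stands in for SC_exec (assumption)
SC_SYSTEM = r"system_u:.*:.*"    # stands in for SC_Systeme (assumption)

def matches(pattern, ctx):
    return re.fullmatch(pattern, ctx) is not None

def reachable(graph, src):
    """Contexts reachable from src through one or more edges (src excluded)."""
    seen, queue = set(), deque(graph.get(src, []))
    while queue:
        ctx = queue.popleft()
        if ctx in seen or ctx == src:
            continue
        seen.add(ctx)
        queue.extend(graph.get(ctx, []))
    return seen

def violations(graph, src_pattern, dst_pattern):
    """(src, dst) pairs where a context matching src_pattern reaches, directly or
    transitively, a context matching dst_pattern. Assumed reading of the deck's
    properties: each forbids every such path, so every pair is one alarm."""
    found = []
    for src in graph:
        if matches(src_pattern, src):
            found += [(src, d) for d in reachable(graph, src) if matches(dst_pattern, d)]
    return sorted(found)

integrity_alarms = violations(FLOWS, SC_USER, SC_EXEC)          # integrity(SC.*:.*:user.*, SC_exec)
confidentiality_alarms = violations(FLOWS, SC_SYSTEM, SC_USER)  # confidentiality(SC_Systeme, sc.*:.*:user.*)
bad_transition_alarms = violations(TRANSITIONS, SC_USER, SC_SYSTEM)  # bad_transition(.*:.*:user.*, SC_Systeme)
```

The two user contexts that can reach the executable object are reported as integrity alarms, no system context reaches a user one, and both user domains that can transition into the system domain are reported as bad transitions.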
Slide 11/19: Security Properties Analysis

Name              Passerelle   Util-1      VMware    Util-2
Graph:
  SC              577          3017        624       595
  IV              17 684       314 582     21 359    18 215
Signatures:
  integrity       137          9 461       186       140
  int_domain      16 283       510 215     18 130    16 546
  confidentiality 29 510       726 842     29 510    29 510
  duties_sep      243          16 405      320       270
  bad_transition  3555         126 228     4250      3941
Total             49 728       1 389 151   52 396    50 407
Analysis time     47s          10min31s    1min2s    52s
Slide 12/19: Section 3, Statistical results
Slide 13/19: Main results
Experimentation from February 27th 2007 to February 21st 2008:
- 8,206,382 events / 302,543 alarms stored = 950 events/hour, 35 alarms/hour
- 45,590 sessions opened by scan robots
- 2,219 sessions performing activities

Table: Main types of alarms

Sensor        Description                                Occurrences
Prelude-lml   SSHd: Root login refused                   498,468
Snort         Destination udp port not reachable         452,011
Prelude-lml   SSHd: Bad password                         49,329
OSSIM         SSHd: Possible brute force tentative       43,989
Prelude-lml   SSHd: Invalid user                         43,311
PIGA          Integrity: system file modification        41,063
Prelude-lml   FTP bad login                              21,366
Snort         Potential outbound SSH scan                19,983
PIGA          Confidentiality: information flow          16,191
...
Slide 14/19: Sensors and port statistics I (figure not included in the extracted text)
Slide 15/19: Sensors and port statistics II (figure not included in the extracted text)
Slide 16/19: Alerts per country, incoming/outgoing I (figure not included in the extracted text)
Slide 17/19: Alerts per country, incoming/outgoing II (figure not included in the extracted text)
Slide 18/19: Section 4, Conclusion
Slide 19/19: Conclusion / Perspectives
Conclusion (now):
- Uptime of 2 years
- Robustness of the proposed architecture
- No reinstallation of the MAC hosts
- Frequent PXE reinstallations of the DAC hosts
Perspectives:
- Correlation: session reconstruction; distributed attacks
- Automatic forensics of compromised hosts
- Malware and attacks database