a visual analytic approach for analyzing ssh honeypots
play

A visual analytic approach for analyzing SSH honeypots Jop van der - PowerPoint PPT Presentation

May 14, 2023 •556 likes •946 views

A visual analytic approach for analyzing SSH honeypots Jop van der Lelie Rory Breuk National Cyber Security Centre (NCSC-NL) Center for expertise on cyber security and incident response of the Dutch government Preventing ICT and

  1. A visual analytic approach for analyzing SSH honeypots Jop van der Lelie Rory Breuk

  2. National Cyber Security Centre (NCSC-NL) ● Center for expertise on cyber security and incident response of the Dutch government ● Preventing ICT and internet related incidents and coordinates response of these incidents

  3. Introduction ● Network monitoring ● Intrusion Detection System (IDS) ● NetFlow ● Honeypot

  4. Honeypot A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource Spitzner 2003

  5. Honeypot ● Low-interaction ○ Dionaea ○ Amun ● High-interaction ○ (virtual) server with sebek

  6. Honeypot ● Gather malware ● Study worm activity ● Study attacks/attackers

  7. In practice Both SURFnet and the Dutch NCSC use honeypots to monitor their networks but... What can we do with it?!

  8. Research question Which visualizations can be used to give more insight into attacks performed on SSH honeypots?

  9. Kippo: A SSH honeypot ● Emulates an OpenSSH server ● Written in Python ● Possible to implement new commands ● Full interaction with virtual filesystem ○ Medium-interaction honeypot

  10. Related research ● Tools to visualize attacks on your network ○ (but most often IDS logs and NetFlow data)

  11. Related research ● NFlowVis Fischer et al., 2008

  12. Related research ● Malware collected with Nepenthes Blasco et al., 2005

  13. Related research ● IDS logs with NetFlow ● No SSH visualizations ● No in-depth analysis of attacks ● No relations between attacks

  14. Analysis of attacks on Kippo ● SURFcert IDS reporting ● Kippo-graph

  15. SURFcert IDS Reporting

  16. SURFcert IDS Reporting

  17. Kippo-graph

  18. Kippo-graph

  19. Existing reporting limitations ● Attack source IP != attacker IP ○ Geolocation can be misleading ● Unable to view actual session ● No relations between attacks ● Unable to identify attackers ● No interaction with the visualizations

  20. Dataset ● SURFcert IDS database ○ Distributed Intrusion Detection System ○ Passive sensors running multiple honeypots ○ Central logging database ● 6,5 million attacks in the last 20 months ○ 6.273 SSH sessions ○ 56.607 commands

  21. Attack information ● Source IP address ● IP of the honeypot ● Timestamp of the attack ● All commands sent to the honeypot

  22. Visual analytics Visual analytics is an iterative process that involves information gathering, data preprocessing, knowledge representation, interaction and decision making Keim, 2008

  23. Visual analytics Keim, 2008

  24. Visual analytics ● Computationally Enhanced Visualization (V++) ○ Main focus on visualization ○ Supported by automatic computations

  25. Visual analytics mantra Analyse first Show the important Zoom, filter and analyse further Details on demand Keim, 2008

  26. Our approach Analyse first Show the important Details on demand Zoom, filter and analyse further Lelie & Breuk, 2012

  27. Analyse first

  28. Show the important

  29. Details on demand

  30. Details on demand

  31. Zoom, filter and analyse further

  32. Zoom, filter and analyse further

  33. Dashboard

  34. Demo

  35. Conclusion ● Assist the expert in exploring the dataset ● Can find related sessions independent of the IP address ● Browse data without reading all sessions ● Identify servers that host malware ● Identify attackers and groups

  36. Further research ● Integration in SURFcert IDS ● Direct use of Kippo data ● Additions to Kippo ○ Relate brute force login attempts to a session

  37. Questions? {jop.vanderlelie|rory.breuk}@os3.nl

Recommend

Rapid Analytics A visual, live approach to requirements gathering and business analytic

Rapid Analytics A visual, live approach to requirements gathering and business analytic

Rapid Analytics A visual, live approach to requirements gathering and business analytic development Mark Marinelli, VP of Product Management Brought to you by: Agenda Why Do Traditional Analytics Projects Fail? What Is Rapid Analytics?

364 views • 17 slides
Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Metasploit- able Honeypots Wouter Katz Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter Katz Results wouter.katz@os3.nl Conclusions References University of Amsterdam July 4th 2013 Wouter

623 views • 30 slides
A Decision A Decision A Decision-Analytic Approach for A Decision Analytic Approach for

A Decision A Decision A Decision-Analytic Approach for A Decision Analytic Approach for

A Decision A Decision A Decision-Analytic Approach for A Decision Analytic Approach for Analytic Approach for Analytic Approach for P2 2P Cooperation Policy Setting P Cooperation Policy Setting p p y y g g G G. V k l 1 Th G P Vakili

368 views • 18 slides
Visual Litter Surveys Where we came from where we are now and a new approach to Visual Litter

Visual Litter Surveys Where we came from where we are now and a new approach to Visual Litter

Visual Litter Surveys Where we came from where we are now and a new approach to Visual Litter Surveys Morris A. Enyeart, Ed.D. Digital Drifting LLC January 30, 2018 Trad aditions A Are C Chan anging Visual Litter Survey walking

750 views • 27 slides
Weierstras approach to analytic function theory Umberto Bottazzini Dipartimento di

Weierstras approach to analytic function theory Umberto Bottazzini Dipartimento di

Weierstras approach to analytic function theory Umberto Bottazzini Dipartimento di Matematica F. Enriques, Universit` a degli Studi di Milano Berlin, 31 Oktober 2015 Umberto Bottazzini Weierstras approach to analytic function

558 views • 35 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
Independent Parallel Runway Visual Approach in Beijing Capital Airport SUMMARY Basic

Independent Parallel Runway Visual Approach in Beijing Capital Airport SUMMARY Basic

Independent Parallel Runway Visual Approach in Beijing Capital Airport SUMMARY Basic Concepts of Visual Approach The Promoting Process Of Visual Approach (including The Preparation) The Implementation Process Of Visual Approach

368 views • 16 slides
A Decision Analytic Approach for Measuring the Value of Counter-IED Solutions at the Joint

A Decision Analytic Approach for Measuring the Value of Counter-IED Solutions at the Joint

A Decision Analytic Approach for Measuring the Value of Counter-IED Solutions at the Joint Improvised Explosive Device Defeat Organization Presentation to AFCEA-GMU 18-19 May 2010 Ronald Woodaman*, Andrew Loerch**, Kathryn Laskey** *C4I

501 views • 37 slides
Plya Urns An analytic combinatorics approach Basile Morcrette Algorithms project, INRIA

Plya Urns An analytic combinatorics approach Basile Morcrette Algorithms project, INRIA

Plya Urns An analytic combinatorics approach Basile Morcrette Algorithms project, INRIA Rocquencourt. LIP6, UPMC CALIN Seminar 07/02/2012 1/35 Outline 1. Urn model 2. An exact approach boolean formulas 3. Singularity analysis family of

985 views • 63 slides
Designing, Understanding, 1st Approach: Need . . . Interval Computations and Analyzing Proof

Designing, Understanding, 1st Approach: Need . . . Interval Computations and Analyzing Proof

Main Problem: . . . Our Main Claim: Use . . . Why Logic? 1st Approach: . . . Designing, Understanding, 1st Approach: Need . . . Interval Computations and Analyzing Proof Mining 2nd Approach: . . . Potential Use of . . . Unconventional

606 views • 22 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Analyzing the Relationship Between Head Pose and Gaze to Model Driver Visual Attention Sumit Jha

Analyzing the Relationship Between Head Pose and Gaze to Model Driver Visual Attention Sumit Jha

Analyzing the Relationship Between Head Pose and Gaze to Model Driver Visual Attention Sumit Jha and Carlos Busso Multimodal Signal Processing (MSP) Laboratory Department of Electrical Engineering, The University of Texas at Dallas,

453 views • 24 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
ConVis: A Visual Text Analytic System for Exploring Blog Conversations Enamul Hoque, Giuseppe

ConVis: A Visual Text Analytic System for Exploring Blog Conversations Enamul Hoque, Giuseppe

Department of Computer Science University of British Columbia ConVis: A Visual Text Analytic System for Exploring Blog Conversations Enamul Hoque, Giuseppe Carenini {enamul, carenini}@cs.ubc.ca NLP group @ UBC Rise of Text Conversations

423 views • 28 slides
A new functional analytic approach to robust utility maximization in the dominated case Julio

A new functional analytic approach to robust utility maximization in the dominated case Julio

A new functional analytic approach to robust utility maximization in the dominated case Julio Daniel Backhoff Humboldt-Universit at zu Berlin Universit at Wien Joint work with Joaqu n Fontbona of Universidad de Chile I thank the

738 views • 36 slides
Hierarchy-of-Visual-Words: a Learning-based Approach for Trademark Image Retrieval Vtor

Hierarchy-of-Visual-Words: a Learning-based Approach for Trademark Image Retrieval Vtor

Introduction and Motivation Related Work Contributions Universidade Federal Fluminense The Hierarchy-of-Visual-Words Framework Experiments and Results Conclusion and Future Work Hierarchy-of-Visual-Words: a Learning-based Approach for

422 views • 20 slides
On a New Approach for Analyzing and Managing Macrofinancial Risks Robert C. Merton, PhD, School

On a New Approach for Analyzing and Managing Macrofinancial Risks Robert C. Merton, PhD, School

On a New Approach for Analyzing and Managing Macrofinancial Risks Robert C. Merton, PhD, School of Management Distinguished Professor of Finance, Massachusetts Institute of Technology, and Resident Scientist, Dimensional Holdings, Inc.

568 views • 22 slides
Exploiting Heterogeneity in Mobile Opportunistic Netw orks: An Analytic Approach 7 th Annual IEEE

Exploiting Heterogeneity in Mobile Opportunistic Netw orks: An Analytic Approach 7 th Annual IEEE

Exploiting Heterogeneity in Mobile Opportunistic Netw orks: An Analytic Approach 7 th Annual IEEE Communication Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (IEEE SECON10) June 23, 2010 Chul-Ho Lee and Do Young Eun

1.02k views • 38 slides
Interactive Model Learning from High-Dimensional Data: A Visual Analytics Approach Klaus

Interactive Model Learning from High-Dimensional Data: A Visual Analytics Approach Klaus

Interactive Model Learning from High-Dimensional Data: A Visual Analytics Approach Klaus Mueller Klaus Mueller Computer Science Lab for Visual Analytics and Imaging (VAI) Stony Brook University Visual Analytics Visual Analytics (Laymans

1.18k views • 97 slides
Semi-Analytic Approach to Light Simulation Diego Garcia-Gamez & Andrzej Szelc The University

Semi-Analytic Approach to Light Simulation Diego Garcia-Gamez & Andrzej Szelc The University

Semi-Analytic Approach to Light Simulation Diego Garcia-Gamez & Andrzej Szelc The University of Manchester 1 Introduction Optical simulation in LAr detectors is very hard: huge time and memory consuming This issue is even worse in

329 views • 22 slides
Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

922 views • 25 slides
TOWARD A NON-VISUAL IMAGE (an artistic approach) Olivier Perriquet IMAGE IS AN AMBIGUOUS CONCEPT

TOWARD A NON-VISUAL IMAGE (an artistic approach) Olivier Perriquet IMAGE IS AN AMBIGUOUS CONCEPT

TOWARD A NON-VISUAL IMAGE (an artistic approach) Olivier Perriquet IMAGE IS AN AMBIGUOUS CONCEPT THE POWER AND LIMITS OF IMAGES AND METAPHORS VISUAL MODELS IN SCIENCE IMPOSE A CONCEPTUAL FRAMING THE IMAGE SPARKS THE IDEA = DISCOVERY OF DNA

662 views • 18 slides

More recommend