honeyspider network
play

HoneySpider Network Fighting client side threats Piotr Kijewski - PowerPoint PPT Presentation

Dec 27, 2023 •133 likes •501 views

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes (GOVCERT.NL) Rogier Spoor (SURFnet) 20th Annual FIRST Conference on Computer Security Incident Handling, June 22-27, Vancouver Goals

  1. HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes (GOVCERT.NL) Rogier Spoor (SURFnet) 20th Annual FIRST Conference on Computer Security Incident Handling, June 22-27, Vancouver

  2. Goals • Introduction honeyclients & malicious servers • Technical ins and outs HoneySpider Network The HoneySpider Network - Fighting client side threats 01-07-08

  3. Outline • Honeyclients • Malicious servers • HoneySpider Network – Why ? • Project status • Technical concept • Wrap up The HoneySpider Network - Fighting client side threats 01-07-08

  4. What is a Honeyclient ? (I) Definition: Honeyclients are active security devices in search of malicious servers that attack clients. The honeyclient poses as a client and interacts with the server to examine whether an attack has occurred. Source: http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient The HoneySpider Network - Fighting client side threats 01-07-08

  5. What is a Honeyclient ? (II) Different honeyclients depending on level of interaction: 4. Low interaction honeyclients 5. High interaction honeyclients The HoneySpider Network - Fighting client side threats 01-07-08

  6. Low Interaction Honeyclient • Light weight or simulated clients (web crawler) • Identifies known attacks based on: - Static analyses - Signatures • May fail to emulate vulnerabilities in client applications • Tools: - HoneyC - SpyBye - PhoneyC The HoneySpider Network - Fighting client side threats 01-07-08

  7. High Interaction Honeyclient • Fully functional operating system with vulnerable applications (browsers, plugins) • Detection of known/unknown attacks via comparison of different states (before and after visit of a server) • Slow & prone to detection evasion • Tools: - Capture-HPC - MITRE Honeyclient - HoneyMonkey The HoneySpider Network - Fighting client side threats 01-07-08

  8. Malicious servers (I) • Drive-by download - Download of malware without knowledge of the user - Malware offered and executed through exploitation of (multiple) vulnerabilities in a browser, plugin, etc - Specific targeted based on browser (IE/Firefox), JVM versions, patch level operating system The HoneySpider Network - Fighting client side threats 01-07-08

  9. Malicious servers (II) • Code obfuscation - Hide the exploit-vector - Evasion of signature-based detection (AV products, Intrusion Detection Systems) - Examples seen for Javascript, VBScript The HoneySpider Network - Fighting client side threats 01-07-08

  10. Malicious servers (III) Exploits imported from other servers via iframes, redirects, Javascript client side redirects Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm The HoneySpider Network - Fighting client side threats 01-07-08

  11. Honeyclient project – Why? • Number of browser exploits increased last years • Better understanding client side threats • Existing tools lack in: - Integration & management - Stability & maturity - Limited heuristics - Stealth technology - Self-learning • Provide a service to constituents/customers The HoneySpider Network - Fighting client side threats 01-07-08

  12. Goal • Detect, identify and describe threats that infect computers through Web browser technology, such as: - Browser (0)-day exploits - Malware offered via drive-by-downloads The HoneySpider Network - Fighting client side threats 01-07-08

  13. Project status • Completed functional & technical requirements • Organized project management • Frequent meetings face-2-face & videoconference • Started software development September 2007 • 1 st Milestone of software developed & currently tested • Development 2 nd Milestone started • Project will be finished first quarter 2009 The HoneySpider Network - Fighting client side threats 01-07-08

  14. Architecture The HoneySpider Network - Fighting client side threats 01-07-08

  15. Technical concept The HoneySpider Network - Fighting client side threats 01-07-08

  16. Import layer The HoneySpider Network - Fighting client side threats 01-07-08

  17. Import layer • URLs (aka objects) report to the import layer via agents (scripts) • URLs prioritized depending on importance / origin (configurable) • Contracted URLs: - Important URLs which need to be checked frequently (sites of constituents / customers) • Web form: - Manual submission of URLs • Loose crawler: - URLs from {Google|Yahoo}-queries The HoneySpider Network - Fighting client side threats 01-07-08

  18. Filter layer The HoneySpider Network - Fighting client side threats 01-07-08

  19. Filter layer • Filter URLs which are: - Already analyzed - Not active (domain or IP unreachable) • Applies on URLs from every source, except contracted URLs • Black list filter: - URLs identified as malicious - Hit count & TTL on URL • White list filter: - URLs identified as benign - Hit count & TTL on URL (or permanent listed) The HoneySpider Network - Fighting client side threats 01-07-08

  20. Analysis layer The HoneySpider Network - Fighting client side threats 01-07-08

  21. Low interaction component (I) • Webcrawler (Heritrix) • Proxy (Spybye) with ClamAV • Snort IDS • Pcap dumps • Extensions: - Rhino (JavaScript engine) -> Javascript de-obfuscation - Heuristics -> Identify obfuscated & malicious JavaScripts The HoneySpider Network - Fighting client side threats 01-07-08

  22. Low interaction component (II) The HoneySpider Network - Fighting client side threats 01-07-08

  23. Low interaction component (III) • Heuristics Currently used to identify obfuscated JavaScripts. In the future also used to identify obfuscated VBScripts and to classify websites ( benign, suspicious, malicious ). • Current implemented heuristics – Weka Classifiers (machine learning techniques) – JSAdvancedEngineDetection – JSIterationCounter – JSExecutionTimeout – JSOutOfMemoryError The HoneySpider Network - Fighting client side threats 01-07-08

  24. Low interaction component (IV) • Heuristics under research Detect malicious web content the same way as detection of spam. • Most promising heuristics - Naïve Bayes (good test results, undergoing further testing ‘in the wild’) The HoneySpider Network - Fighting client side threats 01-07-08

  25. High interaction component (I) • Based on Capture-HPC • Multiple patch levels Microsoft Windows • IE / Firefox (possibly plugins, like QuickTime & Flash) • Checks for: - Started or terminated processes - Filesystem modifications - Registry modifications • Proxy (Spybye) with ClamAV • Snort IDS • Pcap dumps The HoneySpider Network - Fighting client side threats 01-07-08

  26. High interaction component (II) The HoneySpider Network - Fighting client side threats 01-07-08

  27. External analysis • Submission of a binary file or URL to external sources • Results are stored in a database • Plugins for: - VirusTotal - Anubis - Norman Sandbox - CW Sandbox - Stopbadware The HoneySpider Network - Fighting client side threats 01-07-08

  28. And more analysis… • URL Localizer - ASN - Name of the ISP - Country • Active checker - Check if domain still resolves - Check if server is active The HoneySpider Network - Fighting client side threats 01-07-08

  29. Management layer The HoneySpider Network - Fighting client side threats 01-07-08

  30. Management layer • Objects tagging - Confidence level - Priority level - Process classification - Alert classification • Queue manager - Manages the main object-queue • Signature manager - Generation of signatures - Judge quality of signatures - Distribute signatures to {Network|AV} monitor The HoneySpider Network - Fighting client side threats 01-07-08

  31. Presentation layer The HoneySpider Network - Fighting client side threats 01-07-08

  32. Presentation layer • Web-based GUI • Alerter plugin - Sends alerts via email, SMS • Reporter plugin - Creates reports (PDF) with graphical statistics and/or detailed information • External output plugin - External systems can fetch results of processed objects The HoneySpider Network - Fighting client side threats 01-07-08

  33. Wrap up (I) Honeyclients  Honeyclients are active security devices in search of malicious servers that attack clients  Low-interaction honeyclient currently used to detect known attacks  High-interaction honeyclient used to detect known & unknown attacks The HoneySpider Network - Fighting client side threats 01-07-08

  34. Wrap up (II) Honeyclient project  To identify suspicious and malicious URLs  A combination of low- & high-interaction honeyclients  Many URLs from multiple sources processed based on importance The HoneySpider Network - Fighting client side threats 01-07-08

  35. Links • HoneySpider Network http://www.honeyspider.org/ • Capture HPC https://projects.honeynet.org/capture-hpc/ • Heritrix http://crawler.archive.org/ • Weka http://www.cs.waikato.ac.nz/ml/weka/ The HoneySpider Network - Fighting client side threats 01-07-08

  36. Questions ? The HoneySpider Network - Fighting client side threats 01-07-08

Recommend

HoneySpider Network 2.0 detecting client-side attacks the easy way Pawe Pawli nski CERT

HoneySpider Network 2.0 detecting client-side attacks the easy way Pawe Pawli nski CERT

HoneySpider Network 2.0 detecting client-side attacks the easy way Pawe Pawli nski CERT Polska / NASK 24th Annual FIRST Conference 21 June 2012 Pawe Pawli nski (CERT Polska / NASK) HoneySpider Network 2.0 FIRST 2012 1 / 23

280 views • 27 slides
1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

Network Layer Network Layer Chapter 4: Network Layer Mobile network Chapter goals: Global ISP understand principles behind network layer Network Layer services: Home network network layer service models Regional ISP forwarding

550 views • 3 slides
5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

Network Layer Network Layer Network Layer Network Layer Network Layer Comparison of LS and DV algorithms Message complexity Robustness: what happens 1 Introduction 5 Routing algorithms if router malfunctions? LS: with n nodes, E

325 views • 4 slides
7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

Network Layer Network Layer Network Layer Network Layer IP Fragmentation & Reassembly IP Fragmentation and Reassembly network links have MTU length ID fragflag offset (max.transfer size) - largest possible link-level frame.

948 views • 5 slides
Network Coding Network Coding Jie Gao Existing network Existing network Independent data

Network Coding Network Coding Jie Gao Existing network Existing network Independent data

Network Coding Network Coding Jie Gao Existing network Existing network Independent data stream sharing the same network resources Packets over the Internet Signals in a phone network An analog: cars sharing a highway.

1.01k views • 46 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
1 Creating a network app application transport network data link write programs that

1 Creating a network app application transport network data link write programs that

Last time Mobile network Internet overview Global ISP whats a protocol? network edge, core, access network Home network Regional ISP Regional ISP packet-switching versus k t it hi circuit-switching Internet/ISP

524 views • 20 slides
Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network

Network Virtualization What is Network Virtualization? Abstraction of the physical network Support for multiple logical networks running on a common shared physical substrate A container of network services Aspects of the

589 views • 21 slides
4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

Network Layer Network Layer Network Layer Network Layer Routing Table Aggregation - > 4 billion Forwarding table Longest prefix matching possible entries Prefix Match Link Interface Destination Address Range Link Interface 11001000

288 views • 3 slides
Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual circuits

840 views • 42 slides
Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual circuits

524 views • 28 slides
Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer!

Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer!

Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual

757 views • 40 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Data Link Layer MAC address Protocol Network Layer address must identify the network

Data Link Layer MAC address Protocol Network Layer address must identify the network

Overview What is a computer network? CSCE 515: What is the Internet? Computer Network What are the popular network reference Programming model? -- Midterm Review OSI, TCP/IP Wenyuan Xu What is the main responsibilities and

339 views • 12 slides
Data Link Layer MAC address Protocol Network Layer address must identify the network

Data Link Layer MAC address Protocol Network Layer address must identify the network

Overview What is a computer network? CSCE 515: What is the Internet? Computer Network What are the popular network reference Programming model? -- Review (partial) OSI, TCP/IP Wenyuan Xu What is the main responsibilities

299 views • 13 slides
1 Connection-oriented service Connectionless service Goal: data transfer between end systems

1 Connection-oriented service Connectionless service Goal: data transfer between end systems

A closer look at network structure: network edge: applications and hosts network core: Network Overview routers network of networks access networks, physical media: communication links Introduction Introduction 1-1 1-2

543 views • 8 slides
Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer d li delivers segments from s s ts f sending to receiving host application transport network sender encapsulates segments p g

912 views • 44 slides
Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network applications involve the cooperation Client Server Programming Client Server Programming of processes running on different hosts connected by a

323 views • 7 slides
Access Network Access Network Access network: local loop infrastructure It is the last

Access Network Access Network Access network: local loop infrastructure It is the last

Access network and access service Access Network Access Network Access network: local loop infrastructure It is the last mile of the network Connects the user with the first network POP Can use different technologies

369 views • 11 slides
Assistance Network September 2014 Assistance Network Purpose The Assistance Network provides

Assistance Network September 2014 Assistance Network Purpose The Assistance Network provides

Assistance Network September 2014 Assistance Network Purpose The Assistance Network provides education, outreach and in-person assistance driving to enrollment Offers Statewide Coverage Leverages trust, relationships and community

367 views • 13 slides
v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

4.2 Network Flows A directed graph can model a flow network where some material (e.g., widgets, current, . . . ) is produced or enters the network at Mat 3770 a source and is consumed at a sink . Network Flows Production and consumption

465 views • 11 slides
Fieldbus : : Fieldbus Industrial Network Industrial Network Real Time Network Real Time

Fieldbus : : Fieldbus Industrial Network Industrial Network Real Time Network Real Time

Fieldbus : : Fieldbus Industrial Network Industrial Network Real Time Network Real Time Network Jean-Pierre Thomesse Institut National Polytechnique de Lorraine Nancy, France ETR 2005 - Fieldbus - Industrial Network - Real Time Network

1.4k views • 71 slides
The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

Chapter 4: The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network combines two types of domain knowledge to represent a joint probability distribution: qualitative knowledge: a (minimal) directed I-map

1.63k views • 134 slides
Introduction Introduction Srinidhi Varadarajan What is a network? What is a network?

Introduction Introduction Srinidhi Varadarajan What is a network? What is a network?

Introduction Introduction Srinidhi Varadarajan What is a network? What is a network? Carrier of information between connected entities What does a network consist of? End hosts connected to the network Routers/switches that move

690 views • 42 slides

More recommend