MISC #3: How Leurré.com Observes the Internet

Thursday, March 30. 2006
If you speak French or German, you should take a look at the issue 23 or 3 of MISC, the magazine on computer security. There is an interesting article by Jacob Zimmermann about Leurré.com. He focuses on the measurement of "Inter-Arrival Times" (IAT) between packets to find anomalies.

There is also a conference paper by Zimmermann et al. that deals with the same topic. It is entitled "The use of packet inter-arrival times for investigating unsolicited Internet traffic" and was presented at SADFE'05, the 1rst International Workshop on Sytematic Approaches to Digital Forensic Engineering in November 2005. Unfortunately, this paper is as far as I see only available via IEEE Xplore.

Abstract:
Monitoring the Internet reveals incessant activity, that has been referred to as background radiation. In this paper, we propose an original approach that makes use of packet inter-arrival times, or IATs, to analyse and identify such abnormal or unexpected network activity. Our study exploits a large set of data collected on a distributed network of honeypots during more than six months. Our main contribution in this paper is to demonstrate the usefulness of IAT analysis for network forensic purposes, and we illustrate this with examples in which we analyse particular IAT peak values. In addition, we pinpoint some network anomalies that we have been able to determine through such analysis.

Continue reading "MISC #3: How Leurré.com Observes the Internet"

Posted by Thorsten Holz in paper at 17:31 | Comment (1) | Trackbacks (0)

SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots

Thursday, March 30. 2006
Long-distance flights have the advantage that you have lots of time to read papers. On the other hand, the drawback of such a trip is that you have to take some time in order to catch up on the work at home... In the next few days I will present a couple of papers I read on my last trip, most of them focussing on bots/botnets and worm detection.

The technical report "SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots" by Portokalidis and Bos from Vrije Universiteit, Amsterdam, describes a system to automatically generate worm signatures. The system uses some well-known tools:

  • honeyd to emulate hosts

  • honeycomb to automatically generate NID signatures (paper on honeycomb)

  • honeybounce, a honeyd plugin to whitelist traffic

  • netfilter, the Linux netfilter/iptables subsystem, to react on the traffic and a Linux kernel module called CBFilter to perform content based filtering

  • A Control Center (CC) based on PostgreSQl to correlate signatures and alerts


All individual pieces are already there and by interconnecting them (together with some new tools like honeybounce and CBFilter), the system is capable of automatically generating and distributing worm signatures. So nothing really new, but a nice engineering solution. Be sure to also take a look at "Autograph: Toward Automated, Distributed Worm Signature Detection", one of the state of the art systems in worm detection.

A complete write-up of SweetBait is also available as the M.Sc. thesis of Georgios Portokalidis entitled "Zero-Hour Worm Detection And Containment Using Honeypots"

Abstract:
As next-generation computer worms may spread within minutes to million of hosts, protection via human intervention is no longer an option. We discuss the implementation of SweetBait, an automated protection system that employs low-interaction honeypots to capture suspicious trafic. After discarding whitelisted patterns, it automatically generates worm signatures. To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. At the same time the signatures are continuously refined for increased accuracy and lower false identification rates. By monitoring signature activity and predicting ascending or descending trends in worm virulence, we are able to sort signatures in order of urgency. As a result, the set of signatures to be monitored or filtered is managed in such a way that new and very active worms are always included in the set, while the size of the set is bounded. SweetBait is deployed on medium sized academic networks across the world and is able to react to zero-day worms within minutes. Furthermore, we demonstrate how globally sharing signatures can help immunise parts of the Internet.

Continue reading "SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots"

Posted by Thorsten Holz in paper at 07:01 | Comments (0) | Trackback (1)
(Page 1 of 1, totaling 2 entries)