Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm

Similar documents
Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm

Internet Outbreaks Epidemiology and Defenses

Virtualization as a Defense. Issues raised. Encapsulation for Protection. Motivation 3/18/2009

LaBrea p. 74 Installation and Setup p. 75 Observations p. 81 Tiny Honeypot p. 81 Installation p. 82 Capture Logs p. 83 Session Logs p.

Virtual Machine Monitors (VMMs) are a hot topic in

3-2 GHOST Sensor: Development of a Proactive Cyber-attack Observation Platform

Key Features. DATA SHEET

Malware Research at SMU. Tom Chen SMU

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Active defence through deceptive IPS

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Fast and Evasive Attacks: Highlighting the Challenges Ahead

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Usage of Honeypot to Secure datacenter in Infrastructure as a Service data

CE Advanced Network Security Honeypots

Symantec Endpoint Protection

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Internet Security Threat Report Volume XIII. Patrick Martin Senior Product Manager Symantec Security Response October, 2008

Securing Today s Mobile Workforce

Assessing Global Security Threat Levels Bryan Lu, Project Manager / Researcher

The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Honeypot-Aware Advanced Botnet Construction and Maintenance

Extensible Network Security Services on Software Programmable Router OS. David Yau, Prem Gopalan, Seung Chul Han, Feng Liang

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Boundary detection and containment of local worm infections

Chapter 1 B: Exploring the Network

NetDefend Firewall UTM Services

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

WatchGuard XTMv Setup Guide Fireware XTM v11.8

Anti-DDoS. User Guide. Issue 05 Date

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

FP7 NEMESYS Project: Advances on Mobile Network Security

Cisco Systems Korea

A Unified Threat Defense: The Need for Security Convergence

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Automating Security Response based on Internet Reputation

Presentation by Brett Meyer

Gladiator Incident Alert

Huawei Cloud Fabric Data Center Security and Application Optimization Solution

USG2110 Unified Security Gateways

CSE 120 Principles of Operating Systems

Sizing and Scoping ecrime

Epidemiology and Defenses. Internet Outbreaks: Internet Outbreaks: Department of Computer Science & Engineering. University of California at San Diego

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

CloudAV. Malware Analysis in the Network Cloud. Jon Oberheide. University of Michigan. June 12, 2008 MMC '08

Basic Concepts in Intrusion Detection

GQ: Building a Large-Scale Honeyfarm

McAfee Endpoint Security

Symantec Protection Suite Add-On for Hosted Security

MONITORING AND MANAGING NETWORK FLOWS IN VMWARE ENVIRONMENTS

Service Provider View of Cyber Security. July 2017

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

WatchGuard XTMv Setup Guide

The YAKSHA Cybersecurity Solution and the Ambassadors Programme. Alessandro Guarino YAKSHA Innovation Manager CEO, StudioAG

Maximum Security with Minimum Impact : Going Beyond Next Gen

AutoFocus: A Tool for Automatic Traffic Analysis. Cristian Estan, University of California, San Diego

Cisco IOS Inline Intrusion Prevention System (IPS)

Network Security Protection Alternatives for the Cloud

How To Remove A Virus Manually Windows 7 Without Antivirus Security Pro

Cisco Incident Control System

Prevx 3.0 v Product Overview - Core Functionality. April, includes overviews of. MyPrevx, Prevx 3.0 Enterprise,

Seqrite Endpoint Security

Darknet Traffic Monitoring using Honeypot

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

ISA 564 SECURITY LAB. Introduction & Class Mechanics. Angelos Stavrou, George Mason University


A Honeyfarm Data Control Mechanism: Design, Implementation, Evaluation and Forensic Study

SaaS Flyer for Trend Micro

A Modular Approach for Implementation of Honeypots in Cyber Security

The emerging battle between Cyber Defense and Cybercrime: How Technology is changing to keep Company and HR data safe

DOCUMENT* PRESENTED BY

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

Unit 2 Assignment 2. Software Utilities?

Firewall Identification: Banner Grabbing

Stakeholders Analysis

Advanced Malware Protection. Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe

Intelligent and Secure Network

ARAKIS An Early Warning and Attack Identification System

HYBRID HONEYPOT -SYSTEM FOR PRESERVING PRIVACY IN NETWORKS

Rob Sherwood Bobby Bhattacharjee Ryan Braud. University of Maryland. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.

OS Security IV: Virtualization and Trusted Computing

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End

Internet Outbreaks: Epidemiology and Defenses

Check Point Threat Prevention Appliance With SandBlast Threat Emulation Cloud Service 2015 SWG Industry Assessment

The Threats of Internet Worms. Based on Addressing the Threat of Internet Worms Vern Paxson UCB/ICSI

DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

CSE Computer Security

Symantec Endpoint Protection 14

Deploying File Based Security on Dynamic Honeypot Enabled Infrastructure as a Service Data Centre

Comparative Study of Different Honeypots System

UTM 5000 WannaCry Technote

Honey Pot Be afraid Be very afraid

Transcription:

Scalability, Fidelity, and in the Potemkin Virtual Honeyfarm Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) University of California, San Diego The Potemkin Virtual Honeyfarm 1 / 20

Background Large-scale host exploitation a serious problem Worms, viruses, bots, spyware... Supports an emerging economic criminal enterprise SPAM, DDoS, phishing, piracy, ID theft... Two weeks ago, one group arrested controlled 1.5 M hosts! Quality and sophistication of malware increasing rapidly The Potemkin Virtual Honeyfarm 2 / 20

Motivation Intelligence about new threats is critical for defenders Principal tool is the network honeypot Monitored system deployed for the purpose of being attacked Honeyfarm: Collection of honeypots Provide early warning, accurate inference of global activity, cover wide range of software issues Scalability: How many honeypots can be deployed Fidelity: How accurately systems are emulated : How well innocent third parties are protected Challenge: tension between scalability and fidelity The Potemkin Virtual Honeyfarm 3 / 20

Honeyfarm Scalability/Fidelity Tradeoff High Scalability High Fidelity The Potemkin Virtual Honeyfarm 4 / 20

Honeyfarm Scalability/Fidelity Tradeoff Physical Honeypots (Honeynet Project) VM-based Honeyfarms (Collapsar, Symantec) High Scalability High Fidelity Execute real code The Potemkin Virtual Honeyfarm 4 / 20

Honeyfarm Scalability/Fidelity Tradeoff Lightweight Responders (isink, IMS, honeyd) Physical Honeypots (Honeynet Project) Network Telescopes VM-based Honeyfarms (Collapsar, Symantec) High Scalability Millions of addresses High Fidelity Execute real code The Potemkin Virtual Honeyfarm 4 / 20

Honeyfarm Scalability/Fidelity Tradeoff Lightweight Responders (isink, IMS, honeyd) Physical Honeypots (Honeynet Project) Network Telescopes VM-based Honeyfarms (Collapsar, Symantec) High Scalability Millions of addresses Our Goal: Both High Fidelity Execute real code The Potemkin Virtual Honeyfarm 4 / 20

Approach Approach Network-Level Multiplexing Host-Level Multiplexing Dedicated honeypot systems are overkill Can provide the illusion of dedicated systems via aggressive resource multiplexing at network and host levels The Potemkin Virtual Honeyfarm 5 / 20

Network-Level Multiplexing Approach Network-Level Multiplexing Host-Level Multiplexing Most addresses don t receive traffic most of the time Apply late binding of IP addresses to honeypots Most traffic that is received causes no interesting effects Allocate honeypots only long enough to identify interesting behavior Recycle honeypots as soon as possible How many honeypots are required? For a given request rate, depends upon recycling rate The Potemkin Virtual Honeyfarm 6 / 20

Approach Network-Level Multiplexing Host-Level Multiplexing Effectiveness of Network-Level Multiplexing 1 Active Machines / Total Addresses 0.1 0.01 0.001 1 10 100 Recycling Time (s) The Potemkin Virtual Honeyfarm 7 / 20

Approach Network-Level Multiplexing Host-Level Multiplexing Effectiveness of Network-Level Multiplexing 1 Active Machines / Total Addresses 0.1 0.01 0.001 1 10 100 Recycling Time (s) 2 3 orders of magnitude improvement! The Potemkin Virtual Honeyfarm 7 / 20

Host-Level Multiplexing Approach Network-Level Multiplexing Host-Level Multiplexing CPU utilization in each honeypot quite low (milliseconds to process traffic) Use VMM to multiplex honeypots on a single physical machine Few memory pages actually modified when handling network data Share unmodified pages among honeypots within a machine How many virtual machines can we support? Limited by unique memory required per VM The Potemkin Virtual Honeyfarm 8 / 20

Approach Network-Level Multiplexing Host-Level Multiplexing Effectiveness of Host-Level Multiplexing 4 3.5 Telnet Memory Pages Modified (MB) 3 2.5 2 1.5 1 0.5 HTTP Ping 0 0 20 40 60 80 100 Time (s) The Potemkin Virtual Honeyfarm 9 / 20

Approach Network-Level Multiplexing Host-Level Multiplexing Effectiveness of Host-Level Multiplexing 4 3.5 Telnet Memory Pages Modified (MB) 3 2.5 2 1.5 1 0.5 HTTP Ping 0 0 20 40 60 80 100 Time (s) Further 2 3 orders of magnitude improvement The Potemkin Virtual Honeyfarm 9 / 20

The Potemkin Honeyfarm Architecture Two components: Gateway VMM The Potemkin Virtual Honeyfarm 10 / 20

The Potemkin Honeyfarm Architecture Two components: Gateway VMM Basic operation: Packet received by gateway The Potemkin Virtual Honeyfarm 10 / 20

The Potemkin Honeyfarm Architecture Two components: Gateway VMM Basic operation: Packet received by gateway Dispatched to honeyfarm server The Potemkin Virtual Honeyfarm 10 / 20

The Potemkin Honeyfarm Architecture Two components: Gateway VMM Basic operation: Packet received by gateway Dispatched to honeyfarm server VM instantiated Adopts IP address The Potemkin Virtual Honeyfarm 10 / 20

Requirements VMs created on demand VM creation must be fast enough to maintain illusion The Potemkin Virtual Honeyfarm 11 / 20

Requirements VMs created on demand VM creation must be fast enough to maintain illusion Many VMs created Must be resource-efficient The Potemkin Virtual Honeyfarm 11 / 20

Modified version of Xen 3.0 (pre-release) Flash cloning Fork copies from a reference honeypot VM Reduces VM creation time no need to boot Applications all ready to run Delta virtualization Copy-on-write sharing (between VMs) Reduces per-vm state only stores unique data Further reduces VM creation time The Potemkin Virtual Honeyfarm 12 / 20

Flash Cloning Performance Time required to clone a 128 MB honeypot: Control tools overhead Low-level clone Device setup Other management overhead Networking setup & overhead Total 124 ms 11 ms 149 ms 79 ms 158 ms 521 ms 0.5 s already imperceptible to external observers unless looking for delay, but we can do even better The Potemkin Virtual Honeyfarm 13 / 20

Flash Cloning Performance Time required to clone a 128 MB honeypot: Control tools overhead Low-level clone Device setup Other management overhead Networking setup & overhead Total 124 ms 11 ms 149 ms 79 ms 158 ms 521 ms 0.5 s already imperceptible to external observers unless looking for delay, but we can do even better The Potemkin Virtual Honeyfarm 13 / 20

Delta Virtualization Performance Deployed using 128 MB Linux honeypots Using servers with 2 GB RAM, have memory available to support 1000 VMs per physical host Currently tested with 100 VMs per host Hits artificial resource limit in Xen, but this can be fixed The Potemkin Virtual Honeyfarm 14 / 20

Policies Must also care about traffic going out We deliberately run unpatched, insecure software in honeypots : Should not permit attacks on third parties As with scalability, there is a tension between containment and fidelity Various containment policies we support: Allow no traffic out Allow traffic over established connections Allow traffic back to original host... The Potemkin Virtual Honeyfarm 15 / 20

Implementation in Gateway policies implemented in network gateway Tracks mappings between IP addresses, honeypots, and past connections Modular implementation in Click Gateway adds insignificant overhead ( 1 ms) The Potemkin Virtual Honeyfarm 16 / 20

Traffic Reflection Example gateway policy: Redirect traffic back to honeyfarm The Potemkin Virtual Honeyfarm 17 / 20

Traffic Reflection Example gateway policy: Redirect traffic back to honeyfarm Packets sent out to third parties... The Potemkin Virtual Honeyfarm 17 / 20

Traffic Reflection Example gateway policy: Redirect traffic back to honeyfarm Packets sent out to third parties...... may be redirected back into honeyfarm Reuses honeypot creation functionality The Potemkin Virtual Honeyfarm 17 / 20

Honeypot detection If malware detects it is in a honeypot, may act differently How easy it is to detect virtualization? VMware detection code used in the wild Open arms race between honeypot detection and camouflage Resource exhaustion Under high load, difficult to maintain accurate illusion Large-scale outbreak Honeypot denial-of-service Challenge is intelligently shedding load The Potemkin Virtual Honeyfarm 18 / 20

Summary Can achieve both high fidelity and scalability Sufficient to provide the illusion of scale Potemkin prototype: 65k addresses 10 physical hosts Largest high-fidelity honeypot that we are aware of Provides important tool for study of and defenses against malware The Potemkin Virtual Honeyfarm 19 / 20

For more information: http://www.ccied.org/ The Potemkin Virtual Honeyfarm 20 / 20

Windows on Xen Windows on Xen Camouflage Honeypot Monitoring The Potemkin Virtual Honeyfarm 21 / 20

Camouflage Windows on Xen Camouflage Honeypot Monitoring Malware may detect honeypot environment in various ways: Detect virtualization Via incomplete x86 virtualization Searching for characteristic hardware configurations More complete virtualization can mitigate these leaks Detect monitoring tools Network, VM-instrospection tools harder to detect Detect network environment requirement places some limits on camouflage effectiveness Network security trends may be in our favor here The Potemkin Virtual Honeyfarm 22 / 20

Honeypot Monitoring Windows on Xen Camouflage Honeypot Monitoring Various means to monitor honeypots for interesting activity Network-level monitoring: Network intrusion detection systems, Earlybird-like detectors,... Host-level intrusion detection Virtual machine introspection The Potemkin Virtual Honeyfarm 23 / 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback