slide background graphics by paul sagona. overview introduction related work proposed approach...
TRANSCRIPT
![Page 1: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/1.jpg)
Slide Background Graphics by Paul Sagona
![Page 2: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/2.jpg)
Overview• Introduction• Related Work• Proposed Approach• Experiment• Results• Conclusion
![Page 3: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/3.jpg)
Introduction: Honeypot• Etymology: Winnie-the-Pooh, who
was lured into various predicaments by his desire for pots of honey[1]
• A trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems[2]
![Page 4: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/4.jpg)
Introduction: Honeypots• Serve as decoys used to distract adversaries from
more valuable machines and resources on a network
• Valuable as a surveillance and early-warning tool• Coupled with IDS, can be effective in detecting
systems with Internet worms and random port scanners
• Personal experience with Offensive Security using Honeypots (IIS, SSH)
![Page 5: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/5.jpg)
Denial-of-Service (DoS) Attack• DoS attacks aim at disrupting the
legitimate utilization of network and server resources
• Threat to both high traffic public services, such as Google, and private services, i.e. subscription –based business services
![Page 6: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/6.jpg)
Denial-of-Service (DoS) Attack• Difficult to prevent due to inevitable software
vulnerabilities• Adversaries directly attack victim machine or
use zombies (any number of compromised machines used to attack a victim’s resources)
![Page 7: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/7.jpg)
Network level DoS Attack• Purpose of network DoS is to congest
network resources like router buffers and link capacity
• Good Defensives: – D-WARD[19]: detects and stops abnormal one-
way flows– Ingress Filtering [9] Stops most spoofed attacks
![Page 8: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/8.jpg)
Service-level DoS Attack• A large number of attack machines acquire
service from a victim server• Consumes server memory and processing, as
well as networking resources along the out path from server
• Not possible using a spoofed source address as a three-way handshake is required for the TCP service
• Honeypots can provide a way to mitigate these attacks by tricking adversaries
![Page 9: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/9.jpg)
Related Works Honeynet [4]• High-interaction honeypot designed to
capture extensive information on threats• Network that contains one or more honeypots• Network of real computers for attackers to
interact with• All captured activity is assumed to be
unauthorized or malicious
![Page 10: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/10.jpg)
Related Works
Honeynet Architecture[4]• Honeywall is the key to the honeynet
Archietecture• It’s a gateway device that separates
honeypots from the rest of the world• 2-layer bridging device
![Page 11: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/11.jpg)
Related Works Honeynet [4]: Basic Jobs• Data Control: Containment of risk, Safeguard
that non-honeynet systems are safe• Data Capture: detect and capture attackers
activities• Data Analysis: to analyze and thus prevent
further attacks
![Page 12: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/12.jpg)
Related Works Honeynet [4]: Risks• Harm when a honeynet system is used to
attack a non-honeynet system• If attackers detect that a system is used as
honeypot, this system’s value is dropped dramatically
• Risk of disabling honeynet functionality• System compromised to house illegal data
(anonymous FTP)
![Page 13: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/13.jpg)
Related Works Virtual Honeypots [5]• Deploying a physical honeypot can be intensive
and expensive • Different operating systems require specialized
hardware and every honeypot requires its own physical system
• Honeyd is a framework for virtual honeypots that simulates virtual computer systems at the network level
![Page 14: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/14.jpg)
Related Works Virtual Honeypots [5]• Require fewer computer systems, thus reducing
costs• Possible to populate a network with hosts
running numerous OS’s• Honeyd simulates virtual networks that consist of
arbitrary routing topologies• For example, if a networking mapping tool like
traceroute were used, it would only discover the topologies simulated by Honeyd
![Page 15: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/15.jpg)
Related Works Virtual Honeypots [5]• Honeyd is used for system security in detecting
and disabling worms, distracting adversaries, and/or preventing the spread of spam email
• Honeyd is a low-interaction virtual honeypot that only simulates the network layer
• Coupled with tools like Vmware, high-interaction can be simulated
![Page 16: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/16.jpg)
Related Works
Virtual Honeypots [5]• Honeyd mimics the network stack behavior of
operating systems to deceive fingerprinting tools like Nmap and Xprobe
• Honeyd’s personality engine can modify packets to match the fingerprints of other operating systems and creates arbitrary virtual routing topologies
![Page 17: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/17.jpg)
Related Works Server Roaming (Work from their previous paper)• Proactive server roaming to mitigate the
effects of Denial-of-Service (DoS) attacks• The active server changes its location within a
pool of servers to defend against unpredictable and undetectable attacks
• Only legitimate clients can follow the active server as it roams
![Page 18: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/18.jpg)
Related Works• Proactive Server Roaming Limitations– Handles only one server active at a time– Requires offline service subscription, which is not
a flexible service model– Servers must keep track of all subscribed client
addresses to send them roaming update messages(reduces flexibility)
– Requires changes in client software– Easy to compromise client and discover service
secrets or eavesdrop to find server address
![Page 19: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/19.jpg)
Problem with Honeypots
• Problem with standard honeypots is that they are deployed at fixed locations.
• Sophisticated attacks can avoid the decoys and thus focus back on legitimate servers
![Page 20: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/20.jpg)
Proposed Approach• Roaming Honeypots can mitigate service-level
DoS attacks against back-end private services• Achieved by a pool of back-end servers
unpredictably changing from service providers to acting as honeypots
• The service is subscription-based; that is, clients need subscribe through front-ends to gain access to the service
![Page 21: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/21.jpg)
Roaming Honeypots• Benefits against service-level: – Filtering effect: Detect attacker addresses so that
their future attempts are filtered out. Good for attacks outside the firewall.
– Connection-dropping: When server switches from idle to active, it drops all current (attack) connections, opening and window for legitimate users before attack build up. Good for attacks inside the firewall.
![Page 22: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/22.jpg)
Service Model• AGN (Access Gateways Network)– Keeps track of current active servers– Clients contact AG’s to subscribe and request
services– After the request is authenticated and authorized,
AG redirect the request to one of the active servers
– Also support dynamic-Load balancing
![Page 23: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/23.jpg)
Service Model• AGN
![Page 24: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/24.jpg)
Service Model• AGN Handles Spoofed Attacks– Legitimate requests are tunneled through the
AGN– For this attack to be successful an attacker needs
to spoof an AG’s address– An AG can easily detect that it is under such an
attack (all its requests are being dropped) and can respond by changing its IP address.
– The AG updates its address registration with the new IP address
![Page 25: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/25.jpg)
Attack Model• Two attack models types– Fixed-target attacks– Follower attacks
• Fixed-Target Attack– The attacker selects few servers and attacks them
continuously• Follower Attacks– The attacker tries to continuously direct the
attack into active servers
![Page 26: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/26.jpg)
Simulation• They used a ns-2(Network Simulator)• A ns is a discrete event simulator for doing
network research• Supports simulation of TCP, routing and
multicast protocols over both wired or wireless networks
![Page 27: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/27.jpg)
Simulation Model• Used FTP server and client modules to be used as
test bed application for simulation• Code works on top of socket layer, where
roaming and TCP agent management takes place• FTP connection stays active until FTP request is
filled or roaming occurs• If roaming is scheduled to cause server to be idle
during an active connection, client module will record current FTP state (remaining bytes) to resume state on new randomly selected server
![Page 28: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/28.jpg)
Simulation Topology
![Page 29: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/29.jpg)
Simulation• To study the connection-dropping effect
separately, they also modeled a roaming scheme in which no filtering takes place
• Roaming honeypots scheme as filter-roaming (or FR),
• The full replication scheme as non-roaming• The scheme with no filtering as roaming (or R). • They refer to the migration interval as M-interval
(or just M)
![Page 30: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/30.jpg)
Results
![Page 31: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/31.jpg)
Results
![Page 32: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/32.jpg)
Results: Mitigation Values• There exists a critical value of M• Below Critical Value– Roaming overhead is dominant– M increases -> frequency of connection re-
establishment decreases resulting in a decreased ART. • Beyond Critical Value– M increases -> ART increases.– Two reasons:
• Connection-dropping effect occurs less frequently• More client requests are issued to attacked server
![Page 33: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/33.jpg)
Results
![Page 34: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/34.jpg)
Results
![Page 35: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/35.jpg)
Results: Attack Load • Filter Roaming:– Keeps the ART stable with increasing attack loads
• Non-roaming:– ART is less for small loads– Art increases for large loads
• Roaming:– ART increases with increasing attack load
![Page 36: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/36.jpg)
Results
![Page 37: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/37.jpg)
Results
![Page 38: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/38.jpg)
Results: Follow Delay• FR:– ART decreases as follow delay increases
• R:– ART decreases as follow delay increases
• Non-roaming:– ART is same for follower and fixed-target attacks
![Page 39: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/39.jpg)
Conclusion: Limitations• This scheme has an overhead that causes
performance degradation • It occurs both in the absence of attacks and
under low attack.• This is mainly because the load is distributed
over k instead of all N servers• During Active to idle state switch, all the
active connections have to be re-established
![Page 40: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/40.jpg)
Conclusion: Future Work• The exact mitigation value depends on the
types of services• Authors see need for mechanism that
adaptively changes the number of concurrent active servers depending on attack loads and client loads
![Page 41: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/41.jpg)
Conclusion• This scheme is described as a subset of servers
that are active and providing service while rest are acting as honeypots, mitigating attacks
• All legitimate requests are directed by the Access Gateway Network
• Although the scheme requires an overhead time for connections, it shows a high performance gain during high attack loads
![Page 42: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/42.jpg)
Questions?• My opinion? Interesting idea, but I believe it is
pointless. Internal DoS attacks is a failure of proper security at an organization. IDS and Firewalls are the choke point of a DoS. Filtering would be done at this point. Honeypots could be used to find zombies?
• Forcing clients to drop connection and reinstate services is unacceptable, too much overhead.
• Honeypots are used for gathering information, not mitigating DoS.
![Page 43: Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion](https://reader034.vdocument.in/reader034/viewer/2022042822/5697bf7d1a28abf838c84682/html5/thumbnails/43.jpg)
References• [1] Wikipedia: Honeypot,
http://en.wikipedia.org/wiki/Honeypot_%28computing%292007
• [2] Mosse, http://oldwww.cs.pitt.edu/~mosse/courses/cs2001/melhem_fall06.ppt, 2006
• [3] Previous presentation by Nikhil Mahajan and Sriharsha Hammika
• [4] Honeynet, http://www.honeynet.org/papers/honeynet/• [5] Provos, Niels , A Virtual Honeypot Framework
http://www.citi.umich.edu/u/provos/papers/honeyd.pdf