6. Malware Collection and Analysis using Honeynets
Sanjeev Kumar
Data Capture and Analysis
C-DAC Mohali

Honeynet/Honeypot Technology
◦ Honeypot/Honeynet Background
◦ Type of Honeypots
◦ Deployment of Honeypots



Data Collection
Data Control
Data Analysis
◦ A honeypot is an information system resource
whose value lies in unauthorized or illicit use of
that resource
◦ Has no production value, anything going to or from
a honeypot is likely a probe, attack or compromise
◦ A highly controlled network where every packet
entering or leaving the honeypot system and
related system activities are monitored, captured
and analyzed.
◦ Primary value to most organizations is information





◦ Fidelity: information of high value
◦ Reduced false positives
◦ Reduced false negatives
◦ Simple concept
◦ Not resource intensive

[Figure: taxonomy of detection techniques. Defensive techniques: signature-based and anomaly-based. Proactive techniques: honeynets. The cycle is monitor, detect, respond.]
[Figure: attackers send attack data through a gateway to Honeypot A.]
4/13/2015
CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS"

Data Control: Contain the attack activity and ensure that the compromised honeypots do not further harm other systems. Outbound control without blackhats detecting control activities.

Data Capture: Capture all activity within the Honeynet and the information that enters and leaves the Honeynet, without blackhats knowing they are being watched.

Data Collection: Captured data is to be securely forwarded to a centralized data collection point for analysis and archiving.

Attacker Luring: Generating interest of the attacker to attack the honeynet.
◦ Static: web server deployment, making it vulnerable
◦ Dynamic: IRC, chat servers, hackers' forums

By level of interaction
◦ High
◦ Low
◦ Middle?

By Implementation
◦ Virtual
◦ Physical

By purpose
◦ Production
◦ Research

Low-interaction
◦ Emulates services and operating systems.
◦ Easy to deploy, minimal risk
◦ Captures limited information

High Interaction
◦ Provide real operating systems and services, no
emulation.
◦ Complex to deploy, greater risk.
◦ Capture extensive information.



Diverts attacker’s attention from the real
network in a way that the main information
resources are not compromised.
Captures samples of new viruses and worms
for future study
Helps to build attacker’s profile in order to
identify their preferred attack targets,
methods.



Prevention of attacks
◦ Through deception and deterrence
Detection of attacks
◦ By acting as an alarm
Response to attacks
◦ By collecting data and evidence of an attacker's activity
GEN III
A highly controlled network where every packet entering
or leaving is monitored, captured, and analyzed.
Data Capture
Data Control
Data Analysis
[Figure: Gen III Honeywall data flow. The honeypot (203.100.79.122, running the Sebek client) sits behind the Honeywall's bridged eth0/eth1 pair (eth1 at 0.0.0.0, i.e. no address); eth2 (192.168.2.2) is the management interface. On the Honeywall, iptables, HIDS, AISD, application logs and system logs are collected; tcpdump writes pcap data; Argus, Snort, p0f, hflowd and sebekd convert everything into a unified format stored in the hflow DB, which the Walleye GUI web interface presents.]

Data capture tools in Gen III Honeynet

Honeywall: network level data capture
◦ Raw packet capture: tcpdump
◦ Analyzed packet capture: Argus
◦ p0f
◦ Snort
Honeypot: system level data capture
◦ System logs: syslogd
◦ Kernel level logs: Sebek client-server
Data Control
Purpose: mitigate the risk of a compromised honeypot being used to harm non-honeynet systems.
◦ Count outbound connections (reverse firewall)
◦ IPS (Snort-Inline)
◦ Bandwidth throttling (reverse firewall)
[Figure: iptables firewall with its INPUT, FORWARD and OUTPUT chains.]
### Set the connection outbound limits for different protocols.
SCALE="day"
TCPRATE="20"
UDPRATE="20"
ICMPRATE="50"
OTHERRATE="5"

# Honeypot-facing bridge interface and the honeypot address being limited.
# Both are referenced by the rules below; the values here are examples
# (the honeypot address is the one shown in the Honeywall diagram).
LAN_IFACE="eth1"
host="203.100.79.122"

# User-defined chain that handles (accepts and tracks) permitted TCP connections;
# it must exist before the first rule below references it.
iptables -N tcpHandler 2>/dev/null

# Rule 1: the first ${TCPRATE} NEW outbound TCP connections per ${SCALE} go to tcpHandler.
# Rule 2: once that budget is exhausted, log at most one attempt per ${SCALE} (LOG is
#         non-terminating, so the packet continues to the next rule).
# Rule 3: drop every further NEW outbound TCP connection from the honeypot.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW \
  -m limit --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} -s ${host} -j tcpHandler
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW \
  -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} \
  -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts "
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
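The following is an added example, not code from the slides or from the Honeynet Project's rc.firewall. It approximates what the three FORWARD rules above do to a burst of outbound connection attempts from one honeypot, by modelling iptables' `-m limit` match as a token bucket (`--limit` is the refill rate per scale, `--limit-burst` the bucket size) and applying the accept/log/drop sequence to constructed connection events. The honeypot address 203.100.79.122 is taken from the Honeywall diagram; the destinations, timestamps, class names and the `constructed_events` helper are this example's own.

```python
"""Approximate the Honeywall reverse-firewall outbound limit in Python.

Added example, not code from the slides or the Honeynet Project's rc.firewall.
Each iptables '-m limit --limit R/SCALE --limit-burst B' match is modelled as a
token bucket holding B tokens, refilled at R tokens per SCALE; the three FORWARD
rules are then: ACCEPT while a token is available, LOG at most once per SCALE
after that, DROP everything else.
"""
from collections import Counter
from dataclasses import dataclass, field

SCALE_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


@dataclass
class LimitBucket:
    """Token bucket standing in for one '-m limit' match."""
    rate: int          # --limit R/scale
    scale: str
    burst: int         # --limit-burst B: bucket size, starts full
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        """True if the match fires for a packet seen at `now` (seconds)."""
        refill = (now - self.last) * self.rate / SCALE_SECONDS[self.scale]
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutboundTcpLimiter:
    """The three FORWARD rules for NEW TCP connections from one honeypot."""

    def __init__(self, tcprate: int = 20, scale: str = "day") -> None:
        self.tcprate = tcprate
        self.accept_limit = LimitBucket(tcprate, scale, tcprate)  # rule 1 -> tcpHandler
        self.log_limit = LimitBucket(1, scale, 1)                 # rule 2 -> LOG
        self.log_lines = []                                       # what the kernel would log

    def decide(self, now: float, src: str, dst: str, dport: int) -> str:
        if self.accept_limit.matches(now):
            return "ACCEPT"            # rule 1: still within the per-scale budget
        if self.log_limit.matches(now):
            # rule 2: LOG is non-terminating, so the packet still falls through to rule 3
            self.log_lines.append(
                f"Drop TCP after {self.tcprate} attempts SRC={src} DST={dst} DPT={dport}")
        return "DROP"                  # rule 3


def constructed_events():
    """Constructed sample: a compromised honeypot tries 25 hosts on port 445
    two seconds apart, then one more connection about 73 minutes later."""
    events = [(2.0 * i, f"10.0.0.{i + 1}", 445) for i in range(25)]
    events.append((4400.0, "10.0.0.200", 445))
    return events


def simulate(events, tcprate: int = 20, scale: str = "day", src: str = "203.100.79.122"):
    """Run the events through the limiter. Returns the per-event verdicts,
    a tally of verdicts and the LOG lines the firewall would have emitted."""
    limiter = OutboundTcpLimiter(tcprate, scale)
    verdicts = [(t, dst, limiter.decide(t, src, dst, dport)) for t, dst, dport in events]
    return verdicts, Counter(v for _, _, v in verdicts), limiter.log_lines


if __name__ == "__main__":
    verdicts, tally, logs = simulate(constructed_events())
    for t, dst, verdict in verdicts:
        print(f"t={t:7.1f}s {dst:<12} {verdict}")
    print(dict(tally), logs)
```

With the slide's values (20 per day, burst 20) the first twenty attempts pass, the twenty-first produces the single log line and is dropped, the rest of the burst is dropped silently, and the connection 73 minutes later passes again because one token (a day divided by twenty, about 72 minutes) has refilled. That refill is the point worth remembering: `--limit 20/day` is a sustained rate with a burst allowance, not a hard count of twenty connections per calendar day.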

Distributed sensor Honeynet
◦ Configuration/
reconfiguration
◦ Central Logging & Alerting
◦ Honeypot management & analysis (forensics take
time!)
[Figure: Network Diagram of Distributed Honeynet System. Remote sensor nodes are placed on broadband provider networks (BSNL /28, CONNECT /28, Airtel /29) and on a large enterprise network (STPI /28 and /27). Each node consists of a router, a host machine running a virtual switch and a software bridge, a Honeywall, a Nepenthes (low-interaction) honeypot and two high-interaction honeypots (Honeypot1, Honeypot2); all nodes report over the Internet to a central database server.]
Life Cycle of Distributed HoneyNet System

[Figure: Remote Node Architecture. A remote node of the DHS runs a low-interaction honeypot and a high-interaction honeynet that feed the Malware Collection Module and its malware collection database. Collected binaries go to the Malware Analysis Module on the central server: a bot detection engine (antivirus, BotHunter), a sandbox for bot execution and a bot binary database. The Botnet Tracking engine and its botnet tracking database complete the cycle.]
Data Analysis Steps

[Figure: Honeywall data flow. Reverse firewall rules (iptables on eth0) control outbound traffic; tcpdump captures pcap data, and the Sebek client on the honeypot reports to sebekd over eth1 (0.0.0.0). The output of Argus, Snort, p0f, hflowd and sebekd is collected and merged, converted into a unified format and stored in the hflow DB, which the Walleye GUI web interface (eth2) presents.]

“Eye on the Honeywall” is a web based
interface for Honeywall Configuration,
Administration and Data analysis
Introduction
◦ Botnet Problem
◦ Typical Botnet Life Cycle
◦ How Botnet Grows
◦ Challenges for Botnet detection
◦ Roadmap to Detection system
◦ Botnet Detection Approaches
◦ Our Implemented Approach
◦ Experiments and results
What Is a Bot/Botnet?
◦ Bot
– A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent
– Profit-driven, professionally written, widely propagated
◦ Botnet (Bot Army): network of bots controlled by criminals
– Definition: "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
– Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
Botnets are used for ...
◦ All DDoS attacks
◦ Spam
◦ Click fraud
◦ Information theft
◦ Phishing attacks
◦ Distributing other malware, e.g., spyware
"... PCs are part of a botnet!"
Typical Botnet Life Cycle
How the Botnet Grows
IRC Botnet Life Cycle
Challenges for Botnet Detection
◦ Bots are stealthy on the infected machines
– We focus on a network-based solution
◦ Bot infection is usually a multi-faceted and multi-phase process
– Only looking at one specific aspect is likely to fail
◦ Bots are dynamically evolving
◦ Botnets can have very flexible designs of C&C channels
– A solution very specific to a botnet instance is not desirable

Network Level
◦ G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic
◦ J. R. Binkley and S. Singh. An algorithm for anomaly-based botnet detection
◦ J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation
◦ C. Livadas, R. Walsh, D. Lapsley, and W. Strayer. Using machine learning techniques to identify botnet traffic

Host Level
◦ E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection
◦ R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors

Hybrid
◦ BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection
Botnet Detection Approaches
◦ Setting up Honeynets (Honeynet Based Solutions)
◦ Network Traffic Monitoring:
– Signature Based
– Anomaly Based
– DNS Based
– Mining Based
Honeynet Based Solution
◦ It enables us to isolate the bot from the network and monitor its traffic in a more controlled way, instead of waiting to be infected and then monitoring the traffic
– Bot execution in Honeynet test bed
– Monitor the traffic generated by bots
◦ Open Analysis:
– Provides connection to the Internet
– More flexible than closed analysis.
Our Implemented Approach
• Honeynet Based Solution
– Achievements
• Approach Implemented
• Honeynet Based Bot Analysis Architecture
• Payload Parser
• Web GUI and report generation
Flowchart
Features
 Systematically collect and analyze
bot traffic over internet
 Provides controlled connection to
Internet: rate limit the outbound
connections.
 It uses network-based anomaly
detection to identify C & C command
sequences
Principal Mechanism for Botnet Detection

Bot Execution
- Bot execution in a Honeynet-based environment
- Collection of execution traces to extract C&C server information
- Complete payload sent to the central server

Payload Parser
- Extraction of IRC and HTTP command signatures

Botnet Observation
- Extraction of attack, propagation scan or other attack commands
- Extraction of specific network patterns, secondary injection attempts

Output
- List of unique C&C servers
- Commands exchanged between bot client and bot server
Botname : B14 , MD5 : a4dde6f9e4feb8a539974022cff5f92c
Symantec : W32.IRCBot, Microsoft : Backdoor:Win32/Poebot
PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk
windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe |
.sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay
of 5 seconds for 9999 minutes using 50 threads.
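An added example, not the payload parser the slides describe, showing how the items listed under Output (unique C&C server, commands exchanged between bot client and server) can be pulled out of the B14 session above. It is a small RFC 1459 line splitter applied to that transcript, embedded as a constant; the `CncObservation` structure, the `looks_like_irc_cnc` heuristic and all other names are this example's own.

```python
"""Extract C&C indicators from a captured IRC bot session.

Added example; not the payload parser from the slides. The transcript below is
the bot B14 session reproduced on the slide, embedded here as a constant so the
script runs offline.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Session of bot B14 as shown on the slide: registration (PASS/NICK/USER),
# the server's PING, the channel topic (numeric 332) carrying commands, and
# the bot's own status report to the channel.
SAMPLE_SESSION = """\
PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
"""

BOT_COMMAND = re.compile(r"^\.[A-Za-z]\w*")   # dot-prefixed verbs such as .vscan, .sbk


@dataclass
class CncObservation:
    servers: set = field(default_factory=set)            # unique C&C servers (IRC prefixes)
    nick: str = ""                                       # nickname the bot registered
    channels: set = field(default_factory=set)
    topic_commands: list = field(default_factory=list)   # commands pushed via the topic (332)
    bot_messages: list = field(default_factory=list)     # (channel, text) the bot sent


def parse_irc_line(line: str):
    """Split one IRC line into (prefix, command, params, trailing) per RFC 1459."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    line, _, trailing = line.partition(" :")
    parts = line.split()
    command = parts[0].upper() if parts else ""
    return prefix, command, parts[1:], (trailing or None)


def extract_cnc(session: str) -> CncObservation:
    """Walk a session transcript and collect server, nick, channel and commands."""
    obs = CncObservation()
    for raw in session.splitlines():
        line = raw.strip()
        if not line:
            continue
        prefix, command, params, trailing = parse_irc_line(line)
        if prefix:
            obs.servers.add(prefix)
        if command == "NICK" and params:
            obs.nick = params[0]
        elif command == "332" and len(params) >= 2:
            # Channel topic used as the command channel: the classic IRC-bot C&C pattern.
            obs.channels.add(params[1])
            for item in (trailing or "").split("|"):
                item = item.strip()
                if BOT_COMMAND.match(item):
                    obs.topic_commands.append(item)
        elif command == "PRIVMSG" and params:
            obs.channels.add(params[0])
            obs.bot_messages.append((params[0], trailing or ""))
    return obs


def command_verbs(obs: CncObservation) -> Counter:
    """Tally the command verbs the botmaster issued (e.g. '.vscan', '.sbk')."""
    return Counter(cmd.split()[0] for cmd in obs.topic_commands)


def looks_like_irc_cnc(obs: CncObservation, min_commands: int = 2) -> bool:
    """Heuristic: a topic carrying several dot-prefixed commands, with the
    client then posting to that same channel, is treated as C&C traffic."""
    reported_to = {channel for channel, _ in obs.bot_messages}
    return len(obs.topic_commands) >= min_commands and bool(obs.channels & reported_to)


if __name__ == "__main__":
    observation = extract_cnc(SAMPLE_SESSION)
    print("C&C servers:", sorted(observation.servers))
    print("nick:", observation.nick, "channels:", sorted(observation.channels))
    print("verbs:", dict(command_verbs(observation)))
    print("IRC C&C?", looks_like_irc_cnc(observation))
```

On the B14 session this yields one C&C server (ftpelite.mine.nu), the channel #100+, eight topic commands (one `.vscan`, seven `.sbk`) and the bot's scan report. In the distributed honeynet the same parser would be fed reassembled TCP streams from the Honeywall's pcap data rather than a pasted transcript, and the extracted server names and verbs are what get written to the C&C server and command lists the Output step describes.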
Experimental Results: IRC

Bot Family      Number of Samples   Percentage (%)
Rbot            70                  6.28
Poebot.gen      32                  2.87
Rbot.gen        30                  2.69
IRCbot.genK     22                  1.99
Poebot.BT       12                  1.08
IRCbot           8                  0.71
Poebot.BI        6                  0.54
IRCbot.genS      4                  0.35
Poebot           4                  0.35
Poebot.T         4                  0.35

In total we could identify 99 IRC-based bot binaries, a rate of 8.25% of the overall binaries in 12 months.
Botnet C&C Server Info

Sno   Source IP         count
1     122.160.115.76    191
2     122.160.76.92      91
3     122.160.42.85      79
4     122.160.1.248      66
5     122.160.74.180     60
6     61.142.12.86       54
7     122.160.136.220    49
8     122.160.154.222    48
9     122.161.16.82      48
10    122.160.75.115     48

Sno   Ports   count
1     445     2571
2     135      139
3     1434     111
4     139       42
5     80        35
6     25        12
7     3306       7
8     705        6
9     161        1