honeypot data analysis final presentation
DESCRIPTION
Honeypot Data Analysis Final presentation. By: Michael Kuritzky and Guy Cepelevich Supervisor: Amichai Shulman. What is a Honeypot ?. - PowerPoint PPT PresentationTRANSCRIPT
HONEYPOT DATA ANALYSIS
FINAL PRESENTATION
By: Michael Kuritzky and Guy Cepelevich
Supervisor: Amichai Shulman
M. Kuritzky & G. Cepelevich, Technion
2
What is a Honeypot?
Wikipedia: “In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.”
2010
M. Kuritzky & G. Cepelevich, Technion
3
Project Goals
Deploy a honeypot on the web. Gather information about the usage of
the deployed honeypot (requests and replies).
Store the data for future use. Devise a tool to conveniently review and
manually analyze the info gathered from the honeypot in order to create automatic “rules” that will categorize and filter the existing, and new information.
2010
M. Kuritzky & G. Cepelevich, Technion
4
Implementing our goals 1/4
Deploy a honeypot on the web: In order to entice possible attackers into using
our Honeypot, we “offered” them a service – an anonymizing proxy server, a very popular “tool” in the “scene”.
We used Amazon’s EC2 (Elastic Compute Cloud) machine to run the anonymizing proxy.
2010
M. Kuritzky & G. Cepelevich, Technion
5
Implementing our goals 2/4
Gather information about the usage of the deployed honeypot (requests and replies): We used Privoxy (available from
sourceforge.net) to monitor the traffic and record&store the raw traffic logs in an Amazon EBS (Elastic Block Storage) volume.
2010
M. Kuritzky & G. Cepelevich, Technion
6
Implementing our goals 3/4
Store the data for future use: We wrote a parser to parse the raw privoxy
logs. The parser goes over the logs, one line at a time
(to avoid memory problems), and parses it using several Regular Expressions (a.k.a Voodoo ).
We also wrote a listener which registers with the parser, and is called whenever the parser finishes parsing an entry. The listener inputs the parsed entry into a
MySQL database for future analysis.
2010
M. Kuritzky & G. Cepelevich, Technion
7
DataBase Schema
We use the following tables to store the entries in the DB:
2010
M. Kuritzky & G. Cepelevich, Technion
8
Implementing our goals 4/4
Devise a tool to conveniently review and manually analyze the info gathered from the honeypot in order to create automatic “rules” that will categorize and filter the existing, and new information: This is the largest part in the system and will
be covered in the next couple of slides.
2010
M. Kuritzky & G. Cepelevich, Technion
9
Display&Rule System 1/3
The system consists of 3 panels: Entries Panel:
Convenient display of entries from the DB (all entries, or entries matching a certain rule).
Allows on-the-spot manipulation on the entries.
2010
M. Kuritzky & G. Cepelevich, Technion
10
Display&Rule System 2/3
The system consists of 3 panels: Rule Editing Panel:
Interface for creating “rules” for automatic data manipulation.
2010
M. Kuritzky & G. Cepelevich, Technion
11
Display&Rule System 3/3
The system consists of 3 panels: Rule Management Panel:
Interface for activating and deactivating existing rules.
2010
M. Kuritzky & G. Cepelevich, Technion
12
Classification options
Interest level Many entries result from regular internet usage;
those can often be automatically marked as uninteresting using our rule system.
Some entries, on the other hand, entail potential attacks (sql injection, automation, etc.). those can be marked as interesting, and then manually processed.
Tags Using our rule system, the user can
automatically assign tags to entries that match certain patterns (e.g. suspicious user-agents).
2010
M. Kuritzky & G. Cepelevich, Technion
13
Sample results(from analysing about 90,000 entries, which are about 1.5
days of traffic)
A simple rule to catch porn
And the results: ~1000 entriesMost requests come from the 78.159.125.0 subnet
2010
M. Kuritzky & G. Cepelevich, Technion
14
Sample results(from analysing about 90,000 entries, which are about 1.5
days of traffic)
Suspicious user-agents: users who claim to use Windows 98
And the results: ~9000 entries
2010
M. Kuritzky & G. Cepelevich, Technion
15
Implementation notes
The project was written fully in Java, for the following reasons: Developers’ experience. Extensive integrated and third-party library support (i.e. JDBC
for database connections). In order to organize and save all the information
gathered from our Honeypot, we used a MySQL database. This platform was chosen due to several reasons: Very common Free Easy to access Existing management tools Easy to write rules on the entries Developers’ experience
2010
M. Kuritzky & G. Cepelevich, Technion
16
Future Work
Make the SQL queries more efficient (currently we have a problem dealing with databases with a large number of entries).
Make the user defined queries more structured and guided.
Support for creating automatic queries from multiple selection from the entries table.
Support for reconstruction and “replay” of requests.
2010
M. Kuritzky & G. Cepelevich, Technion
17
Questions?
2010