Darknoc: Dashboard for Honeypot Management
Total Page:16
File Type:pdf, Size:1020Kb
DarkNOC: Dashboard for Honeypot Management Bertrand Sobesto, Michel Cukier Matti Hiltunen, Dave Kormann, Gregg Vesonder Clark School of Engineering AT&T Labs Research University of Maryland 180 Park Ave. College Park, MD, USA Florham Park, NJ, USA fbsobesto, [email protected] fhiltunen, davek, [email protected] Robin Berthier Coordinated Science Laboratory Information Trust Institute University of Illinois Urbana-Champaign, IL, USA [email protected] Abstract been used to conduct various studies of attackers [1, 9] and analysis of cyber crimes such as unsollicited elec- Protecting computer and information systems from secu- tronic mails, phishing [10], identity theft and denial of rity attacks is becoming an increasingly important task service. The computer security community has used hon- for system administrators. Honeypots are a technol- eypots to analyze different techniques deployed by the ogy often used to detect attacks and collect information attackers to reach their objectives. Attackers’ arsenal about techniques and targets (e.g., services, ports, oper- includes distributed denial of service [24], botnets [2], ating systems) of attacks. However, managing a large worms [11] or SPAM [15]. However few studies focus and complex network of honeypots becomes a challenge on the usage of honeypots data to help network adminis- given the amount of data collected as well as the risk that trators to better protect their production networks. Hon- the honeypots may become infected and start attacking eypot deployment is challenging and the architecture of other machines. In this paper, we present DarkNOC, a such networks is complex. For example, distributed hon- management and monitoring tool for complex honeynets eynets require secure tunnels and different levels of pro- consisting of different types of honeypots as well as other tection must be in place to ensure a total containment of data collection devices. DarkNOC has been actively used attacks targeting the honeypots. In addition, honeynets to manage a honeynet consisting of multiple subnets and require constant monitoring to guarantee that protection hundreds of IP addresses. This paper describes the archi- systems (for example firewalls, traffic shappers) and data tecture and a number of case studies demonstrating the collection are operating correctly. Depending on the size use of DarkNOC. of the honeynet, the volume of data collected can be im- portant and impacts significantly data processing and ex- 1 Introduction traction. To be integrated as a security tool, honeypots data must be presented and translated in meaningful way Because of the value of the data they store and the re- to network administrators. sources they provide, information systems become tar- In this paper, we introduce DarkNOC, a solution de- gets for attackers and must be protected. To better se- signed to efficiently process large amount of malicious cure computer systems from external threats, security traffic received by a large honeynet, and to provide a researchers aim to understand attackers and the differ- user-friendly Web interface to highlight potential com- ent techniques they use to compromise computers and promised hosts to security administrators, as well as to achieve their goals. One possible approach is to use a provide the overall network security status. DarkNOC is target computer, called a honeypot, which is not used used to manage the UMD honeynet, a network of 2,000 by normal users. Therefore, all the activity towards this honeypots from which information about attacks is con- computer can be considered malicious. tinuously extracted and provided to the security team to Individual honeypots or networks of honeypots have help them better protect the production network. The rest of the paper is organized as follows. In Sec- • Snort Events: Snort [20] is an Intrusion Detection tion 2, we provide an overview of the architecture and System (IDS) for detecting attacks and potential in- operation of DarkNOC. In Section 3, we describe the trusions. Snort provides information about the types outputs and views provided by the DarkNOC. We pro- of attacks used against the honeypots. vide a number of case studies using DarkNOC in Section 4. Finally we review the related work in Section 5, we • Malware Collection: Nepenthes acts as a passive provide some remarks on future work in Section 6 and malware collector by emulating common service conclude the paper in Section 7. vulnerabilities and allowing attackers to inject the malware binaries. Nepenthes provides a log of each malware submission containing information such as 2 DarkNOC Architecture the date and the vulnerability used but also the bi- nary injected. This allows DarkNOC to see what This section describes what DarkNOC does, how it col- kinds of malware are successfully uploaded, the se- lects data, and its internal structure. curity signatures, and port used. It also allows to measure the efficiency of the security solution pro- tecting the network. 2.1 System Architecture DarkNOC manages multiple types of honeypots and in- 2.2 DarkNOC Software Architecture formation sources as illustrated in Figure 1. The UMD The design of the DarkNOC software architecture was honeynet consists of low interaction honeypots (LIHs) driven by the following constraints: such as Nepenthes [3] as well as high-interaction honey- pots (HIHs) consisting of virtual or physical machines • The aesthetics from the user’s point of view: The running real operating systems, applications, and ser- user interface should be easy to access and the im- vices [5]. The UMD honeynet supports multiple sub- portant data should be automatically highlighted. nets consisting of IP addresses contributed by different This interface should be highly portable so that organizations participating in the research. DarkNOC users can use different operating systems and access collects multiple sources of information from different the system from different geographic locations (i.e., devices (e.g., NetFlow from Gateway, Snort events from not tied to one dedicated machine). Snort Sensors [20], and malware from Nepenthes), an- alyzes the data, and presents it to users in an efficient • Speed: The user interface must be fast and the user and actionable manner. The details of the data views and should not have to wait for the results to be dis- their use in analyzing security incidents are discussed in played. Processing high volumes of data can be Sections 3 and 4. time consuming and if the processing is started only The current information sources consist of the follow- when the user requests a data view, the response ing: time may not be satisfactory. Therefore, our sys- tem uses data pre-processing when possible to en- sure fast response. • NetFlow Data: DarkNOC uses nfdump1 to extract NetFlow data collected on the main gateway of the • Data validity: The data displayed should be reason- honeypots. The flow data provides enough infor- ably up to date and reflect the current activity. mation to determine the number of attackers, the different source and destination IP addresses, and To meet these requirements, the application software the different source and destination ports. Specifi- has been divided into three different parts: 1) a graphical cally, each NetFlow record summarizes communi- Web front-end, 2) back-end, and 3) alerting module. The cation between two network end points (defined by front-end generates a Web page displaying the different the IP addresses and port numbers of the end points) information. The back-end extracts the necessary data including the time, duration, and numbers of bytes from the flows and creates the different graphs. and packets (see example below), but does not con- tain any payload information (i.e., content of the Back-end Module: Written in Perl, the back-end mod- messages transmitted). ule is a background process that updates the information Date flow start Duration Port Src IP:Port -> Dst IP:Port Packets Bytes Flows displayed by the front-end every 5 minutes based on the 2010-02-09 06:43:... 4294966.937 TCP 218.8.251.187:20347 -> x.x.x.x:80 2 94 1 2010-02-09 06:43:... 4294966.977 TCP 218.8.251.187:20347 -> x.x.x.x:80 2 94 1 NetFlow data. The separation of flow processing from the display was necessary to guarantee a fast response 1http://nfdump.sourceforge.net/ time at the user interface, because the extraction of flow 2 Figure 1: System architecture data can be time consuming. Since the flow data is up- A lock file prevents multiple executions of this process at dated every 5 minutes by the flow collector, a continu- the same time. For each subnet and the global view, the ous live update of the displayed views is unnecessary. back-end generates the different graphs, the list of desti- However it requires the tool to process the new flow files nation ports, the list of attackers and the list of targeted within 5 minutes. DarkNOC provides information for honeypots. The graphs are created using RRDTool2, an the last 24 hours and the last 5 minutes. Two different open source tool for storage and retrieval of time series. processes generate the 24 hours and 5 minutes statistics. For about 2,000 IP addresses, an average of 15,995 flows Graphical User Interface: The graphical user inter- are generated every 5 minutes representing about 5 mil- face organizes the different data necessary to present a lion flows per day. It takes an average of 7.4 seconds summary of the honeypots activity. Web technologies to process a newly created flow file. Given this num- such as the PHP language and Cascading Style Sheets ber, DarkNOC is able to process almost a hundred times are used. A Web page is extremely portable and requires more flows within 5 minutes. Generating the statistics on no configuration on the client side. Figure 2 shows the the last 24 hours is computationally more expensive and homepage of DarkNOC.