The Honeynet Quarantine: Reducing Collateral Damage Caused by Early Intrusion Response

Birger Tödtmann, Stephan Riebach, Erwin P. Rathgeb
Computer Networking Technology Group
Institute for Experimental Mathematics
University of Duisburg-Essen, Germany
{btoedtmann,riebach,erwin.rathgeb}@iem.uni-due.de

Proceedings of the Sixth International Conference on Networking (ICN'07)
0-7695-2805-8/07 $20.00 © 2007

Abstract: Anomaly based intrusion detection is inherently subject to false alarms. Fast and automated intrusion response based on this type of intrusion detection will cause significant usage restrictions for falsely suspected systems. To avoid these negative effects without sacrificing detection sensitivity or increasing the risk for the production network inadequately, we propose a scheme combining anomaly-based IDS with Honeynet concepts and link layer based VLANs. In addition to introducing the concept, we describe a proof-of-concept implementation and report results from some lab tests confirming the benefits of this approach.

I. INTRODUCTION

Over the last few years mobile computing and wireless access have significantly changed the situation in corporate networks. While some years ago the single entry point, i.e. the router attaching the network to the public internet, could be appropriately secured by firewalls, nowadays there are multiple, often hard to control entry points to the LAN. Moreover, internet worms and viruses [3] have “learned” to spread over networks within a few minutes. If notebooks, tablet PCs, handhelds and smartphones are used in non-secured areas, e.g. in home networks or in public networks on the road, their security cannot be fully controlled by the corporate system administrator. When exposed to the internet without tight protection, these systems can be infected with worms within a couple of minutes [4] [5]. Attaching an infected device to the corporate network can cause rapid spreading of the worm inside the LAN. Therefore, the application of Intrusion Detection Systems (IDS) [1] and Intrusion Response Systems (IRS) in addition to classical firewalls has become more and more crucial.

IDSs are per definition passive systems. Their task is alarm generation rather than system protection by data filtering or by repairing the file system. Hence, human intervention is required to reinstate network integrity. IDSs either use rule based detection approaches (misuse detection) or they try to detect deviations from normal operation, also known as “anomaly detection” [6]. While the first approach only detects well known attacks based on predefined signatures, the latter one is also able to detect previously unknown attack patterns based on deviations from “normal” system and network behavior. However, as “normal” behavior is not fully defined – and may change dynamically – false alarms (false positives) are generated at a certain, sometimes significant, rate. This limits the usefulness of active, automated Intrusion Response Systems trying to protect the network by e.g. shutting down suspicious processes or disabling network connections on affected systems. In case of a false positive, IRSs will cause “collateral damage” by impairing or even deactivating “innocent” hosts. For example, the peer-to-peer based voice-over-IP software Skype [see http://www.skype.com] performs regular peer lookups by scanning IP addresses. An IDS will typically rate this as viral or worm-like behavior unless there is a specific rule set for Skype. Therefore, a tightly configured IRS would deactivate this communication or even disconnect the offending system from the network.

To avoid these negative effects without sacrificing detection sensitivity, we propose to combine intrusion detection and response with mechanisms known from Honeynets [4]. In our approach, suspicious systems are not disconnected totally but automatically quarantined in a special network section – which basically is a Honeynet – by using VLAN technology. There they can be observed in a controlled environment before making a final decision. During quarantine, the suspicious systems are allowed some limited, tightly controlled access to the production network. By defining the allowed level of access to the network, the restrictions for falsely suspected systems can be balanced against the risk generated for the network by quarantined systems. Our proposed solution thus offers a differentiated defense against rapid worm propagation inside local networks.

In section II of this paper, this concept is introduced in more detail. Section III presents a first prototype implementation which demonstrates the feasibility of the concept, while section IV provides first results from lab tests and measurements.

II. THE HONEYNET QUARANTINE

Typical production networks are not protected by sophisticated HIDS installed on every workstation attached to them – due to the effort that has to be spent and the expertise that is required – and therefore intrusions on these end systems will not be detected at first. As a consequence, autonomous malware may spread without control if a mobile, infected system is reconnected to the production
network and it is necessary to identify and disconnect such a system as soon as possible.

Our approach is to reliably identify compromised systems by automatically connecting them to a Honeynet with its sophisticated HIDS sensors – autonomous malware that infects a Honeypot is far easier to detect than doing so in a noisy production environment. However, this automated investigation takes time. In order to provide the user of the system with some basic service during the investigation while at the same time shielding the production network from further infection, our concept is to isolate a computer system fast and automatically when an anomaly-based NIDS reports suspicious activity, but in a soft manner, i.e. without completely disconnecting it from the production network. This reduces the damage incurred if the system was falsely reported. When quarantined in such a way, the Honeypots exposed to the system will either confirm or deny a successful attack such as a viral infection after a predefined holding time. As a result, the restrictions for the user of the potentially compromised system are kept tolerable while an in-depth evaluation of the incident is undertaken and the production network remains protected.¹

Our solution is thus twofold: in the first part, the incident report of an anomaly-based NIDS is used to trigger an isolation procedure that partly removes the offending system from the production network, still allowing harmless, preconfigured traffic back into it while diverting all other traffic to the quarantine network. The second part is to expose (one or more) Honeypots that have been configured like a typical production system – and are thus vulnerable to the same exploits – directly to the suspected machine. If one of the Honeypots is then compromised successfully, its HIDS will report it and the isolation procedure is triggered again, this time to entirely remove the compromised system from the network. If, on the other hand, no further attack attempts are reported from the Honeypots, the isolated system is released back into the production network.

A. Central monitor and investigation system

We start with a NIDS that is enhanced to provide a more sophisticated monitoring and incident investigation system. It contains a modified NIDS sensor, an attachment point mapper and a configuration function to isolate, disconnect or rehabilitate systems in the production network. Furthermore, it connects to a Honeynet into which quarantined systems are moved. This could even be implemented on the monitor and investigation system itself by using virtualization software such as VMware [23].

B. Anomaly detection sensor with two thresholds

A commonly used scheme for anomaly based intrusion detection is to measure the relative frequency by which a specific activity x occurs and use it as an estimate for the probability P(x) of its occurrence. After these measurements, which are sampled during a training phase, an activity is assumed to be an “anomaly” if its occurrence deviates too much from the normal frequency. Therefore, a definition of a threshold by the IDS administrator is necessary – this threshold is consequently also responsible for the rate of false positives and false negatives. In order to allow for a more sophisticated, two-phased intrusion detection scheme as outlined above, we modify the anomaly assessment of the detectors to supply two thresholds that distinguish three areas:

- Normal: Anomaly indicator below lower threshold, event is definitely rated as normal activity.
- Suspicious: Anomaly indicator between lower and upper threshold, further observation in the quarantine network is initiated.
- Alarm: Anomaly indicator above upper threshold, event is definitely rated as dangerous; countermeasures (e.g. shutdown of the switch port) are immediately initiated.

C. Attachment point map

To perform a fast isolation of suspicious systems that is (as far as possible) transparent for the applications running there, we propose to use Virtual LANs (VLANs), which is most convenient as our concept so far only covers Ethernet networks. VLANs can be maintained in complex, hierarchical switched-LAN topologies if IEEE standard 802.1q is applied. Now, as a prerequisite for rapid isolation using VLANs, the switch port to which the suspicious system is attached has to be identified. We do this by utilizing the Simple Network Management Protocol (SNMP, [11]) to reliably extract the physical access port from the switch topology. However, as the query and response processes as well as the correlation of the resulting data take some time, we use a proactive approach where all systems are mapped from their respective IP and MAC addresses to ports when they initially connect to the network.²

D. Isolation and rehabilitation

As mentioned before, we put suspicious systems into quarantine by moving them into a special preconfigured quarantine VLAN. A prerequisite is that all switches are IEEE 802.1q enabled, i.e. the switches are able to recognize the VLAN tags and will process them accordingly. The quarantine VLAN ensures that all data packets from an isolated system are tagged accordingly and are forwarded based on these VLAN tags to the central monitoring system. From there they are relayed either to the quarantine network or the production network, depending on preconfigured forwarding and filtering rules.

¹ The principle of isolation and verification of an initial suspicion is also well known from controlling epidemics and identifying criminals, where it is quite successfully applied.
² In case several systems are connected to the same port via a hub, the whole segment attached to the port is isolated if necessary. If authentication mechanisms on the link layer are used in the network, e.g. IEEE 802.1x [13] and EAP [14], locating the systems is even simpler because the relevant information is explicitly exchanged in these protocols.
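The two-threshold sensor of section II.B, written out as an added Python example (not the authors' Spade modification): P(x) is estimated from relative frequencies sampled in a training phase, each event scores -log2 P(x), and a per-source anomaly indicator is compared against a lower and an upper threshold to yield the three areas. The activity definition, the add-one smoothing, the windowed "surprise above expectation" indicator, the sample traffic and the threshold values are assumptions of this example.

```python
"""Two-threshold anomaly assessment (section II.B); constructed example, not the authors' Spade modification."""
import math
from collections import Counter, defaultdict, deque

NORMAL, SUSPICIOUS, ALARM = "normal", "suspicious", "alarm"


class TwoThresholdDetector:
    """Relative-frequency model of activities x, rated against a lower and an upper threshold.

    Assumptions of this example: an activity x is a (destination host, destination
    port) pair; one event scores -log2 P(x) with add-one smoothing, so a never-seen
    pair gets a large but finite score (Spade-style); the anomaly indicator of a
    source host is the surprise accumulated over a sliding window minus what the
    training data says that many events normally cost.  Ordinary browsing thus
    stays near zero, one odd lookup lands in the suspicious area and a sustained
    run of improbable events reaches the alarm area.
    """

    def __init__(self, lower, upper, window_seconds=10.0):
        if not 0 <= lower < upper:
            raise ValueError("thresholds must satisfy 0 <= lower < upper")
        self.lower, self.upper, self.window = lower, upper, window_seconds
        self.counts = Counter()            # x -> occurrences during the training phase
        self.total = 0
        self.expected = 0.0                # mean score of one training event
        self.history = defaultdict(deque)  # source -> (time, score) pairs inside the window

    def train(self, events):
        """Training phase: events are (src, dst_host, dst_port) tuples of normal traffic."""
        for _src, dst, port in events:
            self.counts[(dst, port)] += 1
            self.total += 1
        self.expected = sum(c / self.total * self.score(*x) for x, c in self.counts.items())

    def score(self, dst, port):
        """Surprise of one activity, -log2 P(x), with P(x) the smoothed relative frequency."""
        p = (self.counts[(dst, port)] + 1) / (self.total + 1)
        return -math.log2(p)

    def assess(self, t, src, dst, port):
        """Rate one observed event; returns (area, indicator) for its source host."""
        hist = self.history[src]
        hist.append((t, self.score(dst, port)))
        while t - hist[0][0] > self.window:
            hist.popleft()                 # forget events that left the window
        indicator = sum(s for _, s in hist) - len(hist) * self.expected
        if indicator < self.lower:
            return NORMAL, indicator
        if indicator < self.upper:
            return SUSPICIOUS, indicator
        return ALARM, indicator


def training_traffic():
    """Constructed normal traffic for the training phase: file shares, DNS, intranet web."""
    return ([("client", "fileserver", 139)] * 120
            + [("client", "dns", 53)] * 60
            + [("client", "intranet", 80)] * 20)


def build_detector():
    # The threshold values are the administrator's choice; these fit the sample data.
    det = TwoThresholdDetector(lower=5.0, upper=25.0)
    det.train(training_traffic())
    return det


def replay(det, events):
    """Feed (t, src, dst_host, dst_port) events in order; returns the area after each one."""
    return [det.assess(*e)[0] for e in events]


if __name__ == "__main__":
    det = build_detector()
    browsing = [(0, "pc1", "fileserver", 139), (1, "pc1", "dns", 53),
                (2, "pc1", "intranet", 80), (3, "pc1", "fileserver", 139)]
    peer_lookup = [(50, "pc2", "10.0.0.77", 33033)]                  # one never-seen destination
    scan = [(100 + i, "pc3", f"10.0.0.{i}", 135) for i in range(6)]  # sustained improbable events
    print(replay(det, browsing), replay(det, peer_lookup), replay(det, scan))
```

With the sample data a single unseen lookup (the Skype case of the introduction) stays in the suspicious area, while the fourth improbable event inside the window crosses the upper threshold.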
Depending on the result of the investigations carried out during the confinement, the isolation/rehabilitation function is instructed either to finally disconnect the suspicious system completely from the production network by shutting down the physical switch port, or to reconnect it to the production network by moving it back to the default VLAN.

E. User-friendly traffic switch

As a result, we have established three distinct network partitions which are connected to the central monitoring system: the production network (default VLAN), a segment which contains suspicious systems separated from the production network (quarantine VLAN) and the Honeynet.

A filter logic within the monitoring system now defines how the packets are forwarded in a user-friendly, but protective manner:

- All 3 network partitions belong to a common bridge.
- Traffic originating from the suspicious system that has been classified as harmless based on predefined rules is allowed back into the production network.
- All other (potentially dangerous) traffic generated by the suspicious system is diverted to the Honeynet.
- Traffic from both production network and Honeynet destined to the suspicious system is delivered there.
- All traffic between the production network and the Honeynet is blocked.

In such a scenario, a basic service can be provided to the isolated system during the quarantine period. The potential risk for the production network emanating from the applications classified as harmless can be further minimized by using a local Intrusion Prevention System, e.g. snort_inline [15]. With this extension, Snort can modify the monitored traffic in such a way that specific attack patterns are normalized.³

F. Quarantine investigation

The quarantine VLAN is, through the rules described above, directly connected to the Honeynet, where the Honeypots represent typical systems similar to those found in the production network. This reflects the actual threat level for the production network.

Due to their HIDS sensors, which can safely report almost any activity going beyond the usual internal system maintenance as an intrusion, the Honeypots are able to verify the intrusion of the suspicious system quickly and reliably (as it is the only source of an attack) and will report it to the central monitoring system. It is crucial for the effectiveness of the overall concept that the HIDS operates with a low latency, i.e. rather than only performing periodic checks of MD5 checksums [8], tighter monitoring of local process activity, disk and (system) file access is necessary. These techniques provide the quarantine network and its Honeypots with examination and observation capabilities way beyond those feasible in the production network. Compromised Honeypots should be automatically restarted with a clean configuration once the isolated system has been removed from the Honeynet.

G. Quarantine timer

The partial isolation of suspicious systems is controlled by a timer which is preconfigured by the network administrator to balance the detection accuracy against the restrictions imposed on the isolated systems. If no attack activities are detected on the Honeypots during this time period, it is assumed that the suspicion was unsubstantiated. The system is moved back to the production network in this case and, thus, fully rehabilitated.

III. PROTOTYPE IMPLEMENTATION

Whereas the conceptual approach is quite straightforward, the technical details are more complicated, as first lab trials demonstrate. In order to show the feasibility of the ideas that have been outlined above, we set up a small test scenario. There, we attached a first prototype of our monitoring system and conducted several tests that demonstrate that the basic functionality is available and also yielded measurements on the performance of the solution. We used Cisco switch equipment to provide the link layer network infrastructure, WindowsXP systems for the clients and a Linux system as central monitoring and investigation system for IDS, rapid isolation and Honeynet quarantine. As illustrated by Figure 1, the production Ethernet network is in VLAN 2,⁴ whereas the quarantine VLAN has been given the ID 3.

[Fig. 1: User-friendly system isolation and intrusion investigation by Honeypot exposure – topological view. Elements shown: suspicious system (VLAN 3) and production network (VLAN 2), each attached via a trunk to the monitor & investigation system (bridge), which also hosts the honeypot (VMware).]

The switches were configured such that trunk ports use 802.1q VLAN tagging. The monitoring system was also attached to a trunk port, where we set up two pseudo-interfaces, one belonging to VLAN 2 (eth0.2), the other to VLAN 3 (eth0.3). Under normal operation, VLAN 3 is rather inactive as the only system participating in this VLAN is the monitoring system itself.

³ This makes sense especially if email is still allowed, to avoid spreading of viruses that use this as transport mechanism.
⁴ The reason to use VLAN id 2 instead of the default VLAN (untagged) is that Linux is not able to bridge between a non-VLAN interface and a VLAN pseudo-interface if it has the non-VLAN interface as physical parent.
A. Snort/Spade configuration

As NIDS to look out for anomalies occurring within the network we used the toolset Snort/Spade. Spade is an anomaly-based detection plugin for Snort that can be given an anomaly score threshold and will report an incident if it observes network activity whose anomaly score exceeds this threshold [10]. For the first prototype, we did not enhance the Spade engine to offer a two-threshold reporting scheme but simply used it with one threshold set at its default value. Thus we had no upper bound which could indicate a “definite incident” but rather a huge margin of suspicion (the other threshold then being, by definition, infinite).⁵ The Snort process was then set up to report incidents via the syslog mechanism available in Linux, which in turn was configured to deliver alert messages from Snort to a named pipe “/hq/snortreport” to which our monitoring and investigation procedure “honidsctl” was attached:

    eth0.2 → snort → sysklogd → /hq/snortreport → honidsctl

B. Arpwatch combination with SNMP

We used the program arpwatch to detect newly activated systems within the network [20]. When arpwatch sees a new station, we call a script “mac2port” (this is done by using the “-s” switch available in the Debian version of arpwatch) that then automatically extracts the attachment point, i.e. the port to which the new system has been attached, by use of SNMP requests to all switches.⁶ At worst we have to issue three requests and wait for three responses for all switches in the network to obtain a valid result. We then save the information <MAC-Addr>:<Switch-IP>:<ifIndex> in a file with the IP address of the system as filename for later use by the isolation/rehabilitation function:⁷

    eth0.2 → arpwatch → mac2port → /hq/<ipaddr>

C. Isolation/rehabilitation control with SNMP

When Snort/Spade flags a suspicious system, our control procedure can thus look up the switch and the port of the offender and move the system into the quarantine VLAN by sending an SNMPv3 “set” request to the switch which contains vmVlan.<ifIndex> as OID and the new VLAN id “3” as value. A second message has to ensure that the corresponding MAC address is cleared from the internal MAC table of the switch.⁸ The performance of this operation depends on the speed of the network and is usually completed within a second as it takes almost no time at the switch.

                          qtimer (started)
                               ↑
    /hq/snortreport → honidsctl → snmpset
                               ↑
                        /hq/<ipaddr> (looked up)

We thus ensured that upon Snort issuing the first alert (under slight network load this is done between 1-2 seconds after observing the suspicious activity), our mechanism isolated the corresponding system very fast and efficiently. Furthermore, the control program fires up a timer (“qtimer”) that will trigger the rehabilitation function after 20 minutes by using a named pipe called “notguilty”:

    qtimer → /hq/notguilty → honidsctl → snmpset

The control program will then, with similar SNMP messages as used for isolation, move the port back into VLAN 2. A third named pipe, called “guilty”, will inform the control program to shut down the offending system in case of a confirmed compromise – it is used by the HIDS observing the Honeypot (see below):

    grep → /hq/guilty → honidsctl → snmpset
                            ↓
                      VMware reboot

D. VMware-based Honeypot and HIDS setup

Whereas a full-fledged, non-virtualized Honeynet may have its benefits, we decided to use a simple VMware Honeypot for our prototype which had the same WindowsXP version installed as our production clients had. Besides simplicity, VMware and Usermode Linux provide efficient ways to re-initialize Honeypots after they have been compromised, which was of more importance than forensic investigations on the inner workings of a caught virus. We thus used VMware’s methods to make the working disk of the guest system non-persistent, which means that changes to the disk image made by the guest operating system will not be written to the original file but to a so-called REDO file. This not only provided us with a mechanism to clean a compromised Honeypot very easily (by simply rebooting it from the original, write-protected image file), it also made finding unauthorized file access much faster because only the REDO file had to be investigated for filesystem changes. In order to accomplish this, we had to install the WindowsXP that serves as the guest system into a FAT32 filesystem because the NTFS filesystem is not very suitable for finding differences. In fact VMware writes single sectors that have been changed by the guest to the REDO file, thus it contains not a filesystem but only small parts of it. However, with FAT32 it is possible to observe the names of newly created files within the guest system. We implemented this by periodically making a copy of the REDO file and letting the utility xdelta compare both files after 10 seconds:

    vmware → /hq/vmpot.vmdk-s001.REDO_7JhTOS ─┐
                                              ├→ xdelta → /hq/vmpot.vmdk-s001.REDO_7JhT.delta → grep → /hq/guilty
    /hq/vmpot.vmdk-s001.REDO_7JhTOS.10s-ago  ─┘

This very simple HIDS running on the VMware host (our Linux system) was able to detect several different virus infections by observing new .DLL and .EXE files written to the REDO log via the simple grep utility.

⁵ One could also get a two-threshold Snort system by setting up two Snort/Spade processes with differing threshold configuration: if only one of them reports an incident, the “suspicious” area is flagged.
⁶ This is accomplished by issuing three SNMPv3 requests obtaining OIDs from the Bridge- and Interface-MIBs: the dot1dTpFdbPort.<MAC-Addr> OID will contain the bridge port of the system with the observed MAC address; the corresponding ifIndex of the Interface-MIB can be mapped from dot1dBasePortIfIndex.<Bridge-Port>, and by reading vmVlan.<ifIndex> from Cisco’s VLAN-MEMBERSHIP-MIB we can assess whether the found port is a trunk port (which is then not the attachment point because it will never be on a trunk).
⁷ This procedure will have to be refined in the future as spoofing IP and MAC addresses by an attacker may currently result in huge file system bloat.
⁸ Many switching products cannot handle the same MAC address in different VLANs because they don’t maintain separate MAC address tables per VLAN. This has to be considered when building such a link layer based isolation system.

[Fig. 3: Step 2a – bridge harmless traffic to production network (VLAN2). Elements shown: suspicious system, harmless traffic, monitor & investigation system (bridge), production network (VLAN 2), honeypot (VMware).]
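The REDO-file inspection of section III.D, as an added Python example that is not the prototype's xdelta/grep pipeline: two constructed snapshots of the non-persistent disk are compared sector by sector, and the changed sectors are parsed as FAT32 8.3 directory entries instead of being grepped for ".EXE", which also sidesteps the split-name problem reported in section IV.B. The sector size, the directory layout and the sample entries are assumptions of the example.

```python
"""REDO-file HIDS of section III.D; constructed example, not the prototype's xdelta/grep pipeline.

Two snapshots of the non-persistent disk (taken 10 s apart) are compared sector
by sector; each changed sector is parsed as FAT32 directory entries and new
file names with a watched extension are reported.
"""
SECTOR = 512
DIR_ENTRY = 32
ATTR_VOLUME, ATTR_DIR, ATTR_LFN = 0x08, 0x10, 0x0F
WATCHED = {"EXE", "DLL"}          # extensions the prototype watched for


def changed_sectors(old, new):
    """Indexes of the sectors whose content differs between the two snapshots."""
    length = max(len(old), len(new))
    return [i // SECTOR for i in range(0, length, SECTOR)
            if old[i:i + SECTOR] != new[i:i + SECTOR]]


def short_names(sector):
    """Yield NAME.EXT of every live 8.3 file entry found in one sector.

    Long-name fragments (attr 0x0F), deleted entries (first byte 0xE5), volume
    labels and directories are skipped.  A data sector may still parse into
    spurious entries; the printable-name test filters most of them, and any
    survivor with a watched extension should be treated as a possible false positive.
    """
    for off in range(0, len(sector) - DIR_ENTRY + 1, DIR_ENTRY):
        entry = sector[off:off + DIR_ENTRY]
        first, attr = entry[0], entry[11]
        if first in (0x00, 0xE5) or (attr & ATTR_LFN) == ATTR_LFN:
            continue
        if attr & (ATTR_VOLUME | ATTR_DIR):
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        if not name or not all(32 < ord(c) < 127 for c in name + ext):
            continue
        yield f"{name}.{ext}" if ext else name


def new_executables(old, new):
    """Watched file names that appear in a changed sector of NEW but were not in OLD."""
    found = set()
    for s in changed_sectors(old, new):
        before = set(short_names(old[s * SECTOR:(s + 1) * SECTOR]))
        after = set(short_names(new[s * SECTOR:(s + 1) * SECTOR]))
        found.update(n for n in after - before if n.rpartition(".")[2] in WATCHED)
    return sorted(found)


def dir_entry(name, ext, attr=0x20, deleted=False):
    """Build one 32-byte FAT32 short directory entry (timestamps and cluster left zero)."""
    entry = bytearray(DIR_ENTRY)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = attr
    if deleted:
        entry[0] = 0xE5
    return bytes(entry)


def build_snapshots():
    """Constructed REDO snapshots: sector 1 is the root directory, the rest is data."""
    root_before = dir_entry("NTLDR", "") + dir_entry("BOOT", "INI") + dir_entry("WINDOWS", "", ATTR_DIR)
    # A long-name fragment ("msbla" in UTF-16LE) precedes the new short entry, as FAT32 writes it.
    lfn = bytes([0x41]) + "msbla".encode("utf-16le") + bytes([ATTR_LFN]) + bytes(20)
    root_after = (root_before + lfn + dir_entry("OLD", "DLL", deleted=True)
                  + dir_entry("MSBLAST", "EXE") + dir_entry("NOTES", "TXT"))
    pad = lambda b: b + bytes(SECTOR - len(b))
    old = bytes(SECTOR) + pad(root_before) + bytes(2 * SECTOR)
    new = bytes(SECTOR) + pad(root_after) + bytes(SECTOR) + b"A" * SECTOR  # sector 3: plain data written
    return old, new


if __name__ == "__main__":
    old, new = build_snapshots()
    print(changed_sectors(old, new), new_executables(old, new))
```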
E. Bridge and filter configuration

In order to transparently forward traffic on the link layer between the three network partitions, we enabled bridging within the Linux system and attached the three interfaces eth0.2, eth0.3 and vmnet1 to the bridge interface br0 using the brctl program. Now, to enforce the confinement of a system that has been moved to the quarantine VLAN 3, we configured the Linux packet filtering software netfilter via the utilities iptables and ebtables [21, 22] in such a way that only DNS, WWW and SMB traffic is allowed to pass from eth0.3 to eth0.2, thus leaving the quarantine network and entering the production network:

    # allow arp
    ebtables -t nat -A PREROUTING -j ACCEPT --in-if eth0.3 --protocol arp --arp-opcode Request
    ebtables -t nat -A PREROUTING -j ACCEPT --in-if eth0.3 --protocol arp --arp-opcode Reply

[Fig. 2: Step 1 - bridge ARP packets transparently to enable MAC address lookup. Elements shown: suspicious system, monitor & investigation system (bridge), ARP requests and replies, production network (VLAN 2), honeypot (VMware).]

This allows all systems to look up each other's MAC address transparently without further interference. When in the next step the suspicious system wants to connect to a production system, our traffic switch differentiates between harmless traffic and all other traffic, which is redirected to the Honeypot (as illustrated by Figures 2 and 3):

    # allow certain production services (dns, shares, web) to be reached
    ebtables -t nat -A PREROUTING -j ACCEPT --in-if eth0.3 --protocol ip --ip-destination 0.0.0.0 --ip-protocol 17 --ip-destination-port 53
    iptables -t nat -A PREROUTING -j ACCEPT -m physdev --physdev-in eth0.3 --destination 0.0.0.0 --protocol udp --destination-port 53
    ebtables -t nat -A PREROUTING -j ACCEPT --in-if eth0.3 --protocol ip --ip-destination 0.0.0.0 --ip-protocol 6 --ip-destination-port 139
    iptables -t nat -A PREROUTING -j ACCEPT -m physdev --physdev-in eth0.3 --destination 0.0.0.0 --protocol tcp --destination-port 139
    ebtables -t nat -A PREROUTING -j ACCEPT --in-if eth0.3 --protocol ip --ip-destination 0.0.0.0 --ip-protocol 6 --ip-destination-port 80
    iptables -t nat -A PREROUTING -j ACCEPT -m physdev --physdev-in eth0.3 --destination 0.0.0.0 --protocol tcp --destination-port 80

The redirection of traffic towards the Honeypot has to be done in a bit more sophisticated way, as we need to exchange the destination IP and MAC addresses of packets coming from the suspicious system to be forwarded to the Honeypot system with IP address 10.0.0.1 and MAC address 00:0c:29:a2:e3:63 (which is a WindowsXP system and has no Honeyd functionality to attract all traffic to it):

    # DNAT all other traffic to Honeypot (IP & MAC)
    ebtables -t nat -A PREROUTING -j dnat --in-if eth0.3 --to-destination 00:0c:29:a2:e3:63
    iptables -t nat -A PREROUTING -j DNAT -m physdev --physdev-in eth0.3 --to-destination 10.0.0.100

This allowed us to safely bridge all traffic from eth0.3 to vmnet1, through which the Honeypot is connected with the Linux VMware host, without reconfiguring the network of the Honeypot all the time. On the other hand, when the Honeypot now sends response packets back to the suspicious system, we can switch the source IP addresses back by using Linux's connection tracking mechanism. However, the source MAC addresses cannot be reinstated as the Linux netfilter system currently does not support connection tracking on the link layer. This will not affect the applications running on the systems but may serve malicious code to detect our detour to the Honeypot.

[Fig. 4: Step 2b – packets not matching the “harmless” filter specification are redirected towards the Honeypot using DNAT on the link and network layers. Elements shown: suspicious system, monitor & investigation system (bridge), production network (VLAN 2), honeypot (VMware).]

The last matching rule in our filter setup was then to drop all other packets; this in fact prohibits any traffic from being forwarded between vmnet1 and eth0.2.

The bridge and filter configuration for the prototype is set up when the enhanced monitoring system boots up, together with Snort and the VMware guest system, which is also started automatically.
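The attachment point map of section III.B (the three MIB objects of footnote 6) and the isolation/rehabilitation control of section III.C, combined into one added Python example that is not the prototype's mac2port or honidsctl. The Switch class is an in-memory model standing in for the SNMP agent; that trunk ports answer noSuchInstance for vmVlan, that the MAC-table flush is a second set request, the ifAdminStatus shutdown for the "guilty" case and the sample topology are assumptions of this example.

```python
"""Attachment-point map (section III.B) and isolation control (section III.C); constructed example."""
PRODUCTION_VLAN = 2
QUARANTINE_VLAN = 3
IF_UP, IF_DOWN = 1, 2   # ifAdminStatus values up(1)/down(2) from the IF-MIB


class Switch:
    """In-memory stand-in for one 802.1q switch and its SNMP agent (assumption of this example)."""

    def __init__(self, ip, access_ports, trunk_ports):
        """access_ports / trunk_ports: lists of (bridge port, ifIndex) pairs."""
        self.ip = ip
        self.dot1dTpFdbPort = {}                          # learned MAC -> bridge port
        self.dot1dBasePortIfIndex = dict(access_ports + trunk_ports)
        # Modelled so that vmVlan has an instance for access ports only; a trunk
        # port therefore answers noSuchInstance (None) when queried.
        self.vmVlan = {ifidx: PRODUCTION_VLAN for _, ifidx in access_ports}
        self.ifAdminStatus = {ifidx: IF_UP for _, ifidx in access_ports + trunk_ports}
        self.set_log = []                                 # every set request the agent received

    def learn(self, mac, bridge_port):
        self.dot1dTpFdbPort[mac] = bridge_port

    def get(self, obj, index):
        """SNMP GET of <obj>.<index>; None where the agent would answer noSuchInstance."""
        return getattr(self, obj).get(index)

    def set(self, obj, index, value):
        """SNMP SET of <obj>.<index>; value None removes the entry (used for the MAC-table flush)."""
        self.set_log.append((obj, index, value))
        table = getattr(self, obj)
        if value is None:
            table.pop(index, None)
        else:
            table[index] = value


def mac2port(mac, switches):
    """Correlate the three objects of footnote 6 on every switch.

    Returns (switch, ifIndex) of the access port behind which MAC was learned, or
    None.  A trunk port that learned the MAC only relayed its frames and is skipped.
    """
    for sw in switches:
        bridge_port = sw.get("dot1dTpFdbPort", mac)
        if bridge_port is None:
            continue
        ifindex = sw.get("dot1dBasePortIfIndex", bridge_port)
        if ifindex is None or sw.get("vmVlan", ifindex) is None:
            continue                                      # unknown port, or a trunk
        return sw, ifindex
    return None


def record_attachment(hq, ip, mac, switches):
    """arpwatch hook: store <MAC-Addr>:<Switch-IP>:<ifIndex> under the host's IP.

    hq stands in for the prototype's /hq/ directory (a dict keyed by IP address).
    """
    found = mac2port(mac, switches)
    if found is None:
        return False
    sw, ifindex = found
    hq[ip] = f"{mac}:{sw.ip}:{ifindex}"
    return True


def honidsctl(hq, switches, ip, verdict):
    """Control step for one system: 'suspicious' (from /hq/snortreport), 'notguilty'
    (from qtimer) or 'guilty' (from the Honeypot HIDS).  Returns the switch it changed."""
    mac, switch_ip, ifindex = hq[ip].rsplit(":", 2)      # rsplit: the MAC itself contains colons
    ifindex = int(ifindex)
    sw = next(s for s in switches if s.ip == switch_ip)
    if verdict == "suspicious":
        sw.set("vmVlan", ifindex, QUARANTINE_VLAN)
        sw.set("dot1dTpFdbPort", mac, None)               # second message: flush the stale MAC entry (footnote 8)
    elif verdict == "notguilty":
        sw.set("vmVlan", ifindex, PRODUCTION_VLAN)
        sw.set("dot1dTpFdbPort", mac, None)
    elif verdict == "guilty":
        sw.set("ifAdminStatus", ifindex, IF_DOWN)         # administratively shut the access port
    else:
        raise ValueError(f"unknown verdict {verdict!r}")
    return sw


def lab():
    """Constructed topology: the suspect hangs off sw1 port 2; sw2 learned its MAC on a trunk."""
    sw1 = Switch("10.0.0.251", access_ports=[(1, 1), (2, 2)], trunk_ports=[(24, 24)])
    sw2 = Switch("10.0.0.252", access_ports=[(1, 1)], trunk_ports=[(24, 24)])
    mac = "00:0c:29:11:22:33"
    sw1.learn(mac, 2)
    sw2.learn(mac, 24)
    return [sw2, sw1], mac   # sw2 first, so the trunk hit must be skipped before sw1 answers
```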
IV. EVALUATION

In first tests we were able to validate the basic functionality, which served the user reduced but tolerable access when being quarantined after firing up Skype. As Skype was started on a client system, it began to scan for peer nodes. The Snort/Spade engine flagged this activity within 2-3 seconds and the “honidsctl” program subsequently moved the client system into VLAN 3 within a second. We were thus able to react within at least 5 seconds to shield the production network from further activity of a suspicious system.⁹ However, the client was still able to successfully access shares on a file server as well as webpages from the Internet. As the periodically executed xdelta and grep did not report newly created .DLL and .EXE files within the disk of the VMware Honeypot, the “honidsctl” program moved the system back into the production network after 20 minutes.

We then set up a client system that contained an active Lovesan.A virus and connected it to our test network. Snort this time also detected the infection attempts of the virus and the corresponding system was isolated from the production network. As the virus continued its spreading attempts, we could observe the creation of the file “MSBLAST.EXE” within the REDO file of the VMware guest. Consequently, the compromise had been confirmed and the client was entirely disconnected by “honidsctl” via SNMP, administratively shutting down its access port. This was a successful proof that an unconfirmed anomaly observed in a noisy environment could be investigated more thoroughly in a controlled, clean environment while at the same time not impairing the usability too much.

A. Timing considerations

To find a lower bound for the performance of the system that has to be reached in order to reliably contain viral spread, we measured the time a typical worm needs to infect another system. Therefore we placed two non-persistent VMware guests (Windows XP) in a LAN and started different internet worms on one of them. To cope with the fact that most worms attack randomly generated addresses, we used DNAT to directly forward attack packets to the victim host, independent of the actual destination IP address the virus calculated. We activated different internet worms with some variants¹⁰ and monitored their behavior with a packet tracing program. By measuring the time from the first packet observed from the infected system destined to the victim system until this was successfully compromised and started to spread the worm itself, we established some estimates for fast viral infection (each sample was taken three times):

Table 1: Spreading time of well-known worms

    Worm              Test 1    Test 2    Test 3
    Lovesan.A         13 sec.   16        15
    Lovesan.F         14 sec.   11        16
    Sasser.A           5 sec.    4         6
    Sasser.B           9 sec.    8         7
    Welchia A,E,G,H   After activation all variants were inactive for at least 5 minutes
    Randex.I

This indicates that if a virus were to target an adjacent system in the same network, a response system aimed at effectively quarantining the virus' host must do so in at least 4-5 seconds. Our prototype currently suggests that this may be achievable, especially when the network is not loaded, as load affects Snort performance. Note that viruses right now do not target systems in the same network but rather spread randomly, which gives a quarantining function a lot more time than this lower bound suggests. We have for now skipped virus behavior where the malware is rather quiet and only goes active from time to time; this will be covered in a long-term study. Furthermore, we did not consider the fastest worm seen ever, the SQL Slammer, as it for now exceeds the performance capabilities of our detection and isolation system.

B. Limitations

Currently our prototype supports one broadcast domain, as VLANs cannot spread beyond a subnet. The VLAN switching with SNMP is working, but this confines the solution to special switch equipment offering VLAN-specific MIBs. Furthermore, the anomaly detection within the VMware host is still sketchy: from time to time, the .EXE and .DLL extensions of newly created files could not be found in the REDO file reliably (maybe because the file name resides in more than one disk sector). The HIDS also is solely based on manipulations happening in the Honeypot's filesystem; a process monitoring mechanism would be suitable as well.

Our control procedure currently supports the isolation and investigation of only one suspicious system at a time. Multiple incident handling while maintaining the Honeynet functionality of a controlled, clean environment is non-trivial, as for each suspicious activity separate VLANs and Honeypots then have to be set up to avoid interference. Another open issue is the yet missing integration of users and administrators. As users might start offending (but harmless) applications frequently, quarantine and rehabilitation of their systems will happen again and again until an administrator can provide the triggering NIDS with the signatures needed to suppress the corresponding alerts.

⁹ This performance, however, depends largely on the network load as Snort is much slower when it needs to monitor a large amount of traffic.
¹⁰ The viruses were obtained from http://vx.netlux.org, which is well known as a virus repository.

V. FUTURE WORK

As the proof of concept presented here suggests that using Honeynet functionality to enhance IDS accuracy is a promising approach, we will address some of the issues outlined above. Namely, a notification mechanism for the users will be integrated into the system as they can help to increase the detection quality quite significantly – only
users can observe the causal connection between their [9] S. Riebach, B. Tödtmann, Erwin P. Rathgeb:
activity and the quarantining process: “Whenever I click on ”Efficient deployment of Honeynets for statistical and
this icon, I get a message saying that my system is now forensic analysis of attacks from the Internet'',
quarantined and I will only be allowed to access the internal proceedings for Networking 2005 conference,
web pages”. Further working items are to stretch the Waterloo Ontario, Canada, 02.-06. May 2005
isolation procedure over subnet boundaries by using
[10] Biles, S.: ,,The SPADE Project'', last seen: 11. Oct.
techniques such as L2TP or Ethernet over MPLS, and the
2004, http://www.bleedingsnort.com/article.php?
implementation of investigative “threads” enabling multiple
story=20041011095505501
incident handling.
[11] Zeltserman, D.: ,,A practical guide to SNMPv3 and
VI. CONCLUSIONS network management'', New Jersey 1999
In this paper we have demonstrated a way to improve LAN [12] Decker E., Langille P., Rijsinghani A., McCloghrie
security, especially to contain the spreading of worms, by K.: ,,RFC 1493 - Definitions of Managed Objects for
implementing an enhanced two-phased anomaly-based Bridges'', Internet Standard, 1993
intrusion detection and response system using Honeynet
technology to validate malicious intent. The system is user- [13] IEEE: ,,Port-Based Network Access Control'', New
friendly as it still offers a reduced but tolerable connectivity York 2001
to the network while the second-stage investigation is [14] Blunk L., Vollbrecht J.: ,,RFC 2284 - PPP Extensible
undertaken. This has the potential to increase both Authentication Protocol (EAP)'', Internet Standard,
acceptance for IDS deployment and detection accuracy. 1998
While the IDS and Honeynet communities are still
somewhat disjoint because of the diverging areas of interest [15] Metcalf, W.: ,,Snort\_inline Projekt Homepage'',
of those groups (Honeynets are still mainly used for http://snort-inline.sourceforge.net/, last seen: 2. Feb.
forensics and hacker behavior studies whereas IDS/IRS are 2005
used to actively make networks more secure), we believe [16] Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel,
that the core features of Honeynet technology, namely J. and Stoner, E.: ”State of the Practice of Intrusion
controlled isolation and exposure to artificial Detection Technologies'', CMU/SEI-99-TR-028
vulnerabilities, can be quite successfully used to actively (2000)
increase the security of networks when integrated into IDS
mechanisms. [17] E., Cloete, E., Venter, L.M.: ,,A comparison of
Intrusion Detection systems'', Computers and Security,
VII. REFERENCES 20 (2001), S. 676-683
[1] Stefan Axelsson :”Intrusion Detection Systems: A [18] Lazarevic A., Ozgur A., Ertoz L., Srivastava J., Kumar
Survey and Taxonomy”, Chalmers University of V.: ,,A comparative study of anomaly detection
Technology, Goeteborg, Sweden, 14 March 2000 schemes in network intrusion detection'', in: SIAM
International Conference on Data Mining (2003)
[2] Stuart Staniford: “Containment of Scanning Worms in
Enterprise Networks”, Silicon Defense, 7 Oct. 2003 [19] Kruegel, C., Toth, T., Kerer, C.: ,,Decentralized event
correlation for intrusion detection'',
[3] N.Weaver, V. Paxson, S.Staniford, R. Cunningham: http://www.infosys.tuwien.ac.at/Staff/tt/publications/
”A Taxonomy of Computer Worms”, Proceedings of Decentralized\_Event\_Correlation\_for\_Intrusion\_d
the 2003 ACM workshop on Rapid Malcode, etection.pdf, April 2002
Washington, DC, USA
[20] LBNL's Network Research Group: ,,arpwatch'',
[4] The Honeynet-Project: ,”Know Your Enemy: http://www-nrg.ee.lbl.gov/, last seen: 2. February
Learning about Security Threats'', Indianapolis: 2005
Addison-Wesley, 2004, http://www.Honeynet.org/
[21] Linux netfilter project: ,,netfilter/iptables'',
[5] S. Riebach, B. Tödtmann, Erwin P. Rathgeb: ,”Risk http://www.netfilter.org/, last seen: 2. Febraury 2005
assessment of production networks using Honeynets -
some practical experience'', proceedings of ISPEC05 [22] Schuymer, Fedchik, Borowiak: ,,ebtables'',
conference, Singapore, 12.-14. April 2005 http://ebtables.sourceforge.net/, last seen: 2. February
2005
[6] Debar H., Dacier M., Wespi A.: ,,Towards a
Taxonomy of Intrusion-Detection Systems'', Computer [23] VMware, Inc.: ,,VMware Workstation 4'',
Networks, 31(8): S. 805--822, April 1999 http://www.vmware.com/, last seen: 2. February 2005
[7] Roesch, Marty; Caswell, Brian: ,”Snort's official
homepage'', http://www.snort.org, 2. Feb. 2005
[8] Rami Lehti: “AIDE official homepage”:
http://www.cs.tut.fi/~rammer/aide.html, 2005

Proceedings of the Sixth International Conference on Networking (ICN'07)


0-7695-2805-8/07 $20.00 © 2007
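Referring back to the timing measurement of section IV.A, the following added example (not code from the paper or its implementation) computes the infection time from flow records exactly as that measurement defines it: from the first attack packet the infected guest sends to the victim until the first propagation packet the victim sends to a third host, and then summarizes repeated runs the way the table does. The addresses, the propagation port 135 and the trace itself are constructed sample data.

```python
"""Time-to-compromise from a packet trace (added example, constructed data).
Section IV.A measures infection time as the interval between the first packet
the infected host sends to the victim and the first packet the victim itself
sends to a third host on the worm's propagation port."""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float   # capture timestamp in seconds
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port


def time_to_compromise(trace: Iterable[Packet], infected: str, victim: str,
                       worm_port: int) -> Optional[float]:
    """Seconds from the first infected->victim packet on worm_port to the
    first victim->third-party packet on worm_port; None if the victim never
    starts to propagate (the run produced no infection)."""
    first_attack = None
    for p in sorted(trace, key=lambda p: p.ts):
        if first_attack is None:
            if p.src == infected and p.dst == victim and p.dport == worm_port:
                first_attack = p.ts
            continue
        # Traffic back to the infector (e.g. a payload download) does not count;
        # only probing of some other host marks the start of propagation.
        if p.src == victim and p.dst != infected and p.dport == worm_port:
            return p.ts - first_attack
    return None


def summarize(runs: Iterable[Optional[float]]) -> Optional[Tuple[float, float, float]]:
    """(min, median, max) over repeated runs, ignoring runs without infection."""
    vals = [r for r in runs if r is not None]
    return (min(vals), median(vals), max(vals)) if vals else None


# Constructed trace: 10.0.0.1 is the infected guest, 10.0.0.2 the victim. DNAT
# made every attack packet arrive at the victim, so dst is always 10.0.0.2
# whatever address the worm had computed. Port 135 is an assumption.
SAMPLE_TRACE = [
    Packet(100.0, "10.0.0.1", "10.0.0.2", 135),      # first attack packet
    Packet(101.0, "10.0.0.2", "10.0.0.1", 69),       # victim talks back to infector
    Packet(113.0, "10.0.0.2", "198.51.100.7", 135),  # victim starts scanning
    Packet(113.1, "10.0.0.2", "203.0.113.9", 135),
]
```

On the constructed trace the victim begins spreading 13 seconds after the first attack packet, which is the order of magnitude the table reports for Lovesan.A; the lower bound for the response system's reaction time is the minimum over all runs.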