Enhancing the Experience in Network Incident Investigations. Dr. Jianming Cai (j.cai@londonmet.ac.uk), Ms. Angeliki Parianou (ANP0774@londonmet.ac.uk), and Ms. Bo Li (b.li@londonmet.ac.uk), Faculty of Computing, London Metropolitan University.
Presentation Transcript


  1. Enhancing the Experience in Network Incident Investigations Dr. Jianming Cai (j.cai@londonmet.ac.uk), Ms. Angeliki Parianou (ANP0774@londonmet.ac.uk), and Ms. Bo Li (b.li@londonmet.ac.uk) Faculty of Computing, London Metropolitan University

  2. Topics • Network incident investigation • Experiment in real world • The experimental platform • Platform test • Forensic evidence collected/analysis • Summary

  3. Network Incident Investigation • Network Forensics: • computing has become network-centric • the Internet is increasingly popular at home • data is available outside of the disk-based digital evidence • Standalone investigation or alongside a computer forensics analysis (to reveal links between digital devices or to reconstruct how a crime was committed). • Investigators often have to rely on packet filters, firewalls, and intrusion detection systems which were set up to anticipate breaches of security. Data is now more volatile and unpredictable. • When investigating a network intrusion the investigator and the attacker are often of similar skill level, compared with other areas of digital forensics where the investigator is often the more highly skilled.

  4. Experiment in Real World • There is therefore an increasing demand for graduates from Computer Forensics to enhance their experience in network incident investigations. • Institutions’ security policies restrict students from practising Network Forensics in the real world. • Network Forensics exercises therefore often have to rely on case studies extracted from textbooks. • A platform which enables students to practise network incident investigation on real-life case studies is desirable.

  5. The Experimental Platform • The platform we developed is composed of a low-interaction honeypot and a rule-based IDS. • The software packages, namely Honeyd and Snort, are employed. • Based on this platform, students can analyze malicious activities, collect evidence, and launch incident investigations.

  6. Network Topology of the Platform (diagram: the “Network Forensics” Lab connected to the Institutional Network)

  7. Advantages of the Platform • Relatively independent of the institution’s network server, so it does not raise issues with the institution’s network security and admin policies. • Gathering network forensic information, investigating real-life cases, and collecting the evidence needed for apprehension and prosecution of network intruders. • The software employed in this platform is freely available for students’ home use, i.e. it is low cost and flexible in practice.

  8. The Deployed Honeyd (with eight virtual honeypots) Arpd: a daemon that listens to ARP (Address Resolution Protocol) requests and answers for IP addresses that are unallocated.

  9. The Deployed Honeyd (Cont.) • The virtual honeypots deployed include: • A Linux honeypot with the personality “Linux kernel 2.4.20” • A Windows honeypot with the personality “Microsoft XP Pro SP1” • A Router honeypot with the personality “Cisco IOS 11.3-12.0(11)” • A Server honeypot with the personality “Microsoft Server 2003” • A Mydoom-vulnerable honeypot with the personality “Microsoft XP Pro SP1” • A Mail Relay Server honeypot with the personality “Sun Solaris 9”

  10. The Deployed Honeyd (Cont.) • It creates various virtual hosts with different operating systems in order to attract a wider range of suspicious activity. • In addition a NIDS, namely Snort, is employed to monitor the network traffic for any known attacks and vulnerabilities. • Malicious network traffic is monitored, recorded, and analysed. • The output of Snort is sent to a MySQL database. • The traffic captured by Snort is then presented by BASE (Basic Analysis and Security Engine) version 1.4.5.

  11. Platform Test • The implemented Honeyd was put on the Internet for about one month, and it recorded every piece of traffic targeted at those eight virtual honeypots. • The results of the experiment were recorded in the various log files generated by Honeyd and in the Snort logs retained in the MySQL database. • In addition, the web.log was also used to record connection attempts towards the emulated Web services.

  12. Part of the Test Results Packet Protocol Types

  13. Part of the Test Results (Cont.) Top 10 IP Addresses/Countries Attempted Connections

  14. Part of the Test Results (Cont.) The List of Packet Destination IP Address

  15. Part of the Test Results (Cont.) The List of Packet Destination Ports

  16. Part of the Test Results (Cont.) Source Countries of the Relay Virtual Server

  17. Part of the Test Results (Cont.) Destination IPs Attacked and Detected by the Snort

  18. Part of the Test Results (Cont.) Top 10 Source IPs Attempted Connection and Detected by the Snort

  19. Part of the Test Results (Cont.) Unique Alerts Generated by the Snort

  20. Part of the Test Results (Cont.) Cross-referenced Source IP Addresses by Virtual Honeypots and the Snort
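The tallies on the test-result slides (protocol types, top source IPs, destination ports, and source IPs cross-referenced between the Honeyd logs and Snort) can be reproduced from the raw logs. The script below is an added example, not the authors' code: it assumes Honeyd's "timestamp proto(num) flag src sport dst dport [fingerprint]" log layout and uses constructed sample lines and constructed Snort alert records in place of the MySQL table.

```python
import re
from collections import Counter

# Constructed sample Honeyd log lines (assumed Honeyd layout; 'S' opens a TCP
# connection, 'E' closes one, '-' is a single UDP/ICMP packet).
HONEYD_LOG = """\
2010-06-01-10:15:02.0041 tcp(6) S 203.0.113.7 4431 10.0.0.2 80 [Windows XP SP1]
2010-06-01-10:15:05.1190 tcp(6) S 203.0.113.7 4432 10.0.0.2 445
2010-06-01-10:16:40.5520 tcp(6) S 198.51.100.23 51020 10.0.0.6 25 [Linux 2.4]
2010-06-01-10:16:41.0007 tcp(6) E 198.51.100.23 51020 10.0.0.6 25: 120 340
2010-06-01-10:17:09.3300 udp(17) - 192.0.2.99 1026 10.0.0.3 1434
2010-06-01-10:18:12.7718 icmp(1) - 192.0.2.99 8(0): 10.0.0.4: 60
2010-06-01-10:19:00.0000 tcp(6) S 203.0.113.7 4433 10.0.0.5 3389
"""

# Constructed Snort alert records as (source IP, signature name); in the
# platform these would be read from the MySQL database behind BASE.
SNORT_ALERTS = [
    ("203.0.113.7", "SMB probe (constructed signature name)"),
    ("192.0.2.99", "SQL resolver probe (constructed signature name)"),
    ("198.51.100.77", "Web scanner (constructed signature name)"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+)\(\d+\) (?P<flag>[SE-]) (?P<src>[\d.]+)"
    r"(?: (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+))?")  # ports absent for ICMP

def parse_honeyd(text):
    """Return one dict per parseable Honeyd log line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(recs):
    """Protocol mix, source IPs and destination ports of connection attempts.
    'E' records only close a TCP connection already counted at its 'S'."""
    attempts = [r for r in recs if r["flag"] != "E"]
    return {
        "protocols": Counter(r["proto"] for r in attempts),
        "sources": Counter(r["src"] for r in attempts),
        "dports": Counter(r["dport"] for r in attempts if r["dport"]),
    }

def cross_reference(recs, alerts):
    """Source IPs seen by the virtual honeypots that Snort also alerted on."""
    return sorted({r["src"] for r in recs} & {src for src, _ in alerts})

if __name__ == "__main__":
    recs = parse_honeyd(HONEYD_LOG)
    for name, counter in summarize(recs).items():
        print(name, counter.most_common(10))
    print("cross-referenced:", cross_reference(recs, SNORT_ALERTS))
```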

  21. Summary • There is an increasing demand for graduates from Computer Forensics to enhance their experience in network incident investigations. • The platform was developed to enable students to practise network incident investigation on real-life case studies. • Although the evidence collected from the honeypot system may or may not be deemed admissible in court, the platform is intended for students to enhance their Network Forensics skills.
