Jacob Zimmermann
Queensland University of Technology
Publication
Featured research published by Jacob Zimmermann.
international conference on internet monitoring and protection | 2009
Saleh I. Almotairi; Andrew J. Clark; George M. Mohay; Jacob Zimmermann
Honeypots are flexible security tools for gathering artefacts associated with a variety of Internet attack activities. While existing work on honeypot traffic analysis focuses mainly on identifying existing attacks, this paper describes a technique for detecting new attacks based on principal component analysis. The proposed technique requires no prior knowledge of attack types and has low computational requirements, which makes it suitable for online detection systems. Our method of detecting new attacks is based on measuring changes in the residual space using squared prediction error (SPE) statistics. When attack vectors are projected onto the residual space, attacks that are not represented by the main hyperspace will create new directions with high SPE values. We demonstrate the usefulness of our technique by using real traffic data from the Leurré.com project, a world-wide deployment of low-interaction honeypots, where several examples of new traffic detected by the system are illustrated.
network and parallel computing | 2008
Saleh I. Almotairi; Andrew J. Clark; George M. Mohay; Jacob Zimmermann
Monitoring Internet traffic is critical in order to acquire a good understanding of threats and in designing efficient security systems. While honeypots are flexible security tools for gathering intelligence on Internet attacks, traffic collected by honeypots is of high dimensionality, which makes it difficult to characterize. In this paper, we propose the use of principal component analysis, a multivariate analysis technique, for characterizing honeypot traffic and separating latent groups of activities. In addition, we show the usefulness of principal component plots in visualizing the interrelationships between the detected groups of activities and in finding outliers. This work is demonstrated through the use of low-interaction honeypot traffic data from the Leurre.com project, a world-wide deployment of low-interaction honeypots.
First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05) | 2005
Jacob Zimmermann; Andrew J. Clark; George M. Mohay; Fabien Pouget; Marc Dacier
Monitoring the Internet reveals incessant activity that has been referred to as background radiation. In this paper, we propose an original approach that makes use of packet inter-arrival times, or IATs, to analyse and identify such abnormal or unexpected network activity. Our study exploits a large set of data collected on a distributed network of honeypots during more than six months. Our main contribution in this paper is to demonstrate the usefulness of IAT analysis for network forensic purposes, and we illustrate this with examples in which we analyse particular IAT peak values. In addition, we pinpoint some network anomalies that we have been able to determine through such analysis.
International Journal of Business Intelligence and Data Mining | 2010
Vik Tor Goh; Jacob Zimmermann; Mark Looi
Network-based Intrusion Detection Systems (NIDSs) analyse network traffic to detect instances of malicious activity. Typically, this is only possible when the network traffic is accessible for analysis. With the growing use of Virtual Private Networks (VPNs) that encrypt network traffic, the NIDS can no longer access this crucial audit data. In this paper, we present an implementation and evaluation of our approach proposed in Goh et al. (2009). It is based on Shamir's secret-sharing scheme and allows a NIDS to function normally in a VPN without any modifications and without compromising the confidentiality afforded by the VPN.
availability, reliability and security | 2009
Vik Tor Goh; Jacob Zimmermann; Mark Looi
Traditionally, network-based Intrusion Detection Systems (NIDS) monitor network traffic for signs of malicious activities. However, with the growing use of Virtual Private Networks (VPNs) that encrypt network traffic, the NIDS can no longer analyse the encrypted data. This essentially negates any protection offered by the NIDS. Although the encrypted traffic can be decrypted at a network gateway for analysis, this compromises data confidentiality. In this paper, we propose a detection framework which allows a traditional NIDS to continue functioning, without compromising the confidentiality afforded by the VPN. Our approach uses Shamir's secret-sharing scheme and randomised network proxies to enable detection of malicious activities in encrypted channels. Additionally, this approach is able to detect any malicious attempts to forge network traffic with the intention of evading detection. Our experiments show that the probability of a successful evasion is low, at about 0.98% in the worst case. We implement our approach in a prototype and present some preliminary results. Overall, the proposed approach is able to consistently detect intrusions and does not introduce any additional false positives.
network and system security | 2010
Shamsul Kamal Ahmad Khalid; Jacob Zimmermann; Diane Corney; Colin J. Fidge
Type unions, pointer variables and function pointers are a long-standing source of subtle security bugs in C program code. Their use can lead to hard-to-diagnose crashes or exploitable vulnerabilities that allow an attacker to attain privileged access over classified data. This paper describes an automatable framework for detecting such weaknesses in C programs statically, where possible, and for generating assertions that will detect them dynamically, in other cases. Based exclusively on analysis of the source code, it identifies required assertions using a type inference system supported by a custom-made symbol table. In our preliminary findings, our type system was able to infer the correct type of unions in different scopes, without manual code annotations or rewriting. Whenever an evaluation is not possible or is difficult to resolve, appropriate runtime assertions are formed and inserted into the source code. The approach is demonstrated via a prototype C analysis tool.
Faculty of Science and Technology; Information Security Institute | 2007
Saleh I. Almotairi; Andrew J. Clark; Marc Dacier; Corrado Leita; George M. Mohay; Van Hau Pham; Olivier Thonnard; Jacob Zimmermann
grid computing | 2006
Jacob Zimmermann; George M. Mohay
Faculty of Science and Technology; Information Security Institute | 2010
Vik Tor Goh; Jacob Zimmermann; Mark Looi
Faculty of Science and Technology; Information Security Institute | 2009
Saleh I. Almotairi; Andrew J. Clark; George M. Mohay; Jacob Zimmermann