Julian B. Grizzard

HoneyStat: Local Worm Detection Using Honeypots

Worm detection systems have traditionally used global strategies and focused on scan rates. The noise associated with this approach requires statistical techniques and large data sets (e.g., 220 monitored machines) to yield timely alerts and avoid false positives. Worm detection techniques for smaller local networks have not been fully explored.

Real-time and forensic network data analysis using animated and coordinated visualization

Rapidly detecting and classifying malicious activity contained within network traffic is a challenging problem exacerbated by large datasets and functionally limited manual analysis tools. Even on a small network, manual analysis of network traffic is inefficient and extremely time consuming. Current machine processing techniques, while fast, suffer from an unacceptable percentage of false positives and false negatives. To complement both manual and automated analysis of network traffic, we applied information visualization techniques to appropriately and effectively bring the human into the analytic loop. This paper describes the implementation and lessons learned from the creation of a novel network traffic visualization system capable of both realtime and forensic data analysis. Combining the strength of link analysis using parallel coordinate plots with the time-sequence animation of scatter plots, we examine a 2D and 3D coordinated display that provides insight into both legitimate and malicious network activity. Our results indicate that analysts can rapidly examine network traffic and detect anomalies far more quickly than with manual tools.

Using honeynets to protect large enterprise networks

Network administrators use several methods to protect their network. Installing a honeynet within large enterprise networks provides an additional security tool. Honeynets complement the use of firewalls and IDS and help overcome some of the shortcomings inherent in those systems. In addition, honeynets can also serve as platforms for conducting computer security research and education.

Countering security information overload through alert and packet visualization

This article presents a framework for designing network security visualization systems as well as results from the end-to-end design and implementation of two highly interactive systems. In this article, we provide multiple contributions: we present the results of our survey of security professionals, the design framework, and lessons learned from the design of our systems as well as an evaluation of their effectiveness. Our results indicate that both systems effectively present significantly more information when compared to traditional textual approaches. We believe that the interactive, graphical techniques that we present will have broad applications in other domains seeking to deal with information overload.

Visual exploration of malicious network objects using semantic zoom, interactive encoding and dynamic queries

This paper explores the application of visualization techniques to aid in the analysis of malicious and non-malicious binary objects. These objects may include any logically distinct chunks of binary data such as image files, word processing documents and network packets. To facilitate this analysis, we present a novel visualization technique for comparing and navigating among 600-1000+ such objects at one time. While the visualization technique alone has powerful application for both directed and undirected exploration of many classes of binary objects, we chose to study network packets. To increase effectiveness, we strengthened the visualization technique with novel, domain-specific semantic zooming, interactive encoding and dynamic querying capabilities. We present results and lessons learned from implementing these techniques and from studying both malicious and non-malicious network packets. Our results indicate that the information visualization system we present is an efficient and effective way to compare large numbers of network packets, visually examine their payloads and navigate to areas of interest within large network datasets.

A methodology to detect and characterize Kernel level rootkit exploits involving redirection of the system call table

There is no standardized methodology at present to characterize rootkits that compromise the security of computer systems. The ability to characterize rootkits will provide system administrators with information so that they can take the best possible recovery actions and may also help to detect additional instances and prevent the further installation of the rootkit allowing the security community to react faster to new rootkit exploits. There are limited capabilities at present to detect rootkits, but in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. We propose a mathematical framework for classifying rootkit exploits as existing, modifications to existing, or entirely new. An indepth analysis of a particular type of kernel rootkit is conducted in order to develop a characterization. As a result of this characterization and analysis, we propose some new methods to detect this particular class of rootkit exploit.

The Use of Honeynets to Increase Computer Network Security and User Awareness

Abstract In this paper, we address how honeynets, networks of computers intended to be compromised, can be used to increase network security in a large organizational environment. We outline the current threats Internet security is facing at present and show how honeynets can be used to learn about those threats for the future. We investigate issues researchers have to take into account before deploying or while running a honeynet. Moreover, we describe how we tied honeynet research into computer security classes at Georgia Tech to successfully train students and spark interest in computer security.

Re-establishing trust in compromised systems: Recovering from rootkits that trojan the system call table

We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. An attacker that has compromised a system will often install a set of tools, known as a rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of rootkit is a kernel-level rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recover from these type of rootkits is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. Building on our approach to current generation rootkits, we discuss future generation rootkits and address how to recover from them.

A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table

A cracker who gains access to a computer system will normally install some method, for use at a later time that allows the cracker to come back onto the system with root privilege. One method that a cracker may use is the installation of a rootkit on the compromised system. A kernel level rootkit will modify the underlying kernel of the installed operating system. The kernel controls everything that happens on a computer. We are developing a standardized methodology to characterize rootkits. The ability to characterize rootkits will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. We propose new methods for characterizing kernel level rootkits. These methods may also be used in the detection of kernel rootkits.

An investigation of a compromised host on a honeynet being used to increase the security of a large enterprise network

The growth of network intrusions on large enterprise networks continues to increase, creating an epidemic of compromised hosts. The deployment of firewalls and intrusion detection systems has not slowed the growth of intrusions to an acceptable rate. Investigating the compromise of a production machine is both difficult and time-consuming due to the mixing of attack and production traffic, while similar investigations of compromised machines on honeynets are much less complex since there is no real production traffic. We discuss why these investigations are easier on a honeynet and how honeynets may be used to make investigations of compromised production machines faster and recovery easier. We include a description of an attack and the analysis that was conducted.