Wormholes and a Honeyfarm: Automatically Detecting Novel Worms (and other random stuff)
Wormholes and a Honeyfarm: Automatically Detecting New Worms
Nicholas Weaver, Vern Paxson, Stuart Staniford
UC Berkeley, ICIR, ICIR, Silicon Defense

Slide 2: Problem: Automatically Detecting New Worms
• Detect a new worm on the Internet before many machines are infected
  – Use this information to guide defenses
  – 30-60 seconds to detect (and stop) Slammer
• Honeypots are accurate detectors
  – Monitor egress to detect worms
  – k vulnerable honeypots will detect a worm when ~1/k of the vulnerable machines are infected
  – But impractical
    • Cost: time, not machines
    • Trust: must trust all honeypots!

Slide 3: Idea: Split the Network Endpoints from the Honeypots
• Wormholes are traffic tunnels
  – Route connections to a remote system
  – Untrusted endpoints
• Honeyfarm consists of Virtual Machine honeypots
  – Create virtual honeypots on demand
    • See honeynet.org
  – Route internally generated traffic to other images
    • Classify based on what can be infected

Slide 4: How Wormholes Work
• Low cost "appliance":
  – Plugs into network, obtains address through DHCP
  – Contacts the Honeyfarm
  – Reconfigures local network stack
    • Fool nmap-style detection
  – Forwards all traffic to/from the Honeyfarm
• Clear Box:
  – Deployers have source code
    • Restrictions built into the wormhole code so it doesn't trust the honeyfarm and can't contact the local network!
• Instead of, or in addition to, wormholes, one can...
  – Route small telescopes to the honeyfarm
  – Route ALL unused addresses in an institution...
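The "k honeypots detect at ~1/k infected" claim from the Problem slide, worked through as an added example (not code from the authors). It assumes a uniformly random scanning worm, so the order in which the n real vulnerable hosts and the k honeypots are first reached is a uniform random permutation; the analytic value and a seeded Monte Carlo check are both included.

```python
import math
import random


def expected_infected_at_detection(n_vulnerable: int, k_honeypots: int) -> float:
    """Expected number of real vulnerable hosts infected before the first
    honeypot is contacted, for a uniformly random scanning worm.

    Assumption: first-contact order over the n + k vulnerable addresses is a
    uniform random permutation, so on average n / (k + 1) real hosts precede
    the first honeypot, i.e. roughly a 1/k fraction of the population.
    """
    return n_vulnerable / (k_honeypots + 1)


def honeypots_needed(max_infected_fraction: float) -> int:
    """Smallest k such that detection is expected by the given fraction."""
    return math.ceil(1.0 / max_infected_fraction - 1)


def simulate_infected_at_detection(n_vulnerable: int, k_honeypots: int,
                                   trials: int, seed: int = 1) -> float:
    """Monte Carlo version of the same quantity (constructed population)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        # True = real vulnerable host, False = honeypot. Shuffling gives the
        # first-contact order of a uniform random scan.
        population = [True] * n_vulnerable + [False] * k_honeypots
        rng.shuffle(population)
        infected = 0
        for is_real in population:
            if not is_real:
                break          # honeypot egress monitor fires here
            infected += 1
        total += infected
    return total / trials


if __name__ == "__main__":
    n, k = 1000, 9
    print("analytic:", expected_infected_at_detection(n, k))
    print("simulated:", simulate_infected_at_detection(n, k, trials=2000))
    print("honeypots for detection by 1% infected:", honeypots_needed(0.01))
```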
Slide 5: How a Honeyfarm Works
• Creates Virtual Machine images to implement Honeypots
  – Using VMware or similar
  – Images exist "in potential" until traffic received
• Niels Provos suggested: Use honeyd as a first-pass filter
  – Completes the illusion that a honeypot exists at every wormhole location
• Any traffic received from a wormhole:
  – Activate and configure a VM image
  – Forward traffic to the VM image
• Traffic generated by the honeypot image is monitored and redirected
[Diagram: a Wormhole at IP aa.bb.cc.dd tunnels to the Honeyfarm at IP xx.xx.xx.xx; VM images inside the honeyfarm present the wormhole-side addresses aa.bb.cc.dd and aa.bb.cc.ee]

Slide 6: What Could We Automatically Learn From a Honeyfarm?
• A new worm is in the Internet
  – Triggered based on ability to infect VMs
• What the worm is capable of
  – Types of vulnerable configurations
    • Including patch level
    • Creates a "Vulnerability Signature"
  – Some overt, immediate malicious behavior
    • Immediate file erasers etc.
  – Possible attack signatures
• Works best for tracking:
  – Human attackers
  – Scanning worms
    • Slow enough to react effectively
    • Randomness hits wormholes

Slide 7: What Trust is Needed?
• Wormhole deployers:
  – Need to trust wormhole devices, not the honeyfarm operator
• Honeyfarm operator:
  – Attackers know of some wormholes, but most are generally unknown
    • Wormhole locations are "open secrets"
  – Does not trust wormhole deployers
    • Detection is based on infected honeypots, not traffic from a wormhole
    • Dishonest wormholes are filtered out
• Responding systems receiving an alert:
  – Either the honeyfarm and operator are honest and uncompromised
  – OR rely on multiple, independent honeyfarms all raising an alarm
    • "If CERT and DOD-CERT say..."
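The dispatch loop described on the honeyfarm, learning and trust slides, as an added example that is not the authors' code: images are activated on demand per wormhole address, only egress from an infected image raises an alert (so traffic alone from a dishonest wormhole is filtered out), and that egress is redirected to the other image configurations to build the vulnerability signature. The configuration names, ports and the "OVERFLOW" marker standing in for a working exploit are constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed image configurations: which service ports each one exposes.
IMAGE_CONFIGS: Dict[str, Set[int]] = {
    "os-A-unpatched": {4000, 4001},
    "os-A-patched":   {4001},
    "os-B":           set(),
}

Packet = Tuple[int, bytes]   # (destination port, payload)


class Image:
    """One VM honeypot image, created on demand for a wormhole address."""

    def __init__(self, config: str, wormhole_ip: str) -> None:
        self.config, self.wormhole_ip, self.infected = config, wormhole_ip, False

    def deliver(self, port: int, payload: bytes) -> List[Packet]:
        """Feed tunnelled traffic to the image and return the egress it generates."""
        if port in IMAGE_CONFIGS[self.config] and b"OVERFLOW" in payload:
            self.infected = True   # constructed stand-in for a successful exploit
        # A self-propagating worm re-sends its own payload outward; a clean
        # image originates nothing.
        return [(port, payload)] if self.infected else []


class Honeyfarm:
    def __init__(self, first_config: str = "os-A-unpatched") -> None:
        self.first_config = first_config
        self.images: Dict[str, Image] = {}       # wormhole_ip -> active image
        self.alerts: List[dict] = []

    def tunnel_in(self, wormhole_ip: str, port: int, payload: bytes) -> Optional[dict]:
        """Traffic arriving through a wormhole; returns an alert only on infection."""
        image = self.images.setdefault(wormhole_ip, Image(self.first_config, wormhole_ip))
        egress = image.deliver(port, payload)
        if not egress:
            return None    # inbound traffic by itself is never evidence of a worm
        # Monitored egress is redirected to every other configuration; the set
        # that also gets infected is the vulnerability signature.
        infectable = sorted(
            cfg for cfg in IMAGE_CONFIGS
            if any(Image(cfg, wormhole_ip).deliver(p, pl) for p, pl in egress)
        )
        alert = {"wormhole": wormhole_ip, "port": port, "infectable": infectable}
        self.alerts.append(alert)
        return alert
```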
Slide 8: Status and Acknowledgements
• Status: Paper design
  – Idea, attacks, costs, development time
• Lots of attacks on the honeyfarm system and possible defenses
• Plan to build the honeyfarm first, attached to a small telescope
• Wormholes can be built for <$350, no moving parts, 50 Watts power, quantity 1
• Acknowledgements:
  – Honeypot technology: Honeynet project, honeyd, DTK
  – Feedback from many people: Stefan Savage, David Moore, David Wagner, Niels Provos, etc etc etc.

Slide 9: Random Slide: 1 Gb (ASAP), 10 Gb (+2-3 years)
• Need wiring-closet defenses:
  – As close to the endpoint as possible, need to be reprogrammable
  – <$1000 for GigE today (build for $500)
    • Optical ideal, +$100 for 1000-base-T
  – <$2000 for 10GigE in 2-3 years (build for $1000)
  – New FPGAs with SERDESes, embedded processors, massive parallelism and pipelining
[Board diagram: FPGA with two DIMMs, three SX transceivers and two 1000-BaseT PHYs]

Slide 10: Random Slide: Colonel John R. Boyd's OODA "Loop"
[Diagram: Boyd's OODA loop. Observe (unfolding circumstances, outside information, unfolding interaction with environment) feeds forward to Orient (genetic heritage, cultural traditions, previous experience, new information, analyses & synthesis), then to Decide (hypothesis) and Act (test); implicit guidance & control from Orient and feedback from Decide and Act close the loop]
Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window. Also note how the entire "loop" (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.
From "The Essence of Winning and Losing," John R. Boyd, January 1996.
From Defense and the National Interest, http://www.d-n-i.net, copyright 2001 the estate of John Boyd. Used with permission.

Slide 11: Random Slide: What is the OODA loop?
• The OODA (Observe, Orient, Decide, Act) cycle was designed as a semi-formal model of adversarial decision making
  – Really a complex nest of feedback loops
  – Originally designed to represent strategic and tactical decision-making
• Implicit shortcuts are critical in human-based systems
  – Every participant or group has its own OODA loop
• Attack the opponent's decision making process
  – Avoid/confuse/manipulate the opponent's observation/detection
    • Stealthy worms
  – Take advantage of errors in orientation/analysis
    • Not yet, but will begin to happen!
  – Move faster than the opponent's reaction time
    • Why autonomous worms outrace "human-in-the-loop" systems
• Reactive worm defenses need fully-automated OODA loops
• The fastest accurate OODA loop usually wins

Slide 12: Random Slide: Automated OODA Loops
• Since both the worms and the worm-defense routines are automatic while a fast worm is spreading, the OODA loops are much simpler
  – No implicit paths, everything is now explicit
    • Orientation and decision making are combined
  – Communication is also made explicit
  – The OODA loops are shaped by the designer's goals, objectives, and skills
• Observation is often critical for both sides
[Diagram: automated OODA loop. Observe (passive, local, active) passes information to Orient/Decide (automatic decision making), which passes control to Act (control actions); feedback, communication and interaction with the environment close the loop]