TECHNION – ISRAEL INSTITUTE OF TECHNOLOGY
DEPARTMENT OF ELECTRICAL ENGINEERING – SOFTWARE LAB



INTRUSION PREVENTION SYSTEM
          DYNAMIC HONEYNET




by: Rosenfeld Asaf
advisor: Uritzky Max


1.           ABSTRACT .............................................................................................................................. 4
2.           INTRODUCTION ..................................................................................................................... 5
     2.1            CRAWLER ........................................................................................................................ 5
     2.2            IPS ...................................................................................................................................... 6
     2.3            HONEY TRAP....................................................................................................................... 8
     2.4            HONEY NET ......................................................................................................................... 9
3.           CONCEPT .............................................................................................................................. 10
     3.1            CLIENT .............................................................................................................................. 10
     3.2            SERVER ............................................................................................................................. 11
     3.3            DEPLOYMENT .................................................................................................................... 12
4.           DESIGN .................................................................................................................................. 13
     4.1            ASSUMPTIONS................................................................................................................... 13
     4.2            ARCHITECTURE ................................................................................................................. 14
     4.3            CLIENT CLASSES OVERVIEW ........................................................................................... 15
        4.3.1           IE_Interface ............................................................................................................. 15
        4.3.2           Diagnosers .............................................................................................................. 16
        4.3.3           Client_Remote_Interface ..................................................................................... 17
        4.3.4           Dispatcher ............................................................................................................... 18
        4.3.5           GUI ............................................................................................................................ 18
     4.4            SERVER CLASSES OVERVIEW .......................................................................................... 19
        4.4.1           Database_Interface ............................................................................................... 19
        4.4.2           Data_Export ............................................................................................................ 20
        4.4.3           Server_Remote_Interface ................................................................................... 21
        4.4.4           Dispatcher ............................................................................................................... 22
        4.4.5           GUI ............................................................................................................................ 22
     4.5            SEQUENCE DIAGRAMS ..................................................................................................... 23
        4.5.1           Client Registration ................................................................................................ 23
        4.5.2           Client Report .......................................................................................................... 24
        4.5.3           Client Work ............................................................................................................. 25
        4.5.4           Server Work ............................................................................................................ 26
     4.6            CLIENT RELATIONS DIAGRAM .......................................................................................... 27
     4.7            SERVER RELATIONS DIAGRAM ........................................................................................ 28
     4.8            CLIENT GUI ...................................................................................................................... 29
     4.9            SERVER GUI ..................................................................................................................... 30
5.           IMPLEMENTATION .............................................................................................................. 31
     5.1      USING IE ........................................................................................................................... 31
     5.2      USING SQL SERVER ........................................................................................................ 32
     5.3      DIAGNOSTICS MODULE .................................................................................................... 33
        5.3.1     CPU Usage .............................................................................................................. 33
        5.3.2     Memory Utilization ................................................................................................ 34
        5.3.3     File System Changes ........................................................................................... 35
        5.3.4     Registry Corruption .............................................................................................. 36
6.           DEPLOYMENT HOWTO ...................................................................................................... 37
     6.1            SETTING THE SERVER ....................................................................................................... 37
     6.2            SETTING THE CLIENT......................................................................................................... 38
7.           UNIT TESTING ...................................................................................................................... 39
     7.1            CPU ERROR SIMULATION ................................................................................................ 39
     7.2            MEMORY ERROR SIMULATION ....................................................................................... 39
     7.3            FILE SYSTEM ERROR SIMULATION ................................................................................... 39
     7.4            FAULTY IE SIMULATION .................................................................................................... 39
8.           CONCLUSIONS AND PROBLEMS ................................................................................... 40



9.    POSSIBLE FUTURE WORK ............................................................................................... 41
10.   THANKS ................................................................................................................................. 42




1. Abstract
An Intrusion Prevention System (IPS) is a computer security device that monitors
network and/or system activity for malicious or unwanted behavior and can react,
in real time, to block or prevent those activities.
This project demonstrates an active and distributed approach towards IPS.


Short Description:
The purpose of the project was to create a distributed honeypot (honeynet) in a
client-server model. Each client acts as a crawler and traverses the internet, trying
to imitate real-user behavior. Once a web page has finished loading, the client runs
a self-diagnosis and reports to the server.
The server maintains a database (remote SQL) of the clients, has control over
them, and can also export reports as a web page (HTML).


Motivation:
The keywords of this project are Prevention, Active and Distributed:
-   Prevention: the system is able to detect threats it does not know about, since it
    monitors the targets of such attacks and can tell when something is out of line.
-   Active: instead of the conventional approach of detecting threats as they come
    to your door, the prevention system can find a malicious web page and report it
    before a user might attempt to access it.
-   Distributed: the server is aided by an external database that maintains a list of
    all the clients and all the known threats. The number of active clients, each
    functioning as an individual honeypot, is limited only by the SQL server's limits,
    and even if a number of clients are hit and go down, the system as a whole still
    works and can recover itself.




2. Introduction
2.1        CRAWLER
A crawler is a program mostly used by search engines to "crawl" links on the
internet and index content. Sometimes crawlers are also referred to as robots or spiders.




Crawlers are the backbone of search engines. Mostly implemented as scripts that
run on the search engine's servers, they crawl the internet following links to web
pages and archiving them within the search engine's index (database). A crawler
will usually follow links from pages it has discovered. This project implements a
kind of crawler that indexes web sites found to be malicious.




Our crawler uses a proprietary reporting system to tell its server of those sites, and
they are indexed in an SQL server.




2.2          IPS
An Intrusion Prevention System (IPS) is a computer security device that monitors
network and/or system activities for malicious or unwanted behavior and can react,
in real time, to prevent those activities. A network-based IPS, for example, will
operate inline to monitor all network traffic for malicious code or attacks; when
an attack is detected, it can drop the offending packets while still allowing all
other traffic to pass.
IPS systems originate from Intrusion Detection Systems (IDS). Those are also located
inline with the network resources, but they can identify a threat only once it is
inside the network.




An IPS aims to detect those threats before they enter the resources'
perimeter.




In this project, the IPS system keeps the threats out of the resource-at-risk by
searching for threats rather than inspecting incoming traffic.
We monitor system activity such as CPU and memory usage during web
browsing, and by that try to detect malicious web pages. By being dynamic
(not waiting for a naïve user to surf to the page), the server can learn of these pages
and prevent users from going there.
This IPS's strength comes from being deployed in large numbers, which gives it a
fair chance to cover larger portions of the internet and find malicious pages.




2.3         Honey Trap

In computer terminology, a honeypot is a trap set to detect, deflect or in some
manner counteract attempts at unauthorized use of information systems. Generally
it consists of a computer, data or a network site that appears to be part of a
network but which is actually isolated, (un)protected and monitored, and which
seems to contain information or a resource that would be of value to attackers. A
honeypot that masquerades as an open proxy is known as a sugarcane.

A honeypot is valuable as a surveillance and early-warning tool. While often a
computer, a honeypot can take on other forms, such as files or data records, or
even unused IP address space. Honeypots should have no production value and
hence should not see any legitimate traffic or activity. Whatever they capture can
then be surmised as malicious or unauthorized. One very practical implication of
this is that honeypots designed to thwart spam by masquerading as systems of the
types abused by spammers to send spam can categorize the material they trap
100% accurately: it is all illicit. A honeypot needs no spam-recognition capability,
no filter to separate ordinary e-mail from spam. Ordinary e-mail never comes to a
honeypot.

The client in this project acts as a honeypot, and the resource it puts at risk is
itself.




2.4          Honey Net
The honeynet is a network of real systems. This network is reachable through the
gateway, and is inline with the rest of the network.




[Figure: honeynet topology. SLAB-W01, SLAB-W02, SLAB-W03 and SLAB-W04 and the
honeypots SLAB-W10, SLAB-W11, SLAB-W12, SLAB-W12 all hang off SLAB-SWITCH;
SLAB-ROUTER connects the switch to the INTERNET.]




Since our basic honey trap is a crawler, by using a honeynet we can use several
indexing servers and make the system more secure. A keep-alive mechanism
might also be applied to make the system more immune to threats.
Because of the unique nature of the IPS, there is no real need for the system to be
inline with the resource at risk, since on a large scale many clients can work to find
threats, and naïve users around the world will check that the site they want to go
to is safe.




3. Concept
3.1                   Client
The client in our IPS system acts as a honeypot. The bounty it offers is itself, by
using a real Internet Explorer. This is an integration of a honeypot and a crawler.
The dispatching module of the client searches a dictionary module for a word to put
inside a Google query, or for a URL. It then travels to that URL using IE and waits
for IE to signal that the page has fully loaded. Once the page has loaded,
the dispatcher runs a self-diagnosis according to what was configured before it
was started. The report is sent to the remote server using the Remoting mechanism.




[Figure: client flow. 1. search URL from dictionary; 2. tell IE where to go;
3. self diagnosis; 4. report to server]
3.2         Server
The server in our IPS system serves as an administration layer which logs the
events and supplies control over the clients. The purpose of the server is that, at the
end of the day, when the security expert wishes to see what the IPS system has
achieved, he can generate a report of today's activity, reset the DB if needed, and
turn off a client he sees is jammed. The server logs the events it gets on a
remote SQL server, and when asked to report the events to the security expert, it
does so in HTML format. The server has no built-in limit on the number of clients it
can support; this is determined by the power of the platform it runs on. As will
be described later on, a future task for such a server could be to synchronize the
search of the client crawlers in order to achieve better coverage of the web.




[Figure: server flow. 1. get message from client; 2. write message in DB]
3.3         Deployment
The system in its current form can support several ways of deployment. One aspect
refers to the topology, and another refers to when and where the client will be run
from.
The topology issue is discussed later on, but in general it is possible to put the
clients inline with, or outside of, the resource-at-risk network.
As for the when and where, there are some options:
-   Dedicated farm: a network administrator might want to use a rack-mounted group
    of PCs for the task of a honeypot. The advantage of such a method is that
    no real resources are at risk, and controlling the network is fairly easy.
-   Idle time: a network administrator might want to use his users' farm for the task.
    If the farm is used, for example, by students, then during the night the farm
    should be quite empty, and the computers can be used in this idle time for the
    task. The same holds for an operation mode like a screen saver: after some time
    during which a PC is not touched, it can start running the client task and report
    to the server. The advantage of this method is that no extra resources are used,
    but the downside is that real PCs that should serve the users are exposed.
-   Application: today the client is an application with a GUI, controlled by the user
    who operates the computer. This method is very easy to configure and
    friendly, but will not work in a large-scale deployment.
-   Service: modifying the system to work as a service which can be triggered and
    configured by a remote server, while not so user friendly, gives a
    system administrator better tools to manage large-scale deployments,
    and should be considered as future work.




4. Design
4.1        Assumptions
The project is designed as a proof of concept, which leads to some working
assumptions:
-   The clients use a fixed vocabulary; the user cannot add what he believes are
    interesting keywords.
-   The clients don't check how many resources they use, but assume they are
    the only running application on the host. For example, any sudden
    extensive memory usage must be from IE.
-   The time clients are configured to spend on a web page depends on the
    number of hyperlinks on that page. In a production system a different model
    should be used in order to better imitate user behavior (taking into account
    pictures, words, applets and so on).




4.2         Architecture
The project is designed as a honeynet in which one of the computers serves as a
server, which need not reside inline with the rest of the network. The system is
based upon an external SQL server which registers the honeynet activity and
helps the security expert to tune his real network.


[Figure: architecture. SLAB-W01, SLAB-W02, SLAB-W03 and SLAB-W04 sit on the router
side; behind SLAB-SWITCH are IPS-CLIENT SLAB-W10, IPS-CLIENT SLAB-W11, IPS-CLIENT
SLAB-W12, IPS-SERVER SLAB-W12 and SLAB-SQL; SLAB-ROUTER leads to the INTERNET.
An optional IPS-SERVER may be placed either in front of the router or behind the
switch.]
4.3        Client Classes Overview
4.3.1      IE_Interface


                         IE_interface
               -run_sites_in_bank
               -page_done_event
               +choose_where_to_go()
               +goto_url()
               +get_current_url()


This class manages the MS Internet Explorer web browser. It contains the
vocabulary module and chooses autonomously where to go. Communication with
this class is done via its API and is event driven. It can detect when IE is stuck
and start a new instance. Each time it needs a destination, it randomly generates a
Google query from the vocabulary, or a link from the previously loaded page.
This interface gives us the freedom to change the browser implementation to
something other than IE, or even to an IE object rather than the actual
application.




4.3.2      Diagnosers

                            «interface»
                            Diagnoser
                        +get_stat_string()
                        +is_ok()
                        +get_value()
                        +reset()
                        +get_reason()




  fs_checker               cpu_checker              mem_checker




The Diagnoser is an interface which every diagnostics class has to implement. The
project houses three such classes: CPU, Memory and the Windows directory. The
CPU diagnoser detects a sudden jump in CPU utilization, the Memory diagnoser
detects a sudden growth in memory usage, and the Windows diagnoser detects
whether files were added to or removed from the Windows directory. The interface
returns a textual (String) error message, and the system uses these messages to
generate its report regarding the currently browsed site.
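The following is an added example, not the project's own code, showing the Diagnoser interface of 4.3.2 with the three checkers, the status string the dispatcher assembles, and the server-side split into GOOD/BAD described in 4.5.4. The jump thresholds, the report format and the sampled values are assumptions; samples are injected instead of read from the OS so the code runs offline.

```python
from abc import ABC, abstractmethod


class Diagnoser(ABC):
    """The interface every diagnostics class implements (page's method names)."""

    @abstractmethod
    def get_value(self): ...
    @abstractmethod
    def is_ok(self) -> bool: ...
    @abstractmethod
    def get_reason(self) -> str: ...
    @abstractmethod
    def reset(self) -> None: ...

    def get_stat_string(self) -> str:
        # One textual fragment per diagnoser; the dispatcher joins them.
        status = "GOOD" if self.is_ok() else "BAD"
        return f"{type(self).__name__}={status}({self.get_reason()})"


class _JumpChecker(Diagnoser):
    """Flags a sudden jump of a sampled value above a baseline. Following the
    page's assumption that IE is the only running application, any jump is
    attributed to the page being browsed."""
    name = "value"

    def __init__(self, baseline, max_increase):
        self.baseline = baseline          # value measured before the page load
        self.max_increase = max_increase  # assumed threshold, not from the page
        self.last = baseline

    def sample(self, value):
        self.last = value                 # constructed here; the client reads OS counters

    def get_value(self):
        return self.last

    def is_ok(self):
        return self.last - self.baseline <= self.max_increase

    def get_reason(self):
        if self.is_ok():
            return "ok"
        return f"{self.name} jumped from {self.baseline} to {self.last}"

    def reset(self):
        self.baseline = self.last         # new baseline for the next page


class cpu_checker(_JumpChecker):
    name = "cpu"   # percent utilization


class mem_checker(_JumpChecker):
    name = "mem"   # MB in use


class fs_checker(Diagnoser):
    """Detects files added to or removed from the Windows directory by diffing
    a listing taken before the page load against one taken after it."""

    def __init__(self, listing):
        self.baseline = set(listing)
        self.current = set(listing)

    def sample(self, listing):
        self.current = set(listing)       # constructed listing in this example

    def get_value(self):
        return sorted(self.current - self.baseline), sorted(self.baseline - self.current)

    def is_ok(self):
        return self.current == self.baseline

    def get_reason(self):
        added, removed = self.get_value()
        return "ok" if self.is_ok() else f"added={added} removed={removed}"

    def reset(self):
        self.baseline = set(self.current)


def build_report(url, diagnosers):
    """Status string the dispatcher sends after a page load. The format
    '<GOOD|BAD>|<url>|<fragment;fragment...>' is an assumption."""
    overall = "GOOD" if all(d.is_ok() for d in diagnosers) else "BAD"
    return f"{overall}|{url}|" + ";".join(d.get_stat_string() for d in diagnosers)


def parse_report(report):
    """Server side (4.5.4): split the string into status, url and details."""
    status, url, details = report.split("|", 2)
    if status not in ("GOOD", "BAD"):
        raise ValueError(f"unknown status {status!r}")
    return status, url, details.split(";")
```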




4.3.3       Client_Remote_Interface


              ClientRemoteIF
           -kill_client_event
           +kill_client()

This class contains an event which can be triggered by remote applications. It is
used in order to signal the client application to shut itself down.
Understanding where this class should go was one of the project's biggest efforts.
The original idea was to use a single object (instance) in order to send events to
both the client and the server. What I came up with was that the application that
should listen to the event must hold the object instance inside it, and the remote user of
the application, in this case the server, who actually wants to shut the application
off, just triggers this event through a function.




4.3.4      Dispatcher




                     Dispatcher
  -cpu_checker
  -mem_checker
  -fs_checker
  -diag_string_ready_event
  -terminate_gui_event
  -client_IP
  -IE_changed
  +main()
  +start_IE_thred()
  +stop_IE()
  +subscribe_on_events()

This class handles all the inter-communication inside the application. It contains
some events which other classes register with, and in return it registers with
other classes' events. This forms an event-driven application which is very fast and
cheap resource-wise.


4.3.5      GUI


This class gets the user inputs, such as which diagnostics should operate and what
the address of the server is. It communicates only with the Dispatcher, and is also
event driven.




4.4        Server Classes Overview
4.4.1      Database_Interface




                           DBIF


        +add_entry()
        +remove_entry()
        +remove_all_entries()
        +get_OK_entries()
        +get_error_entries()
        +get_all_entries()
        +DBIF()
        +~DBIF()

This class communicates with the remote SQL server. It allows setting/getting
entries in the database while checking their syntax. It also gives some administrative
capabilities over the database, such as erasing the whole database and getting all its
content in a single container.




4.4.2      Data_Export



                DataExport
        -ips_report_page
        +add_entry()
        +save_to_file()

This class generates a file in HTML format that summarizes the database content.
After creating the file, this class opens an IE instance to show the file.
We added this class as a management tool for the security expert, who is the main
client of this application. This is just a demonstration of capabilities;
generating more specific reports, or even a dynamic reporting tool, is a very easy
task with the services the database interface provides.
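An added example, not the project's own code, of the DBIF class from 4.4.1 and the DataExport class from 4.4.2 in Python. An in-memory sqlite3 database stands in for the remote SQL server and the table layout is assumed; every statement is parameterised, and every field is escaped on export because the report is opened in a browser and the URL and reason text originate from whatever site the client visited.

```python
import html
import ipaddress
import sqlite3
from datetime import datetime, timezone


class DBIF:
    """Client report store. Every statement is parameterised, so a URL or
    reason string chosen by a malicious page cannot change the SQL the
    server runs (the page says DBIF 'checks the syntax'; this is the
    equivalent precaution here)."""

    def __init__(self, path=":memory:"):   # in-memory stand-in for the remote SQL server
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS reports ("
            "id INTEGER PRIMARY KEY, ts TEXT, client_ip TEXT, "
            "status TEXT CHECK (status IN ('GOOD', 'BAD')), url TEXT, reason TEXT)")

    def add_entry(self, client_ip, status, url, reason):
        ipaddress.ip_address(client_ip)          # ValueError on a malformed address
        if status not in ("GOOD", "BAD"):
            raise ValueError(f"bad status {status!r}")
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        with self.conn:
            self.conn.execute(
                "INSERT INTO reports (ts, client_ip, status, url, reason) "
                "VALUES (?, ?, ?, ?, ?)", (ts, client_ip, status, url, reason))

    def remove_entry(self, entry_id):
        with self.conn:
            self.conn.execute("DELETE FROM reports WHERE id = ?", (entry_id,))

    def remove_all_entries(self):
        with self.conn:
            self.conn.execute("DELETE FROM reports")

    def _select(self, where, params=()):
        sql = "SELECT id, ts, client_ip, status, url, reason FROM reports " + where
        return self.conn.execute(sql, params).fetchall()

    def get_OK_entries(self):
        return self._select("WHERE status = ? ORDER BY id", ("GOOD",))

    def get_error_entries(self):
        return self._select("WHERE status = ? ORDER BY id", ("BAD",))

    def get_all_entries(self):
        return self._select("ORDER BY id")


class DataExport:
    """Builds the HTML summary of the database. Every field is escaped before
    it lands in the page: the URL and reason text come from whatever site the
    client visited, and the report is opened in a browser."""
    COLUMNS = ("id", "time", "client", "status", "url", "reason")

    def __init__(self):
        head = "".join(f"<th>{c}</th>" for c in self.COLUMNS)
        self.ips_report_page = [
            "<html><head><meta charset='utf-8'><title>IPS report</title></head><body>",
            f"<table border='1'><tr>{head}</tr>"]

    def add_entry(self, row):
        cells = "".join(f"<td>{html.escape(str(c), quote=True)}</td>" for c in row)
        self.ips_report_page.append(f"<tr>{cells}</tr>")

    def render(self):
        return "\n".join(self.ips_report_page + ["</table></body></html>"])

    def save_to_file(self, path):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(self.render())


def export_report(db):
    """What the server does on request: dump every entry into the HTML page."""
    exp = DataExport()
    for row in db.get_all_entries():
        exp.add_entry(row)
    return exp.render()
```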




4.4.3       Server_Remote_Interface




         ServerRemoteIF
    -add_report_event
    -user_leave_event
    -remote_joint_event
    +add_report()
    +user_leave()
    +register_client()

This class exports to the user (client) the ability to register itself and its events in the
server. It contains events which the dispatcher listens to, and thus communicates
new activities to the rest of the system.




4.4.4      Dispatcher




                     Dispatcher
 -cpu_checker
 -mem_checker
 -fs_checker
 -diag_string_ready_event
 -terminate_gui_event
 -client_IP
 -IE_changed
 +main()
 +start_IE_thred()
 +stop_IE()
 +subscribe_on_events()


This class handles all the inter-communication inside the application. It contains
some events which other classes register with, and in return it registers with
other classes' events. This forms an event-driven application which is very fast and
cheap resource-wise.


4.4.5      GUI
This class gets the user inputs, such as which diagnostics should operate and what
the address of the server is. It communicates only with the Dispatcher, and is also
event driven.




4.5         Sequence Diagrams
4.5.1       Client Registration
After the user has configured the client with the proper diagnostics and server, the
client, through remoting, sends an event that it has joined. The server in turn
writes an entry in the remote SQL database.



[Sequence diagram: Client Registration. Participants: User, Client, Server, DBIF]
User -> Client: Start Client
Client -> Server: Send Join
Server -> DBIF: Write Entry
4.5.2      Client Report
The client is triggered when a page has finished loading and "enough" time has
been waited, or when the timeout for the IE reply has passed. The client then chooses
a URL randomly, browses there, checks its status and sends it to the server. The
server registers the report in the database.



[Sequence diagram: Client Report. Participants: Client, Server, DBIF]
Client: Timeout
Client -> Server: Send Report
Server -> DBIF: Write Entry
4.5.3              Client Work
The dispatcher listens to the GO event, which is driven by the GUI. Once it is set,
the dispatcher starts an IE_Interface task which starts a new IE instance and
browses the web. Once a page has been completely loaded, the IE_Interface
signals the dispatcher, and the dispatcher uses the diagnosers in its container to
check the page's status. After it is done constructing a status string, it sends it to the
server through the Server_Remote_Interface.


[Sequence diagram: Client Work. Participants: User, GUI, Dispatcher, IE_interface, IE, a Diagnoser, Remote_IF]
User -> GUI: Press GO
GUI -> Dispatcher: go event
Dispatcher -> IE_interface: Start thread
IE_interface -> IE: goto url
IE -> IE_interface -> Dispatcher: page done event
Dispatcher -> a Diagnoser: get diagnostics
Dispatcher -> Remote_IF: send status report
Dispatcher -> GUI: update GUI
Dispatcher -> IE_interface: goto url
IE_interface -> IE: goto url
IE -> IE_interface -> Dispatcher: page done event (and so on for the next page)
4.5.4         Server Work
The server work is initiated by events generated by the client. When the dispatcher
is notified of such an event, it checks the string carried with the event and
parses it to see whether its status is BAD or GOOD. According to the status it then
generates a query to the SQL server and sends it through the database interface
(DBIF). The last phase is getting the complete log from the database and displaying
it in the GUI.



[Sequence diagram: Server Work. Participants: IPS_Client, Remote_IF, Dispatcher, DBIF, GUI]
IPS_Client -> Remote_IF: Report (remoting)
Remote_IF -> Dispatcher: Add Report (event)
Dispatcher -> DBIF: Log Report
Dispatcher -> DBIF: Request Log
DBIF -> Dispatcher: Log
Dispatcher -> GUI: Update GUI (log)
4.6         Client Relations Diagram
The dispatcher class gets services from all the other classes, and communicates
with another thread of the IE interface. It holds a container of classes that
implement the Diagnoser interface, and uses them to diagnose the system that runs
the application. The GUI is another thread which is part of the application, and all
the inter-thread communication is event driven, which is faster and lighter than
polling on semaphores.



[Figure: client relations diagram. Dispatcher is associated 1:1 with GUI,
ServerRemoteIF, ClientRemoteIF and IE_interface, and 1:1..* with «interface»
Diagnoser, which fs_checker, cpu_checker and mem_checker implement.]
4.7          Server Relations Diagram
The dispatcher class gets services from all the other classes. The only other thread
in the system is the GUI, and the inter-thread communication is done via events.
The DBIF class controls the connection with the SQL server, whose address is
hard coded. The dataExport class is nothing more than a parser that saves its result
in an external file and opens it with the system's default viewer for HTML files.


[Class diagram, server: Dispatcher has one GUI, one ServerRemoteIF, 0..*
ClientRemoteIF, one DBIF and one DataExport. DBIF operations: addClientEntry(),
removeClientEntry(), getOKClients(), getErrorClients(), getAllClients().]

4.8              Client GUI
The client GUI is an interface we devised as a means of controlling the application,
although in a real-life scenario this GUI might be useless, since it makes controlling
large deployments a big mess.
In the GUI it is possible to enter all the parameters a command line application
might have asked for, which includes which diagnosers the system will use and
where the server is.
A real production system should also support the dictionary and some controls
over the crawler's behavior.
This GUI implementation is a good example of breaking the application into parts:
while other threads in the application might be stuck, and the dispatcher
might wait for a signal, which is a blocking operation, the GUI is always alive and
the buttons keep working.


[Figure: client GUI. Widgets: display of the client's current site, status and
statistics; server name input; diagnoser check boxes; Start button; End button.]

4.9           Server GUI
Unlike the client GUI, I believe that for the server a GUI is an essential
management tool. This GUI gives control over everything that can be managed
in the project: it can control the clients, the SQL server, the reporting system and
more.
Another function of this GUI is to give real-time data on what is happening in the
system without the need to create a status file. It is like a
window into the system, through which the administrator can observe the
system without really having to open the door.



[Figure: server GUI. Widgets: list of clients with OK status; list of clients with
ERROR status; START/END server work; export database as HTML file; clear the
database; kill client by name.]

5. Implementation
5.1        Using IE
The IPS client application drives an Internet Explorer instance. This is done
through the COM library SHDocVw.dll. For the .NET application to be able to
use this library, the COM type library must first be wrapped in an interop
assembly. Follow these steps:
   - In a Windows command prompt, go to the project directory.
   - Type the following command (the path is the Visual Studio .NET 2003
     SDK location used in this project):
       "c:\Program Files\Microsoft Visual Studio .NET
       2003\SDK\v1.1\Bin\aximp" c:\WINDOWS\system32\shdocvw.dll

   - When aximp finishes, it reports the two generated assemblies: SHDocVw.dll
     is the COM interop assembly and AxSHDocVw.dll is the ActiveX control
     wrapper (only the former is needed to drive a separate IE window):
       Generated Assembly: E:\technion\IPS_Client\SHDocVw.dll
       Generated Assembly: E:\technion\IPS_Client\AxSHDocVw.dll

   - Add SHDocVw.dll to the project:
     a. Under Solution Explorer, right-click References -> Add Reference
     b. Click Browse
     c. Choose SHDocVw.dll
     d. OK
   - In the relevant class, add "using SHDocVw;"
Using IE from the code is now quite simple and straightforward:

private static SHDocVw.InternetExplorer ie = null;

// create a new, visible IE window
ie = new SHDocVw.InternetExplorerClass();
ie.Visible = true;

// Navigate() takes the URL plus four optional COM arguments (flags, target
// frame name, POST data, extra headers); a null object is passed for each
string url = "www.technion.ac.il";
object dummy = null;
ie.Navigate( url, ref dummy, ref dummy, ref dummy, ref dummy );
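The snippet above navigates once and forgets about the window. The client also has to notice when a page never finishes loading or when the IE instance is closed or crashes, and relaunch it (this is the "faulty IE" case tested in section 7.4). The following is an added example written for this page, not code from the project: it wraps the same SHDocVw calls in a small driver that polls the browser's ReadyState against a deadline and recreates the instance on timeout or on a COM error. The class name, the timeout value and the polling approach are assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;
using SHDocVw;

// Added example, not the project's code: drives one IE instance through a list
// of URLs, treats a page that has not finished loading within the timeout (or an
// instance that is no longer there) as a faulty IE, and relaunches it.
class IeDriver
{
    private InternetExplorer ie;
    private readonly int timeoutMs;

    public IeDriver(int timeoutMs) { this.timeoutMs = timeoutMs; }

    private void Launch()
    {
        ie = new InternetExplorerClass();
        ie.Visible = true;
    }

    // Returns true when the page finished loading within the timeout.
    // Returns false, with a fresh IE instance launched, on a timeout or when
    // the running instance has gone away.
    public bool Visit(string url)
    {
        if (ie == null) Launch();
        try
        {
            object dummy = null;
            ie.Navigate(url, ref dummy, ref dummy, ref dummy, ref dummy);

            DateTime deadline = DateTime.Now.AddMilliseconds(timeoutMs);
            while (DateTime.Now < deadline)
            {
                // Busy clears and ReadyState reaches COMPLETE once the top-level
                // document, including its frames, has loaded.
                if (!ie.Busy && ie.ReadyState == tagREADYSTATE.READYSTATE_COMPLETE)
                    return true;
                Thread.Sleep(250);
            }
            Console.WriteLine("timeout on " + url + ", restarting IE");
            Kill();
        }
        catch (COMException ex)
        {
            // Every call into a closed or crashed instance fails with a COM error
            // (RPC server unavailable / disconnected); treat it as faulty IE.
            Console.WriteLine("IE instance gone (" + ex.Message + "), restarting IE");
            ie = null;
        }
        Launch();
        return false;
    }

    private void Kill()
    {
        try { ie.Quit(); } catch (COMException) { }
        ie = null;
    }

    static void Main(string[] args)
    {
        IeDriver driver = new IeDriver(30000);   // 30 seconds per page (assumed)
        string[] sites = args.Length > 0 ? args : new string[] { "www.technion.ac.il" };
        foreach (string site in sites)
            Console.WriteLine(site + " -> " + (driver.Visit(site) ? "loaded" : "failed"));
    }
}
```

One caveat a deployment should plan for: COM calls into an IE whose UI thread is genuinely hung block the caller, so a production watchdog runs this check from a separate thread (the dispatcher thread of the class diagram) and, on timeout, terminates the iexplore.exe process rather than relying on Quit() returning.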




5.2           Using SQL Server
In order to use a remote SQL server, the first thing is to add "using
System.Data.SqlClient;" to the class that will handle this connection.

The next thing to do is connect to the server:

// connection string parts: credentials, server instance and database
string user   = "uid=ips; ";
string pass   = "password=ips; ";
string server = "server=softlab-dev-web\\SQL2005;";
string db     = "database=IPS; ";
// create connection with all params
myConnection = new SqlConnection( user + pass + server + db );

// open the connection
try
{
    myConnection.Open();
}
catch(Exception e)
{
    Console.WriteLine(e.ToString());
}

After the connection is open, the next thing is to format a legal SQL query and
execute it. Note that the three values are pasted straight into the statement
text: a single quote inside the site string, which comes from whatever page the
crawler happened to visit, changes the statement itself.

// the values end up inside the SQL text as written; 'site' is attacker-chosen
SqlCommand myCommand =
    new SqlCommand( "INSERT into IPS_clients VALUES('" + client_addr + "','" +
                    status + "','" + site + "')",
                    myConnection);

int num_rows_effected = 0;
try
{
    num_rows_effected = myCommand.ExecuteNonQuery();
}
catch(Exception e)
{
    // do not swallow the error silently: a failed insert is a lost report
    Console.WriteLine(e.ToString());
}
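The server step of section 4.5 (take the status out of a client report and log it through the DBIF) and the INSERT above are the two places where data from a visited site reaches the database. The following added example, which is not the project's code, shows the original concatenation next to a hardened version that checks the status against the two values the protocol defines and passes every value as a typed parameter. The column names client_addr, status and site are assumptions (the original INSERT lists values only), and the malicious site string is constructed for the demonstration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the project's code: logs one client report into the
// IPS_clients table of section 5.2 the safe way, and shows why the original
// string concatenation is not safe.
class ReportLogger
{
    private readonly SqlConnection conn;

    public ReportLogger(SqlConnection conn) { this.conn = conn; }

    // The statement exactly as the report's code builds it. Whoever controls
    // the site string controls the SQL; for a crawler that is the remote site.
    public static string BuildUnsafeInsert(string clientAddr, string status, string site)
    {
        return "INSERT into IPS_clients VALUES('" + clientAddr + "','" +
               status + "','" + site + "')";
    }

    // Hardened version: status must be one of the two protocol values, the
    // site is length-capped, and all values travel as parameters, never as SQL.
    public int Log(string clientAddr, string status, string site)
    {
        if (status != "GOOD" && status != "BAD")
            throw new ArgumentException("unknown status in report: " + status);
        if (site == null || site.Length > 2048)
            throw new ArgumentException("site missing or too long");

        SqlCommand cmd = new SqlCommand(
            "INSERT INTO IPS_clients (client_addr, status, site) " +
            "VALUES (@addr, @status, @site)", conn);
        cmd.Parameters.Add("@addr", SqlDbType.VarChar, 64).Value = clientAddr;
        cmd.Parameters.Add("@status", SqlDbType.VarChar, 8).Value = status;
        cmd.Parameters.Add("@site", SqlDbType.NVarChar, 2048).Value = site;
        return cmd.ExecuteNonQuery();   // 1 on success; errors propagate to the caller
    }

    static void Main()
    {
        // Constructed malicious "site": a visited page can put any string into
        // the client's report. With the unsafe builder it becomes a second
        // statement in the batch that ExecuteNonQuery() sends to SQL Server.
        string evilSite = "http://x/'); DELETE FROM IPS_clients; --";
        Console.WriteLine(BuildUnsafeInsert("10.0.0.5", "BAD", evilSite));
        // INSERT into IPS_clients VALUES('10.0.0.5','BAD','http://x/'); DELETE FROM IPS_clients; --')

        // Same server instance as the report; integrated authentication instead
        // of the "ips/ips" credentials in the source (assumed to be configured).
        using (SqlConnection conn = new SqlConnection(
            "server=softlab-dev-web\\SQL2005;database=IPS;Integrated Security=SSPI"))
        {
            conn.Open();
            ReportLogger logger = new ReportLogger(conn);
            Console.WriteLine("rows inserted: " + logger.Log("10.0.0.5", "BAD", evilSite));
        }
    }
}
```

With the parameterized statement the same string is stored as an ordinary value of the site column; the allowlist on status also rejects a client (or an impersonator on the remoting port) that reports anything other than GOOD or BAD.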



5.3         Diagnostics Module
5.3.1 CPU Usage
The CPU usage diagnostic object is based on the .NET PerformanceCounter class.
In order to use this counter the following declaration must be made:

PerformanceCounter cpuCounter = new PerformanceCounter();

cpuCounter.CategoryName = "Processor";
cpuCounter.CounterName = "% Processor Time";
cpuCounter.InstanceName = "_Total";

In order to get the value of the CPU usage, the following call must be made
several times:

float cpu = cpuCounter.NextValue();

"% Processor Time" is a rate counter, so the first call always returns zero: a
rate needs two samples taken some time apart. Only from the second call on, with
a delay between calls, is the returned value meaningful.

In this project, I have decided that a jump of more than 50 percent indicates a
malicious site, and this triggers an error event.




5.3.2        Memory Utilization
In order to get the amount of used memory, as with the CPU usage, we
again need the PerformanceCounter .NET class:

private int get_mem_usage()
{
    // "Available MBytes" is an instantaneous counter, so a single NextValue()
    // is valid; it reports free memory, so a rise in usage shows up as a drop
    PerformanceCounter ramCounter = new
            PerformanceCounter("Memory", "Available MBytes");

    return (int)ramCounter.NextValue();
}

For this diagnoser we have decided that when there is a jump in memory
utilization of 250 MB (that is, 250 MB less available memory than before the
visit), the last visited site is a malicious one and an error event is generated.
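Sections 5.3.1 and 5.3.2 each show how to read one counter but not how the reading becomes a decision. The following added example, written for this page and not taken from the project, puts both behind the Diagnoser interface from the class diagram: a baseline sample is taken before the visit, a second one after it, and the jump is compared with the report's thresholds (50 percentage points, 250 MB). The interface members, the sampling interval and the demo loop are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Threading;

// Added example, not the project's code. The interface name Diagnoser comes
// from the report's class diagram; its members and the checkers' internals
// are assumptions.
interface Diagnoser
{
    string Name { get; }
    void Baseline();        // sample before the client navigates to a site
    bool IsSuspicious();    // sample again after the page loaded and compare
}

class CpuChecker : Diagnoser
{
    private readonly PerformanceCounter cpu =
        new PerformanceCounter("Processor", "% Processor Time", "_Total");
    private readonly float jumpThreshold;   // percentage points; the report uses 50
    private float baseline;

    public CpuChecker(float jumpThreshold) { this.jumpThreshold = jumpThreshold; }
    public string Name { get { return "cpu_checker"; } }

    // "% Processor Time" is a rate counter: one NextValue() cannot compute a rate,
    // so the first call returns 0. Take two samples a fixed interval apart and use
    // the second, rather than calling NextValue() until it is non-zero (which
    // never terminates on a machine that really is idle at 0%).
    private float Sample()
    {
        cpu.NextValue();
        Thread.Sleep(1000);
        return cpu.NextValue();
    }

    public void Baseline() { baseline = Sample(); }
    public bool IsSuspicious() { return Sample() - baseline > jumpThreshold; }
}

class MemChecker : Diagnoser
{
    private readonly PerformanceCounter avail =
        new PerformanceCounter("Memory", "Available MBytes");
    private readonly float jumpThresholdMb;   // the report uses 250
    private float baselineAvail;

    public MemChecker(float jumpThresholdMb) { this.jumpThresholdMb = jumpThresholdMb; }
    public string Name { get { return "mem_checker"; } }

    // "Available MBytes" is an instantaneous value, so one sample is valid.
    // A jump in memory used is a drop in memory available, hence the reversed
    // subtraction compared with the CPU case.
    public void Baseline() { baselineAvail = avail.NextValue(); }
    public bool IsSuspicious() { return baselineAvail - avail.NextValue() > jumpThresholdMb; }
}

class DiagnoserDemo
{
    static void Main()
    {
        Diagnoser[] checks = { new CpuChecker(50), new MemChecker(250) };
        foreach (Diagnoser d in checks) d.Baseline();

        // In the client this is where the crawler navigates IE to the next site;
        // here we simply wait so that a second sample is taken later.
        Thread.Sleep(5000);

        string status = "GOOD";   // the two values the report to the server carries
        foreach (Diagnoser d in checks)
        {
            if (d.IsSuspicious())
            {
                Console.WriteLine(d.Name + " tripped");
                status = "BAD";
            }
        }
        Console.WriteLine("status: " + status);
    }
}
```

Because _Total covers the whole machine, anything else running on the client (an update, the GUI thread repainting) can trip the 50-point rule; the same counters are available per process (the "Process" category with the iexplore instance name), which confines the measurement to the browser the crawler actually drives.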




5.3.3       File System Changes
This diagnosis class is trickier to implement since there is no direct way of
telling the number of files in a directory tree.
For this diagnoser I first created a sub-class that can iterate folders. Then I let
it iterate all the folders under the Windows directory and count the files.
This diagnoser needs high privileges to run, since a normal user cannot access
many of the directories under the Windows directory, so it cannot always be used.
We created this class as a compromise, since the original intention was to check
the registry for changes, but we discovered that checking the registry
demanded very high privileges and was very time consuming.
Another option was to check the integrity of the cookies.
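The privilege problem described above decides whether this check is usable at all, so the walk has to survive an access-denied directory instead of aborting, and it has to say how much of the tree it could not see. The following added example, written for this page and not the project's fs_checker, counts files under a root the way the section describes while skipping unreadable directories, not following junctions, and reporting the number of blind spots. The class name and members are assumptions.

```csharp
using System;
using System.IO;

// Added example, not the project's code: counts the files below a directory tree
// without aborting on directories the current account cannot read, and reports
// how many such directories were skipped.
class FsChecker
{
    private readonly string root;
    private int baseline;
    private int skipped;

    public FsChecker(string root) { this.root = root; }

    // Directories that could not be read in the last count. If this is not zero
    // the check has blind spots: run as administrator or treat the result as partial.
    public int Skipped { get { return skipped; } }

    public int CountFiles()
    {
        skipped = 0;
        return Walk(root);
    }

    private int Walk(string dir)
    {
        int count;
        string[] subdirs;
        try
        {
            count = Directory.GetFiles(dir).Length;
            subdirs = Directory.GetDirectories(dir);
        }
        catch (UnauthorizedAccessException)
        {
            skipped++;          // access denied: note it and keep walking
            return 0;
        }
        catch (DirectoryNotFoundException)
        {
            return 0;           // removed while we were walking
        }
        foreach (string sub in subdirs)
        {
            // Do not follow junctions or symbolic links: they can point back up
            // the tree, which would count files twice or never finish.
            if ((File.GetAttributes(sub) & FileAttributes.ReparsePoint) != 0)
                continue;
            count += Walk(sub);
        }
        return count;
    }

    public void Baseline() { baseline = CountFiles(); }

    // A file created or deleted since the baseline (the two cases exercised in
    // the unit test of section 7.3) changes the count.
    public bool Changed() { return CountFiles() != baseline; }

    static void Main()
    {
        string windir = Environment.GetEnvironmentVariable("SystemRoot");
        FsChecker fs = new FsChecker(windir);
        fs.Baseline();
        Console.WriteLine("files under " + windir + ": " + fs.CountFiles()
                          + ", unreadable directories: " + fs.Skipped);
        // In the client this is where the crawler visits the next site.
        Console.WriteLine(fs.Changed() ? "file system changed" : "no change");
    }
}
```

A count only sees files added or removed; a file overwritten in place leaves it unchanged. Recording size and modification time (or a hash) per file catches that case at the cost of a slower walk, which is the same trade-off the report ran into with the registry check.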




5.3.4       Registry Corruption
The first version of the client contained a diagnoser module that was able to track
changes in the registry of the Windows system. There is much logic in tracking
these changes, since they affect the behavior of every aspect of the system and are
very difficult to see.
Getting information regarding the registry is done using the .NET class
Microsoft.Win32.RegistryKey. This class can be used both to monitor and to modify
the registry.
We observed that even when the permission level is sufficient, this diagnoser class
is only useful for the first couple of runs; afterwards the check is so slow and
resource consuming that the client might decide the site was malicious, and in
any case the client appears stuck for long periods of time.
The implementation of the class remained in the project code, but it is never
called.
In our research we found that there are some commercial tools that might
supply information regarding the registry in a way that is not time consuming,
but because of lack of documentation we decided to abandon this path.




6. Deployment HOWTO
This section describes how to deploy the HoneyNet.
6.1         Setting up the server
Requirements:
   - A running and reachable SQL server
   - A valid database (format) in the SQL server

The server does not require any installation: just double-click the server icon and
the GUI will appear.

   - The address of the SQL server is hard coded in the IPS server.
   - Press Start.




6.2        Setting up the client
Requirements:
   - Admin privileges in order to check the Windows file system or registry.

The IPS client does not require any installation: just click the icon and the
application appears.

The first thing to do is fill in the name of the IPS server. Then check the boxes of
the desired checks; it is recommended to check all boxes. The last thing to do is
press the GO button and let the crawler work!




7. Unit Testing
7.1        CPU Error simulation
In order to check the client's detection of a CPU utilization jump, I generated
graphical activity which caused a utilization jump of more than 50 percent; this
was detected by the client.

7.2        MEMORY Error simulation
In order to check the client's detection of a memory usage jump, I generated
application memory usage activity which caused a jump of more than 100 MB; this
was detected by the client.

7.3        File System Error simulation
In order to check the client's detection of a change in the Windows directory
structure, I once created a new file in this directory while the client was running,
which was detected by the client, and once erased a file, which was also detected.

7.4        Faulty IE simulation
A faulty IE is easily simulated by closing the running instance of IE. The system
detected this when a timeout occurred, and launched a new instance of IE.




8. Conclusions and Problems
   - Information regarding the topics covered in this project is hard to
     come by, and was mostly gathered by trial and error.
   - It is wiser to modify the protocol between the clients and the server in a way
     that will enable the server to know where the client is heading, and then whether
     it succeeded. In this way, if the client found a malicious page that caused it to
     crash, the server will also know about it. This change requires a change in the
     server architecture (work with a thread pool and negotiate a session with each
     client).
   - Using the IPS system is very effective and easy to deploy. A model in which IPS
     is run in idle time should be considered in any computer farm, since the
     computing power is handy.
   - Having a main server which gives the clients dictionaries and starting points
     might be a good idea, since it avoids checking the same places twice and gives
     a more flexible approach to the security expert managing the system.
   - If the system (client) were distributed on a live CD, it would be safer to
     deploy in working networks, since it guards their actual data and OS.
   - Another option is using virtual machines, like VMware images, that can be
     freely handed out to be used for this purpose.




9. Possible future work

   - Change the protocol between the clients and the server, so that a client may
     tell where it intends to go and then report whether it got there. Some sites may
     be so dangerous that the client will not have sufficient resources to tell it has
     a problem. This method changes the whole way the server is built, since we need
     active inspection of all client activity. The server will have to get a report,
     remember that it got this report and manage a timeout. An efficient way to do
     this is to manage a thread pool and assign each client a thread, which will
     collect better data on the client's behavior.

   - URL management: in the current configuration, each client decides for itself
     where it should go. If we modify the system to work more like a search
     engine, each client will report to the server the page it found and what it
     extracted from it. The server will maintain a database (also in an SQL
     server) and will tell the client where it should go. In this way we solve the
     problem of two clients going to the same page, and get better utilization of
     our honeynet resources.

   - In the pursuit of safer networks, it is possible to combine the data collected
     by such a project with a DNS server and give each site a grade that tells
     how safe it is, or how safe its domain is. New versions of Internet Explorer
     could have a gauge that can be set to the amount of security the user wishes to
     have, and in this way we could block whole segments of malicious networks.

   - It is possible to add a new diagnoser to the system that checks the validity of
     the cookie requests made by the site. Sites that plant cookies may be marked
     as unsafe (according to user specifications), and sites that request cookies
     they did not plant are also of a malicious type. For example, a site that
     requests a cookie of some bank, or the Google cookie, should also be considered
     dangerous.




10.        Thanks
First and foremost I would like to thank my wife for withstanding the long hours
this project required me to work in the lab. Without the assistance of my advisor
Max Uritzky from Microsoft IL, who originally came up with the idea for this
project, none of this would have happened. Final thanks to the great team at the
softlab, who helped me unleash this project on many resources at once, granting
me admin privileges for my experiments and letting me use the SQL server.




                     "Friends applaud, the comedy is over."



