Abstract- The last few years have seen a steady rise in large-scale automated attacks. A large number of zombie computers that belong to a single botnet of compromised hosts can be used to launch attacks against specific classes of Internet users such as enterprises, academic campuses, web servers, and home users. In this paper we focus on the detection of large-scale automated attacks. Honeynets can be a valuable tool for detecting automatically spreading malware.
The experimental setup was deployed with three Windows machines to study how large-scale automated attacks are carried out by malware that executes automatically in a given scenario. We deployed three machines, one running a web server with a hosted website and two Windows XP machines with similar configurations, so as to simulate a small network.
An automated attack involves intelligent, autonomous programs or code that run on a computer and spread through networks without user intervention. Automated attacks usually spread to other networks with the help of worms. Worms resemble biological viruses in their self-replicating and propagating behaviour.
Signs of an automated attack are as follows:
• Several different types of attack, in quick succession
• Exploits not designed specifically for the platform attacked
• The same attack tried over and over again in quick succession, without changing any parameters
• Typing too fast to be done by a person, without any typos
• Exploit code used is specific to the platform attacked
Signs of a Manual attack:
• Random typos in commands, with a lot of retyping
• Random periods of time between different mechanisms of attack
• Signs of prior intelligence gathering (such as pinging or port scans)
Malware uses a number of other propagation methods, e.g. USB devices and e-mail, which a network honeypot does not observe. Therefore we can only give a lower bound for the amount of autonomously spreading malware in our environment.
Using honeypots allows us to carry out a study like this without privacy issues: since a honeypot is merely a network decoy that should not receive any network connections at all, any interaction with it is malicious by definition (in practice, unsolicited traffic also includes backscatter and misconfiguration, so the analyst still has to confirm intent from the captured activity).
Fig:1 shows the flow of our detection model. Data from the honeypots is captured on the honeywall and has two main components, network activity and host activity. Within network activity we separate scanning activity from download activity, and the two are correlated using a time window. After the attack profiles are extracted, we categorize them into automated and manual attacks.
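The correlation and categorization step of the model above, together with the signs of automated and manual attacks listed earlier, can be expressed as code. The block below is an added example, not the paper's detection software or the honeywall's own analysis: the honeypot addresses, the flow and download records, the 30-minute correlation window, the 5-second "quick succession" threshold and the use of port 0 as a label for ICMP echo are all constructed assumptions for illustration. It builds one attack profile per download (the scans from the same source against any honeypot inside the window before the download) and then labels the profile from the signs: several honeypots hit in the same second, an identical attempt repeated, several different services tried at once, versus a ping beforehand and long uneven pauses between steps.

```python
"""Correlate honeynet scanning and download activity into attack profiles
and label each profile automated or manual.  Added example; the records,
addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

HONEYPOTS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}  # assumed honeypot addresses

# Constructed network-activity records: (timestamp, src, dst, dst_port).
# Port 0 is used here as a label for ICMP echo (ping), an assumed convention.
FLOWS = [
    ("2009-03-10 14:43:42", "10.0.1.5", "10.0.0.11", 445),  # three honeypots hit
    ("2009-03-10 14:43:42", "10.0.1.5", "10.0.0.12", 445),  # in the same second
    ("2009-03-10 14:43:42", "10.0.1.5", "10.0.0.13", 445),
    ("2009-03-10 14:43:43", "10.0.1.5", "10.0.0.11", 445),  # identical attempt repeated
    ("2009-03-10 14:43:43", "10.0.1.5", "10.0.0.11", 445),
    ("2009-03-10 14:43:44", "10.0.1.5", "10.0.0.11", 135),  # other services tried at once
    ("2009-03-10 14:43:44", "10.0.1.5", "10.0.0.11", 139),
    ("2009-03-10 15:02:10", "10.0.2.9", "10.0.0.12", 0),    # ping, then a port probe,
    ("2009-03-10 15:02:31", "10.0.2.9", "10.0.0.12", 80),   # then long uneven pauses
    ("2009-03-10 15:09:05", "10.0.2.9", "10.0.0.12", 445),
    ("2009-03-10 15:16:48", "10.0.2.9", "10.0.0.12", 445),
]
# Constructed download-activity records: (timestamp, honeypot, egg source, file name).
DOWNLOADS = [
    ("2009-03-10 14:44:10", "10.0.0.11", "10.0.1.5", "unwise_.exe"),
    ("2009-03-10 15:17:30", "10.0.0.12", "10.0.2.9", "tool.exe"),
]
QUICK = timedelta(seconds=5)   # "quick succession" threshold, an assumption


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(flows, downloads, window=timedelta(minutes=30)):
    """One attack profile per download: the scanning activity of the same
    source against any honeypot inside `window` before the download."""
    profiles = []
    for when, honeypot, src, fname in downloads:
        t = ts(when)
        scans = sorted((ts(a), s, d, p) for a, s, d, p in flows
                       if s == src and d in HONEYPOTS and t - window <= ts(a) <= t)
        profiles.append({"source": src, "honeypot": honeypot, "file": fname,
                         "download_at": t, "scans": scans})
    return profiles


def automated_signs(scans):
    signs = []
    if not scans:
        return signs
    by_second = defaultdict(set)            # timestamp -> honeypots hit in that second
    for t, _, dst, _ in scans:
        by_second[t].add(dst)
    if any(len(targets) >= 2 for targets in by_second.values()):
        signs.append("several honeypots hit in the same second")
    by_attack = defaultdict(list)           # (dst, port) -> timestamps, already sorted
    for t, _, dst, port in scans:
        by_attack[(dst, port)].append(t)
    if any(len(times) >= 3 and times[-1] - times[0] <= QUICK for times in by_attack.values()):
        signs.append("same attack repeated unchanged in quick succession")
    ports = {port for _, _, _, port in scans}
    if len(ports) >= 3 and scans[-1][0] - scans[0][0] <= QUICK:
        signs.append("several different attacks in quick succession")
    return signs


def manual_signs(scans):
    signs = []
    if any(port == 0 for _, _, _, port in scans):
        signs.append("prior intelligence gathering (ping)")
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(scans, scans[1:])]
    # Long and uneven pauses between steps: a human thinking, not a loop.
    if len(gaps) >= 2 and mean(gaps) >= 10 and pstdev(gaps) / mean(gaps) >= 0.5:
        signs.append("long irregular pauses between attack steps")
    return signs


def classify(profile):
    auto, manual = automated_signs(profile["scans"]), manual_signs(profile["scans"])
    if len(auto) >= 2 and len(auto) > len(manual):
        label = "automated"
    elif manual and len(manual) >= len(auto):
        label = "manual"
    else:
        label = "undetermined"
    return label, auto, manual


def labels(flows=FLOWS, downloads=DOWNLOADS):
    """Map each egg source to its label; the entry point a reader can call."""
    return {p["source"]: classify(p)[0] for p in correlate(flows, downloads)}


if __name__ == "__main__":
    for profile in correlate(FLOWS, DOWNLOADS):
        label, auto, manual = classify(profile)
        print(profile["source"], "->", profile["honeypot"], profile["file"], label, auto, manual)
```

The thresholds are the weakest part of any such classifier: a worm that randomizes its inter-probe delay defeats the "quick succession" tests, and a human running a script shows automated timing for that step. That is why the paper keeps the host-activity (Sebek) side as a second source; keystroke timing and typos are harder for a worm to fake than flow timing.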
Fig:1 Detection Model Flow (honeynet flow data and Sebek data; network activity split into scanning and download activity, host activity taken from Sebek logs)
Fig:2 Experimental Setup (honeywall with the Walleye management interface, two Windows XP honeypots and one Windows 2003 Advanced Server)
We used a honeynet test system built on three virtual honeypots, with the following main components:
Honeywall: the honeynet gateway used to implement data control and data capture. It normally operates as a layer-two bridge between the honeypots in the honeynet and the production network, and it is one of the most critical elements of a honeynet.
Honeywall management interface (Walleye): a web interface that has all the functionality of the dialog menu and more. It is used not only for administration but also for full system data analysis; Walleye is the web-based user interface for Honeywall administration, configuration, and data analysis.
Three virtual honeypots: connected through a virtual switch to the honeywall and the management interface; two Windows XP machines with similar configuration and one Windows 2003 Advanced Server machine.
Fig:3 Sudden rise in number of connections after the system gets infected
Our analysis starts from the management interface. Once a system gets infected, a huge amount of activity is reported from the IP xxx.129.220.204: starting from thousands of connections per hour, the activity increases to lakhs (hundreds of thousands) of connections per hour. This acts as the triggering point for our analysis.
From the triggering point we inspected the alerts through the management interface and found that the IP xxx.129.140.142 tried to infect all three of our honeypots at the same time, 14:43:42. This also indicates an automated attack.
Fig:4 Single IP trying to infect three honeypots at the same time
Since such a huge number of connections were made to and from our honeypots, and xxx.129.220.204 was also performing a large number of scans against other PCs, we assumed that some malware had been downloaded: heavy activity was reported on ports 135, 445 and 139 (Windows RPC endpoint mapper, SMB over TCP and NetBIOS session service), which are the ports most commonly exploited by automated malware, as shown in our previous case study.
Total number of connections:
• From the number of connections we observed that the infected honeypot is xxx.129.220.204
• Ports on which maximum communication took place: 135, 445, 139
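The triage the preceding paragraphs describe, a sudden jump in hourly connection count as the trigger and then the honeypot with the most connections, the busiest ports and the port with the most outbound scanning, can be run over honeywall flow records. The block below is an added example and not the paper's analysis tooling: the honeypot addresses, the generated flow records (a background of a few hundred probes per honeypot per hour, then one honeypot sweeping outward by the tens of thousands), the tenfold trigger factor and the port mix are all constructed assumptions.

```python
"""Trigger on a sudden rise in hourly connection count and triage the
triggered hour: infected honeypot, top ports, top outbound scan port.
Added example with constructed flow records, not the paper's data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HONEYPOTS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}  # assumed honeypot addresses
BACKGROUND_PORTS = [445, 135, 139, 80]               # assumed background probe mix


def build_flows():
    """Constructed honeywall flow records (timestamp, src, dst, dst_port).
    13:00 hour: background probing of each honeypot, 300 flows apiece.
    14:00 hour: the same background, plus 10.0.0.11 (now infected) sweeping
    outward on 445/135/139 twenty thousand times."""
    flows = []
    for hour in (13, 14):
        base = datetime(2009, 3, 10, hour, 0, 0)
        for i in range(300):
            for hp in sorted(HONEYPOTS):
                flows.append((base + timedelta(seconds=12 * i),
                              f"10.0.1.{i % 250 + 1}", hp, BACKGROUND_PORTS[i % 4]))
    infected_at = datetime(2009, 3, 10, 14, 5, 0)
    for i in range(20000):                   # 150 ms apart: 14:05 to 14:55
        port = 445 if i % 10 < 7 else (135 if i % 10 < 9 else 139)
        flows.append((infected_at + timedelta(milliseconds=150 * i),
                      "10.0.0.11", f"172.16.{i // 250 % 256}.{i % 250 + 1}", port))
    return flows


def hour_of(t):
    return t.replace(minute=0, second=0, microsecond=0)


def hourly_counts(flows):
    """Connections per hour per honeypot, counting both directions."""
    counts = defaultdict(Counter)
    for t, src, dst, _ in flows:
        for hp in (src, dst):
            if hp in HONEYPOTS:
                counts[hour_of(t)][hp] += 1
    return counts


def find_triggers(hourly, factor=10):
    """Hours in which a honeypot's connection count jumped by `factor`
    over the previous hour (the thousands-to-lakhs jump in the text)."""
    hours = sorted(hourly)
    found = []
    for prev, cur in zip(hours, hours[1:]):
        for hp in sorted(HONEYPOTS):
            before, now = hourly[prev][hp], hourly[cur][hp]
            if before and now >= factor * before:
                found.append((cur, hp, before, now))
    return found


def triage(flows, hour):
    """For the triggered hour: which honeypot, which ports, which outbound scan port."""
    per_hp, ports, outbound = Counter(), Counter(), Counter()
    for t, src, dst, port in flows:
        if hour_of(t) != hour:
            continue
        for hp in (src, dst):
            if hp in HONEYPOTS:
                per_hp[hp] += 1
        ports[port] += 1
        if src in HONEYPOTS and dst not in HONEYPOTS:   # honeypot scanning outward
            outbound[port] += 1
    return {
        "infected": max(per_hp, key=per_hp.get),
        "top_ports": [p for p, _ in ports.most_common(3)],
        "top_outbound_scan_port": outbound.most_common(1)[0][0] if outbound else None,
        "outbound_scans": sum(outbound.values()),
    }


if __name__ == "__main__":
    flows = build_flows()
    for hour, hp, before, now in find_triggers(hourly_counts(flows)):
        print(f"trigger: {hp} went from {before} to {now} connections in hour {hour:%H}:00")
        print(triage(flows, hour))
```

Counting both directions matters: the infected honeypot shows up mainly through its own outbound scans, which is also why the split between inbound "top attacked ports" and outbound scan ports is kept separate in the result.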
Forensic analysis of the infected machine:
• 1 malware binary found
• Name: unwise_.exe
• Size: 139 KB
• Ports on which maximum communication took place: 135, 445, 139
• Port on which most outbound scanning is performed: 445
The system received attacks, scans and probes on the following ports just before it got infected.
Fig:5 Top Attacked Ports
Activity performed by the honeynet after it gets infected:
Fig:6 Outward scans performed by the system after getting infected
Results were validated by installing BotHunter, which confirms that the two Windows XP machines get infected by
To study the behaviour of the malware-infected machine we used BotHunter.
BotHunter shows the malware download source IP (egg source IP) and some of the activity performed by the infected machine (xxx.129.220.204): it became infected, became a bot, and tried to infect other machines.
After some time all three of our machines got infected and became bots.
The malicious IP xx.21.41.66 stated above is the egg source IP found by BotHunter.
Machines receive requests from PCs in the network that are infected with the automated malware, and this continues until the machine itself gets infected.
The two Windows XP machines got infected at the same time; if there had been 10 machines in the network they would also have been infected at the same time, and a large army of zombie machines would be ready to attack other systems.
A huge amount of traffic is generated when one machine gets infected; if a number of machines get infected at the same time, it can easily choke the network.
This experiment also gives insight into large-scale coordinated attacks on a network.