Title: Investigation of a Method for Detecting New Scanning Activities by Correlating Low-Interaction Honeypots with Darknet (Internet Architecture)
Author(s): Akiyoshi, Ryoh; Kotani, Daisuke; Okabe, Yasuo
Citation: IEICE Technical Report (信学技報) (2017), 117(294): 13-18
Issue Date: 2017-11-10
URL: http://hdl.handle.net/2433/232697
Right: 2017 The Institute of Electronics, Information and Communication Engineers (IEICE)
Type: Journal Article
Textversion: publisher
Kyoto University
THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS (IEICE), IEICE Technical Report IA2017-25 (2017-11)

Investigation of A Method for Detecting New Scanning Activities by Correlating Low-Interaction Honeypots with Darknet
Ryoh AKIYOSHI, Daisuke KOTANI, and Yasuo OKABE
Graduate School of Informatics, Kyoto University, Yoshida-Honmachi, Sakyo-ku, Kyoto, 606-8501 JAPAN
Academic Center for Computing and Media Studies, Kyoto University, Yoshida-Honmachi, Sakyo-ku, Kyoto, 606-8501 JAPAN
E-mail: aky@net.ist.i.kyoto-u.ac.jp, {kotani,okabe}@media.kyoto-u.ac.jp

Abstract: In this paper, we discuss a method for detecting new scanning activities by using low-interaction honeypots and a darknet. High-interaction honeypots can obtain rich information; however, they are difficult to deploy safely from a security viewpoint. In contrast, although low-interaction honeypots can observe only limited attacks, they can be implemented relatively safely. We therefore investigate a method to associate data obtained from a low-interaction honeypot with data obtained from a darknet. With this, new scanning activities can be detected automatically, since rich information can be obtained safely and efficiently. In this paper, we conducted experiments that classify data obtained by Lurker based on the payloads, and we discuss the results.

Key words: Darknet, Low-interaction honeypot, Classification

1. Web IDS (Intrusion detection system) Snort [1] Bro [2] IoT Mirai IDS IP IP [3] IP

This article is a technical report without peer review, and its polished and/or extended version may be published elsewhere. Copyright 2017 by IEICE
IP 1 TCP Honeynet Project [4] OS SSH Cowrie [5] (BLACKHOLE, EPMAP, FTP, HTTP, MEMCACHE, MIRROR, MQTT, MSSQL, MYSQL, PPTP, SIP, SMB, TFTP, UPNP) Dionaea [6], TCP SYN SYN+ACK ICMP Echo ICMP Reply Lurker [7] Lurker Lurker TCP SYN ICMP Echo 1 Cowrie Dionaea Lurker Lurker 2 3 4 5

2. Correlation Analysis System [8] Honeypot Darknet Macro analysis System (MacS), Micro analysis System (MicS), Network and malware enchaining System (NemeSys), Incident Handling System (IHS) 4 MacS ICMP SYN MicS API URL API NemeSys MacS MicS IHS GUI Hoepers CSIRT [12] 1 Firewall Hogwash Forensics IDS
[byte] 1 [byte] 2 [byte] 1 3.5 [2] 2 3.5 [2, 3] 3 3.5 [2, 3, 4] 4 3.5 [3, 4, 5] 5 3.5 [4, 5] 6 3.5 [5] 9 9 [9] 1 1

PCNAD [11] PCNAD n-gram (n = 1) $l_t$ $m_d$ $m_d$ $m_t$ Cowie [9] 2 [10]

3.
3.1 1-gram 1-gram $l_t$ 1 $l_t = 2$ 2 1 $l_t$ 1 6 $l_t$ 2 $l_t$ 2 (1) $m_d$ $n$

$$m_d(x, y) = \sum_{k=1}^{n} \lvert x_k - y_k \rvert \quad (1)$$

$m_d$ $m_t$
3.2 Lurker
ID; TTL; srcip, dstip; ([TCP, UDP, ICMP]); srcport, dstport (TCP, UDP); seqnum (TCP); acknum (TCP); flags (TCP); win (TCP); opts (TCP); (TCP)

3.3
4.
4.1 Lurker Lurker IP 1 12 /24 2016 12 14 2017 9 29 Lurker 2017 12 18 2017 9 29
4.2
4.2.1 2, 3 2 SSH 3 HTTP 1 2 22 3 22 SSH PUTTY 3 SSH libssh 3 NULL
4.2.2 $P_{d,l}$ ($d = 80$) 80 1-gram $P_{d,l}$ $l$ 5 $m_d$ $m_t$

$$m_t = \mathrm{payload\_length} \times 0.2 \quad (2)$$

$(m_d \neq 0)\ \&\&\ (m_d \le m_t)$ (2) 1, 2 1 19 HTTP 2 193 phpmyadmin phpmyadmin 80

5. (Lurker) Lurker

References
[1] Snort - Network Intrusion Detection & Prevention System, https://www.snort.org/ (October 2017)
[2] The Bro Network Security Monitor, https://www.bro.org/ (October 2017)
[3] Harrop, Warren, and Grenville Armitage. "Defining and evaluating greynets (sparse darknets)." Local Computer Networks, 2005. 30th Anniversary. The IEEE Conference on. IEEE, 2005.
[4] The Honeynet Project, https://www.honeynet.org/ (October 2017)
[5] micheloosterhof/cowrie: Cowrie SSH/Telnet Honeypot, https://github.com/micheloosterhof/cowrie (October 2017)
[6] DinoTools/dionaea: Home of the dionaea honeypot, https://github.com/dinotools/dionaea (October 2017)
[7] m-mizutani/lurker: Lurker monitors an incoming network TCP SYN packet to invalid port number, and will respond a TCP SYN-ACK packet to collect packet payload from attacker, https://github.com/m-mizutani/lurker
[8] Nakao, Koji, et al. "Practical correlation analysis between scan and malware profiles against zero-day attacks based on darknet monitoring." IEICE Transactions on Information and Systems 92.5 (2009): 787-798.
2 SSH 3 HTTP

[9] Cowie, Bradley, and Barry Irwin. "Data classification for artificial intelligence construct training to aid in network incident identification using network telescope data." Proceedings of the 2010 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists. ACM, 2010.
[10] , et al. "." 2014 2014.2 (2014): 48-55.
[11] Thorat, Sandeep A., et al. "Payload content based network anomaly detection." Applications of Digital Information and Web Technologies, 2008. ICADIWT 2008. First International Conference on the. IEEE, 2008.
[12] Hoepers, Cristine, Klaus Steding-Jessen, and Antonio Montes. "Honeynets Applied to the CSIRT Scenario." Proceedings of the 15th Annual Computer Security Incident Handling Conference. 2003.

Fig. 1: length 19 (HTTP)
    Length: 19.000000
    Manhattan Distance: 2
    --
    HEAD / HTTP/1.0

    --
    HEAD / HTTP/1.1

    ====

Fig. 2: length 193 (phpmyadmin)
    Length: 193.000000
    Manhattan Distance: 9
    --
    GET /phpmyadmin-2.11.1-all-languages/scripts/setup.php HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: ZmEu
    Host: 133.69.4.2
    Connection: Close

    --
    GET /phpmyadmin-3.0.0.0-all-languages/scripts/setup.php HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: ZmEu
    Host: 133.69.4.2
    Connection: Close

    ====
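As an added example (not code from the report or from Lurker), the 1-gram Manhattan-distance classification of equations (1) and (2) applied to the two Figure 1 payloads, which are the same length and differ only in the HTTP version byte. The 0.2 threshold ratio and the equal-length grouping P_{d,l} follow the text; the third, dissimilar payload is constructed to show a pair that is rejected.

```python
from collections import Counter

# Threshold ratio from equation (2): m_t = payload_length * 0.2.
THRESHOLD_RATIO = 0.2


def one_gram(payload: bytes) -> Counter:
    """1-gram histogram: count of each byte value (0..255) in the payload."""
    return Counter(payload)


def manhattan_distance(x: bytes, y: bytes) -> int:
    """Equation (1): m_d(x, y) = sum over the 256 byte bins of |x_k - y_k|."""
    hx, hy = one_gram(x), one_gram(y)
    return sum(abs(hx[k] - hy[k]) for k in range(256))


def is_variant(x: bytes, y: bytes, ratio: float = THRESHOLD_RATIO) -> bool:
    """Equation (2): 0 < m_d <= m_t, where m_t = payload_length * ratio.
    Only payloads of equal length (same group P_{d,l}) are ever compared."""
    if len(x) != len(y):
        return False
    m_d = manhattan_distance(x, y)
    m_t = len(x) * ratio
    return m_d != 0 and m_d <= m_t


def group_by_port_and_length(records):
    """Bucket (dst_port, payload) records into the groups P_{d,l}."""
    groups = {}
    for port, payload in records:
        groups.setdefault((port, len(payload)), []).append(payload)
    return groups


def find_variants(records):
    """Return (port, length, a, b, m_d) for every pair that satisfies (2)."""
    hits = []
    for (port, length), payloads in group_by_port_and_length(records).items():
        for i in range(len(payloads)):
            for j in range(i + 1, len(payloads)):
                a, b = payloads[i], payloads[j]
                if is_variant(a, b):
                    hits.append((port, length, a, b, manhattan_distance(a, b)))
    return hits


# Constructed sample: the two 19-byte Figure 1 payloads plus one unrelated
# 19-byte request to port 80 (hypothetical, not from the report's data).
SAMPLE = [
    (80, b"HEAD / HTTP/1.0\r\n\r\n"),
    (80, b"HEAD / HTTP/1.1\r\n\r\n"),
    (80, b"GET /a HTTP/1.1\r\n\r\n"),
]
```

Running find_variants(SAMPLE) reports the single Figure 1 pair with m_d = 2 against m_t = 3.8, while the GET request is rejected because its distance to either HEAD payload exceeds the threshold.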