A Honeynet within the German Research Network – Experiences and Results

A honeynet is a special prepared network which is not used in normal business. It is a kind of playground to watch and learn the tactics of crackers. The only purpose of a honeynet is to be probed, attacked or compromised. During the operation other systems may not be harmed by an attack originated within the honeynet. In this paper the design, realization and operation of a honeynet built within the German Research Network (DFN) will be described. Concepts for continuously monitoring and securing the honeynet are introduced. A selection of the results of the operation phase will be presented as well

Honeypots and honeynets: issues of privacy

Honeypots and honeynets are popular tools in the area of network security and network forensics. The deployment and usage of these tools are influenced by a number of technical and legal issues, which need to be carefully considered. In this paper, we outline the privacy issues of honeypots and honeynets with respect to their technical aspects. The paper discusses the legal framework of privacy and legal grounds to data processing. We also discuss the IP address, because by EU law, it is considered personal data. The analysis of legal issues is based on EU law and is supported by discussions on privacy and related issues

Web attack risk awareness with lessons learned from high interaction honeypots

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009Com a evolução da web 2.0, a maioria das empresas elabora negócios através da Internet usando aplicações web. Estas aplicações detêm dados importantes com requisitos cruciais como confidencialidade, integridade e disponibilidade. A perda destas propriedades influencia directamente o negócio colocando-o em risco. A percepção de risco providencia o necessário conhecimento de modo a agir para a sua mitigação. Nesta tese foi concretizada uma colecção de honeypots web de alta interacção utilizando diversas aplicações e sistemas operativos para analisar o comportamento do atacante. A utilização de ambientes de virtualização assim como ferramentas de monitorização de honeypots amplamente utilizadas providencia a informação forense necessária para ajudar a comunidade de investigação no estudo do modus operandi do atacante, armazenando os últimos exploits e ferramentas maliciosas, e a desenvolver as necessárias medidas de protecção que lidam com a maioria das técnicas de ataque. Utilizando a informação detalhada de ataque obtida com os honeypots web, o comportamento do atacante é classificado entre diferentes perfis de ataque para poderem ser analisadas as medidas de mitigação de risco que lidam com as perdas de negócio. Diferentes frameworks de segurança são analisadas para avaliar os benefícios que os conceitos básicos de segurança dos honeypots podem trazer na resposta aos requisitos de cada uma e a consequente mitigação de risco.With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties influences directly the business putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse the attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provide the necessary forensic information that helps the research community to study the modus operandi of the attacker gathering the latest exploits and malicious tools and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour will be classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots security concepts in responding to each framework’s requirements and consequently mitigating the risk

Context-Aware Network Security.

The rapid growth in malicious Internet activity, due to the rise of threats like automated worms, viruses, and botnets, has driven the development of tools designed to protect host and network resources. One approach that has gained significant popularity is the use of network based security systems. These systems are deployed on the network to detect, characterize and mitigate both new and existing threats. Unfortunately, these systems are developed and deployed in production networks as generic systems and little thought has been paid to customization. Even when it is possible to customize these devices, the approaches for customization are largely manual or ad hoc. Our observation of the production networks suggest that these networks have significant diversity in end-host characteristics, threat landscape, and traffic behavior -- a collection of features that we call the security context of a network. The scale and diversity in security context of production networks make manual or ad hoc customization of security systems difficult. Our thesis is that automated adaptation to the security context can be used to significantly improve the performance and accuracy of network-based security systems. In order to evaluate our thesis, we explore a system from three broad categories of network-based security systems: known threat detection, new threat detection, and reputation-based mitigation. For known threat detection, we examine a signature-based intrusion detection system and show that the system performance improves significantly if it is aware of the signature set and the traffic characteristics of the network. Second, we explore a large collection of honeypots (or honeynet) that are used to detect new threats. We show that operating system and application configurations in the network impact honeynet accuracy and adapting to the surrounding network provides a significantly better view of the network threats. Last, we apply our context-aware approach to a reputation-based system for spam blacklist generation and show how traffic characteristics on the network can be used to significantly improve its accuracy. We conclude with the lessons learned from our experiences adapting to network security context and the future directions for adapting network-based security systems to the security context.Ph.D.Computer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/64745/1/sushant_1.pd

Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor—are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends

Honeypot for Wireless Sensor Networks

People have understood that computer systems need safeguarding and require knowledge of security principles for their protection. While this has led to solutions for system components such as malware-protection, firewalls and intrusion detection systems, the ubiquitous usage of tiny microcomputers appeared at the same time. A new interconnectivity is on the rise in our lives. Things become “smart” and increasingly build new networks of devices. In this context the wireless sensor networks here interact with users and also, vice versa as well; unprivileged users able to interact with the wireless sensor network may harm the privileged user as a result. The problem that needs to be solved consists of possible harm that may be caused by an unprivileged user interacting with the wireless sensor network of a privileged user and may come via an attack vector targeting a vul- nerability that may take as long as it is needed and the detection of such mal-behaviour can only be done if a sensing component is implemented as a kind of tool detecting the status of the attacked wireless sensor network component and monitors this problem happening as an event that needs to be researched further on. Innovation in attack detection comprehension is the key aspect of this work, because it was found to be a set of hitherto not combined aspects, mechanisms, drafts and sketches, lacking a central combined outcome. Therefore the contribution of this thesis consists in a span of topics starting with a summary of attacks, possible countermeasures and a sketch of the outcome to the design and implementation of a viable product, concluding in an outlook at possible further work. The chosen path for the work in this research was experimental prototype construction following an established research method that first highlights the analysis of attack vectors to the system component and then evaluates the possibilities in order to im- prove said method. This led to a concept well known in common large-scale computer science systems, called a honeypot. Its common definitions and setups were analy- sed and the concept translation to the wireless sensor network domain was evaluated. Then the prototype was designed and implemented. This was done by following the ap- proach set by the science of cybersecurity, which states that the results of experiments and prototypes lead to improving knowledge intentionally for re-use