Technology independent honeynet description language

Several languages have been proposed for the task of describing networks of systems, either to help on managing, simulate or deploy testbeds for testing purposes. However, there is no one specifically designed to describe the honeynets, covering the specific characteristics in terms of applications and tools included in the honeypot systems that make the honeynet. In this paper, the requirements of honeynet description are studied and a survey of existing description languages is presented, concluding that a CIM (Common Information Model) match the basic requirements. Thus, a CIM like technology independent honeynet description language (TIHDL) is proposed. The language is defined being independent of the platform where the honeynet will be deployed later, and it can be translated, either using model-driven techniques or other translation mechanisms, into the description languages of honeynet deployment platforms and tools. This approach gives flexibility to allow the use of a combination of heterogeneous deployment platforms. Besides, a flexible virtual honeynet generation tool (HoneyGen) based on the approach and description language proposed and capable of deploying honeynets over VNX (Virtual Networks over LinuX) and Honeyd platforms is presented for validation purposes

Versatile virtual honeynet management framework

Honeypots are designed to investigate malicious behavior. Each type of homogeneous honeypot system has its own characteristics in respect of specific security functionality, and also suffers functional drawbacks that restrict its application scenario. In practical scenarios, therefore, security researchers always need to apply heterogeneous honeypots to cope with different attacks. However, there is a lack of general tools or platforms that can support versatile honeynet deployment in order to investigate the malicious behavior. In this study, the authors propose a versatile virtual honeynet management tool to address this problem. It is a flexible tool that offers security researchers the versatility to deploy various types of honeypots. It can also generate and manage the virtual honeynet through a dynamic configuration approach adapting to the mutable network environment. The experimental results demonstrate that this tool is effective to perform automated honeynet deployment toward a variety of heterogeneous honeypots

A Methodology For Intelligent Honeypot Deployment And Active Engagement Of Attackers

Thesis (Ph.D.) University of Alaska Fairbanks, 2012The internet has brought about tremendous changes in the way we see the world, allowing us to communicate at the speed of light, and dramatically changing the face of business forever. Organizations are able to share their business strategies and sensitive or proprietary information across the globe in order to create a sense of cohesiveness. This ability to share information across the vastness of the internet also allows attackers to exploit these different avenues to steal intellectual property or gather information vital to the national security of an entire nation. As technology advances to include more devices accessing an organization's network and as more business is handled via the internet, attackers' opportunities increase daily. Honeypots were created in response to this cyber warfare. Honeypots provide a technique to gather information about attackers performing reconnaissance on a network or device without the voluminous logs obtained by the majority of intrusion detection systems. This research effort provides a methodology to dynamically generate context-appropriate honeynets. Administrators are able to modify the system to conform to the target environment and gather the information passively or through increasing degrees of active scanning. The information obtained during the process of scanning the environment aids the administrator in creating a network topology and understanding the flux of devices in the network. This research continues the effort to defend an organization's networks against the onslaught of attackers

Honeypot-based Security Enhancements for Information Systems

The purpose of this thesis is to explore honeypot-based security enhancements for information systems. First, we provide a comprehensive survey of the research that has been carried out on honeypots and honeynets for Internet of Things (IoT), Industrial Internet of Things (IIoT), and Cyber-physical Systems (CPS). We provide a taxonomy and extensive analysis of the existing honeypots and honeynets, state key design factors for the state-of-the-art honeypot/honeynet research and outline open issues. Second, we propose S-Pot, a smart honeypot framework based on open-source resources. S-Pot uses enterprise and IoT honeypots to attract attackers, learns from attacks via ML classifiers, and dynamically configures the rules of SDN. Our performance evaluation of S-Pot in detecting attacks using various ML classifiers shows that it can detect attacks with 97% accuracy using J48 algorithm. Third, for securing host-based Docker containers from cryptojacking, using honeypots, we perform a forensic analysis to identify indicators for the detection of unauthorized cryptomining, present measures for securing them, and propose an approach for monitoring host-based Docker containers for cryptojacking detection. Our results reveal that host temperature, combined with container resource usage, Stratum protocol, keywords in DNS requests, and the use of the container’s ephemeral ports are notable indicators of possible unauthorized cryptomining

HoneyDOC: An Efficient Honeypot Architecture Enabling All-Round Design

Honeypots are designed to trap the attacker with the purpose of investigating its malicious behavior. Owing to the increasing variety and sophistication of cyber attacks, how to capture high-quality attack data has become a challenge in the context of honeypot area. All-round honeypots, which mean significant improvement in sensibility, countermeasure and stealth, are necessary to tackle the problem. In this paper, we propose a novel honeypot architecture termed HoneyDOC to support all-round honeypot design and implementation. Our HoneyDOC architecture clearly identifies three essential independent and collaborative modules, Decoy, Captor and Orchestrator. Based on the efficient architecture, a Software-Defined Networking (SDN) enabled honeypot system is designed, which supplies high programmability for technically sustaining the features for capturing high-quality data. A proof-of-concept system is implemented to validate its feasibility and effectiveness. The experimental results show the benefits by using the proposed architecture comparing to the previous honeypot solutions.Comment: Non

Towards improving the security of low-interaction honeypots: insights from a comparative analysis

The recent increase in the number of security attacks by cyber-criminals on small businesses meant that security remained a concern for such organizations. In many such cases, detecting the attackers remained a challenge. A common tool to augment existing attack detection mechanisms within networks involves the use of honeypot systems. A fundamental feature of low-interaction honeypots is to be able to lure intruders, but the effectiveness of such systems has nevertheless been affected by various constraints. To be able to secure honeypots systems, it is important to firstly determine its requirements, before taking appropriate actions to ensure that the identified requirements have been achieved. This paper critically examines how existing low-interaction honeypot systems abide to major requirements before recommending how their security could be improved

Web attack risk awareness with lessons learned from high interaction honeypots

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009Com a evolução da web 2.0, a maioria das empresas elabora negócios através da Internet usando aplicações web. Estas aplicações detêm dados importantes com requisitos cruciais como confidencialidade, integridade e disponibilidade. A perda destas propriedades influencia directamente o negócio colocando-o em risco. A percepção de risco providencia o necessário conhecimento de modo a agir para a sua mitigação. Nesta tese foi concretizada uma colecção de honeypots web de alta interacção utilizando diversas aplicações e sistemas operativos para analisar o comportamento do atacante. A utilização de ambientes de virtualização assim como ferramentas de monitorização de honeypots amplamente utilizadas providencia a informação forense necessária para ajudar a comunidade de investigação no estudo do modus operandi do atacante, armazenando os últimos exploits e ferramentas maliciosas, e a desenvolver as necessárias medidas de protecção que lidam com a maioria das técnicas de ataque. Utilizando a informação detalhada de ataque obtida com os honeypots web, o comportamento do atacante é classificado entre diferentes perfis de ataque para poderem ser analisadas as medidas de mitigação de risco que lidam com as perdas de negócio. Diferentes frameworks de segurança são analisadas para avaliar os benefícios que os conceitos básicos de segurança dos honeypots podem trazer na resposta aos requisitos de cada uma e a consequente mitigação de risco.With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties influences directly the business putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse the attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provide the necessary forensic information that helps the research community to study the modus operandi of the attacker gathering the latest exploits and malicious tools and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour will be classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots security concepts in responding to each framework’s requirements and consequently mitigating the risk

HoneyProxy Implementation in Cloud Environment with Docker HoneyFarm

Pilveteenustel põhinev infotehnoloogia süsteemide taristu on saamas tavapäraseks nii idufirmades, keskmise suurusega ettevõtetes kui ka suurtes korporatsioonides, toetades agiilsemat tarkvara arendust ning lihtsustades andmekeskuste haldamist, kontrollimist ja administreerimist. See kiirelt arenev tehnoloogiavaldkond tõstatas palju turvalisusega seotud küsimusi seoses pilves hoitavate teenuste ligipääsetavuse kontrollimisega ning sellega, kas pakutud lahenduste jõudlus ning viiteaeg (latentsus) jäävad aktsepteeritavatesse piiridesse. Käesolev teadustöö tutvustab honeypot peibutusmehhanismi pilves revolutsioonilisel viisil, mis rakendab HoneyProxy lahendust honeynet lüüsina pöördproksile, mis kontrollib sissetulevaid ja väljaminevaid päringuid back-end teenustesse. Vastav HoneyProxy on ühendatud HoneyFarm lahendusega, mida käitatakse samal masinal (pilveserveril). Iga honeypot jookseb eraldi Docker’i konteineris ning omab unikaalset IP-d, mistõttu on võimalik igat ründesessiooni isoleerida ühte konteinerisse võimalusega vahetada erinevate konteineritüüpide vahel, ajades ründaja segadusse honeypot’i kasutust paljastamata. See kaitsemehhanism suudab tuvastada ja logida ründaja tegevusi, mis võivad omakorda paljastada uusi ründetehnikaid ning isegi “nullpäeva” (zero-day) haavatavusi. Käesoleva töö fookus on tutvustada raamistikku HoneyProxy implementeerimiseks pilveteenustel Docker’i konteinereid kasutades.Cloud hosting services is a common trend nowadays for small startups, medium sized business and even for large big cooperations, that is helping the agility and scaling of resources and spare the overhead of controlling, managing and administrating the data-centers. The fast growing technology raised security questions of how to control the access to the services hosted on the cloud, and whether the performance and the latency of the solutions offered to address these questions are within the bearable limits. This research is introducing the honeypots to the cloud in a revolutionary way that exposes and applies what is called a HoneyProxy to work as a honeynet gateway for a reverse proxy that is controlling the incoming and outgoing flow to the back-end services. This HoneyProxy is connected to a HoneyFarm that is hosted on the same machine (cloud server) each honeypot is serviced in a docker container dedicated for every unique IP, so that each attack session can be isolated within one container with the ability to switch between different types of containers that can fool the attacker without suspecting the existence of a honeypot. This defending mechanism can detect and log attackers behavior which can reveal new attack techniques and even zero day exploits. The contribution of this work is introducing the framework to implement the HoneyProxy on the cloud services using Docker containers