Technology independent honeynet description language

Several languages have been proposed for the task of describing networks of systems, either to help on managing, simulate or deploy testbeds for testing purposes. However, there is no one specifically designed to describe the honeynets, covering the specific characteristics in terms of applications and tools included in the honeypot systems that make the honeynet. In this paper, the requirements of honeynet description are studied and a survey of existing description languages is presented, concluding that a CIM (Common Information Model) match the basic requirements. Thus, a CIM like technology independent honeynet description language (TIHDL) is proposed. The language is defined being independent of the platform where the honeynet will be deployed later, and it can be translated, either using model-driven techniques or other translation mechanisms, into the description languages of honeynet deployment platforms and tools. This approach gives flexibility to allow the use of a combination of heterogeneous deployment platforms. Besides, a flexible virtual honeynet generation tool (HoneyGen) based on the approach and description language proposed and capable of deploying honeynets over VNX (Virtual Networks over LinuX) and Honeyd platforms is presented for validation purposes

Defining a Covert Analysis Detection (CAD) System and its Stealthy Date Capture, Control and Analysis Capabilities

A Covert Analysis Detection (CAD) system is an operationalized honeypot or honeynet that is designed to covertly capture, control and provide analysis capabilities of all traffic that flows through it. It was found that the covert data capture capability not only revealed the attackers tools ( captured as source code) and tactics ( collection of compromised systems), but also over time it revealed that that attacker's actual motive was the creation of a distributed denial of service (DDoS) network. The discovery of this lethal network tool and all the signatures of its creation and maintenance, proved the validity of the CAD's capabilities to aid in the enhancement of our information protection resources.Captain, United States Marine CorpsApproved for public release; distribution is unlimited

Wireless security for secure facilities

This thesis presents methods for securing a facility that has wireless connectivity. The goal of this research is to develop a solution to securing a facility that utilizes wireless communications. The research will introduce methods to track and locate the position of attackers. This research also introduces the idea of using a Honeynet system for added security. This research uses what is called Defense-In-Depth. Defense-in-depth is when multiple layers of security are used. The first of the layers is the Zone of Interference. This Zone is an area where jammer transmitters and directive antennas are set up to take advantage of the near-far-effect. The idea is to use the near-far-effect to give a stronger signal on the perimeter of the secure area, to mask any signals escaping from the secure area. This Zone uses directive Yagi antenna arrays to direct the radiation. There are multiple jamming methods that are utilized within this Zone. The next layer of security is the Honeynet Zone. The idea is to make an attacker believe that they are seeing real network traffic. This is done at the Honeynet Zone once a device has been determined to be unfriendly. Decoy mobile devices are first placed within the Honeynet Zone. Spoofed traffic is then created between the Honeynet base stations and the decoy mobile devices zone; using adaptive antennas incorporated within the design to face the signals away from the inside secure area. The third defense is position location and tracking. The idea is to have constant tracking of all devices in the area. There are several methods available to locate and track a device that is giving off an RF signal. This thesis looks at combining all these methods into an integrated, and more robust, facility security system

Determining the effectiveness of deceptive honeynets

Over the last few years, incidents of network based intrusions have rapidly increased, due to the increase and popularity of various attack tools easily available for download from the Internet. Due to this increase in intrusions, the concept of a network defence known as Honeypots developed. These honeypots are designed to ensnare attackers and monitor their activities. Honeypots use the principles of deception such as masking, mimicry, decoying, inventing, repackaging and dazzling to deceive attackers. Deception exists in various forms. It is a tactic to survive and defeat the motives of attackers. Due to its presence in the nature, deception has been widely used during wars and now in Information Systems. This thesis considers the current state of honeypot technology as well as describes the framework of how to improve the effectiveness of honeypots through the effective use of deception. In this research, a legitimate corporate deceptive network is created using Honeyd (a type of honeypot) which is attacked and improved using empirical learning approach. The data collected during the attacking exercise were analysed, using various measures, to determine the effectiveness of the deception in the honeypot network created using honeyd. The results indicate that the attackers were deceived into believing the honeynet was a real network which instead was a deceptive network

DIGITAL FORENSIC READINESS FRAMEWORK BASED ON HONEYPOT AND HONEYNET FOR BYOD

The utilization of the internet within organizations has surged over the past decade. Though, it has numerous benefits, the internet also comes with its own challenges such as intrusions and threats. Bring Your Own Device (BYOD) as a growing trend among organizations allow employees to connect their portable devices such as smart phones, tablets, laptops, to the organization’s network to perform organizational duties. It has gained popularity over the years because of its flexibility and cost effectiveness. This adoption of BYOD has exposed organizations to security risks and demands proactive measures to mitigate such incidents. In this study, we propose a Digital Forensic Readiness (DFR) framework for BYOD using honeypot technology. The framework consists of the following components: BYOD devices, Management, People, Technology and DFR. It is designed to comply with ISO/IEC 27043, detect security incidents/threats and collect potential digital evidence using low- and high-level interaction honeypots. Besides, the framework proffers adequate security support to the organization through space isolation, device management, crypto operations, and policies database. This framework would ensure and improve information security as well as securely preserve digital evidence. Embedding DFR into BYOD will improve security and enable an organization to stay abreast when handling a security incident

Uncovering Vulnerable Industrial Control Systems from the Internet Core

Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., DRDoS~attacks). In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used i) to create precise filters for potentially harmful non-industrial ICS traffic, and ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks

Dynamic Honeypot Configuration for Programmable Logic Controller Emulation

Attacks on industrial control systems and critical infrastructure are on the rise. Important systems and devices like programmable logic controllers are at risk due to outdated technology and ad hoc security measures. To mitigate the threat, honeypots are deployed to gather data on malicious intrusions and exploitation techniques. While virtual honeypots mitigate the unreasonable cost of hardware-replicated honeypots, these systems often suffer from a lack of authenticity due to proprietary hardware and network protocols. In addition, virtual honeynets utilizing a proxy to a live device suffer from performance bottlenecks and limited scalability. This research develops an enhanced, application layer emulator capable of alleviating honeynet scalability and honeypot inauthenticity limitations. The proposed emulator combines protocol-agnostic replay with dynamic updating via a proxy. The result is a software tool which can be readily integrated into existing honeypot frameworks for improved performance. The proposed emulator is evaluated on traffic reduction on the back-end proxy device, application layer task accuracy, and byte-level traffic accuracy. Experiments show the emulator is able to successfully reduce the load on the proxy device by up to 98% for some protocols. The emulator also provides equal or greater accuracy over a design which does not use a proxy. At the byte level, traffic variation is statistically equivalent while task success rates increase by 14% to 90% depending on the protocol. Finally, of the proposed proxy synchronization algorithms, templock and its minimal variant are found to provide the best overall performance