Taxonomy of honeynet solutions

Honeynet research has become more important as a way to overcome the limitations imposed by the use of individual honeypots. A honeynet can be defined as a network of honeypots following certain topology. Although there are at present many existing honeynet solutions, no taxonomies have been proposed in order to classify them. In this paper, we propose such taxonomy, identifying the main criteria used for its classification and applying the classification scheme to some of the existing honeynet solutions, in order to quickly get a clear outline of the honeynet architecture and gain insight of the honeynet technology. The analysis of the classification scheme of the taxonomy allows getting an overview of the advantages and disadvantages of each criterion value. We later use this analysis to explore the design space of honeynet solutions for the proposal of a future optimized honeynet solution

Flow analysis based on role and pattern matching

Flow analysis has always been a great concern for a network system. An attacker can gain important information through several ways by monitoring the frequency and timing of network packets or by impersonating another user through remote access. Access to a network system based on single-factor authentication is nothing but monitoring the perimeter around the network leaving a company\u27s a network wide open for the inside threat. There is a necessity to develop a classic network to reduce or eliminate threats within the organization. This thesis will analyze the flows to inspect every activity performed within the network in order for the untrusted flows to earn their way in becoming trusted flows based on notion of flow activity matching a specified pattern affiliated with the role

HoneyProxy Implementation in Cloud Environment with Docker HoneyFarm

Pilveteenustel põhinev infotehnoloogia süsteemide taristu on saamas tavapäraseks nii idufirmades, keskmise suurusega ettevõtetes kui ka suurtes korporatsioonides, toetades agiilsemat tarkvara arendust ning lihtsustades andmekeskuste haldamist, kontrollimist ja administreerimist. See kiirelt arenev tehnoloogiavaldkond tõstatas palju turvalisusega seotud küsimusi seoses pilves hoitavate teenuste ligipääsetavuse kontrollimisega ning sellega, kas pakutud lahenduste jõudlus ning viiteaeg (latentsus) jäävad aktsepteeritavatesse piiridesse. Käesolev teadustöö tutvustab honeypot peibutusmehhanismi pilves revolutsioonilisel viisil, mis rakendab HoneyProxy lahendust honeynet lüüsina pöördproksile, mis kontrollib sissetulevaid ja väljaminevaid päringuid back-end teenustesse. Vastav HoneyProxy on ühendatud HoneyFarm lahendusega, mida käitatakse samal masinal (pilveserveril). Iga honeypot jookseb eraldi Docker’i konteineris ning omab unikaalset IP-d, mistõttu on võimalik igat ründesessiooni isoleerida ühte konteinerisse võimalusega vahetada erinevate konteineritüüpide vahel, ajades ründaja segadusse honeypot’i kasutust paljastamata. See kaitsemehhanism suudab tuvastada ja logida ründaja tegevusi, mis võivad omakorda paljastada uusi ründetehnikaid ning isegi “nullpäeva” (zero-day) haavatavusi. Käesoleva töö fookus on tutvustada raamistikku HoneyProxy implementeerimiseks pilveteenustel Docker’i konteinereid kasutades.Cloud hosting services is a common trend nowadays for small startups, medium sized business and even for large big cooperations, that is helping the agility and scaling of resources and spare the overhead of controlling, managing and administrating the data-centers. The fast growing technology raised security questions of how to control the access to the services hosted on the cloud, and whether the performance and the latency of the solutions offered to address these questions are within the bearable limits. This research is introducing the honeypots to the cloud in a revolutionary way that exposes and applies what is called a HoneyProxy to work as a honeynet gateway for a reverse proxy that is controlling the incoming and outgoing flow to the back-end services. This HoneyProxy is connected to a HoneyFarm that is hosted on the same machine (cloud server) each honeypot is serviced in a docker container dedicated for every unique IP, so that each attack session can be isolated within one container with the ability to switch between different types of containers that can fool the attacker without suspecting the existence of a honeypot. This defending mechanism can detect and log attackers behavior which can reveal new attack techniques and even zero day exploits. The contribution of this work is introducing the framework to implement the HoneyProxy on the cloud services using Docker containers

Wide spectrum attribution: Using deception for attribution intelligence in cyber attacks

Modern cyber attacks have evolved considerably. The skill level required to conduct a cyber attack is low. Computing power is cheap, targets are diverse and plentiful. Point-and-click crimeware kits are widely circulated in the underground economy, while source code for sophisticated malware such as Stuxnet is available for all to download and repurpose. Despite decades of research into defensive techniques, such as firewalls, intrusion detection systems, anti-virus, code auditing, etc, the quantity of successful cyber attacks continues to increase, as does the number of vulnerabilities identified. Measures to identify perpetrators, known as attribution, have existed for as long as there have been cyber attacks. The most actively researched technical attribution techniques involve the marking and logging of network packets. These techniques are performed by network devices along the packet journey, which most often requires modification of existing router hardware and/or software, or the inclusion of additional devices. These modifications require wide-scale infrastructure changes that are not only complex and costly, but invoke legal, ethical and governance issues. The usefulness of these techniques is also often questioned, as attack actors use multiple stepping stones, often innocent systems that have been compromised, to mask the true source. As such, this thesis identifies that no publicly known previous work has been deployed on a wide-scale basis in the Internet infrastructure. This research investigates the use of an often overlooked tool for attribution: cyber de- ception. The main contribution of this work is a significant advancement in the field of deception and honeypots as technical attribution techniques. Specifically, the design and implementation of two novel honeypot approaches; i) Deception Inside Credential Engine (DICE), that uses policy and honeytokens to identify adversaries returning from different origins and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive honeynet framework that uses actor-dependent triggers to modify the honeynet envi- ronment, to engage the adversary, increasing the quantity and diversity of interactions. The two approaches are based on a systematic review of the technical attribution litera- ture that was used to derive a set of requirements for honeypots as technical attribution techniques. Both approaches lead the way for further research in this field

Intrusion Alert Quality Framework For Security False Alert Reduction [TH9737. N162 2007 f rb].

Tesis ini mengkaji rekabentuk dan perlaksanaan rangka-kerja yang mempersiapkan amaran-amaran keselamatan dengan metrik-metrik yang disahkan, memperkayakan amaran-amaran keselamatan dengan metrik-metrik tersebut dan akhirnya, menyeragamkan amaran-amaran tersebut dengan satu format yang dipersetujui agar sesuai digunakan oleh prosedur-prosedur penganalisaan amaran di peringkat tinggi. This thesis investigates the design and implementation of a framework to prepare security alerts with verified data quality metrics, enrich alerts with these metrics and finally, format the alerts in a standard format, suitable for consumption by highlevel alert analysis procedures

Reactive Security for SDN/NFV-enabled Industrial Networks leveraging Service Function Chaining

The innovative application of 5G core technologies, namely Software Defined Networking (SDN) and Network Function Virtualization (NFV), can help reduce capital and operational expenditures in industrial networks. Nevertheless, SDN expands the attack surface of the communication infrastructure, thus necessitating the introduction of additional security mechanisms. These major changes could not leave the industrial environment unaffected, with smart industrial deployments gradually becoming a reality; a trend that is often referred to as the 4th industrial revolution or Industry 4.0. A wind park is a good example of an industrial application relying on a network with strict performance, security, and reliability requirements, and was chosen as a representative example of industrial systems. This work highlights the benefit of leveraging the flexibility of SDN/NFV-enabled networks to deploy enhanced, reactive security mechanisms for the protection of the industrial network, via the use of Service Function Chaining. Moreover, the implementation of a proof-of-concept reactive security framework for an industrial-grade wind park network is presented, along with a performance evaluation of the proposed approach. The framework is equipped with SDN and Supervisory Control and Data Acquisition (SCADA) honeypots, modelled on and deployable to the wind park, allowing continuous monitoring of the industrial network and detailed analysis of potential attacks, thus isolating attackers and enabling the assessment of their level of sophistication. Moreover, the applicability of the proposed solutions is assessed in the context of the specific industrial application, based on the analysis of the network characteristics and requirements of an actual, operating wind park

Intrusion Alert Quality Framework For Security False Alert Reduction

Tesis ini mengkaji rekabentuk dan perlaksanaan rangka-kerja yang mempersiapkan amaran-amaran keselamatan dengan metrik-metrik yang disahkan This thesis investigates the design and implementation of a framework to prepare security alerts with verified data quality metric

Improving intrusion detection systems using data mining techniques

Recent surveys and studies have shown that cyber-attacks have caused a lot of damage to organisations, governments, and individuals around the world. Although developments are constantly occurring in the computer security field, cyber-attacks still cause damage as they are developed and evolved by hackers. This research looked at some industrial challenges in the intrusion detection area. The research identified two main challenges; the first one is that signature-based intrusion detection systems such as SNORT lack the capability of detecting attacks with new signatures without human intervention. The other challenge is related to multi-stage attack detection, it has been found that signature-based is not efficient in this area. The novelty in this research is presented through developing methodologies tackling the mentioned challenges. The first challenge was handled by developing a multi-layer classification methodology. The first layer is based on decision tree, while the second layer is a hybrid module that uses two data mining techniques; neural network, and fuzzy logic. The second layer will try to detect new attacks in case the first one fails to detect. This system detects attacks with new signatures, and then updates the SNORT signature holder automatically, without any human intervention. The obtained results have shown that a high detection rate has been obtained with attacks having new signatures. However, it has been found that the false positive rate needs to be lowered. The second challenge was approached by evaluating IP information using fuzzy logic. This approach looks at the identity of participants in the traffic, rather than the sequence and contents of the traffic. The results have shown that this approach can help in predicting attacks at very early stages in some scenarios. However, it has been found that combining this approach with a different approach that looks at the sequence and contents of the traffic, such as event- correlation, will achieve a better performance than each approach individually