RECLAMO: virtual and collaborative honeynets based on trust management and autonomous systems applied to intrusion management

Security intrusions in large systems is a problem due to its lack of scalability with the current IDS-based approaches. This paper describes the RECLAMO project, where an architecture for an Automated Intrusion Response System (AIRS) is being proposed. This system will infer the most appropriate response for a given attack, taking into account the attack type, context information, and the trust and reputation of the reporting IDSs. RECLAMO is proposing a novel approach: diverting the attack to a specific honeynet that has been dynamically built based on the attack information. Among all components forming the RECLAMO's architecture, this paper is mainly focused on defining a trust and reputation management model, essential to recognize if IDSs are exposing an honest behavior in order to accept their alerts as true. Experimental results confirm that our model helps to encourage or discourage the launch of the automatic reaction process

Evaluating the effectiveness of an intrusion prevention / honeypot hybrid

An intrusion prevention system is a variation of an intrusion detection system that drops packets that are anomalous based on a chosen criteria. An intrusion prevention system is typically placed on the outer perimeter of a network to prevent intruders from reaching vulnerable machines inside the network, though it can also be placed inside the network in front of systems requiring extra security measures. Unfortunately, intrusion prevention systems, even when properly configured, are susceptible to both false positives and false-negatives. The risk of false positives typically leads organizations to deploy these systems with the prevention capability disabled and only focus on detection. In this paper I propose an expansion to current intrusion prevention systems that combines them with the principles behind honeypots to reduce false positives while capturing attack traffic to improve prevention rules. In an experiment using the Snort-inline intrusion prevention system, I was able to reduce the rate of false positives to zero without negatively impacting the rate of false-negatives. I was further able to capture a successful attack in a way that minimized disruption to legitimate users but allowed the compromised system to be later analyzed to find weaknesses, improve prevention rules, and prevent future attacks

ELECTRON: An Architectural Framework for Securing the Smart Electrical Grid with Federated Detection, Dynamic Risk Assessment and Self-Healing

The electrical grid has significantly evolved over the years, thus creating a smart paradigm, which is well known as the smart electrical grid. However, this evolution creates critical cybersecurity risks due to the vulnerable nature of the industrial systems and the involvement of new technologies. Therefore, in this paper, the ELECTRON architecture is presented as an integrated platform to detect, mitigate and prevent potential cyberthreats timely. ELECTRON combines both cybersecurity and energy defence mechanisms in a collaborative way. The key aspects of ELECTRON are (a) dynamic risk assessment, (b) asset certification, (c) federated intrusion detection and correlation, (d) Software Defined Networking (SDN) mitigation, (e) proactive islanding and (f) cybersecurity training and certification

DIGITAL FORENSIC READINESS FRAMEWORK BASED ON HONEYPOT AND HONEYNET FOR BYOD

The utilization of the internet within organizations has surged over the past decade. Though, it has numerous benefits, the internet also comes with its own challenges such as intrusions and threats. Bring Your Own Device (BYOD) as a growing trend among organizations allow employees to connect their portable devices such as smart phones, tablets, laptops, to the organization’s network to perform organizational duties. It has gained popularity over the years because of its flexibility and cost effectiveness. This adoption of BYOD has exposed organizations to security risks and demands proactive measures to mitigate such incidents. In this study, we propose a Digital Forensic Readiness (DFR) framework for BYOD using honeypot technology. The framework consists of the following components: BYOD devices, Management, People, Technology and DFR. It is designed to comply with ISO/IEC 27043, detect security incidents/threats and collect potential digital evidence using low- and high-level interaction honeypots. Besides, the framework proffers adequate security support to the organization through space isolation, device management, crypto operations, and policies database. This framework would ensure and improve information security as well as securely preserve digital evidence. Embedding DFR into BYOD will improve security and enable an organization to stay abreast when handling a security incident

Profiling Behavior of Intruders on Enterprise Honeynet: Deployment and Analysis

Network and information security continues to be one of the largest areas that require greater attention and improvement over the current state of infrastructure within enterprise information systems. Intruders to enterprise networks are no longer just hacking for fun or to show off their programming skills; rather they are now doing it for profit-making motives. As a result, developing profiles for the behavior of intruders, trespassing upon business information systems within an enterprise networking environment, has become a primary focus of cyber-security research recently. In the proposed on-going project, we deploy a novel honeynet system using advanced virtualization technologies, in order to collect the forensic evidence of an attack, by allowing attackers to interact with compromised computers in a real enterprise network. We then analyze the behavior of intruders in order to investigate and compare their hidden linkages as compared with enterprise networks, and the attacker(s)’ potential group structures, including attributes such as geographic distribution and service communities, thus providing strategies for enterprise-network administrators to stay protected against malicious attacks from external intruders. Preliminary results on the proposed research is very promising, showing intruders’ behaviors over one month were distributed across over 60 different countries, and our work demonstrated that the most popular service intruders like use to interact with is the very HTTP Web itself

An Architecture for Securing Communications in Critical Infrastructure

7th International Conference on Data Communication Networking - DCNET 2016, , 26/07/2016-28/07/2016, Lisboa, PortugalThe disruption of communications in critical infrastructures could have a serious impact on the health, safety, security or economic well-being of citizens or even prevent the effective functioning of governments or other agencies. For this reason, in this paper we present a distributed architecture, named CYBERSENS, aimed at preventing, early detecting, and mitigating cyber attacks to critical infrastructure networks. CYBERSENS is an advanced IDS/IPS system specially tailored for securing communications in critical infrastructures. It"s federated architecture, the combination of misuse detection techniques and novel anomaly detection approaches, and the inclusion of mechanisms for self-obfuscation and self-protection, makes our proposal specially suitable for these scenarios.European Commissio

Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots—the decoy and the captor—are captured and presented, together with two abstract organizational forms—independent and cooperative—where these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified, which can greatly influence the honeypot performances. These two subsets of features are applied to a number of typical independent and cooperative honeypots separately in order to validate the taxonomy and predict the honeypot development trends

Anomaly based intrusion detection for network monitoring using a dynamic honeypot.

This thesis proposes a network based intrusion detection approach using anomaly detection and achieving low configuration and maintenance costs. A honeypots is an emerging security tool that has several beneficial characteristics, one of which is that all traffic to it is anomalous. A dynamic honeypot reduces the configuration and maintenance costs of honeypot deployment. An anomaly based intrusion detection system with low configuration and maintenance costs can be constructed by simply observing the egress and ingress to a dynamic honeypot. This thesis explores the design and implementation of a dynamic honeypot using a variety of publicly available tools. The main contributions of the design consist of a database containing network relevant information and a dynamic honeypot engine that generates honeypot configurations from the relevant network information. The thesis also explores a simple intrusion detection system built around the dynamic honeypot. These systems were experimentally implemented and preliminary testing identified anomalous traffic, though in some cases it was not necessarily intrusive. In one instance the dynamic honeypot based intrusion detection system identified an intrusion, which was not detected by conventional means

Development of a multi-layered botmaster based analysis framework

Botnets are networks of compromised machines called bots that come together to form the tool of choice for hackers in the exploitation and destruction of computer networks. Most malicious botnets have the ability to be rented out to a broad range of potential customers, with each customer having an attack agenda different from the other. The result is a botnet that is under the control of multiple botmasters, each of which implement their own attacks and transactions at different times in the botnet. In order to fight botnets, details about their structure, users, and their users motives need to be discovered. Since current botnets require the information about the initial bootstrapping of a bot to a botnet, the monitoring of botnets are possible. Botnet monitoring is used to discover the details of a botnet, but current botnet monitoring projects mainly identify the magnitude of the botnet problem and tend to overt some fundamental problems, such as the diversified sources of the attacks. To understand the use of botnets in more detail, the botmasters that command the botnets need to be studied. In this thesis we focus on identifying the threat of botnets based on each individual botmaster. We present a multi-layered analysis framework which identifies the transactions of each botmaster and then we correlate the transactions with the physical evolution of the botnet. With these characteristics we discover what role each botmaster plays in the overall botnet operation. We demonstrate our results in our system: MasterBlaster, which discovers the level of interaction between each botmaster and the botnet. Our system has been evaluated in real network traces. Our results show that investigating the roles of each botmaster in a botnet should be essential and demonstrates its potential benefit for identifying and conducting additional research on analyzing botmaster interactions. We believe our work will pave the way for more fine-grained analysis of botnets which will lead to better protection capabilities and more rapid attribution of cyber crimes committed using botnets