Deception Honeypots : Deep Intelligence

En un món on Internet és una eina fonamental pel desenvolupament de les empreses, que volen créixer i establir-se en el mercat econòmic global, la seguretat dels seus sistemes informàtics es converteix en una necessitat. La constant evolució de les tecnologies, promou un ambient en el qual els mètodes que es fan servir per atacar els sistemes informàtics, evolucionen encara més ràpid que les pròpies tecnologies, crean un estat on és pràcticament impossible garantir la integritat i la seguretat completa dels sistemes. La majoria dels mètodes actuals de seguretat, tenen com a objectiu la prevenció o detecció. Per aquest motiu aquest treball implementa els honeypots d'alta interacció, amb els quals podem implementar un factor proactiu en la nostre seguretat, atraient als atacants a un espai controlat, per aprendre els seus mètodes i fer servir aquesta informació per protegir els sistemes reals. En aquest article, es proposa el desenvolupament d'un honeypot d'alta interacció i la seva implementació, en una xarxa similar al entorn de producció d'una empresa per enganyar possibles atacants.In a world where Internet is a key element for the development of any company, that wants to rise and establish in the economic global market, the security of the computer systems used in the company's becomes an imperious need. The constant evolution of technology, provides an environment where the methods used to attack the computer systems evolve even faster than the technologies itself, creating a state where it is practically impossible to assure the integrity and complete security of the systems. Most actual security methods and policies, act only as a prevention or detection solution. Therefore in this paper we implement high interaction honeypots, which allow a new proactive factor in our security, to attract the attackers into a controlled environment, where we can learn their methods and use that information to protect the real systems. In this paper we will propose the development of a high interaction honeypot, and its implementation in a network, which we could find in a real bussines environment.En un mundo donde Internet es una herramienta basica para el dessarrollo de las empresas, que quieren crecer y establecer-se en el mercado economico global, la seguridad de sus sistemas informàticos se convierte en una necesitat. La constante evolucion de las tecnologias, promueve un ambiente en el que los metodos que se usan para atacar los sistemas informàticos evolucionan aun mas rápido que las propias tecnologias, creando un estado donde es practicamente imposible garantizar la integridad y seguridad de los sistemas. La mayoria de los metodos actuales de seguridad, tienen como objetivo la prevención o detección. Por este motivo en este trabajo implementa honeypots de alta interacción, con los quales se puede implantar un factor pro-activo en la seguridad, atraiendo a los atacantes a un espació controlado, para aprender sus metodos i usar esta información para proteger los sistemas reales. En este Articulo, se propone el desarrollo de un honeypot de alta interacción i su implementación, en una red similar a la de un entorno de producción de una empresa para engañar a posibles atacantes

Mise en place d'un pot de miel dans un réseau Wi-Fi

L’informatique et Internet sont toujours en grande expansion dans notre société. Selon des statistiques menées en 2017 par l’Union Internationale des Télécommunications, plus de 50% des ménages dans le monde ont accès à Internet. Depuis l’arrivée des données cellulaires quasi illimitées, le nombre de personnes utilisant Internet n’a pas cessé d’augmenter ces dernières années. Cette hausse d’utilisateurs n’est pas sans conséquence. Le terme de « sécurité informatique » surgit souvent dans les actualités. La sécurité est souvent négligée au profit du progrès technologique. Il existe des hackers mal intentionnés qu’on appelle les black-hats, qui profitent des failles exploitables dans les systèmes pour des actes souvent illégaux. Nous savons qu’ils trouvent sans cesse des brèches pour se glisser dans nos systèmes, même les plus récents. Les hackers visent les systèmes les plus utilisés, touchant ainsi le maximum d’utilisateurs. Nous allons tenter de démontrer un exemple de contre attaque

A Flexible Laboratory Environment Supporting Honeypot Deployment for Teaching Real-World Cybersecurity Skills

In the practical study of cybersecurity, students benefit greatly from having full control of physical equipment and services. However, this presents far too great a risk to security to be permitted on university campus networks. This paper describes an approach, used successfully at Northumbria University, in which students have control of an off-campus network laboratory, with a dedicated connection to the Internet. The laboratory is flexible enough to allow the teaching of general purpose networking and operating systems courses, while also supporting the teaching of cybersecurity through the safe integration of honeypot devices. In addition, the paper gives an analysis of honeypot architectures and presents two in detail. One of these offers students the opportunity to study cybersecurity attacks and defences at very low cost. It has been developed as a stand-alone device that also can be integrated safely into the laboratory environment for the study of more complex scenarios. The main contributions of this paper are the design and implementation of: an off-campus, physical network laboratory; a small, low-cost, configurable platform for use as a “lightweight” honeypot; and a laboratory-based, multi-user honeypot for large-scale, concurrent, cybersecurity experiments. The paper outlines how the laboratory environment has been successfully deployed within a university setting to support the teaching and learning of cybersecurity. It highlights the type of experiments and projects that have been supported and can be supported in the future

Constructing Cost-Effective and Targetable ICS Honeypots Suited for Production Networks

Honeypots are a technique that can mitigate the risk of cyber threats. Effective honeypots are authentic and targetable, and their design and implementation must accommodate risk tolerance and financial constraints. The proprietary, and often expensive, hardware and software used by Industrial Control System (ICS) devices creates the challenging problem of building a flexible, economical, and scalable honeypot. This research extends Honeyd into Honeyd+, making it possible to use the proxy feature to create multiple high interaction honeypots with a single Programmable Logic Controller (PLC). Honeyd+ is tested with a network of 75 decoy PLCs, and the interactions with the decoys are compared to a physical PLC to test for authenticity. The performance test evaluates the impact of multiple simultaneous connections to the PLC. The functional test is successful in all cases. The performance test demonstrated that the PLC is a limiting factor, and that introducing Honeyd+ has a marginal impact on performance. Notable findings are that the Raspberry Pi is the preferred hosting platform, and more than five simultaneous connections were not optimal

TOWARDS A HOLISTIC EFFICIENT STACKING ENSEMBLE INTRUSION DETECTION SYSTEM USING NEWLY GENERATED HETEROGENEOUS DATASETS

With the exponential growth of network-based applications globally, there has been a transformation in organizations\u27 business models. Furthermore, cost reduction of both computational devices and the internet have led people to become more technology dependent. Consequently, due to inordinate use of computer networks, new risks have emerged. Therefore, the process of improving the speed and accuracy of security mechanisms has become crucial.Although abundant new security tools have been developed, the rapid-growth of malicious activities continues to be a pressing issue, as their ever-evolving attacks continue to create severe threats to network security. Classical security techniquesfor instance, firewallsare used as a first line of defense against security problems but remain unable to detect internal intrusions or adequately provide security countermeasures. Thus, network administrators tend to rely predominantly on Intrusion Detection Systems to detect such network intrusive activities. Machine Learning is one of the practical approaches to intrusion detection that learns from data to differentiate between normal and malicious traffic. Although Machine Learning approaches are used frequently, an in-depth analysis of Machine Learning algorithms in the context of intrusion detection has received less attention in the literature.Moreover, adequate datasets are necessary to train and evaluate anomaly-based network intrusion detection systems. There exist a number of such datasetsas DARPA, KDDCUP, and NSL-KDDthat have been widely adopted by researchers to train and evaluate the performance of their proposed intrusion detection approaches. Based on several studies, many such datasets are outworn and unreliable to use. Furthermore, some of these datasets suffer from a lack of traffic diversity and volumes, do not cover the variety of attacks, have anonymized packet information and payload that cannot reflect the current trends, or lack feature set and metadata.This thesis provides a comprehensive analysis of some of the existing Machine Learning approaches for identifying network intrusions. Specifically, it analyzes the algorithms along various dimensionsnamely, feature selection, sensitivity to the hyper-parameter selection, and class imbalance problemsthat are inherent to intrusion detection. It also produces a new reliable dataset labeled Game Theory and Cyber Security (GTCS) that matches real-world criteria, contains normal and different classes of attacks, and reflects the current network traffic trends. The GTCS dataset is used to evaluate the performance of the different approaches, and a detailed experimental evaluation to summarize the effectiveness of each approach is presented. Finally, the thesis proposes an ensemble classifier model composed of multiple classifiers with different learning paradigms to address the issue of detection accuracy and false alarm rate in intrusion detection systems

CamDec: Advancing axis P1435-LE video camera security using honeypot-based deception

The explosion of online video streaming in recent years resulted in advanced services both in terms of efficiency and convenience. However, Internet-connected video cameras are prone to exploitation, leading to information security issues and data privacy concerns. The proliferation of video-capable Internet of Things devices and cloud-managed surveillance systems further extend these security issues and concerns. In this paper, a novel approach is proposed for video camera deception via honeypots, offering increased security measures compared to what is available on conventional Internet-enabled video cameras

Analysis and Classification of Current Trends in Malicious HTTP Traffic

Web applications are highly prone to coding imperfections which lead to hacker-exploitable vulnerabilities. The contribution of this thesis includes detailed analysis of malicious HTTP traffic based on data collected from four advertised high-interaction honeypots, which hosted different Web applications, each in duration of almost four months. We extract features from Web server logs that characterize malicious HTTP sessions in order to present them as data vectors in four fully labeled datasets. Our results show that the supervised learning methods, Support Vector Machines (SVM) and Decision Trees based J48 and PART, can be used to efficiently distinguish attack sessions from vulnerability scan sessions, as well as efficiently classify twenty-two different types of malicious activities with high probability of detection and very low probability of false alarms for most cases. Furthermore, feature selection methods can be used to select important features in order to improve the computational complexity of the learners

BEHAVIORAL CHARACTERIZATION OF ATTACKS ON THE REMOTE DESKTOP PROTOCOL

The Remote Desktop Protocol (RDP) is popular for enabling remote access and administration of Windows systems; however, attackers can take advantage of RDP to cause harm to critical systems using it. Detection and classification of RDP attacks is a challenge because most RDP traffic is encrypted, and it is not always clear which connections to a system are malicious after manual decryption of RDP traffic. In this research, we used open-source tools to generate and analyze RDP attack data using a power-grid honeypot under our control. We developed methods for detecting and characterizing RDP attacks through malicious signatures, Windows event log entries, and network traffic metadata. Testing and evaluation of our characterization methods on actual attack data collected by four instances of our honeypot showed that we could effectively delineate benign and malicious RDP traffic and classify the severity of RDP attacks on unprotected or misconfigured Windows systems. The classification of attack patterns and severity levels can inform defenders of adversarial behavior in RDP attacks. Our results can also help protect national critical infrastructure, including Department of Defense systems.DOE, Washington DC 20805Civilian, SFSApproved for public release. Distribution is unlimited