Honeypot Project

Anna Shields, Daniel Kapit, Mahitosh Patel, Julia Pennington, Sean Bae

Research question

Previous work

  • An article from 2012 about the difference between hacks from Eastern Asia and from the former Soviet Union territories. (Kellerman)

Hypothesis

  • There will be a relationship between IP location and the method of hack.

  • There will be a relationship between IP location and the files they download (which will be labeled in different languages).

Motivation

Determine whether there is a way to track the location of hackers other than by IP address.

Contributions

Since IP addresses can be spoofed or hidden, it is important that a new way to locate hackers be developed so that hacks can be accurately attributed to a group or country.

Experimental Design

  • High Interaction Honeypot
  • SSH vulnerabilities
    • Bad passwords and usernames
    • Encouraging attacks

Life cycle

  • Begin with the attacker logging in through SSH
  • Once compromised, the attacker has 6 hours
  • Keylogging will begin immediately
  • At the end of every attack, the VM will be reset

Data sets

  • IP address
  • Downloads
  • Key logs
  • Timestamp

Architecture

  • Two honeypots under OpenVZ
  • Firewall external, prohibits modification
  • Data collection not on network
  • Outgoing ports open to allow files to be downloaded

Risk

  • High interaction honeypot
  • Another attack could be launched
  • What if a file is downloaded?
  • Assets, Vulnerabilities, Threats
  • Why?

Threat

Vulnerability

Information Asset

Risk

Security

  • Controlled compromises
    • Password cracking
    • File downloads
  • Uncontrolled compromises
    • Tampering with honeypot tools/settings
    • Misusing the outgoing internet connection

Policy

  • Response
    • Step 1: tell Bertrand
    • Step 2: address issue
      • return to intended settings
      • honeypot offline if harmful activities
    • up-to-date awareness
      • E-mail alerts
      • Daily manual check

Monitoring

  • wget, curl, scp, sftp
  • /var/log/auth.log
  • Sebek
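The life cycle, data sets and monitoring slides together describe one collection step: watch /var/log/auth.log for SSH password events, record the source IP, username and timestamp, and reset the VM six hours after the first successful login. The following is an added example of that step, not code from the project; the log lines are constructed (documentation-range addresses, made-up PIDs) and the year passed to the parser is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# Hostname, PIDs and addresses are made up (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges).
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:11 honeypot sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 14:02:14 honeypot sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 14:02:19 honeypot sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 14:02:25 honeypot sshd[2105]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar 10 15:40:02 honeypot sshd[2230]: Failed password for invalid user oracle from 198.51.100.77 port 40022 ssh2
Mar 10 15:40:09 honeypot sshd[2232]: Accepted password for root from 198.51.100.77 port 40024 ssh2
Mar 10 16:01:00 honeypot sshd[2250]: Accepted password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches the "Accepted/Failed password" lines sshd emits; other auth.log
# lines (PAM, cron, sudo) are skipped by the parser below.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

SESSION_BUDGET = timedelta(hours=6)   # the deck's "attacker has 6 hours" window


def parse_auth_log(text, year=2013):
    """Return one dict (timestamp, result, user, ip, port) per sshd password
    event. auth.log timestamps have no year, so the caller supplies one
    (assumption: 2013 is an arbitrary default)."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({
            "timestamp": ts,
            "result": m.group("result"),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "port": int(m.group("port")),
        })
    return events


def summarize_by_ip(events):
    """Per source IP: number of failed attempts, usernames tried, time of the
    first accepted login, and the VM reset deadline (first compromise + 6 h)."""
    summary = defaultdict(lambda: {"failed": 0, "users": set(),
                                   "compromised_at": None, "reset_at": None})
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        entry = summary[ev["ip"]]
        entry["users"].add(ev["user"])
        if ev["result"] == "Failed":
            entry["failed"] += 1
        elif entry["compromised_at"] is None:
            # later logins from the same IP do not extend the window
            entry["compromised_at"] = ev["timestamp"]
            entry["reset_at"] = ev["timestamp"] + SESSION_BUDGET
    return dict(summary)


def reset_due(summary, now):
    """Source IPs whose 6-hour window has elapsed at `now`, i.e. whose
    honeypot VM is due to be reset."""
    return sorted(ip for ip, e in summary.items()
                  if e["reset_at"] is not None and now >= e["reset_at"])


if __name__ == "__main__":
    by_ip = summarize_by_ip(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, e in sorted(by_ip.items()):
        print(ip, e["failed"], "failed;", sorted(e["users"]),
              "compromised", e["compromised_at"], "reset", e["reset_at"])
```

The per-IP record is the row the data-set slide calls for (IP address, timestamp, and the usernames and password attempts that show the method of attack); the reset deadline is what the daily manual check and e-mail alerts in the policy section would be keyed on.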

Architecture protection

  • External firewall
    • Some ports left open intentionally
    • Network traffic monitored
  • Secure root password
    • Attack encouraged, but no more compromise than necessary

Data analysis

  • k-means clustering
  • Support Vector Machine
  • Weka
  • SmileMiner
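The analysis plan is to cluster attackers by what they did on the honeypot and then see whether the clusters line up with IP location. As an added illustration (not the project's Weka or SmileMiner workflow), the block below runs a small k-means from scratch over per-attacker feature vectors and builds the cluster-versus-region table the hypothesis would be judged on. Feature values, region labels and the choice of seed points are all constructed for the example.

```python
import math
from collections import Counter

# Constructed per-attacker feature vectors, as could be derived from the
# keylogs and auth.log (values made up):
#   [failed logins before success, download commands (wget/curl/scp/sftp),
#    distinct usernames tried, minutes of interactive activity]
# The region label is what the hypothesis compares clusters against; in the
# study it would come from IP geolocation, here it is assigned arbitrarily.
SAMPLES = [
    ([120, 4, 3, 50], "A"),
    ([135, 5, 2, 45], "A"),
    ([110, 3, 3, 60], "A"),
    ([15, 0, 1, 5], "B"),
    ([10, 1, 1, 8], "B"),
    ([20, 0, 2, 4], "B"),
    ([118, 4, 2, 52], "B"),   # a region-B attacker behaving like the A group
]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(points):
    n = len(points)
    return [sum(p[i] for p in points) / n for i in range(len(points[0]))]


def scale(vectors):
    """Min-max scale each feature to [0, 1] so that large counts such as
    failed logins do not dominate the Euclidean distance."""
    dims = len(vectors[0])
    lo = [min(v[i] for v in vectors) for i in range(dims)]
    hi = [max(v[i] for v in vectors) for i in range(dims)]
    return [[(v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] != lo[i] else 0.0
             for i in range(dims)] for v in vectors]


def kmeans(vectors, k, max_iter=100, seeds=None):
    """Lloyd's k-means. Initial centroids are the points at indices `seeds`
    (default: the first k points) so a run is reproducible."""
    seeds = list(seeds) if seeds else list(range(k))
    centroids = [list(vectors[i]) for i in seeds]
    labels = [None] * len(vectors)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda c: _dist(v, centroids[c]))
                      for v in vectors]
        if new_labels == labels:      # assignments stable: converged
            break
        labels = new_labels
        for c in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == c]
            if members:               # an empty cluster keeps its old centroid
                centroids[c] = _mean(members)
    return labels, centroids


def contingency(labels, regions):
    """Counts of (cluster, region) pairs: the table used to judge whether
    behaviour clusters coincide with IP location."""
    return Counter(zip(labels, regions))


def cluster_attackers(samples=SAMPLES, k=2, seeds=(0, 3)):
    features = scale([f for f, _ in samples])
    labels, _ = kmeans(features, k, seeds=seeds)
    return labels, contingency(labels, [r for _, r in samples])


if __name__ == "__main__":
    labels, table = cluster_attackers()
    print("cluster per attacker:", labels)
    for (cluster, region), n in sorted(table.items()):
        print(f"cluster {cluster} / region {region}: {n}")
```

On the constructed data the two clusters separate the high-activity and low-activity attackers, and the table shows one region-B address falling into the region-A behaviour cluster; that kind of off-diagonal count is exactly what decides whether behaviour can stand in for IP location as an attribution signal.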

By seanbae