Strengthening MT6D Defenses with Darknet and Honeypot capabilities

Basam, Dileep Kumar

09 December 2015

With the ever increasing adoption of IPv6, there has been a growing concern for security and privacy of IPv6 networks. Mechanisms like the Moving Target IPv6 Defense (MT6D) leverage the immense address space available with the new 128-bit addressing scheme to improve security and privacy of IPv6 networks. MT6D allows participating hosts to hop onto new addresses, that are cryptographically computed, without any disruption to ongoing conversations. However, there is no feedback mechanism in the current MT6D implementation to substantiate the core strength of the scheme i.e., to find an attacker attempting to discover and target any MT6D addresses. This thesis proposes a method to monitor the intruder activity targeting the relinquished addresses to extract information for reinforcing the defenses of the MT6D scheme. Our solution identifies and acquires IPv6 addresses that are being discarded by MT6D hosts on a local network, in addition to monitoring and visualizing the incoming traffic on these addresses. This is essentially equivalent to forming a darknet out of the discarded MT6D addresses. The solution's architecture also includes an ability to deploy a virtual (LXC-based) honeypot on-demand, based on any interesting traffic pattern observed on a discarded address. With this solution in place, we can become cognizant of an attacker trailing an MT6D-host along the address changes, as well as understanding the composition of attack traffic hitting the discarded MT6D addresses. With the honeypot deployment capabilities, the solution can take the conversation forward with the attacker to collect more information on attacker methods and delay further tracking attempts. The solution architecture also allows an MT6D host to query the solution database for network activity on its relinquished addresses as a JavaScript Object Notation (JSON) object. This feature allows the MT6D host to identify any suspicious activity on its discarded addresses and strengthen the MT6D scheme parameters accordingly. We have built a proof-of-concept for the proposed solution and analyzed the solution's feasibility and scalability. / Master of Science

Moving Target Defense

MT6D

Darknet

Honeypot

Dionaea

IPv6

Análise de dados de bases de honeypots: estatística descritiva e regras de IDS

Ferreira, Pedro Henrique Matheus da Costa

04 March 2015

Made available in DSpace on 2016-03-15T19:37:56Z (GMT). No. of bitstreams: 1 PEDRO HENRIQUE MATHEUS DA COSTA FERREIRA.pdf: 2465586 bytes, checksum: c81a1527d816aeb0b216330fd4267b93 (MD5) Previous issue date: 2015-03-04 / Fundação de Amparo a Pesquisa do Estado de São Paulo / A honeypot is a computer security system dedicated to being probed, attacked or compromised. The information collected help in the identification of threats to computer network assets. When probed, attacked and compromised the honeypot receives a sequence of commands that are mainly intended to exploit a vulnerability of the emulated systems. This work uses data collected by honeypots to create rules and signatures for intrusion detection systems. The rules are extracted from decision trees constructed from the data sets of real honeypots. The results of experiments performed with four databases, both public and private, showed that the extraction of rules for an intrusion detection system is possible using data mining techniques, particularly decision trees. The technique pointed out similarities between the data sets, even the collection occurring in places and periods of different times. In addition to the rules obtained, the technique allows the analyst to identify problems quickly and visually, facilitating the analysis process. / Um honeypot é um sistema computacional de segurança dedicado a ser sondado, atacado ou comprometido. As informações coletadas auxiliam na identificação de ameaças computacionais aos ativos de rede. Ao ser sondado, atacado e comprometido o honeypot recebe uma sequência de comandos que têm como principal objetivo explorar uma vulnerabilidade dos sistemas emulados. Este trabalho faz uso dos dados coletados por honeypots para a criação de regras e assinaturas para sistemas de detecção de intrusão. As regras são extraídas de árvores de decisão construídas a partir dos conjuntos de dados de um honeypot real. Os resultados dos experimentos realizados com quatro bases de dados, duas públicas e duas privadas, mostraram que é possível a extração de regras para um sistema de detecção de intrusão utilizando técnicas de mineração de dados, em particular as árvores de decisão. A técnica empregada apontou similaridades entre os conjuntos de dados, mesmo a coleta ocorrendo em locais e períodos de tempos distintos. Além das regras obtidas, a técnica permite ao analista identificar problemas existentes de forma rápida e visual, facilitando o processo de análise.

honeypot

dionaea

mineração de dados

IDS

árvores de decisão

honeypot

dionaea

data mining

IDS

decision trees

CNPQ::ENGENHARIAS::ENGENHARIA ELETRICA

Monitorování síťových útoků pomocí systémů honeypot / Monitoring of network attacks with honeypot systems

Krula, Jiří

January 2016

This thesis focuses on the topic of honeypots technology and their use for network attacks monitoring. It theoretically analyzes the honeypots and their variants honeynet and honeytoken. The practical part describes how to deploy two open source solutions of honeypot, Kippo and Dionaea. Kippo honeypot can be classified, despite its limitations, as a high interactive honeypot. This solution emulates the SSH service and it is primarily intended for the detection and capture of brute force attacks on the service. Dionaea is a honeypot designed primarily for capturing malware. It aims to capture malware in the trap using the vulnerabilities of offered and exposed network services with the aim to obtain a copy of the malware for subsequent analysis. Data obtained from the real deployment of the proposed solutions are presented and measures in relation to the SIEM instruments are proposed as well as improved security of the protected network.