Return to search

Deceptive Environments for Cybersecurity Defense on Low-power Devices

The ever-evolving nature of botnets have made constant malware collection an absolute necessity for security researchers in order to analyze and investigate the latest, nefarious means by which bots exploit their targets and operate in concert with each other and their bot master.

In that effort of on-going data collection, honeypots have established themselves as a curious and useful tool for deception-based security. Low-powered devices, such as the Raspberry Pi, have found a natural home with some categories of honeypots and are being embraced by the honeypot community. Due to the low cost of these devices, new techniques are being explored to employ multiple honeypots within a network to act as sensors, collecting activity reports and captured malicious binaries to back-end servers for later analysis and network threat assessments. While these techniques are just beginning to gain their stride within the security community, they are held back due to the minimal amount of deception a traditional honeypot on a low-powered device is capable of delivering.

This thesis seeks to make a preliminary investigation into the viability of using Linux containers to greatly expand the deception possible on low-powered devices by providing isolation and containment of full system images with minimal resource overhead. It is argued that employing Linux containers on low-powered device honeypots enables an entire category of honeypots previously unavailable on such hardware platforms. In addition to granting previously unavailable interaction with honeypots on Raspberry Pis, the use of Linux containers grants unique advantages that have not previously been explored by security researchers, such as the ability to defeat many types of virtual environment and monitoring tool detection methods. / Master of Science / The term ‘honeypot’, as used in computer security, refers to computer systems that are intended to be targeted by malicious third parties, but contain little value. While these systems are being attacked, the honeypot collects as much data as it can on the actions being performed by the attacker; information that is extremely useful for security researchers in understanding the latest techniques and methods that are employed by cyber-criminals. Unfortunately, not all honeypot architectures are equal and often trade-offs have to be made between ease of setup, cost of hardware, and how realistic the honeypot is capable of behaving.

This thesis proposes that by using a new and useful software package available to Linux computer systems called ‘Linux Containers’, it is possible to implement honeypots that significantly reduce the amount of trade-offs required. Specifically, honeypots that are capable of highly realistic behavior can be run on highly affordable, low-power devices, such as the Raspberry Pi.

In addition to granting realistic honeypots the ability to operate on low-cost devices, Linux containers also provide the benefit of defeating several, difficult to overcome methods that malicious software authors implement in order to prevent their malware from being monitored and analyzed by security experts. Defeating the investigated forms of environment detection has remained a difficult challenge for security experts and remains an open-ended problem in the field.

Identiferoai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/86164
Date05 June 2017
CreatorsKedrowitsch, Alexander Lee
ContributorsComputer Science, Yao, Danfeng (Daphne), Raymond, David Richard, Wang, Gang Alan
PublisherVirginia Tech
Source SetsVirginia Tech Theses and Dissertation
Detected LanguageEnglish
TypeThesis
FormatETD, application/pdf
RightsIn Copyright, http://rightsstatements.org/vocab/InC/1.0/

Page generated in 0.0025 seconds