Honeypots mailing list archives

diploma thesis - "Usage of Honeypots for Detection and Analysis of Unknown Security Attacks"


From: Patrick Diebold <p.diebold () arcor de>
Date: Thu, 17 Jun 2004 13:49:36 +0200

Dear Community,

My name is Patrick Diebold and I am a graduate student of the Technical 
University Berlin (TU-Berlin) in Germany. I have just finished my diploma 
thesis "Usage of Honeypots for Detection and Analysis of Unknown Security 
Attacks" and wanted to share my experiences with the community.

The aim of my thesis was to develop a honeypot architecture that gathers 
intrusion-related information. The focus was on unknown attacks.
The evaluation of several honeypot tests using honeyd and some simple 
shell scripts led to the conclusion that not all traffic directed to a 
honeypot is an attack. Furthermore, I was astonished to see how many known 
attacks and worms attacked my honeypot: honeyd collected more than 18 MB of 
attack traffic, omitting the non-readable data. So far so good, nothing new up 
to here.
There are two problems one has to deal with when concentrating on unknown 
attacks: known attacks and non-attack connections (false positives). In order 
to filter known attacks an IPS (Intrusion Prevention System) can be used. The 
remaining traffic has to be analyzed to determine whether it is a successful attack or 
not. In the best case the honeypot should do this automatically.

I have developed a honeypot architecture that logs the traffic to the honeypot 
in a way that makes it possible to replay the attack and tag the logfiles of a 
successful attack automatically. 
The honeypot architecture is able to replay attacks from the logs without the 
attacker's exploit at hand (some tests with buffer overflow attacks were 
successful). 
To detect an attack I have written a simple host IDS (H-IDS) that detects an 
attack on the basis of unexpected system calls. 
The H-IDS and the logging component can be distributed on several hosts to 
reduce the risk of an eventually compromised honeypot.
The logging component and the H-IDS are synchronized via a control channel 
that allows the tracking of the honeypot processes and the corresponding 
traffic.
On a successful attack an alarm is raised, the corresponding logfile is 
tagged and an e-mail is sent to the administrator. This way it should be 
possible to detect unknown attacks on the honeypot. 

The software is written in C++ and the H-IDS is realized as a Linux Kernel 
Module. 
The H-IDS does system call interception by redirecting the function pointers 
in the system-call table.
Stress tests with tcpdump have shown that tcpdump skips packets under heavy 
load so I decided to implement the logging via a socket interceptor.

The software is easily extensible to realize a cluster of honeypot services 
that receive the same traffic from the attacker simultaneously. A lead process 
sends back the response to the attacker. Whenever the H-IDS raises an alarm 
in one of the honeypot services the logfile is tagged. This way several 
varying honeypot installations can be tested simultaneously.

Any feedback and suggestions to this work are welcome and appreciated.

With kind regards, 
Patrick Diebold
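The detection rule the post describes (raise an alarm on the first system call a honeypot service was never seen to make, then tag the connection log tracked for that process) as an added user-space sketch; this is example code written for this archive page, not the thesis's kernel module. The "pid service syscall" event format, the service name ftpd, the log file names and the pid-to-log map standing in for the control channel are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traces in an assumed "pid service syscall" format.
# TRAINING_TRACE is a clean session; MONITOR_TRACE contains two
# connections, one of which ends in a syscall never seen in training.
TRAINING_TRACE = [
    "101 ftpd socket", "101 ftpd accept", "101 ftpd read",
    "101 ftpd write", "101 ftpd open", "101 ftpd close",
]
MONITOR_TRACE = [
    "202 ftpd accept", "202 ftpd read", "202 ftpd write",
    "203 ftpd accept", "203 ftpd read",
    "202 ftpd execve",   # not in the profile: typical of a spawned shell
    "203 ftpd close",
]
# Stand-in for the control channel: which connection log each pid belongs to.
PID_TO_LOG = {202: "conn-0017.log", 203: "conn-0018.log"}


def learn_profile(training):
    """Map each honeypot service to the set of syscalls seen in clean use."""
    profile = defaultdict(set)
    for line in training:
        _pid, service, syscall = line.split()
        profile[service].add(syscall)
    return dict(profile)


def monitor(profile, events, pid_to_log):
    """Return one alarm (pid, service, syscall, logfile) per unexpected syscall.
    Caveat: a legitimate but rarely used syscall absent from the training
    trace also alarms, so the profile must come from a representative run."""
    alarms = []
    for line in events:
        pid, service, syscall = line.split()
        if syscall not in profile.get(service, set()):
            alarms.append((int(pid), service, syscall,
                           pid_to_log.get(int(pid), "unknown")))
    return alarms


def tag_logs(alarms):
    """Tag the logfile of every alarmed connection so it can be replayed later."""
    return {log: "ALARM" for _pid, _svc, _call, log in alarms}


if __name__ == "__main__":
    found = monitor(learn_profile(TRAINING_TRACE), MONITOR_TRACE, PID_TO_LOG)
    for pid, service, syscall, log in found:
        print(f"alarm: pid {pid} ({service}) made unexpected syscall "
              f"{syscall}; tagging {log}")
    print(tag_logs(found))
```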

