About this talk
Security BSides Athens 2018 (Sat, 23/Jun/2018)

Paravirtualized Honeypot Deployment for the Analysis of Malicious Activity - Andronikos Kyriakou

Abstract: In today's world, cyber security is a fast-changing environment. New threats emerge continuously, and the ability to capture and effectively analyze them is more crucial than ever. A popular and widespread tool in the search for new and unknown threats is the honeypot. Based on [1], a honeypot is "a security resource whose value lies in being probed, attacked or compromised". In our work, we examine a multi-honeypot system that aims to gather and analyze the actions of an attacker in real time. The system is implemented with Docker, which deploys a Cowrie, a Dionaea and a Glastopf container. Cowrie is a medium-interaction SSH and Telnet honeypot, Dionaea is a malware collector designed to expose network services, and Glastopf is a web application honeypot. Using Docker isolates the resources each honeypot needs while keeping the system load low. The open source Elastic stack is selected for analyzing and visualizing the data gathered. The Elastic stack consists of Logstash, the streaming Extract, Transform and Load (ETL) engine; Elasticsearch, a real-time, full-text search engine; and Kibana, an administration and visualization platform. This modular and expandable stack makes an examination of the data possible, and an abundance of information, such as the origin country of an attack and the most frequently targeted port, can be identified. In closing, by monitoring the incoming connections many useful conclusions can be drawn about the behavior and the nature of the malicious users. This information can be used to create more powerful intrusion detection systems, as well as to identify and mitigate zero-day attacks.
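The kind of analysis the abstract describes (origin country of the attack, most frequently targeted port, credentials tried) is what Logstash and Kibana produce from the honeypot logs. As an added example that is not part of the talk or of the Cowrie project, the following Python script shows the same aggregation done directly over Cowrie's JSON log format, so the reader can see which fields carry the information before it reaches the Elastic stack. The log lines are constructed for this example (RFC 5737 documentation addresses), and the GeoIP table is a made-up stand-in for the GeoIP enrichment that a Logstash filter would perform; malformed lines are skipped rather than aborting the run, since a real log file often contains partial or rotated lines.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample lines in Cowrie's JSON log format (not captured from a real sensor).
# The last line is deliberately malformed to exercise the skip path.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","src_port":51234,"dst_ip":"10.0.0.5","dst_port":22,"session":"a1","protocol":"ssh","timestamp":"2018-06-01T10:00:00.000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.23","session":"a1","timestamp":"2018-06-01T10:00:01.000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"198.51.100.23","session":"a1","timestamp":"2018-06-01T10:00:02.000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":40001,"dst_ip":"10.0.0.5","dst_port":23,"session":"b2","protocol":"telnet","timestamp":"2018-06-01T10:05:00.000Z"}
{"eventid":"cowrie.login.success","username":"admin","password":"admin","src_ip":"203.0.113.7","session":"b2","timestamp":"2018-06-01T10:05:01.000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","src_port":51300,"dst_ip":"10.0.0.5","dst_port":22,"session":"c3","protocol":"ssh","timestamp":"2018-06-01T10:07:00.000Z"}
this line is not json and must be skipped
"""

# Constructed GeoIP stand-in: in the real stack a Logstash geoip filter resolves this
# from a MaxMind database. Networks are RFC 5737 ranges; the country labels are made up.
DEMO_GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "Example-A",
    ipaddress.ip_network("203.0.113.0/24"): "Example-B",
}


def lookup_country(ip: str) -> str:
    """Map a source address to a country label using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, country in DEMO_GEOIP.items():
        if addr in net:
            return country
    return "unknown"


def parse_events(lines):
    """Parse Cowrie JSON log lines, skipping blank or malformed ones instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupted line: drop it, keep processing
        if isinstance(event, dict) and "eventid" in event:
            events.append(event)
    return events


def summarize(events):
    """Aggregate connections by port, source and country, plus credentials tried."""
    by_port = Counter()
    by_source = Counter()
    by_country = Counter()
    failed_credentials = Counter()
    successful_logins = 0
    for event in events:
        kind = event["eventid"]
        if kind == "cowrie.session.connect":
            by_port[event.get("dst_port")] += 1
            by_source[event.get("src_ip")] += 1
            by_country[lookup_country(event["src_ip"])] += 1
        elif kind == "cowrie.login.failed":
            failed_credentials[(event.get("username"), event.get("password"))] += 1
        elif kind == "cowrie.login.success":
            successful_logins += 1
    return {
        "connections_by_port": by_port,
        "connections_by_source": by_source,
        "connections_by_country": by_country,
        "failed_credentials": failed_credentials,
        "successful_logins": successful_logins,
    }


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG.splitlines()))
    print("most targeted port:", summary["connections_by_port"].most_common(1))
    print("connections by country:", dict(summary["connections_by_country"]))
    print("credentials tried:", dict(summary["failed_credentials"]))
    print("successful logins:", summary["successful_logins"])
```

The `cowrie.login.success` count is the figure worth alerting on: on a honeypot every successful login means an attacker now has an interactive session, and the subsequent `cowrie.command.input` events for that session id are where the observed behaviour the abstract refers to is recorded.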
Bio: Andronikos Kyriakou is an undergraduate student at the Computer Engineering & Informatics Department (CEID), University of Patras. He is a computer security enthusiast and joined the SCYTALE Research Group in January 2018, where he is working on his Diploma Thesis under the supervision of Associate Professor Dr. Nicolas Sklavos. His research interests include digital forensics, network security, privacy issues and machine learning. In recent years he has attended many conferences and has taken an active part in the organising committee of ECESCON 8.