Alaskan Chapter

Alaskan Chapter Status Report For 2008

ORGANIZATION

  1. Brian Hay is now the chapter lead.  Chris Hecker remains involved in the project, but has changed employer in later 2008 and has less time available to lead the Chapter for the first half of 2008.
  2. Brian Hay (VMI, Active honeypot), Chris Hecker (Automating honeynet deployments), Kara Nance (VMI).

DEPLOYMENTS

  1. Honeyd and sebek deployments in research lab, but no public deployments at this time.  Students deployed several honeynets as part of a class project during Fall 2008.
  2. Activity timeline: Recently secured a larger IP allocation on which honeypots could be deployed, and expect to use this allocation starting in summer 2009.

RESEARCH AND DEVELOPMENT

  1. Working on an active high interaction honeypot in which user interaction is performed prior to and during an intrusion.  Deployed a tool to generate honeyd configurations from log files.
  2. Virtual Machine Introspection toolkit for Xen was developed at UAF, and is under current development for use in several fields, including honeynet deployements and digital forensics.
  3. Currently collaborating with Ron Dodge on the active honeynet work.
  4. Explain what kind of help or tools or collaboration you are interested in.

FINDINGS

  1. Highlight any unique findings, attacks, tools, or methods. None.
  2. Any trends seen in the past year? None.
  3. What are you using for data analysis? None.
  4. What is working well, and what is missing, what data analysis functionality would you like to see developed?  Our interest is more in the data capture and honeynet management area at this point.

PAPERS AND PRESENTATIONS

  1. Are you working on or did you publish any papers or presentations,
    such as KYE or academic papers?  If yes, please provide a description
    and link (if possible).  Three journal papers on VMI and digital forensics live analysis (which is somewhat relevant).

Hay, B., M. Bishop, and K. Nance. Live Analysis: Progress and Challenges. IEEE Security and Privacy. (in press)
Nance, K., M. Bishop, and B. Hay. Virtual Machine Introspection: Observation or Interference? IEEE Security and Privacy Virtualization Special Issue, October 2008.
Hay, B. and Nance, K. 2008. Forensics Examination of Volatile System Data Using Virtual Introspection. SIGOPS Oper. Syst. Rev. 42, 3 (Apr. 2008), 74-82. DOI= http://doi.acm.org/10.1145/1368506.1368517

  1. Are you looking for any data or people to help with your papers?

Not at this point, although possibly with the active honeypot work.

  1. Where did you present honeypot-related material? ( selected publications )

See above list of pubs.

GOALS

  1. Which of your goals did you meet for the past year?

We made good progress on the VMI project, and got some students involved in honeynet work as part of a class project.

  1. Goals for the next year.

Deploy a honeynet with VMI as the major monitoring component.  Determine the extent to which VMI is detectable from the persepctive of the VM user.  Deploy and test the active honeypot code in a production setting.
MISC ACTIVITIES