Giraffe Honeynet Project - Chapter Status Report for 2011

The Giraffe Chapter's continuous goal is to develop and improve honeypot technology and related tools and to conduct in-depth analysis of new attack techniques and malware specimens. This report lists our main activities and contributions from 2011.

_________________________________________________________________________________

ORGANIZATION

The Giraffe Chapter consists of the following people:

  • Felix Leder
  • Mark Schloesser
  • Tillmann Werner
  • Georg Wicherski

_________________________________________________________________________________
DEPLOYMENTS

More than seven years after the https://www.honeynet.org/papers/bots paper, botnet tracking is still one of our main interests, although our focus has shifted with the change in technology. Our goal is to identify particularly challenging botnets, such as ones that rely on a peer-to-peer (P2P) based infrastructure, and develop methods and techniques to track these. We currently have monitors and tracking systems for several botnets deployed.

We have a few dionaea, nepenthes, mwcollectd and honeytrap sensors deployed (all low-interaction server honeypots we develop or contributed to), although our focus has shifted a bit towards developing data analysis tools. We also run the HoneyMap, a data visualization framework for events that can be mapped on a geographic location. Some event feeds we have been experimenting with are the geo-locations of IP addresses hitting our honeypots or the logs from our various botnet sinkholes.

_________________________________________________________________________________
RESEARCH AND DEVELOPMENT

Most of the tools we have developed for the Honeynet Project are hosted on http://src.carnivore.it/. Below is a list of the major new projects we created in the last two years:

hpfeeds

A lightweight data-sharing protocol based on a publish/subscribe channel paradigm. Sensors publish data to channels and databases or analytics tools can subscribe to the data to store, analyze or visualize it.

PyBox

User level hooking library and sandboxing framework in Python. This is a joint work with other people in the research community.

HoneyMap

A real-time world map that visualizes attacks captured by honeypots of the Honeynet Project which are attached to the hpfeeds data-sharing setup. Red markers on the map represent attackers, yellow markers are targets (honeypot sensors). The map itself is available as a general data visualization tool.

_________________________________________________________________________________
FINDINGS

As far as an overall rating of current honeypot technology is concerned, we echo our assessment from our last status reports: evaluating recorded data remains the main challenge in honeypot research. For the immense amount of data, automating analysis is crucial, but only few tools are available to date. The recent efforts by the Honeynet Project to create and establish an internal data sharing system has already greatly improved this situation, but there is still a lot of work ahead.

Our work on botnets resulted in the takedown of the Kelihos.B botnet, which we blogged about here. While we believe that leading research and pushing the envelope in novel and aggressive operations against botnets is in line with the Honeynet Project's goals, we acknowledge that such actions raise discussions about ethics in computer security research. The project addresses this point in another blog post, which resulted in the release of an ethical Code of Conduct. The Giraffe Chapter has contributed to this thought process and will continue to engage in ethical discussions, internally and also publicly, with the goal enhance the proposed ethical standard. We believe that it is the research community's responsibility to address ethical questions.

_________________________________________________________________________________
PAPERS AND PRESENTATIONS

The following presentations were given by us at our 2011 workshop in Paris:

We also organized two trainings during our 2012 workshop in San Francisco:

We believe that sharing and discussing our thoughts and findings with the security community is an important part of the Honeynet Project's mission. We very much enjoyed the talks and trainings we gave and will continue our engagements at future workshops.

_________________________________________________________________________________
GOALS

One of our foremost goals is to improve the internal data sharing efforts in the Honeynet Project to enable people to conduct research and analysis more easily. One achievement was the HoneyMap, which gave people an incentive to actually deploy their HonEEEboxes and other sensors - they would show up on a public visualization that is well-perceived by media and the community. We saw quite an increase in events on hpfeeds after the success of the HoneyMap.

Peer-to-peer (P2P) botnets are not only technically challenging, they are also a popular field amongst researchers. The Giraffe Chapter maintains a continuously growing corpus of P2P botnet traffic and provides this data to other project members (and sometimes to external researchers upon request as well) to facilitate research. The current set includes sample traffic for Storm, Waledac, Gameover, all versions of Kelihos, Conficker.C, Miner, ZeroAccess, and Sality.
_________________________________________________________________________________
MISC ACTIVITIES

  • Felix and Tillmann serve on the board of directors where they help developing the strategic vision of the Honeynet Project.
  • Mark holds the position of the project's treasurer.
  • Maintaining some of the project's infrastructure and parts of the Honeycloud systems (e.g., PostgreSQL hpfeeds subscribers and sensors, redmine, git repositories) is another responsibility that Mark has voluntarily taken on.

_________________________________________________________________________________
MENTORING

Every year, we help selecting and mentoring talented students who work on one of our Google Summer of Code projects. Examples are these three projects.