IWA Poster Template - raid-symposium.org


Mohammed Sqalli*, Raed AlShaikh**, Ezzat Ahmed*
* Department of Computer Science and Engineering
King Fahd University of Petroleum and Minerals
Dhahran, Saudi Arabia
** ECC Network Operations Department
EXPEC Computer Center (ECC)
Saudi Aramco
Dhahran 31311, Saudi Arabia

A Virtual Distributed Honeynet at KFUPM: A Case Study

Introduction

Aim

A honeynet is a network set up with intentional vulnerabilities to invite attack, so that an attacker's activities and methods can be studied.

Build a high-interaction honeynet environment at KFUPM's two main campuses:
- The students' living dorms.
- The Computer Engineering College campus.
Most enthusiastic and computer-literate intruders are found in the Computer Science and Engineering College.

Two commonly used implementations were tested:
- The Honeywall CDROM
- KFSensor

VMware virtualization was used since it offers several advantages over the use of physical machines:
- VMs can be modified more easily than physical machines (software layer).
- An administrator can start, stop or clone a VM very easily, which is especially important in the case of security.

The aim of our experiment is to explore:
- The type of attacks the campuses are exposed to (DoS, port scanning, etc.).
- The most common tools for these attacks (rsh, ssh, parallel ping, etc.).
- The most common source(s) and destination(s) for these attacks.
- The feasibility of the design and tools used.

High-interaction honeypots were used:
- Collect as much information as possible.

[Figure: honeynet topology diagram. Labels: Internet, Honeywall CDROM, VLAN1, VLAN2, private network, logging server, Fedora and Windows XP high-interaction honeypots, The Computer Engineering College campus.]

Experimental Results

In terms of severity, around 65% of the traffic was considered medium risk, while the remaining 35% was considered low. The high percentage of the medium-level category was due to the fact that the system classifies BitTorrent file sharing, which makes up around 70% of the total traffic, as medium risk. This percentage is of no surprise since BitTorrent accounts for an astounding 40-55% of all the traffic on the Internet, and it is expected to be high in the students' living campuses.
Name                                              Protocol  Severity  Total
IIS view script source code vulnerability attack  TCP       Medium        8
MS Uni Plug and Play UDP                          UDP       Medium       30
NBT (NetBIOS) Datagram Service                    UDP       Low         399
BitTorrent requests                               TCP       Medium    19098
DHCP requests                                     UDP       Low        9938
Random traffic                                    --------  -------     357

Moreover, we detected a vulnerability attack on the Internet Information Service (IIS) that was installed on the Windows-based honeypots. This vulnerability has the signature KFAGC165421 and indicates that IIS contains a flaw that allows an attacker to cause IIS to return the source code for a script file instead of processing the script. This vulnerability attack traffic was generated by one of the systems in the students' living campus.

Further Enhancements

Developed a wrapper that checks these logs and informs the system administrator of any successful intrusion incident. The script sends emails containing the matched logs, for example:

To: [email protected]
From: [email protected]
Subject: ------ ALERT!: OUTBOUND CONN -------

Apr 6 17:19:05 honeywall FIREWALL:OUTBOUND CONN UDP:IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth2 SRC=192.168.1.101 DST=63.107.222.112 LEN=123 TOS=0x00 PREC=0x00 TTL=255 ID=43147 PROTO=UDP SPT=5353 DPT=79 LEN=103
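The wrapper described under Further Enhancements, as an added example that is not the authors' script: it parses Honeywall firewall log lines in the format quoted above, treats any OUTBOUND CONN whose source is a honeypot address as a successful intrusion (a honeypot has no legitimate outbound traffic), and composes the alert mail. The honeypot address range, the mail addresses and the constructed second and third log lines are assumptions.

```python
import re
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Honeywall firewall log line as quoted on the poster:
#   <syslog timestamp> <host> FIREWALL:<event> <proto>:<KEY=VALUE ...>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"FIREWALL:(?P<event>[A-Z ]+?) (?P<proto>[A-Z]+):(?P<fields>.*)$"
)
# Addresses of the honeypots (assumption; only the .101 host appears on the poster).
HONEYPOTS = [ip_network("192.168.1.100/30")]
# Constructed sample: line 1 is the poster's own alert, lines 2 and 3 are made up
# (a non-outbound event, and a second outbound connection to a BitTorrent port).
SAMPLE_LOGS = """\
Apr 6 17:19:05 honeywall FIREWALL:OUTBOUND CONN UDP:IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth2 SRC=192.168.1.101 DST=63.107.222.112 LEN=123 TOS=0x00 PREC=0x00 TTL=255 ID=43147 PROTO=UDP SPT=5353 DPT=79 LEN=103
Apr 6 17:19:06 honeywall FIREWALL:INBOUND TCP:IN=br0 PHYSIN=eth2 OUT=br0 PHYSOUT=eth1 SRC=198.51.100.7 DST=192.168.1.101 LEN=60 PROTO=TCP SPT=40001 DPT=80
Apr 6 17:19:09 honeywall FIREWALL:OUTBOUND CONN TCP:IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth2 SRC=192.168.1.102 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51000 DPT=6881
"""

def parse_line(line):
    """Return the parsed record, or None if the line is not a firewall log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # KEY=VALUE tokens; LEN occurs twice (IP and UDP header) and the last one wins.
    rec.update(tok.split("=", 1) for tok in rec.pop("fields").split() if "=" in tok)
    rec["raw"] = line.strip()
    return rec

def is_compromise_indicator(rec):
    """A honeypot has no legitimate outbound traffic, so an OUTBOUND CONN whose
    SRC is a honeypot address is treated as a successful intrusion."""
    if rec["event"] != "OUTBOUND CONN" or "SRC" not in rec:
        return False
    return any(ip_address(rec["SRC"]) in net for net in HONEYPOTS)

def scan_logs(text):
    """Return the log records that should be mailed to the administrator."""
    recs = (parse_line(line) for line in text.splitlines())
    return [r for r in recs if r and is_compromise_indicator(r)]

def build_alert(rec, to_addr, from_addr):
    """Compose the alert mail in the shape shown on the poster (sending via smtplib is left out)."""
    msg = EmailMessage()
    msg["To"], msg["From"] = to_addr, from_addr
    msg["Subject"] = f"------ ALERT!: {rec['event']} -------"
    msg.set_content(rec["raw"] + "\n")
    return msg
```

On the constructed sample, scan_logs returns the two outbound records (the .101 host's UDP connection from the poster and the .102 host's connection to port 6881) and drops the inbound line.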

Conclusion and Future Work

Our experience shows that the Honeywall CDROM proved to be a solid tool that is capable of capturing a great deal of information and assisting in analyzing traffic on the distributed honeypots. The honeynet designer, nevertheless, needs to consider a few issues related to scalability and resource utilization.

Our future work includes expanding our honeynet network to include other colleges and campuses in the university, giving wider honeynet coverage. This will also require increasing our logging disk space to allow for more logging time, longer logging intervals and thus broader analysis.
