۱- Introduction

۲- Honeypot & honeynet background

۳- Related works

۴- Concept of the proposed hybrid honeynet

۵- Implementation of the honeynet

۶- Testing of the expert system using data gathered by honeynet

۷- Results and further development

۸- Conclusions

References

Abstract

Currently, many systems connected to the internet are exposed to hundreds of mostly automated network attacks on a daily basis. These are mostly very simple attacks originating from botnets. However, sophisticated attacks conducted both by automated systems and directly by humans are becoming more common. In order to develop adequate countermeasures, the behaviour of attackers has to be analysed effectively. Honeypots, a sort of lures for the attacks, are used for that purpose. Configuration of honeypots vary depending on the type of attacks they focus on attracting. For simple, analogous attacks that sequentially repeat predefined commands, medium interaction honeypots are sufficient, while more sophisticated attacks require the use of high interactive honeypots. An essential part of the analysis is to differentiate between these types of attacks to make the overall analysis efficient, in terms of efficient use of hardware resources, and effective by providing the attacker with an appropriately emulated environment. This article first analyses the current situation followed by presenting a solution in the form of a system made up of a hybrid honeynet and an expert system. For now, it focuses only on the SSH protocol, as it is widely used for remote system access and is a popular target of attacks. The system has been tested on real data collected over a one-year period. The article also deals with making redirecting SSH connections as transparent as possible.

Introduction

Cybersecurity is one of the most dynamic areas of commercial, academic, scientific, and even personal life. Therefore, to be able to react to both existing and new threats effectively, it is necessary to gain awareness of what threats are currently spreading and what is their destination and target. To gather the data, honeypots, and logical networks of honeypots known as honeynets,1 are used. The subject of this paper is to propose an expert system made to effectively classify the source of the connection to be either a simple or a sophisticated attacker. A simple attacker is typically a bot or an unskilled human attacker only executing a sequence of predefined, repeating commands, or it is a script-kiddie analysing the system and attempting to draw attention to itself. On the other hand, a sophisticated attacker, whether human or advanced malware, reacts to the situation dynamically. The honeynet is comprised of systems emulating SSH protocol, on network port 22 by default, that is among the most popular means for remote access to Linux shell, and administrators use it to manage remote systems or networks. However, it can also be used by an attacker. The SSH protocol was selected as it is among the most attacked protocols, according to the following reports: F-Secure Attack landscape H2 2018,2 Akamai – The State of the Internet Q4 2014.3 Also, the activity and artefacts left behind by an attacker using SSH connection, such as inputted commands or the SSH client used, are analytically useful. To discern and record practices of attackers mainly medium interaction honeypots were used, namely Cowrie.4 Cowrie honeypot emulates Linux shell and many of the basic Linux operating system programs, such as wget or SCP.