DESS SSIC 2006/2007 - Discovering and Learning Security Threats Using Honeynets/pots

This page is updated (check the update date at the end) every week after each session.

Course Description

The subject of this course is to use the Honeynet/pot technologies as a tool to discover and learn existing and new threats to networked/distributed information system. The course includes a project to build a custom honeypot to turn the theory into a practical collection engine. The course requires a high involvement from the participants.

Given by : Alexandre Dulaunoy

Project

During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions that means some topics covered will help to enhance or complete your work.

Project - Modus Operandi

The project is done in group. A group is composed of two people (three if required and approved). It preferred that the group is composed of at least one student having an experience with a computer programming language (e.g. Python, Perl, Ruby, C, Java). I also prefer that the group is working on distinct coverage. That means you must express the project description as soon as possible to all the class in the project wiki (url given in class).

Project - Topic

As the course is mainly covering the aspect of the honeynet/pot technologies, the group has to build a specific honeypot to cover a specific service used on Internet or/and in an internal IP network.

Project - Rules

You are free to reuse existing software components (e.g. honeyd, twisted, modify existing free software) but you must always respect the software license used by those components.
You must have a complete documentation (French or English) of your project including the installation, the mode of operation for the honeypot, the data collection/acquisition mechanisms, the analysis mechanisms, the risks of your honeypot project and the potential improvement of your honeypot.
You must have a working prototype (maybe not including all the features described in your documentation) and a documented test case.
You must assume that your project will be on the global and wild Internet. In other words, you *must* develop your software/project by thinking of the potential abuse.
Discussions/demonstration are highly welcomed during the sessions.
All your project documentation, code, discussion and notes must be on the wiki provided. (scoring will be done based on that information)
Description of your project (and group) must be given before 15th February 2007.
Your project must be completed for the 20th March 2007.
... have fun !

Project - Ideas

If you are lacking imagination, some potential ideas :

A basic and fake authoritative (and recursive?) nameserver honeypot
An SMTP honeypot
An FTP honeypot
An SSH (SecSH) honeypot
A basic and fake name resolution library (client side honeynet)
A public REST API honeypot

Project - Evaluation

Evaluation of the project is based : Originality (10%), Innovation (20%), Security (20%), Risks Analysis (20%), Data Collection/Analysis (20%), Documentation (10%).

Sessions

Date/Where	Topic	Support
Sat. 03 Feb 2007 (09h->13h)/SSIC Computer Room	Introduction to Honeynet/pot Technologies and network datacapture. Reminder regarding the legal status of Honeynet/pot and your ethical role.	Intro and History - Honeynets Network Data Capture : Berkeley Packet Filter Legal framework of Honeynet/pots
Sat. 10 Feb 2007 (09h->13h)/SSIC Computer Room	An introduction to the analysis of malicious software. A sample POP3 honeypot used as security awareness tool.	Analysis of malicious software. A POP3 honeypot used as a security awareness tool.
Sat. 17 Feb 2007 (09h->13h)/SSIC Computer Room	Honeyd overview and configuration. Review of the project status.
Sat. 03 Mar 2007 (09h->13h)/SSIC Computer Room	Data capture and data collection. Distributed honeypots and their usage. Data capture and collection in your project.	Data capture and collection in honeypot/nets. An introduction to black-hole network. Attackers are also distributed not only honeynet/pots.
Sat. 10 Mar 2007 (09h->13h)/Cancelled	Testing your honeypots/honeynets : scanning the network	Network scanning:a brief introduction and how to scan your honeypot/net.
Sat. 17 Mar 2007 (09h->13h)/SSIC Computer Room	Evaluating your honeypot/net. Final project review.	Testing your honeypot/honeynet.

Sessions - Additional Support

IP, TCP, UDP headers + TCP state transition diagram from TCP/IP illustrated, Volume 1

Caveat

You may find that the subject is too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don't hesitate to talk about as soon as possible.

Bibliography

Know Your Enemy : Learning about Security Threats (2nd Edition) by Honeynet Project The (2004), Addison Wesley,ISBN:0321166469
The Internet Motion Sensor: A Distributed Blackhole Monitoring System by M Bailey, E Cooke, F Jahanian, J Nazario, D Watson
A Virtual Honeypot Framework by Niels Provos, USENIX Security '04 Paper

Copyright © Alexandre Dulaunoy adulauATATfoo.be This work is licensed to you under version 2 of the GNU General Public License. Alternatively, you may choose to receive this work under any other license that grants the right to use, copy, modify, and/or distribute the work, as long as that license imposes the restriction that derivative works have to grant the same rights and impose the same restriction. For example, you may choose to receive this work under the GNU Free Documentation License, the CreativeCommons ShareAlike License, the XEmacs manual license, or similar licenses.

Updated : Fri 16 Mar 2007 22:10

DESS SSIC 2006/2007 - univ-Metz - MIM

Discovering and Learning Security Threats Using Honeynet/pot Technologies