This page is updated (check the update date at the end) every week after each session.

Course Description

The subject of this course is to use the Honeynet/pot technologies as a tool to discover and learn existing and new threats to networked/distributed information system. The course includes a project to build a custom honeypot to turn the theory into a practical collection engine. The course requires a high involvement from the participants.

Given by : Alexandre Dulaunoy

Project

During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions that means some topics covered will help to enhance or complete your work.

Project - Modus Operandi

The project is done in group. A group is composed of two people (three if required and approved). It preferred that the group is composed of at least one student having an experience with a computer programming language (e.g. Python, Perl, Ruby, C, Lisp, PHP, Java). I also prefer that the group is working on distinct coverage. That means you must express the project description as soon as possible to all the class in the project wiki (url given in class).

Project - Topics

First topic, as the course is mainly covering the aspect of the honeynet/pot technologies, the group has to build a specific honeypot to cover a specific service used on Internet or/and in an internal IP network.

Second topic, analysis and security visualization of the "jubrowska" data. The visualization can be around the network capture but also the communication inside or the tty interaction capture. The visualization can be also used as tool to see the interactions (if any) between the data collected.

Project - Rules

Project - Ideas

If you are lacking imagination, some potential ideas :

Project - Evaluation

Evaluation of the project is based : Originality (10%), Innovation (20%), Security (20%), Risks Analysis (20%), Data Collection/Analysis (20%), Documentation (10%).

Sessions

Date/WhereTopicSupport
Sat. 31 Jan 2009 (09h00->13h00)/SSIC Computer RoomIntroduction to Honeynet/pot Technologies
and network datacapture. Reminder regarding the legal status of Honeynet/pot and your ethical role.
Intro and History - Honeynets
Network Data Capture : Berkeley Packet Filter Legal framework of Honeynet/pots
Sat. 7 Feb 2009 (09h00->13h00)/SSIC Computer RoomAnalysis of Malicious Software (practical example). Datacapture in Honeypot. Datacapture in Honeypot.Analysis of Malicious Software. Practical Analysis of Malware Collected. Open Discussion About Circular Visualization. (moowheel or circos)
Sat. 14 Feb 2009 (09h00->12h50)/SSIC Computer RoomNetwork scanning. An overview of flow analysis and how to analyze specific network flows. Another use of a Honeypot. Discussion about projects.Network scanning and service discovery. Another use of a Honeypot : a security awareness tool.
Sat. 21 Feb 2009 (09h00->12h50)/SSIC Computer RoomHolidaysHolidays
Sat. 28 Feb 2009 (09h00->12h50)/SSIC Computer RoomHow can we benefit from the analysis of the honeypot trace? An introduction to forensic analysis. Review of the project state and bootstrapping some projects.Learning from the attacker.... An introduction to forensic analysis.
Sat. 7 Mar 2009 (09h00->12h50)/SSIC Computer RoomForensic analysis...An introduction to forensic analysis. Support document : flash| memory| coldboot
Sat. 14 Mar 2009 (09h00->12h50)/SSIC Computer RoomBerkeley Packet Filter (bis) and review of current projects.Berkeley Packet Filter . You must alway carry with you the pocketguide of IP, TCP and UDP headers. Sample logs and question.

Sessions - Additional Support

Caveat

You may find that the subject is too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don't hesitate to talk about as soon as possible.

Bibliography