Status Report (31st of March 2007)
1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.
* GDH node at Auckland University.
* Capture-HPC high interaction client honeypot deployment at Victoria University of Wellington.
2.1 Highlight any unique findings, attacks, tools, or methods.
PHPHoP - see KYE: Web Application Attacks for more details.
2.2 Any trends seen in the past six months.
3.0 LESSONS LEARNED
3.1 What new positive things can you share with the community, so they can replicate your success?
GDH packaging of the software made it possible for us to deploy a node with a minimum of effort on our part. The automated collection and shared analysis also make it worthwhile. We did not have the resources to deploy a honeypot *and* analyse the results. GDH has made it possible for us to contribute what we had, i.e. hardware and address space.
3.2 What new mistakes can you share with the community, so they don't make the same mistakes?
Keep all your data and log as much as you can. Automate as much as possible. This will save you time, and you may want to go back and re-evaluate data at some point.
Think your experiments through all the way to data analysis and design your data collection accordingly. You don't want to find that you need some data for analysis that you didn't collect.
3.3 Are there any research ideas you would like to see developed?
Automatic analysis of binaries, a la Norman SandBox / CWSandbox / Capture-BAT, for Linux binaries.
Avoiding detection of honeypot tooling, such as VMware and API hooking, by malware.
4.1 What tools or functionality are we lacking, what do we need to work on?
4.2 What new tools or technology are you working on?
* HoneyC - Low Interaction Client Honeypot
* Capture-HPC - High Interaction Client Honeypot
* PHPHoP - Application-based low-level interaction honeypot
4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
We would like to develop a web service that allows end users as well as other researchers to interact with the client honeypot deployments.
5.0 PAPERS AND PRESENTATIONS
5.1 Are you working on any papers to be published, such as KYE or academic papers?
Currently working on the KYE: Malicious Web Servers paper. We are identifying malicious web servers using high interaction client honeypots. The paper is likely to contain information about where malicious web servers exist on the Internet as well as in-depth analysis of exploits.
Currently working on an academic paper that looks at improving the detection speed of high interaction client honeypots.
Currently working on an academic paper on assessing the false negative rate of high interaction client honeypots.
5.2 Are you looking for any data or people to help with your papers?
5.3 Where did you publish/present honeypot-related material?
* http://www.securityfocus.com/infocus/1876 - Analyzing Malicious SSH Login Attempts
* http://www.securityfocus.com/infocus/1880 - Using Nepenthes Honeypots to Detect Common Malware
* http://www.honeynet.org/papers/webapp - KYE: Web Application Attacks
* http://www.infosecwriters.com/texts.php?op=display&id=416 - Detecting Botnets Using a Low Interaction Honeypot
* Seifert, C., Welch, I. and Komisarczuk, P. HoneyC - The Low-Interaction Client Honeypot, Proceedings of the 2007 NZCSRCS, Waikato University, Hamilton, New Zealand, April 2007
* Seifert, C., Welch, I. and Komisarczuk, P. Taxonomy of Honeypots, Victoria University of Wellington, Wellington, 2006, Available from http://www.mcs.vuw.ac.nz/comp/Publications/index-byyear-06.html; accessed on 14 July 2006
6.1 Changes in the structure of your organization.
Fairly informal structure. Jamie has moved to the UK and Christian is now project contact.
6.2 Your feedback on Alliance activities.
The honeynet meeting was great and Jamie will definitely try to attend again.
6.3 Any suggestions for improving the Alliance?
Ability to participate in the honeynet meetings even if not physically present. This includes being able to hack on things that are being worked on at the honeynet meetings as well as being able to view presentations remotely during the meetings.
Interface and collaborate with other honeynet and security-related research organizations that are not part of the Alliance.
7.1 Which of your goals did you meet for the last six months?
We did manage to write and publish quite a few papers, including the KYE paper.
7.2 Which of your goals did you not meet for the last six months?
7.3 Goals for the next six months
Increase visibility of the NZ Honeynet Alliance within New Zealand and recruit additional members from New Zealand in academia as well as the corporate world.
Publish KYE paper on malicious web servers.
Integrate client honeypot technologies into the existing tools of the Honeynet Alliance.
8.0 MISC ACTIVITIES
8.1 Anything else not covered you would like to share.