Google Summer of Code 2013 Project Ideas

This page contains a list of potential project ideas that we are keen to develop during GSoC 2013 (we also have additional project ideas currently undergoing internal review, which will be added here too once project deliverables and available mentors have been confirmed). You can view our previous GSoC 2009, GSoC 2010, GSoC 2011 and GSoC 2012 project ideas pages if you are looking for inspiration, or you might like to work on one of our existing tools rather than working on something new.

We are always also interested in hearing any ideas for additional relevant honeynet-related R&D projects (although remember that to qualify for receiving GSoC funding from Google your project deliverables need to fit in to GSoC's 3-month project timescales!). If you have a suitable and interesting project, we'll always try and find the right resources to mentor it and support you. Please note - even if you aren't an eligible GSoC student, we are also always looking for general volunteers who are enthusiastic and interested in getting involved in honeynet R&D.

Each sponsored GSoC 2013 project will have one or more mentors available to provide a guaranteed contact point to students, plus one or more technical advisors to help applicants with the technical direction and delivery of the project (often the original author of a tool or its current maintainer, and usually someone recognised as an international expert in their particular field). Our Google Summer of Code organisational administrators will also be available to all sponsored GSoC students for general advice and logistical support. We'll also provide supporting hosted svn/trac/git/redmine/mailman/IRC/etc project infrastructure, if required.

For all questions about the Honeynet Project, the GSoC program or our projects, please contact us on #gsoc-honeynet on irc.freenode.net, subscribe to our public mailing list for people interested in GSoC at https://public.honeynet.org/mailman/listinfo/gsoc or email us directly at project@honeynet.org.

To learn more about the Google Summer of Code event, see the GSoC 2013 website.

R&D Focus Areas

In previous years our internal honeynet R&D focus was primarily directed into a number of priority areas, which were:

  • Mobile device honeypots
  • Virtualization honeypots / monitoring / attacks
  • Topical malware (e.g. stuxnet SCADA, attacks against mobile platforms such as Android, etc)
  • Active defense research (e.g. botnet take down in an ethical manner)
  • IPv6 honeynets
  • Distributed data collection, analysis and visualisation

So unsurprisingly a number of our suggested potential project ideas fall into these research areas. However, we are also interested in receiving project proposals and tool updates/new tool developments outside these research focus areas too, so hopefully this provides potential students with a wide variety of exciting topics to contribute to and be engaged with this summer.

GSoC 2013 Project Ideas

(more to follow)

Name: Project 1 - Pwnypot Honeyclient (detection improvement)
Mentor: Georg Wicherski (DE)
Backup mentor / technical support: Shahriyar Jalayeri
Skills required:

  • C++ (good)
  • Windows and Java Internals (good)
  • Exploitation (and anti-exploitation) techniques (familiar)

Project type: Improve existing tool
Project goal:
The goal of the project is to add more detection techniques to Pwnypot (https://github.com/shjalayeri/MCEDP) for detecting shellcode, ROP chains and also Java logical exploits.
Description:
Pwnypot (a.k.a. MCEDP) is a high-interaction client honeypot that uses several techniques to detect malicious web servers at the exploitation stage. Some of the methods used in Pwnypot were first implemented in MS EMET. Attackers can use certain methods (which have not been seen in the wild yet!) to bypass the shellcode and ROP detector modules. We are currently aware of most of these evasion methods and expect to fix them during this project. Another problem is Java sandbox escape exploits. These exploits are often logical and do not use any kind of memory corruption or legacy shellcode. Because MCEDP/Pwnypot is designed around memory corruption issues and shellcode execution, it can't detect this type of Java exploit yet! We also need to detect these types of Java exploits.

Name: Project 2 - Pwnypot manager
Mentor: Jamie Riden (UK)
Backup mentor: Georg Wicherski (DE), technical support: Adel Karimi
Skills required:

  • Python (good)
  • HTML/CSS/Javascript (good)

Project type: Extension of existing tool
Project goal:
The goal of the project is to develop a manager module for Pwnypot (https://github.com/shjalayeri/MCEDP) that sends tasks to Pwnypot agents / VMs, gets the results after the analysis and inserts them into a DB, plus a simple web frontend for management and showing the results.
Description:
Currently the Pwnypot honeyclient is not fully automated and just has a detection module with a GUI for its configuration (agent / Pwnypot client). We need a manager module for sending tasks to agents/VMs (feeding inputs to Pwnypot clients) and getting the results. We also need a DB and a simple web frontend to manage Pwnypot and show the analysis results.

Name: Project 3 - Thug Distributed Task Queueing
Mentor: Angelo Dell'Aera (IT)
Backup mentor: Sebastian Poeplau (DE)
Skills required:

  • Python (good)
  • Distributed computing (basic)

Project type: Improve existing tool
Project goal:
The goal of the project is to introduce a new distributed operating mode in the honeyclient (Thug).
Description:
Currently Thug works as a stand-alone tool, but there are plans to make it able to work in a distributed environment. The idea is that an instance of Thug operating in distributed mode should be able to connect to a (centralized or not) URL distribution point. Such a distribution point will be fed with URLs coming from different sources (e.g. spamtraps) and redistribute those URLs to all Thug instances which are currently idle and waiting for tasks to run. The distribution algorithm should be able to load balance the tasks among the live and connected Thug instances and provide them with additional parameters in order to fine tune the running instance.

Name: Project 4 - Thug Document Object Model (DOM) improvements and validation
Mentor: Angelo Dell'Aera (IT)
Backup mentor: Sebastian Poeplau (DE)
Skills required:

  • Python (good)
  • HTML, Javascript, browser internals (good)

Project type: Improve existing tool

Project goal:
The goal of the project is to improve the Document Object Model implementation of the honeyclient (Thug) and implement a generic framework for its validation.
Description:
Thug implements its own Document Object Model (DOM) which is far from perfect. Considering that a correct implementation is key for correctly emulating web pages (and thus exploit kits too) the goal of this project is about improving the existing Document Object Model implementation and implementing a generic framework for its validation.

Name: Project 5 - Android webhoneyclient
Mentor: Hugo Gonzalez (MX)
Backup mentor: Natalia Stakhanova (Canada)
Skills required:

  • Android (good)
  • Python (good)

Project type: Develop a new tool
Project goal:
The goal of the project is to develop a new tool capable of detecting and analyzing malicious attacks against Android delivered by web servers.
Description:
Currently there are some honeyclients that mimic a browser on a specific platform. This one won't mimic anything, because it will use a "real" platform to conduct a complete analysis. The point of this project is not to develop an Android app but an analysis tool to be run in a traditional (not mobile phone) environment.

At this stage the analysis should focus on URLs. An Android honeyclient should be able to (1) visit the suspicious URL, (2) record all the activities of the device, (3) analyze the recorded activity.

The input to the honeyclient is a list of URLs and the output is the result of their analysis. We envision the analysis being performed through emulation in a virtual setting, exposing an Android environment to a possibly malicious URL.
As such the project has two components: (1) a straightforward implementation of a controller that will be responsible for starting up a clean environment for Android platform emulation, running the URL in it, collecting traces and closing the environment; and (2) a more advanced piece on behavioral analysis of the recorded traces.
The latter component is likely to call for some research. We're not looking for a sophisticated analysis here; we were thinking of some definition of normal environment behavior and consequently a comparison of the recorded traces with what is defined as normal.

Name: Project 6 - Dynamic attack surface for Glastopf
Mentor: Johnny Vestergaard (DK)
Backup mentor: Lukas Rist (DE)
Skills required:

  • Python (good)
  • HTML/CSS/Javascript (good)

Project type: Extension of existing tool
Project goal:
Extend Glastopf with functionality to change its attack surface.
Description:
The goal of this project is to develop functionality to dynamically change the attack surface of Glastopf. In this context the attack surface means the HTML, CSS, Javascript and paths visible to the attacker. One or more of the following suggestions could be interesting in this context:

  • Functionality to mirror/mimic an existing website. This would involve automatically scraping a website, after which Glastopf would mimic that site. Also see http://research.microsoft.com/apps/pubs/default.aspx?id=145126 for a similar approach. There are definitely search engine consequences and legal aspects to consider.
  • Development of templates for common websites (Wordpress, Drupal, etc). Maybe adopt HIHAT's approach of turning a CMS template into a honeypot: http://hihat.sourceforge.net/
  • Improve the WSGI application used by Glastopf so we can run the honeypot behind an already deployed web server like Apache and alongside other web applications.

Project Name: Project 7 - Network Analyzer
Primary Mentor: Oğuz Yarımtepe (TR)
Backup mentor: Adam Pridgen (US), Nicolas Collery (FR)
Skills required:

  • Python (intermediate)
  • Django / MTV related web development information (intermediate)

Project type: Improve existing tool
Project goal:
The goal of the project is to enhance the features of the Network Analyzer tool.
Description:
Currently Network Analyzer supports the DNS, HTTP and SMTP protocols. It has a site that explains the installation procedure and other details: https://github.com/oguzy/ovizart

Briefly, Ovizart (network analyzer) aims to present traffic data in a more human readable way. It analyzes the information at the application level and displays the assembled information. It helps you answer questions when you analyze traffic data:

  • What type of traffic am I looking at (HTTP, DNS, FTP, ..)?
  • Does this HTTP traffic have malicious JS files inside?
  • What are the mail content and header information of this SMTP traffic, and is its attachment malicious?

There is also an online demo: http://ow.comu.edu.tr

This year the planned to-dos are below:

  • More plugins are required to support more protocols.
  • Testing the current modules is also essential.
  • Traffic analysis works offline and supports only raw traffic dumps. It should be able to support other feed sources, like HPFeeds, as well.
  • Application level information is gathered from Bro IDS logs. Integration with Brownian can improve the information displayed.
  • The timeline and other interfaces can be beautified.
  • A performance increase is required to reduce the analysis time and the upload time of big files. Optimizing the current code or suggesting a different method can be a solution.
  • The current handlers are written in a way that lets anyone write their own handlers by overriding the current function definitions. The better way is to use subclassing and make them extendable. In addition to the main functionality of the HTTP handler (HTTP analysis), a JavaScript analysis, for example, must be able to be added.
  • A clear separation of handlers and web interface would be a good addition. This requires CLI support in the project, so that one may use Ovizart to analyze pcaps and get its outputs without requiring Django to be installed.

Project Name: Project 8 - IMALSE: Integrated Malware Simulator and Emulator
Primary Mentor: Jing Conan Wang (CN)
Backup mentor: Cong Wei (US)
Skills required:

  • Python
  • C++

Project type: Improve existing tool
Project goal:
The goal of the project is to enhance the features of the existing IMALSE tool.
Description:
This is open source software we have developed to help researchers generate data on botnet-based network malware. It currently has basic functionality for simulating and emulating botnet-based attacks. See the IMALSE website.

The student will be asked to improve the software by:

  • Improving the background traffic generator. The tool has a simple background traffic generator which can generate normal traffic following some distribution. The student needs to improve the background traffic generator to make it more realistic.
  • Implementing more practical attack scenarios. Currently we only have two attack scenarios: one is a data exfiltration attack, and the other is a DDoS ping flooding attack. More attack scenarios will make the tool more useful.
  • Improving the usability of the software. There are two GUI systems in the software: one is used to create the network topology and the other one animates the simulation process. For historical reasons, these two GUI systems are separate; the student should create a unified GUI system that has both functionalities.

Name: Project 9 - OSX malware analysis honeypot
Mentor: Hugo Gonzalez (MX)
Backup mentor: Jamie Riden (UK), Felix Leder (DE)
Skills required:

  • OS X (good)
  • dtrace (medium)
  • Python (good)

Project type: Improve and finish the tool
Project goal:
The goal of the project is to improve/finish this tool so that it is able to detect and analyze attacks on OS X systems by malicious web servers or malicious files.
Description:
This will be a complete system sandbox to trace malicious activities on OS X. Once a file has been run or a web page visited, the system should record all the activities and report whether the file or URL caused anything suspicious on the system. This could be an extension of the Cuckoo Sandbox, running on OS X clients. Prototype iHoneyC code.

Name: Project 10 - AfterGlow Cloud
Mentor: Raffael Marty (US)
Backup mentor: Ralph Logan (US), Ryan Smith (US)
Skills required:

  • HTML5, CSS (good)
  • JavaScript (good)
  • Python (good)
  • D3.js (preferred)

Project type: Improve a tool / service
Project goal:
This project is about updating AfterGlow Cloud to move away from using GraphViz to render the graphs. Instead we will be using D3.js to render directly into HTML and/or SVG.
Description:
AfterGlow Cloud is a Web service that lets users visualize their own data. A dataset is uploaded and filtered through AfterGlow to generate a DOT file. The DOT file is then visualized with GraphViz and the resulting image is shown to the user in a static Web page. In this project, we are going to replace GraphViz with D3.js to do the entire rendering in JavaScript. We are going to rebuild the underlying data structure to use a graph data structure (like helios.js) that we can then also use to do graph computations, such as clustering, finding connected sets, calculating modularity, etc. These metrics will then be applied to the graph to filter nodes, apply color, etc. This will enable the user to better analyze and understand their data to identify previously unknown threats and attacks.

Name: Project 11 - HpfeedsHoneyGraph for visualizing malicious intention transmission using multiple honeypot logs
Mentor: Julia Yuchin Cheng (TW)
Backup mentor: Hugo Gascón (ES)
Skills required:

  • HTML5, CSS (good)
  • JavaScript (perfect)
  • Python (good)
  • D3.js (preferred)
  • Splunk (preferred)
  • Graph theory

Project type: Improve a tool / service
Project goal:
This project is about improving HpfeedsHoneyGraph, a tool to visualize malicious intent transmission for HPFeeds logs.
Description:
HpfeedsHoneyGraph is an app to visualize HPFeeds data on the Splunk platform. Multiple logs are subscribed from hpfeeds and indexed by Splunk to generate the transmission relationships between data fields, from which a graph is generated using the D3.js library. Currently, HpfeedsHoneyGraph can generate a force-based graph to visualize the transmission of malicious activities. Unfortunately, the graph is too complex to be analyzed. Please read the blog at http://www.honeynet.org/node/957 before you start this project.

This year, this project aims to:

  • (1) Improve the readability of the transmission graph visualization. This means applying graph algorithms to simplify similar common motifs into easily understandable entities. The most difficult part is mining the special attributes and topology to be replaced with entities. After simplification, this will improve the graph's readability and make it easier to analyze.
  • (2) Improve the HpfeedsHoneyGraph interface to make it easier to use and add user dialogue functionality. The dialogue functionality lets users choose which malicious activities they need to show on the graph and allows users to filter the graph.

Code is available at https://github.com/yuchincheng/HpfeedsHoneyGraph

Name: Project 12 - Android static analysis web application
Mentor: Ryan W Smith (US)
Backup mentor: TBC
Skills required:

  • Python/Django or Ruby/Rails
  • JavaScript
  • Android static analysis

Project type: Improve existing tool
Project goal:
The goal of this project is to migrate the features of the Android static analysis tool APKInspector from a stand-alone application to a hosted web application.
Description:
APKInspector provides an open source GUI to perform many of the common static analysis techniques in a single tool. Some of the most common complaints are that it takes too long and it's too complicated to install all of the dependencies, or that some of the dependencies don't install properly on the user's OS. By migrating APKInspector to a web application framework such as Django or Rails, with a Javascript-aided front-end UI, we'll alleviate the need for users to install all of the dependencies locally. We will host APKInspector on our own servers so users can simply upload their APK and start static analysis immediately. Like the current version of APKInspector, many of the basic features will be provided by open source tools such as androguard, JED, smali/baksmali, etc., allowing the student to focus on implementing workflow and analytic features on top of them. The successful completion of this project would be a fully functioning web application which provides at least the same set of features as the current stand-alone APKInspector tool.

Name: Project 13 - IPv6 attack detector
Mentor: Tan Kean Siong (MY)
Backup mentor: Xu Weilin (CN)
Skills required:

  • Python (good)
  • Network protocols (good)

Project type: Extension of existing tool
Project goal:
The goal of the project is to improve the detection mechanism of the current IPv6 honeypot (6Guard) for the latest IPv6 attacks, collect the results and have a proper logging method.
Description:
Currently the IPv6 honeypot (6Guard) is capable of detecting certain IPv6 attacks. As various new IPv6 attack techniques have been discovered and tools released since last year, we need to improve the detection mechanism. For example, it should be able to fully detect attack scenarios with various extension header combinations, fragmentation techniques, RA-Guard bypass tricks, packet DoS attempts, etc. We also need a proper logging mechanism for the collected results, e.g. a DB for better analysis of the results.
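As an added illustration of the detection goal described above (example code written for this page, not 6Guard's own code), the Python below walks the IPv6 extension-header chain of a raw packet and flags the patterns the project names: NDP messages reached only after extension headers (the RA-Guard evasion pattern of RFC 7113), fragmented NDP (which RFC 6980 says must be dropped) and abnormally long or repeated header chains. The sample packets, addresses, fragment id and the MAX_EXT_HEADERS threshold are constructed for the example, and ICMPv6 checksums are not validated.

```python
import struct

# IPv6 fixed header (RFC 8200) is 40 bytes; extension headers chain via the Next Header byte.
IPV6_HDR_LEN = 40
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}
ICMPV6 = 58
NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
MAX_EXT_HEADERS = 3  # assumed threshold: longer chains are reported as abnormal

def walk_ext_headers(pkt):
    """Return (chain, upper_proto, upper_offset, frag_offset) for a raw IPv6 packet.
    upper_proto is None for a non-first fragment: its upper-layer header is not in this packet."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, frag_offset = pkt[6], IPV6_HDR_LEN, [], None
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[nh])
        if nh == 44:
            # Fragment header: next, reserved, offset(13 bits)|res(2)|M flag, identification
            nh, _, offlg, _ = struct.unpack("!BBHI", pkt[off:off + 8])
            frag_offset, off = offlg >> 3, off + 8
            if frag_offset:
                return chain, None, off, frag_offset
        else:
            # Hop-by-Hop / Routing / Dest Options: next header, then length in 8-octet units (first 8 excluded)
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return chain, nh, off, frag_offset

def classify(pkt):
    """Return the list of findings for one packet; an empty list means nothing suspicious."""
    chain, proto, off, frag_offset = walk_ext_headers(pkt)
    findings = []
    if len(chain) > MAX_EXT_HEADERS or len(chain) != len(set(chain)):
        findings.append("abnormal extension header chain: " + "/".join(chain))
    if proto is None:
        findings.append("non-first fragment (offset %d): upper layer not visible" % frag_offset)
        return findings
    if proto == ICMPV6 and off + 4 <= len(pkt) and pkt[off] in NDP_TYPES:
        name = NDP_TYPES[pkt[off]]
        if chain:  # RA-Guard evasion pattern: NDP placed behind extension headers (RFC 7113)
            findings.append("%s reached only after %s" % (name, "/".join(chain)))
        if "fragment" in chain:  # RFC 6980: fragmented NDP must be dropped
            findings.append("fragmented NDP %s" % name)
    return findings

# --- constructed sample packets (addresses, fragment id and RA fields are made up) ---
SRC = bytes.fromhex("fe80000000000000000000000000000a")  # link-local source
DST = bytes.fromhex("ff020000000000000000000000000001")  # ff02::1 all-nodes multicast

def ipv6(next_header, payload):
    # version 6, zero traffic class/flow label, payload length, next header, hop limit 255
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + SRC + DST + payload

def opts_header(next_header):
    # minimal 8-byte Hop-by-Hop / Destination Options header holding one PadN option
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"

def fragment(next_header, offset, more, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)

# ICMPv6 Router Advertisement: type 134, code, checksum (left 0), hop limit, flags, lifetimes
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
SAMPLES = {
    "plain RA": ipv6(ICMPV6, RA),
    "RA behind hop-by-hop": ipv6(0, opts_header(ICMPV6) + RA),
    "RA in first fragment": ipv6(44, fragment(ICMPV6, 0, True) + RA),
    "second fragment": ipv6(44, fragment(ICMPV6, 3, False) + b"\x00" * 16),
    "stacked dest-options": ipv6(60, opts_header(60) * 3 + opts_header(ICMPV6) + RA),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print("%-22s %s" % (label, classify(pkt) or "ok"))
```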

Name: Project 14 - SHIVA: Spam Honeypot with Intelligent Virtual Analyzer
Mentor: Sumit Sharma (IN)
Backup mentor: Muslim Koser (IN)
Skills required:

  • Python (good)
  • DB acquaintance (mongodb, MySQL)

Project type: Improve and extend existing tool
Project goal:
The goal of the project is to improve the existing SHIVA backend code to make it easily deployable, improve its intelligence to differentiate spam (new/old), develop spam content classification, integrate with HPFeeds / HPfriends for larger community sharing and handle large amounts of data. In addition, and if possible within the given time frame, a UI is required for analysis of the captured data.
Description:
At present, SHIVA is an open but controlled relay spam honeypot built on top of the Lamson Python framework with the capability of collecting and analyzing all spam thrown at it. With its built-in intelligence, it relays a few of them so that it appears to spammers to be a misconfigured open relay SMTP server. Current SHIVA code.

Analysis of the captured data reveals phishing attacks, scamming campaigns, malware campaigns, spam botnets, etc., with a current processing speed of ~7k spams per minute.

Proposed Enhancements / Upgrade:

  • For easier deployment, an installation package has to be built to meet dependencies and create the environment for the project.
  • The intelligence of the core engine needs to be improved to differentiate between new spam and another instance of old spam. The idea behind this is to keep the database as free of redundant data as possible and to provide a broader window for probing mails (mails sent by spammers to verify the open relay) to get relayed.
  • The intelligence is further to be increased to classify spam based on its content: phishing/scamming/banking etc.
  • HPFeeds / HPFriends integration would make it possible to publish spam hitting various sensors globally, and subscription to the appropriate channel would present users with what they are interested in obtaining from the project: suspected attachments, malicious URLs, source IP addresses etc. The obtained data shall be in a form that can be used by other projects like Cuckoo, Thug, Mnemosyne etc.
  • MongoDB integration to handle big data.

Project can be found here: honeynet/shiva

Name: Project 15 - Conpot: ICS/SCADA honeypot
Mentor: Lukas Rist (DE)
Backup mentor: Johnny Vestergaard (DK)
Skills required: Python, TCP (HTTP, FTP, Modbus, SNMP, DNP3 and IEC 60870 an advantage)
Project type: Improve existing tool
Project goal: Conpot is an ICS honeypot with the goal of collecting intelligence about the motives and methods of adversaries targeting industrial control systems. In this project we want to add additional protocols and improve the existing protocols, data logging, system and vulnerability emulation and overall infrastructure virtualization.
Description: Until now, setting up an ICS honeypot required substantial manual work, real systems which are usually either inaccessible or expensive, and reading quite tedious protocol specifications. By implementing master servers for a larger set of common industrial communication protocols and virtual slaves which are easy to configure, we provide an easy entry into the analysis of threats against industrial infrastructures and control systems.
A student applying for this project has to be open to learning new protocols and adopting and modifying existing implementations. This also includes automated testing and continuous integration, management of sensor deployments and data analysis. As this field is quite young and unexplored, it will provide a large variety of challenges to solve.

Project can be found here: glastopf/conpot

Previous GSoC Projects

If this list of potential project ideas doesn't interest you, or you want to work on a previous project or tool, you can find more details at:

  • GSoC 2012 Project Ideas
  • GSoC 2012 Accepted Projects
  • GSoC 2011 Project Ideas
  • GSoC 2011 Accepted Projects
  • GSoC 2010 Project Ideas
  • GSoC 2010 Accepted Projects
  • GSoC 2009 Project Ideas
  • GSoC 2009 Accepted Projects
  • Honeynet Project Existing Tools

Finally, please remember that you are also free to suggest your own project ideas and we'll try our best to find you a suitable mentor for GSoC 2013 too.

Good luck with your student applications! :-)