Canadian chapter status report

 
ORGANIZATION
The Canadian chapter currently spans two locations: the University of New Brunswick (UNB) and Toronto, each maintaining an independent honeynet. Unfortunately, the Ottawa location that joined us in the middle of last year is no longer active. Our current members are:
 

Ali A. Ghorbani is the chapter lead and the dean of the UNB Faculty of Computer Science. He oversees the general organization and functioning of the Canadian honeynet.
David Townsend is a Professor at the Faculty of Law at UNB and a legal advisor on security and privacy issues related to honeynet use.
Dinesh Bareja is the industry liaison. Dinesh is involved in chapter administration and is primarily responsible for promoting the honeynet in the Toronto security community.
Greg Sprague is the chapter liaison with the Privacy, Security and Trust (PST) network.
Natalia Stakhanova administers the chapter's operations and is the research lead.
Sami K. Guirguis is the primary lead of the Toronto honeynet location and an administrator of our Canadian honeynet website.
Stephen Marsh is a research officer of the Information Security Group, NRC, Ottawa.
Wei Lu leads the research work. His current research focus is on botnets.
Hanli Ren is the network administrator of the UNB honeynet.
 
 
 
DEPLOYMENTS
 
University of New Brunswick: we have deployed a high-interaction GEN III honeynet that includes several physical machines and a VM server hosting a virtual honeynet running various operating systems. We currently run version roo-1.4 of the Honeywall. We use Sebek for attack capture, Walleye for administering the Honeywall and Snort for some data analysis.
 
Since our original honeynet has not attracted much traffic, we are currently experimenting with honeynet profiles: redesigning and reinstalling our honeynet to fully mimic various organizational settings.
 
Toronto: we have a Windows 2000 honeypot running IIS, a VNC server and an FTP server, and a Linux honeypot (kernel 2.6.28). A data capture box sits between the honeypots and the Internet as a layer 2 (bridging) gateway, with tcpdump capturing the traffic.
 
 
Attacks overview:
The majority of the observed attacks are script-kiddie scans, e.g. SQL Slammer worm scans, FTP brute-force attempts and scans for web server vulnerabilities.
 

 
 
RESEARCH AND DEVELOPMENT
 

  1. List any new tools, projects or ideas you are currently researching or developing.

 
We are currently developing a botnet detection system that can be integrated into the Honeynet Project's Honeywall. The new system is expected to work on honeynet traffic and detect IRC traffic passing through the honeynet, preferably on the internal network interface that connects to the honeypot network. Detection on the internal interface helps ensure that all inbound and outbound flows are seen before data control measures, such as dropping or disabling malicious packets, are enforced.
 
Our goal is to develop an IRC botnet detection system for honeynets that is not limited to the Honeynet Project's Honeywall but can be deployed, with as little customization as possible, in other honeynet architectures that use different forms of data control and data capture. We also aim to provide IRC botnet traffic logging and system administrator notification mechanisms in the detection tool.
 
Our other focus is the design of an Application Programming Interface (API) that specifies how the botnet detection system is integrated with the Honeywall and how it is accessed and configured.
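As an added illustration of the detection approach described above (example code written for this report, not code from the chapter's tool), the following Python sketch takes packets as they would be seen on the Honeywall's internal interface, recognises IRC by its message grammar rather than by destination port, reassembles messages that span TCP segments, and produces an alert plus a syslog-style notification line when a honeypot registers with an IRC server and joins a channel. The honeypot addresses, the C&C server, nicks, channel and command text are constructed sample data, and the names IrcBotDetector, parse_irc_line and format_syslog are the example's own.

```python
"""Port-agnostic IRC bot detection over honeynet traffic (illustrative example).

Segments are fed in as seen on the Honeywall's honeypot-side interface, so both
directions of every honeypot flow are visible. IRC is recognised from the message
grammar, each direction is reassembled into CRLF-terminated lines, and a honeypot
that registers a nick, is welcomed by the server and joins a channel is reported.
All addresses, nicks and channel names below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

HONEYPOTS = {"10.0.0.11", "10.0.0.12"}  # assumed honeypot addresses behind the Honeywall

# RFC 1459 message: [":" prefix SP] command [SP middle ...] [SP ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trail>.*))?$"
)
# "GET / HTTP/1.1" also fits the grammar above; the verb check is what keeps
# HTTP and other line-based protocols from being mis-parsed as IRC.
IRC_VERBS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
             "MODE", "TOPIC", "PING", "PONG", "QUIT"}


def parse_irc_line(line):
    """Return (prefix, COMMAND, [params...]) for a valid IRC line, else None."""
    m = IRC_LINE.match(line.strip("\r\n"))
    if not m:
        return None
    cmd = m.group("cmd").upper()
    if cmd not in IRC_VERBS and not cmd.isdigit():
        return None
    params = m.group("params").split()
    if m.group("trail") is not None:
        params.append(m.group("trail"))
    return m.group("prefix"), cmd, params


@dataclass
class Session:
    client: str                  # honeypot side of the connection
    server: str                  # candidate C&C server
    server_port: int
    nick: str = None
    registered: bool = False     # client sent NICK followed by USER
    welcomed: bool = False       # server answered with a numeric reply
    channels: set = field(default_factory=set)
    commands: list = field(default_factory=list)  # text pushed to a joined channel
    buffers: dict = field(default_factory=lambda: {"c2s": b"", "s2c": b""})


class IrcBotDetector:
    def __init__(self, honeypots=HONEYPOTS):
        self.honeypots = honeypots
        self.sessions = {}

    def feed(self, src, sport, dst, dport, payload):
        """Consume one TCP segment payload. The honeypot side is always treated as
        the client; a production tool would use the SYN direction instead."""
        if src in self.honeypots and dst not in self.honeypots:
            key, direction = (src, sport, dst, dport), "c2s"
        elif dst in self.honeypots and src not in self.honeypots:
            key, direction = (dst, dport, src, sport), "s2c"
        else:
            return
        sess = self.sessions.setdefault(
            key, Session(client=key[0], server=key[2], server_port=key[3]))
        # Reassemble: a message may be split across segments, so keep the partial tail.
        parts = (sess.buffers[direction] + payload).split(b"\n")
        sess.buffers[direction] = parts.pop()
        for raw in parts:
            parsed = parse_irc_line(raw.decode("utf-8", "replace"))
            if parsed:
                self._handle(sess, direction, *parsed)

    def _handle(self, sess, direction, prefix, cmd, params):
        if direction == "c2s":
            if cmd == "NICK" and params:
                sess.nick = params[0]
            elif cmd == "USER":
                sess.registered = sess.nick is not None
            elif cmd == "JOIN" and params:
                sess.channels.update(c for c in params[0].split(",") if c.startswith("#"))
        else:
            if cmd.isdigit():
                sess.welcomed = True
            # Bot commands typically arrive as channel PRIVMSG/TOPIC or the 332 topic reply.
            if cmd in ("PRIVMSG", "TOPIC", "332") and len(params) >= 2:
                target = params[1] if cmd == "332" else params[0]
                if target in sess.channels:
                    sess.commands.append(params[-1])

    def report(self):
        """Alerts for honeypots that completed IRC registration and joined a channel."""
        return [{
            "honeypot": s.client, "cc_server": f"{s.server}:{s.server_port}",
            "nick": s.nick, "channels": sorted(s.channels), "commands": list(s.commands),
            "severity": "high" if s.commands else "medium",
        } for s in self.sessions.values() if s.registered and s.welcomed and s.channels]


def format_syslog(alert):
    """One-line notification suitable for syslog or an administrator e-mail."""
    return ("honeywall-ircbot: honeypot={honeypot} cc={cc_server} nick={nick} "
            "channels={chans} severity={severity}").format(
                chans=",".join(alert["channels"]), **alert)


# Constructed segments (src, sport, dst, dport, payload) as seen on the internal interface.
SAMPLE_PACKETS = [
    ("10.0.0.11", 1034, "198.51.100.7", 6667, b"NICK bot1\r\nUSER bot1 0 * :bot1\r\n"),
    ("198.51.100.7", 6667, "10.0.0.11", 1034, b":irc.example.net 001 bot1 :Welcome\r\n"),
    ("10.0.0.11", 1034, "198.51.100.7", 6667, b"JOIN #botz\r\n"),
    # topic reply carrying a bot command, split across two segments
    ("198.51.100.7", 6667, "10.0.0.11", 1034, b":irc.example.net 332 bot1 #botz :.advscan lsa"),
    ("198.51.100.7", 6667, "10.0.0.11", 1034, b"ss445 200 5 0 -r\r\nPING :irc.example.net\r\n"),
    ("10.0.0.11", 1034, "198.51.100.7", 6667, b"PONG :irc.example.net\r\n"),
    # plain HTTP from the other honeypot: "VERB params" shape, but not IRC
    ("10.0.0.12", 1050, "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # IRC on a non-standard port that never completes registration: no alert
    ("10.0.0.12", 1051, "198.51.100.9", 8080, b"NICK bot2\r\n"),
]


def run_sample():
    det = IrcBotDetector()
    for pkt in SAMPLE_PACKETS:
        det.feed(*pkt)
    return det.report()


if __name__ == "__main__":
    for alert in run_sample():
        print(format_syslog(alert))
```

Because the detector keys on the IRC grammar and a verb whitelist instead of port 6667, a C&C server listening on 8080 is still caught once registration and a JOIN are seen, while HTTP on the same honeypot is not mistaken for IRC; the split 332 reply shows why per-direction reassembly is needed before any data control decision is taken.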
 
We would be interested in collaborating on botnet research.
 
FINDINGS
1.    Highlight any unique findings, attacks, tools, or methods.
Our Toronto location has seen:
-  A web server vulnerability scanner presenting the User-Agent "Morfeus F**ng Scanner". There is not much information about this tool.
-  HTML attack code captured: http://honeynetproject.ca/node/64
 
2.    Any trends seen in the past year?
Our Toronto location has seen script-kiddie scans for the following TCP ports: 2967, 2100, 8000, 23, 9090, 3128, 25, 22, 8090, 21, 8081.
 
3.    What are you using for data analysis?
We mostly use Wireshark and Snort. Our current goal is to deploy additional tools.
 
 
PAPERS AND PRESENTATIONS
Are you working on or did you publish any papers or presentations, such as KYE or academic papers?  If yes, please provide a description and link (if possible)
 
1.      Wei Lu, Mahbod Tavallaee, Goaletsa Rammidi and Ali A. Ghorbani. "BotCop: An Online Botnets Traffic Classifier." Submitted to the 7th Annual Conference on Communication Networks and Services Research (CNSR 2009).
2.      Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani. "Automatic Discovery of Botnet Communities on Large-Scale Communication Networks." Accepted by the ACM Symposium on Information, Computer and Communications Security, in press.
3.      Wei Lu and Ali A. Ghorbani. "Botnets Detection Based on IRC-Community." IEEE Global Communications Conference (GLOBECOM 2008), Nov. 30 - Dec. 4, New Orleans, LA, USA.
 
Where did you present honeypot-related material? ( selected publications )
-      Toronto : Honeynet project introduction TASK meeting http://www.task.to/events/past.php
-       Toronto : honeynet & Canadian legislation http://honeynetproject.ca/node/49
 
GOALS
Our major achievement this year is the establishment of the Canadian honeynet chapter. Specifically, we have:
-        established a Canadian chapter through honeynet.org
-        set up the chapter's website, honeynetproject.ca, and started publishing a biweekly quiz question
-        set up honeynet labs at the UNB and Toronto locations (machines at the Toronto location were donated with the help of Mr. Bareja)
-        set up a Wiki for the UNB honeynet
-        announced the chapter through personal connections and an introduction at a TASK meeting.
 
Our goals for the next year:
-        improve traffic analysis and data collection; specifically, deploy tools for data collection and more sophisticated data analysis, e.g. nepenthes and Honeysnap
-        narrow the focus to a specific application or technology vulnerability during data analysis and collection
-        finish the development of the botnet detection tool and, hopefully, release a beta version
-        use our connections to attract more members in the Toronto area; in particular, we need professionals with application/software security experience.
 
MISC ACTIVITIES