Saudi Honeynet Chapter Status Report For 2011

ORGANIZATION

The Saudi Honeynet (SAHNET) Chapter joined the Honeynet Project on July 26th, 2010.

The chapter members are:

  • Mohammed Houssaini Sqalli
  • Khaled Salah
  • Marwan Abu-Amara
  • Zubair Baig
  • Farag Azzedin
  • Talal Alkharobi
  • Hakim Adiche
  • Mir Ahmed Ali Shajee
  • Syed Naeem Firdous
  • Shoieb Arshad
  • Azzat Al-Sadi
  • Mohammed Almehdhar

The activities of the chapter include the following:

  • Development of anomaly detection and data mining techniques for Honeynet traffic analysis.
  • Deployment of multiple Honeypots at King Fahd University of Petroleum & Minerals (KFUPM) in Saudi Arabia.
  • Collection and analysis of Honeynet traffic using existing tools.
  • Translation of the OUCH! newsletter to Arabic.
  • Collaboration with CERT-SA in Saudi Arabia.
  • Collaboration with CyberSecurity Malaysia.

DEPLOYMENTS

1. The first pilot run of a dionaea honeypot was deployed during November-December 2010. Some of the activities captured during that period include:

  • Large number of Malware downloads
  • Multiple attempts to log into the MS-SQL service emulated by Dionaea
  • Scanning activities on ports 1433, 445, and 80
  • SIP port scanning
  • Sunday (sundayddr) SIP scanning worm
  • phpMyAdmin attacks
  • Vulnerability Scanners

2. We deployed a Windows virtual machine running Microsoft SQL Server, and we have seen many ms-sql-s (TCP port 1433) login attempts, some of which were successful.

3. Currently, we have deployed multiple Dionaea honeypots across the KFUPM campus. We are seeing many malware downloads and we are collecting more traces for further analysis.

4. We have just started deploying Glastopf and Cuckoo Sandbox.

5. We have collected many local traces, containing suspected malicious activities, which were also used for analysis.

RESEARCH AND DEVELOPMENT

1. We have used different anomaly detection techniques for analyzing Honeynet traffic. The following lists some of the work accomplished:

  • Identifying network traffic features suitable for Honeynet data analysis by using entropy and volume values of different features.
  • Classifying different types of malicious activities in Honeynet traffic based on entropy and volume thresholds of the most suitable features.
  • Identifying malicious activities in Honeynet traffic based on the entropy and volume-based classification.

2. We have used data mining techniques to identify scanning activities in Honeynet traffic.

3. We are mainly interested in working with other chapters on Honeynet traffic analysis and sharing the findings.
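As an added illustration of the entropy- and volume-based approach described in items 1 and 2 above (not the chapter's own code, and not the parameters from its published papers), the following Python example computes the normalised Shannon entropy of three traffic features (source IP, destination IP, destination port) and the record count for each time window of flow records, then applies threshold rules to label each window. The feature set, the window layout, every threshold value, the labels, and the sample flow records are assumptions constructed for this example.

```python
"""Entropy- and volume-based labelling of honeynet traffic windows.

Added illustration of the approach described above (per-window entropy of
traffic features plus a volume threshold). The feature set, window layout,
sample flows and every threshold are assumptions of this example, not the
chapter's published parameters.
"""
import math
from collections import Counter, defaultdict

# Assumed thresholds (tunable; not taken from the chapter's papers).
MIN_VOLUME = 10        # windows with fewer records are not classified
LOW_ENTROPY = 0.2      # normalised entropy at or below this is "concentrated"
HIGH_ENTROPY = 0.8     # normalised entropy at or above this is "dispersed"


def normalised_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1].

    1.0 means every record carries a distinct value, 0.0 means a single
    value. Dividing by log2(N) makes windows of different sizes comparable.
    """
    n = len(values)
    if n <= 1:
        return 0.0
    counts = Counter(values)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def window_features(flows):
    """Entropy of src_ip, dst_ip and dst_port plus volume for one window."""
    return {
        "volume": len(flows),
        "h_src_ip": normalised_entropy([f["src_ip"] for f in flows]),
        "h_dst_ip": normalised_entropy([f["dst_ip"] for f in flows]),
        "h_dst_port": normalised_entropy([f["dst_port"] for f in flows]),
    }


def classify(feat):
    """Label a window from its entropy/volume profile (assumed rules)."""
    if feat["volume"] < MIN_VOLUME:
        return "below-volume-threshold"
    lo, hi = LOW_ENTROPY, HIGH_ENTROPY
    if feat["h_dst_port"] <= lo and feat["h_dst_ip"] >= hi:
        return "horizontal-scan"        # one port swept across many hosts
    if feat["h_dst_ip"] <= lo and feat["h_dst_port"] >= hi:
        return "vertical-scan"          # many ports on one host
    if (feat["h_src_ip"] <= lo and feat["h_dst_ip"] <= lo
            and feat["h_dst_port"] <= lo):
        return "single-service-hammering"  # e.g. repeated logins to one service
    return "mixed"


def classify_windows(flows):
    """Group flow records by window id; return {window: (features, label)}."""
    by_window = defaultdict(list)
    for f in flows:
        by_window[f["window"]].append(f)
    result = {}
    for w, fl in sorted(by_window.items()):
        feat = window_features(fl)
        result[w] = (feat, classify(feat))
    return result


def _flow(window, src, dst, port):
    return {"window": window, "src_ip": src, "dst_ip": dst, "dst_port": port}


# Constructed sample flow records (not captured data); addresses are from
# documentation ranges.
SAMPLE_FLOWS = (
    # window 1: one source probes port 445 on 30 different hosts
    [_flow(1, "10.0.0.5", f"192.0.2.{i}", 445) for i in range(1, 31)]
    # window 2: one source probes 25 ports on a single host
    + [_flow(2, "10.0.0.7", "192.0.2.10", p) for p in range(20, 45)]
    # window 3: one source hits the MS-SQL port on one host 40 times
    + [_flow(3, "10.0.0.9", "192.0.2.20", 1433) for _ in range(40)]
    # window 4: sparse background traffic below the volume threshold
    + [_flow(4, f"198.51.100.{i}", "192.0.2.30", 80) for i in range(1, 7)]
)


if __name__ == "__main__":
    for w, (feat, label) in classify_windows(SAMPLE_FLOWS).items():
        print(f"window {w}: volume={feat['volume']:3d} "
              f"H(src)={feat['h_src_ip']:.2f} H(dst)={feat['h_dst_ip']:.2f} "
              f"H(port)={feat['h_dst_port']:.2f} -> {label}")
```

The point of the normalisation is that a raw entropy threshold would behave differently for a 30-record window than for a 3000-record window; scaling by log2(N) keeps the "concentrated versus dispersed" decision stable across window sizes. The volume gate comes first because an entropy value computed over a handful of records is not meaningful, which is the same reason the work above pairs entropy with volume rather than using entropy alone.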

FINDINGS

1. We were able to classify different types of malicious activities in Honeynet traffic based on our developed techniques that use entropy analysis and volume-based thresholds. We are still improving some of these techniques to obtain better results.

2. We were able to identify scanning activities in Honeynet traffic, which could help us focus on other more interesting types of malicious activities.

3. We have seen many types of malicious activities as stated above in the deployments section, including many malware downloads.

4. We have seen many ms-sql-s login attempts, some of which were successful. The attacker then logged into the Microsoft SQL database and changed the password, so we no longer have access to it. We are interested to know if anyone has seen something similar, and what happens after access to the database is obtained. A trace of this is available at:
MS SQL Login Attempts Trace

PAPERS AND PRESENTATIONS

List of Publications:

  • “Identifying Scanning Activities in Honeynet Data using Data Mining,” Mohammed H. Sqalli, Shoieb Arshad, Mohammad Khalaf, and Khaled Salah, 3rd International Conference on Computational Intelligence, Communication Systems and Networks, CICSyN2011, Bali, Indonesia, July 26, 2011-July 28, 2011.
  • “Identifying Network Traffic Features Suitable for Honeynet Data Analysis,” Mohammed H. Sqalli, Syed Naeem Firdous, Khaled Salah, and Marwan Abu-Amara, The 24th Canadian Conference on Electrical and Computer Engineering, Niagara Falls, Ontario, Canada, May 8-11, 2011.
  • “Identifying Features for Honeynet Data Analysis using Feature Evaluation,” Syed Naeem Firdous and Mohammed H. Sqalli, Second Scientific Conference for Graduate and Undergraduate Students, Jeddah, Saudi Arabia, 28-31 March 2011.
  • “Towards Simulating a Virtual Distributed Honeynet at KFUPM: A Case Study,” Mohammed H. Sqalli, Raed AlShaikh, and Ezzat Ahmed, The IEEE UKSim 4th European Modelling Symposium on Mathematical Modelling and Computer Simulation (EMS), Pisa, Italy, November 17-19, 2010.
  • “A Distributed Honeynet at KFUPM: A Case Study,” Mohammed H. Sqalli, Raed AlShaikh, and Ezzat Ahmed, The 13th International Symposium on Recent Advances in Intrusion Detection (RAID), LNCS 6307, pp. 486-487, Ottawa, Ontario, Canada, September 15-17, 2010.
  • “Saudi Honeynet Project,” Syed Naeem Firdous and Mohammed H. Sqalli, First Scientific Conference for Graduate and Undergraduate Students, Riyadh, Saudi Arabia, 1-3 March 2010.

Presentations:

  • Seminar by Mohammed H. Sqalli on May 23rd, 2011 titled "The Saudi Honeynet Project" during the "IET-KFUPM's Engineering & Technology Week" organized by IET-KFUPM Student Chapter and Computer Engineering Department, KFUPM, Saudi Arabia.
  • Talk by Mohammed H. Sqalli on March 23rd, 2011 about “Honeynet Traffic Analyzer Using Anomaly Detection Techniques” in the Annual Honeynet Project Workshop, March 21-25, 2011, ESIEA Institute, Paris, France.
  • Talk by Mohammed H. Sqalli on March 16th, 2011 about “Saudi Honeynet Project - Trapping The Hackers” for the Saudi Computer Emergency Response Team (CERT) in Riyadh, Saudi Arabia.
  • Seminar by Mohammed H. Sqalli on January 4th, 2011 about “Saudi Honeynet Project - Trapping The Hackers” for the College of Computer Science & Engineering (CCSE) community, KFUPM, Saudi Arabia.
  • Presentation by Raed AlShaikh on July 19th, 2010 at the KACST National Program for free/open source software technologies on "The Honeynet project at KFUPM: A Case Study", Saudi Arabia.

GOALS

We have achieved our main goals for the last year which were to deploy honeypots on the KFUPM campus, collect traces, and develop new techniques for analyzing Honeynet traffic.

For the next year, our goal is to improve the techniques developed for analyzing Honeynet traffic. In addition, we aim at extending our experience with Honeynet deployment and traffic analysis to the national level by collaborating with CERT-SA in Saudi Arabia and other interested parties.

MISC ACTIVITIES

On June 4-8, 2011 we hosted a visit by two CyberSecurity Malaysia experts, Mahmud Ab Rahman and Mohd Hafiz Tabrani. The program of their visit included seminars on cybersecurity, training on web security, and a workshop on analyzing malicious PDF files. It was a very successful event with around 30 attendees. In addition, we discussed the Honeynet deployment at KFUPM by the SAHNET Project and ways of collaboration between CyberSecurity Malaysia and the SAHNET chapter.