Saudi Honeynet (SAHNET) Chapter Status Report For 2012

ORGANIZATION

The Saudi Honeynet (SAHNET) Chapter joined the Honeynet Project on July 26th, 2010.

The SAHNET chapter members are:

  • Mohammed Houssaini Sqalli
  • Khaled Salah
  • Marwan Abu-Amara
  • Zubair Baig
  • Farag Azzedin
  • Talal Alkharobi
  • Hakim Adiche
  • Mir Ahmed Ali Shajee
  • Shoieb Arshad
  • Azzat Al-Sadi

The activities of the chapter include the following:

  • Development of anomaly detection and data mining techniques for Honeynet traffic analysis.
  • Deployment of multiple Honeypots at King Fahd University of Petroleum & Minerals (KFUPM) in Saudi Arabia.
  • Collection and analysis of Honeynet traffic using existing tools.
  • Application of data mining techniques to the collected data to identify malicious activities.
  • Translation of the OUCH! newsletter to Arabic.
  • Collaboration with CERT-SA in Saudi Arabia.

DEPLOYMENTS

1. We have deployed multiple Dionaea honeypots across the KFUPM campus. Dionaea emulates vulnerable network services and captures the binaries that attackers push to them, and we have observed many such malware downloads.

2. We have also collected many local traffic traces containing suspected malicious activity; these were used as additional input to the analysis.

RESEARCH AND DEVELOPMENT

1. Muhammad Shoieb Arshad defended his MS thesis titled “Identifying Malicious Activities in Honeynets using Clustering” on May 15th, 2012 (Supervisor: Mohammed H. Sqalli).

2. We have used different anomaly detection techniques for analyzing Honeynet traffic. This included classifying malicious activities in Honeynet traffic using entropy analysis of traffic features combined with volume-based thresholds.

3. We have used data mining techniques to identify malicious activities in Honeynet traffic. This included the following:

  • Identifying network traffic features suitable for Honeynet data analysis by using entropy and volume values.
  • Using the entropy values of the selected IP features and the log10 of the selected volume features as the input vectors to the data mining algorithms.
  • Using the Density-Based Spatial Clustering of Applications with Noise (DBSCAN) algorithm to detect the malicious activities present in the data collected by the Honeynet.
  • Using Hierarchical Clustering algorithms to detect the malicious activities present in the data collected by Honeynet.
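
As an added worked example (my code, not the chapter's, and not the exact feature set or parameters of the published method), the following stdlib-only Python computes the two kinds of features the bullets above describe for one-minute traffic windows and clusters the windows with DBSCAN; the same feature vectors are what a threshold-based classification (item 2) would operate on. It assumes Shannon entropy over per-flow counts of source IP, destination IP and destination port, log10 of packet volume as the volume feature, Euclidean distance, eps = 1.0 and min_pts = 3. The flow records are constructed: ten windows of background traffic plus one window that also carries a synthetic horizontal scan.

```python
"""Entropy/volume features per time window, then DBSCAN (stdlib only).

Added example, not the SAHNET chapter's code. Assumed choices: Shannon
entropy over flow counts for IP/port features, log10(packets) for volume,
Euclidean distance, eps=1.0, min_pts=3.
"""
import math
from collections import Counter, defaultdict

WINDOW_SEC = 60


def build_sample_flows():
    """Constructed flows: (t_sec, src_ip, dst_ip, dst_port, packets).

    Windows 0..9 hold background traffic (6 clients, 3 honeypots, 4 ports).
    Window 10 holds the same background plus a constructed horizontal scan:
    one source, 60 distinct destinations, port 445, one packet per flow.
    """
    hosts = [f"10.0.1.{i}" for i in range(11, 17)]
    servers = ["10.0.2.10", "10.0.2.11", "10.0.2.12"]
    ports = [80, 443, 22, 53]
    flows = []
    for w in range(11):
        for i in range(40):
            t = w * WINDOW_SEC + (i * 3) % WINDOW_SEC
            flows.append((t, hosts[(i * 5 + w) % 6], servers[(i + w) % 3],
                          ports[(i * 3 + w) % 4], 10 + (i * 7 + w * 3) % 30))
    for j in range(60):  # the scan, all inside window 10
        flows.append((10 * WINDOW_SEC + j, "203.0.113.50",
                      f"10.0.{2 + j // 20}.{100 + j % 20}", 445, 1))
    return flows


def entropy(counts):
    """Shannon entropy (bits) of the empirical distribution in a mapping value->count."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def window_features(flows, window_sec=WINDOW_SEC):
    """Return {window_index: [H(src_ip), H(dst_ip), H(dst_port), log10(packets)]}."""
    by_win = defaultdict(list)
    for f in flows:
        by_win[int(f[0] // window_sec)].append(f)
    feats = {}
    for w, fl in sorted(by_win.items()):
        feats[w] = [entropy(Counter(f[1] for f in fl)),
                    entropy(Counter(f[2] for f in fl)),
                    entropy(Counter(f[3] for f in fl)),
                    math.log10(sum(f[4] for f in fl))]
    return feats


def dbscan(points, eps, min_pts):
    """Minimal DBSCAN. Returns one label per point: cluster id >= 0, or -1 for noise."""
    n = len(points)
    neighbours = [[j for j in range(n) if math.dist(points[i], points[j]) <= eps]
                  for i in range(n)]
    labels = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neighbours[i]) < min_pts:
            labels[i] = -1          # noise for now; may become a border point later
            continue
        labels[i] = cluster
        queue = list(neighbours[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(neighbours[j]) >= min_pts:  # only core points expand the cluster
                queue.extend(neighbours[j])
        cluster += 1
    return labels


def flag_windows(flows, eps=1.0, min_pts=3):
    """Windows DBSCAN leaves as noise, i.e. candidates for malicious activity."""
    feats = window_features(flows)
    order = sorted(feats)
    labels = dbscan([feats[w] for w in order], eps, min_pts)
    return [w for w, lab in zip(order, labels) if lab == -1]


if __name__ == "__main__":
    for w, v in window_features(build_sample_flows()).items():
        print(w, [round(x, 2) for x in v])
    print("suspicious windows:", flag_windows(build_sample_flows()))
```

On this input the scan window is the only noise point: its destination-IP entropy rises by several bits while source-IP and port entropy collapse, so it lands far from the tight cluster of background windows. The hierarchical-clustering variant from the next bullet would reuse the same feature vectors and replace `dbscan` with an agglomerative merge; eps and min_pts (or the cut height) have to be tuned per deployment against the traffic volume the honeynet actually sees.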

4. We are mainly interested in working with other chapters on Honeynet traffic analysis and sharing the findings.

FINDINGS

We were able to classify different types of malicious activities in Honeynet traffic using our techniques based on entropy analysis and volume-based thresholds. We have since refined some of these techniques with clustering (DBSCAN and hierarchical clustering) and improved the results obtained.

PAPERS AND PRESENTATIONS

List of Publications:

  • “Classifying Malicious Activities in Honeynets using Entropy and Volume-based Thresholds,” Mohammed H. Sqalli, Syed Naeem Firdous, Khaled Salah, and Marwan Abu-Amara. Security and Communication Networks, John Wiley & Sons, Ltd, July 2012.
  • “A Selective Parameter-based Evolutionary Technique for Network Intrusion Detection,” Zubair A. Baig, Saad Khan, Saif Ahmed, and Mohammed Sqalli. The 11th International Conference on Intelligent Systems Design and Applications (ISDA), Córdoba, Spain, November 22-24, 2011.
  • “An Entropy and Volume-based Approach for Identifying Malicious Activities in Honeynet Traffic,” Mohammed H. Sqalli, Syed Naeem Firdous, Zubair A. Baig, and Farag Azzedin. The International Conference on Cyberworlds, Banff, Alberta, Canada, October 4-6, 2011.
  • “Clustering-based Malicious Traffic Analysis for Honeynet Deployments,” Mohammed H. Sqalli, Syed Naeem Firdous, Zubair A. Baig, and Farag Azzedin. To be submitted.
  • “Identifying Malicious Activities in Honeynet Data using DBSCAN Clustering,” Mohammed H. Sqalli and Shoieb Arshad. To be submitted.
  • “Identifying Malicious Activities in Honeynet Data using Hierarchical Clustering,” Mohammed H. Sqalli and Shoieb Arshad. To be submitted.
  • “Identifying Scanning Activities in Honeynet Data using Data Mining,” Mohammed H. Sqalli, Shoieb Arshad, Mohammad Khalaf, and Khaled Salah. 3rd International Conference on Computational Intelligence, Communication Systems and Networks (CICSyN 2011), Bali, Indonesia, July 26-28, 2011.

Presentations:

  • Talk by Zubair A. Baig about “A Selective Parameter-based Evolutionary Technique for Network Intrusion Detection”, The 11th International Conference on Intelligent Systems Design and Applications (ISDA), Córdoba, Spain, November 22-24, 2011.
  • Talk by Mohammed H. Sqalli on October 5th, 2011 about “An Entropy and Volume-based Approach for Identifying Malicious Activities in Honeynet Traffic,” at the International Conference on Cyberworlds, Banff, Alberta, Canada, October 4-6, 2011.

GOALS

We have achieved our main goals for the last year which were to deploy honeypots on the KFUPM campus, collect traces, and improve the techniques developed last year for analyzing Honeynet traffic.

For the next year, our goal is to improve the techniques developed for analyzing Honeynet traffic.

MISC ACTIVITIES

We won first place in the “academic track” of the national Open Source competition (Motah), held at King Abdulaziz City for Science and Technology (KACST), Riyadh, Saudi Arabia, on February 27th, 2012. Motah is a national contest and award organized by KACST for the national organizations with the highest adoption of Open Source Software (OSS). Raed Al-Shaikh presented a project titled “Towards Simulating a Virtual Distributed Honeynet,” completed jointly with Azzat Al-Sadi and supervised by Mohammed H. Sqalli. The aim of the project is to build an IT surveillance network across the KFUPM campus at minimal cost.

ACKNOWLEDGMENT

The Saudi Honeynet (SAHNET) research project was sponsored by King Abdulaziz City for Science and Technology (KACST) under the First Five Year National Science, Technology, & Innovation Plan (NSTIP).