GSoC/GCI Archive
Google Summer of Code 2010

The Honeynet Project

Web Page: https://www.honeynet.org/gsoc/ideas

Mailing List: https://public.honeynet.org/mailman/listinfo

Founded in 1999, The Honeynet Project is an international, non-profit (501(c)(3)) research organization dedicated to improving the security of the Internet at no cost to the public.


For the past ten years everything we have done and continue to do is based on the principles of open source and volunteer effort. Our bylaws specifically state that any software or papers developed and published by the organization must be licensed as open source and made freely available to the community.


Our goal is to help coordinate the development, deployment, advancement and research findings of honeypot related technologies. With over thirty chapters, one hundred members and twenty open source research projects around the world, we are a highly diverse and international organization.


Simply put, our goal is to make a difference. We accomplish this goal in the following three ways:


Awareness: We raise awareness of the threats and vulnerabilities that exist on the Internet today. Many individuals and organizations do not realize they are a target, nor understand who is attacking them, how, or why. We provide this information so people can better understand that they are a target, and understand the basic measures they can take to mitigate these threats. This information is provided through our Know Your Enemy series of papers.


Information: For those who are already aware and concerned, we provide details to better secure and defend your resources. Historically, information about attackers has been limited to the tools they use. We provide critical additional information, such as their motives for attacking, how they communicate, when they attack systems and their actions after compromising a system. We provide this service through our Know Your Enemy whitepapers and our Scan of the Month challenges.


Tools: For organizations interested in continuing their own research into cyber threats, we provide the tools and techniques we have developed. We provide these through our Tools Site.


Learn more at http://www.honeynet.org.


Google Summer of Code 2010


This year in Google Summer of Code we have a wide range of project ideas, and we are also interested in your ideas that advance community knowledge into new areas. Our projects and skill sets cover a wide range of programming languages (C, C++, Python, PHP, Perl, Java, JavaScript, etc.), databases, IP networking, kernel and device driver development, UI and web interface development, IDS, data visualisation, etc. Project difficulty ranges from fairly challenging, low level rootkit / kernel / hypervisor modification projects that are likely to appeal to confident programmers, through to less code intensive but equally interesting data analysis and presentation projects that build effective user interfaces.


If you want to find out more, take a look at our project ideas web page, subscribe to our blog and come and say hello on the #gsoc-honeynet IRC channel on irc.freenode.net. There should be a mix of organisational admins, project mentors, general Honeynet Project members and prospective students, so feel free to ask questions and we will always try to get back to you. If you are new to IRC, try reading an online primer, but don't worry, we'll be happy to help you get up to speed.

Projects

  • Application for Project 15 - "A uniform sandbox/sandnet with data collection capabilities" The aim of this project is to develop a shared uniform sandbox for automated malware analysis with data collection and aggregation capabilities.
  • Developing an Instant Messenger Honeypot Analyzing Instant Messaging Spam (Spim) is a very complex task. Spim is distributed using the current victim's contact list and some sort of social engineering. This facilitates the fast and rapid spread of Spim. This new type of honeypot should help us to get some first insight into malware distribution and client infection using instant messaging protocols and social engineering.
  • Dionaea Features Improvement Dionaea, as the successor to the Nepenthes low interaction honeypot, has been developed since 2009. It serves as a malware collector by emulating protocols and services. It is widely used and has better performance and functionality. Yet it may need more features to adapt to the fast changing malware landscape. I would like to improve Dionaea's features and enhance its support functions, in terms of new DCE-RPC calls, XMPP feature polishing, NTLMv2 authentication and an SMB stack test suite with Scapytain.
  • GSoC-Honeynet 2010 Project Proposal (TraceXploit) - Koh Yong Chuan I am a graduate student from Singapore. My main reasons for participating are: 1) my personal interest in IT security (hence my work in this field); 2) I have the relevant knowledge and skills; 3) what better way to spend my free time! My proposed implementations for TraceXploit are explained. The proposals are realistic enough to be achieved in 3 months. It would be an exciting experience and challenge to look forward to if I could be selected as a GSoC-Honeynet 2010 participant.
  • Hale - A botnet command and control monitor Hale will support both the IRC and HTTP protocols, with the ability to easily add new modules that support new protocols. The monitor will have thread support and logging facilities. Collected logs will be accessible via a web interface and all suspicious malware will be analyzed through a sandbox service. To avoid exposing the location of the monitor, the bots will be able to connect through proxies and hide their origin.
  • Implement TraceExploit: Replay the collected network trace to perform a successful exploit TraceExploit uses a heuristic method to extract a template from single or multiple samples of an exploit's network flow, and then performs the exploit against another host machine (possibly with a different OS or software version). The shellcode of the exploit can be customized by users. The replay of the exploit is based on binary network data analysis, without any application layer knowledge.
  • Improve high interaction honeypot capabilities I would like to work on the above idea, which has already been proposed. I need some time for this; I will be working on it and in the next 3-4 days I will submit my project plan and milestones with deliverables.
  • Improving PHoneyC----Detecting and Analyzing Malicious PDF attacks Nowadays malicious PDF is a serious Internet security threat, and its detection and analysis has become a quite hot research topic. PHoneyC, as a low interaction client-side honeypot, has done well in analyzing malicious HTML pages and also has a module to handle PDF files; however, this module is not strong enough to analyze complex malicious PDF attacks. This proposal discusses the idea of dealing with four kinds of malicious PDF attack.
  • Log Anonymization Library The sharing of real logs and network data is very important for researchers, educators and analysts. Many log anonymization tools and techniques have been created. At the same time many attacks were created, trying to exploit weaknesses in this process. This proposal aims at new techniques for the anonymization process and attack prevention modules. In addition, the possibility of two or more sources of data as input, to make a coherently anonymized set of logs, which is not present in either tool.
  • Log File Anonymization This project aims at developing an API providing services for log file anonymization through a C library. Indeed, sharing logs is one of the main ideas of the Honeynet Project, but this could involve leakage of sensitive data that its owners would not want to expose to the public for security reasons. In order to reach this goal, this API must be able to find sensitive data in several types of logs and hide it while preserving the meaning of the logs.
  • My proposal for infected host detection through DNS analysis In this proposal, I present my specific ideas on how to detect infected hosts through DNS analysis, including using a bad domains list, IP reputation records, an infected hosts list, etc. The goal is to build an efficient and accurate detection mechanism.
  • PHP/RFI Sandbox I suggest creating a sandbox for PHP scripts used by attackers. It will use extensions to PHP like 'funcall' and 'APD' to create callbacks for functions related to network and filesystem access. Those callbacks will capture all network traffic and changes to files initiated by a given PHP script. Features like chroot() and SuExec will be used to isolate the malicious script from the system. I've made a prototype, which can be found here: http://dimensio.dc.turkuamk.fi/sandbox/sandboxindex.php
  • Project 1 - Improve our low interaction client honeypot PHoneyC I propose to design an anomaly detection engine by wrapping the C++ library for anomaly detection, libAnomaly, in Cython. This engine can then be used from PHoneyC to detect unknown attacks with a high degree of confidence and a low false positive rate. Thus a lot of interesting things can be done, like detecting previously unknown attacks, deobfuscating JS code, characterizing exploits, generating exploit signatures, etc.
  • Project 13 - Infected host detection through DNS analysis A project related to DNS analysis: implementation of algorithms and data structures, and detection of various types of anomalies that can be observed when looking at DNS traffic.
  • Using hardware virtualization to improve the high interaction honeypot data capture system During this year's GSoC I intend to implement a new HI honeynet data capture tool, HV-Sebek (hardware virtualization assisted Sebek). This tool will have all the capabilities Sebek has now but will be much stealthier and have better tamper resistance. This tool will be based on MAVMM and target monitoring of Linux based honeypots. The deliverables include the GPL licensed source code for this functionality, and a working demonstration system running in my lab at Peking University.
  • VoIP (SIP) Honeypot Implementation in Dionaea If one follows the news and blog posts about VoIP security it becomes apparent that attacks on VoIP systems are getting more popular among malicious hackers and criminals. Dionaea is a low-interaction honeypot that exposes known vulnerabilities to the network. Once an attacker attempts to exploit these software flaws, Dionaea tries to capture the malware from the network. My project will improve and extend Dionaea with a module that allows it to detect and capture common VoIP attacks.
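The two log anonymization proposals above ("Log Anonymization Library" and "Log File Anonymization") both describe finding sensitive fields in several kinds of logs and hiding them while keeping the logs meaningful, and the first one specifically wants two or more sources anonymized coherently. The following is an added example of that idea, written for this page; it is not code from the Honeynet Project or from either proposer, and it is in Python rather than the C library the second proposal plans. The secret key, the log lines and the address ranges kept verbatim are all constructed for the example. Public IPv4 addresses are mapped with a keyed PRF into 10.0.0.0/8 so that addresses in one real /24 land in one anonymized /24 and distinct hosts stay distinct, and the same mapping is applied to every source, so an attacker seen in the web log and in the firewall log carries the same pseudonym in both.

```python
"""Coherent multi-source log anonymization (added example, not Honeynet Project code)."""
import hashlib
import hmac
import ipaddress
import random
import re

# Constructed secret for this example; a real deployment loads it from a secret store.
# Changing the key changes every pseudonym, which is how one re-keys between releases.
KEY = b"example-anonymization-key"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed policy: RFC 1918 and loopback addresses describe the sharer's own
# honeynet layout and are kept as they are; everything else is a third party.
KEEP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _prf(label: str, value: str) -> bytes:
    """Keyed PRF: stable for one key, unguessable without it, domain-separated by label."""
    return hmac.new(KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()


def anonymize_ip(ip: str) -> str:
    """Map a public IPv4 address into 10.0.0.0/8.

    The real /24 selects the anonymized second and third octets, so hosts that
    share a subnet still share one afterwards; the host octet goes through a
    keyed permutation of 0..255 for that subnet, so distinct hosts stay distinct.
    This is a simplified scheme, not the full prefix-preserving Crypto-PAn.
    """
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return ip  # regex false positive such as 999.1.1.1: leave untouched
    if any(addr in net for net in KEEP_NETS):
        return ip
    o1, o2, o3, host = ip.split(".")
    tag = _prf("net", f"{o1}.{o2}.{o3}")
    perm = list(range(256))
    random.Random(int.from_bytes(tag[2:10], "big")).shuffle(perm)
    return f"10.{tag[0]}.{tag[1]}.{perm[int(host)]}"


def anonymize_email(email: str) -> str:
    """Replace an e-mail address with a stable pseudonym; the domain is dropped too."""
    return f"user-{_prf('email', email.lower())[:4].hex()}@anon.invalid"


def anonymize_line(line: str) -> str:
    """Rewrite every e-mail address and IPv4 address in one log line."""
    line = EMAIL_RE.sub(lambda m: anonymize_email(m.group(0)), line)
    return IPV4_RE.sub(lambda m: anonymize_ip(m.group(0)), line)


def anonymize_sources(sources: dict) -> dict:
    """Anonymize several named log sources under one mapping, so cross-source
    correlation (same attacker in web log and firewall log) survives."""
    return {name: [anonymize_line(l) for l in lines] for name, lines in sources.items()}


# Constructed sample logs for the example (TEST-NET addresses, not real captures).
SAMPLE_SOURCES = {
    "access": [
        '203.0.113.17 - - [10/Mar/2010:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
        '203.0.113.42 - - [10/Mar/2010:12:00:05 +0000] "POST /contact.php?mail=bob@example.org HTTP/1.1" 403 128',
    ],
    "firewall": [
        "Mar 10 12:00:01 fw kernel: DROP SRC=203.0.113.17 DST=192.168.1.10 PROTO=TCP DPT=445",
        "Mar 10 12:00:09 fw kernel: DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=22",
    ],
}

if __name__ == "__main__":
    for name, lines in anonymize_sources(SAMPLE_SOURCES).items():
        for line in lines:
            print(f"{name}: {line}")
```

The weakness the first proposal alludes to (attacks on the anonymization process) is visible here: the mapping is only as secret as KEY, and because subnet structure is preserved, an adversary who knows which real /24 was active at a given time can still match it to an anonymized /24 by traffic volume. Preserving less structure (for example mapping whole addresses independently) trades analytic value for resistance to that kind of inference, and the choice should be made per data set rather than baked into the library.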