Identifying Anomalous Network Flow Activity Using Cloud-Based Honeypots

Author
Rowe, Neil C.
Nguyen, Thuy D.
Dougherty, Jeffrey T.
Date
2020-10
Abstract
This work addressed efficient and effective implementation of honeypots (decoy devices) in cloud services. Honeypots are essential tools for detecting new attacks on computers and networks, and cloud services are distributed processing systems that can be used to provide great flexibility in software deployment. The particular subtype of honeypot we investigated was for industrial control systems (ICS) that manage electrical-power systems. Starting with two existing software frameworks called Conpot and GridPot, we added new obfuscation techniques, new simulated features of a fake electric grid, and new interfaces that looked like real power-plant controls to increase their deceptive power. These deceptions were effective in our first experiments with a standalone honeypot, as we were attacked twice by a sophisticated adversary as well as by many other less sophisticated attackers. In our second experiments, not yet complete, we deployed the same honeypot configurations at two cloud sites in the U.S. and in Asia. We saw clear differences between all three deployments, showing that context is very important in deceiving attackers and collecting useful data about their attacks. We were concerned deployment in the cloud could be detected by attackers and discourage their investigation, but we saw no evidence of that; apparently enough real electric-generation systems are deployed in the cloud today that they are not suspicious. We conclude that honeypots for industrial control systems using cloud services are a useful tool for information security.
Description
Prepared for: U.S. Fleet Forces Command
Approved for public release; distribution unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. As such, it is in the public domain, and under the provisions of Title 17, United States Code, Section 105, it may not be copyrighted.
NPS Report Number
NPS-CS-20-003
Related items
Showing items related by title, author, creator and subject.
- Fake Honeypots: A Defensive Tactic for Cyberspace
  Rowe, Neil C.; Duong, Binh T.; Custy, E. John (Monterey, California. Naval Postgraduate School, 2006-06)
  Cyber-attackers are becoming more aware of honeypots. They generally want to avoid honeypots since it is hard to spread attacks from them, attacks are thoroughly monitored on them, and some honeypots contain planted false ...
- Assessing the effects of honeypots on cyber-attackers
  Lim, Sze Li Harry (Monterey, California. Naval Postgraduate School, 2006-12)
  A honeypot is a non-production system, designed to interact with cyber-attackers to collect intelligence on attack techniques and behaviors. While the security community is reaping fruits of this collection tool, the hacker ...
- Testing a low-interaction honeypot against live cyber attackers
  Frederick, Erwin E. (Monterey, California. Naval Postgraduate School, 2011-09)
  The development of honeypots as decoys designed to detect, investigate, and counterattack unauthorized use of information systems has produced an "arms race" between honeypots (computers designed solely to receive cyber ...