
Publication


Featured research published by Gerard Wagener.


International Symposium on Stabilization, Safety, and Security of Distributed Systems | 2009

Self Adaptive High Interaction Honeypots Driven by Game Theory

Gerard Wagener; Radu State; Alexandre Dulaunoy; Thomas Engel

High-interaction honeypots are relevant to provide rich and useful information obtained from attackers. Honeypots come in different flavors with respect to their interaction potential. A honeypot can be very restrictive, but then only a few interactions can be observed. If a honeypot is very tolerant, though, attackers can quickly achieve their goal. Having the best trade-off between attacker freedom and honeypot restrictions is challenging. In this paper, we address the issue of self-adaptive honeypots that can change their behavior and lure attackers into revealing as much information as possible about themselves. The key idea is to leverage game-theoretic concepts for the configuration and reciprocal actions of high-interaction honeypots.


International Conference on Malicious and Unwanted Software | 2009

Malware analysis with graph kernels and support vector machines

Cynthia Wagner; Gerard Wagener; Radu State; Thomas Engel

This paper addresses a fundamentally new method for analyzing the behavior of executed applications and sessions. We describe a modeling framework capable of representing relationships among processes belonging to the same session in an integrated way, as well as the information related to the underlying system calls executed. We leverage for this purpose graph-based kernels and Support Vector Machines (SVM) in order to classify either individually monitored applications or more comprehensive user sessions. Our approach can serve both as a host-level intrusion detection and application level monitoring and as an adaptive jail framework.


Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security | 2016

MISP: The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform

Cynthia Wagner; Alexandre Dulaunoy; Gerard Wagener; Andras Iklody

The IT community is confronted with incidents of all kinds and nature; new threats appear on a daily basis. Fighting these security incidents individually is almost impossible. Sharing information about threats among the community has become a key element in incident response to stay on top of the attackers. Reliable information resources, providing credible information, are therefore essential to the IT community, or even at broader scale, to intelligence communities or fraud detection groups. This paper presents the Malware Information Sharing Platform (MISP) and threat sharing project, a trusted platform that allows the collection and sharing of important indicators of compromise (IoC) of targeted attacks, but also threat information like vulnerabilities or financial indicators used in fraud cases. The aim of MISP is to help in setting up preventive actions and counter-measures used against targeted attacks, and to enable detection via collaborative knowledge sharing about existing malware and other threats.


International Conference on Future Generation Communication and Networking | 2008

Towards an Estimation of the Accuracy of TCP Reassembly in Network Forensics

Gerard Wagener; Alexandre Dulaunoy; Thomas Engel

Today, honeypot operators rely strongly on network analysis tools to examine network traces collected in their honeynet environment. The accuracy of such analysis depends on the ability of the tools to properly reassemble streams, especially TCP sessions. Network forensics analysis quality is tied to those tools, and we evaluated widely used network analysis tools. We pinpoint TCP reassembly errors with their causes and propose algorithms and analytical techniques to measure them in order to improve network forensic analysis.


Network Operations and Management Symposium | 2012

SDBF: Smart DNS brute-forcer

Cynthia Wagner; Jérôme François; Radu State; Thomas Engel; Gerard Wagener; Alexandre Dulaunoy

The structure of the domain name is highly relevant for providing insights into the management, organization and operation of a given enterprise. Security assessment and network penetration testing use information sourced from the DNS service in order to map the network, perform reconnaissance tasks, identify services and target individual hosts. Tracking the domain names used by popular botnets is another major application that needs to uncover their underlying DNS structure. Current approaches for this purpose are limited to simplistic brute force scanning or reverse DNS, but these are unreliable. Brute force attacks depend on a huge list of known words and thus will not work against unknown names, while reverse DNS is not always set up or properly configured. In this paper, we address the issue of fast and efficient generation of DNS names and describe practical experiences against real world large scale DNS names. Our approach is based on techniques derived from natural language modeling and leverages Markov Chain Models in order to build the first DNS scanner (SDBF) that leverages both training and advanced language modeling approaches.


Integrated Network Management | 2011

Adaptive and self-configurable honeypots

Gerard Wagener; Radu State; Thomas Engel; Alexandre Dulaunoy

Honeypot evangelists propagate the message that honeypots are particularly useful for learning from attackers. However, looking at current honeypots, most of them are statically configured and managed, which requires a priori knowledge about attackers. In this paper we propose a high-interaction honeypot capable of learning from attackers and capable of dynamically changing its behavior using a variant of reinforcement learning. It can strategically block the execution of programs, lure the attacker by substituting programs and insult attackers with the intent of revealing the attacker's nature and ethnic background. We also investigated the fact that attackers could learn to defeat the honeypot and discovered that attacker and honeypot interests sometimes diverge.


Visualization for Computer Security | 2010

PeekKernelFlows: peeking into IP flows

Cynthia Wagner; Gerard Wagener; Radu State; Alexandre Dulaunoy; Thomas Engel

This paper introduces a new method for getting insights into IP related data flows based on a simple visualization technique that leverages kernel functions defined over spatial and temporal aggregated IP flows. This approach was implemented in a visualization tool called PeekKernelFlows. This tool simplifies the identification of anomalous patterns over a time period. An intuitive adapting image allows network operators to detect attacks. We validated our method on a real use-case scenario, where we inspected traffic of a high-interaction honeypot.


Signal-Image Technology and Internet-Based Systems | 2008

An Instrumented Analysis of Unknown Software and Malware Driven by Free Libre Open Source Software

Gerard Wagener; Alexandre Dulaunoy; Thomas Engel

Reverse engineering is often the last resort for analyzing unknown or closed source software. Such an investigation is motivated by a risk evaluation of closed source programs or by evaluating consequences and countermeasures against infections by malicious programs that are often closed source. This article presents a success story where we used and modified free software serving as an environment for analyzing unknown software. We explain how a malware sandbox can be constructed based on free software. Moreover, we describe how we modified free software to improve malware analysis with additional features or extensions. Free software helped us to increase the accuracy of malware or unknown software analysis.


Concurrency and Computation: Practice and Experience | 2012

Breaking Tor anonymity with game theory and data mining

Cynthia Wagner; Gerard Wagener; Radu State; Alexandre Dulaunoy; Thomas Engel

Attacking anonymous communication networks is very tempting, and many types of attacks have already been observed. Here, the case of Tor, a widely used anonymous overlay network, is considered. Despite the deployment of several protection mechanisms, an attack originated by just one rogue exit node is proposed. The attack is composed of two elements. The first is an active tag injection scheme. The malicious exit node injects image tags into all HTTP replies, which will be cached for upcoming requests and allow different users to be distinguished. The second element is an inference attack that leverages a semi-supervised learning algorithm to reconstruct browsing sessions. Captured traffic flows are clustered into sessions, such that one session is most probably associated with a specific user. The clustering algorithm uses HTTP headers and logical dependencies encountered in a browsing session. A prototype has been implemented and its performance evaluated on the Tor network. The article also describes several countermeasures and advanced attacks, modeled in a game theoretical framework, and their effectiveness assessed with reference to the Nash equilibrium.


Journal of Computer Virology and Hacking Techniques | 2011

Heliza: talking dirty to the attackers

Gerard Wagener; Radu State; Alexandre Dulaunoy; Thomas Engel

In this article we describe a new paradigm for adaptive honeypots that are capable of learning from their interaction with attackers. The main objective of such honeypots is to get as much information as possible about the profile of an intruder, while decoying their true nature and goals. We have leveraged machine learning techniques for this task and have developed a honeypot that uses a variant of reinforcement learning in order to learn the best behavior when facing attackers. The honeypot is capable of adopting behavioral strategies that vary from blocking commands and returning erroneous messages right up to insults that aim to irritate the intruder and serve as a reverse Turing Test. Our preliminary experimental results show that behavioral strategies are dependent on contextual parameters and can serve as advanced building blocks for intelligent honeypots.

Collaboration



Top Co-Authors

Thomas Engel

University of Luxembourg

Radu State

University of Luxembourg

Cynthia Wagner

University of Luxembourg
