AUTOMATED APPROACH TO HONEYPOT DEPLOYMENT AND MONITORING
14.05.2025 10:31
[1. Information systems and technologies]
Authors: Andrii Valchuk, PhD student, National University "Lviv Polytechnic", Lviv; Valery Dudykevych, Doctor of Technical Sciences, Professor, National University "Lviv Polytechnic", Lviv
Introduction
Today there is a significant increase in potentially harmful activity on the Internet, so organizations deploy mechanisms for detecting and responding to new attacks and suspicious activity. These include next-generation firewalls with built-in Intrusion Detection / Prevention Systems (IDS/IPS) and Security Information and Event Management (SIEM) systems. An important component of such a system is Threat Intelligence data, which allows attacks to be detected at an early stage by exposing Indicators of Compromise (IoC) in the infrastructure. Simple examples are outbound traffic to known command-and-control (C2) IP addresses, or the detection of file hashes known to be malicious.
Deploying honeypots is one way of obtaining such data: a honeypot not only yields relevant information about the threats targeting the organization, but also allows attacks to be detected and neutralized at an early stage. Because a honeypot offers no legitimate service, any interaction with it is suspicious by definition, which is what makes honeypots accurate detectors of attacks.
Deploying honeypots is quite costly in terms of both human and material resources, so it is desirable to be able to create and deploy honeypots automatically on many systems in different subnets (locations) and to monitor them centrally for further threat analysis.
Solution technologies and architecture
When developing and deploying honeypot systems it is important to isolate them from the operating system (OS) that runs them. There are two basic approaches that provide this: virtualization and containerization.
The advantage of virtualization is stronger isolation at the system level, since the honeypot runs as a separate system with its own kernel; the price is that it requires more resources from the host.
The advantage of containerization is lower resource usage, because a container runs only an OS image with a limited set of components and no kernel of its own. The disadvantage is that containers share the host kernel and its resources; access to those resources is controlled in a different way, by the native OS mechanisms (on Linux: namespaces, cgroups, capabilities and seccomp filters), so a kernel vulnerability reachable from inside the container affects the host as well.
An important problem that containerization solves is the automation of system deployment and scaling (deploying a large number of honeypots at the same time).
Monitoring software is an essential part of the system, collecting and analysing the data from the honeypots. It should guarantee data delivery, parse the data properly and make it possible to analyse and correlate the data. Splunk provides this and was selected as the main platform for data analysis.
The main concept and architecture are based on several open source honeypot tools (such as Kippo, Cowrie, rdpy, etc.):
-build Docker images for each of them (or use existing ones);
-run read-only Docker containers based on these images;
-the logs are written to the /honeypot_log folder on the host OS;
-the Splunk Universal Forwarder (UF) reads these log files and sends them to the Splunk server, which provides the data collection and analysis capabilities;
-data analysis and reporting are handled by a purpose-built Splunk App;
-one of the main advantages is that all deployment and configuration tasks are automated with Ansible.
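The deployment step of the architecture above (read-only containers, logs bind-mounted to /honeypot_log on the host, one Universal Forwarder input per honeypot), written out as a small Python deployment script. This is an added example and not the authors' Ansible tooling. The Cowrie image name, its in-container log, data and pid-file paths, the uid it runs as, the host port mapping and the Universal Forwarder install path are assumptions and must be checked against the image and the UF installation. The hardening flags (read-only rootfs, all capabilities dropped, no-new-privileges, noexec tmpfs) go beyond what the text lists; they follow from the containerization caveat above, since a honeypot is a service that is expected to be compromised and shares the host kernel.

```python
"""Deploy read-only honeypot containers and point the Splunk Universal Forwarder
at their logs. Constructed example, not the authors' tooling: image names,
in-container paths, uids and the UF install path are assumptions."""
from __future__ import annotations

import os
import subprocess
from dataclasses import dataclass

HOST_LOG_ROOT = "/honeypot_log"      # paper: honeypot logs are written here on the host
HOST_DATA_ROOT = "/honeypot_data"    # assumed: persisted artefacts (downloads, tty recordings)
UF_HOME = "/opt/splunkforwarder"     # assumed default UF install path
UF_INPUTS = f"{UF_HOME}/etc/system/local/inputs.conf"


@dataclass(frozen=True)
class Honeypot:
    name: str
    image: str
    log_dir: str              # directory the service logs to inside the container (assumed per image)
    ports: dict               # host port -> container port
    sourcetype: str           # Splunk sourcetype the analysis app expects
    data_dir: str = ""        # in-container directory worth persisting besides logs
    scratch_dirs: tuple = ()  # in-container paths that must be writable but need no persistence
    uid: int = 1000           # uid the service runs as inside the image (assumed)
    whitelist: str = ""       # optional regex restricting which files the UF monitors


# Assumed image details; verify against the image documentation before relying on them.
HONEYPOTS = [
    Honeypot("cowrie", "cowrie/cowrie:latest", "/cowrie/cowrie-git/var/log/cowrie",
             {22: 2222, 23: 2223}, "cowrie:json",
             data_dir="/cowrie/cowrie-git/var/lib/cowrie",
             scratch_dirs=("/cowrie/cowrie-git/var/run",),
             whitelist=r"\.json$"),
]


def docker_run_argv(hp: Honeypot) -> list[str]:
    """Build the `docker run` command for one honeypot.

    The rootfs is read-only and all capabilities are dropped: the service is
    expected to be attacked, so a compromise must not let the attacker modify
    the image, gain capabilities or persist anything outside the bind mounts."""
    argv = ["docker", "run", "-d", "--name", f"hp-{hp.name}",
            "--read-only",
            "--cap-drop", "ALL",
            "--security-opt", "no-new-privileges",
            "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",
            "--restart", "unless-stopped",
            "-v", f"{HOST_LOG_ROOT}/{hp.name}:{hp.log_dir}"]
    if hp.data_dir:
        argv += ["-v", f"{HOST_DATA_ROOT}/{hp.name}:{hp.data_dir}"]
    for path in hp.scratch_dirs:
        argv += ["--tmpfs", f"{path}:rw,noexec,nosuid"]
    for host_port, container_port in hp.ports.items():
        argv += ["-p", f"{host_port}:{container_port}"]
    argv.append(hp.image)
    return argv


def uf_inputs_conf(honeypots: list[Honeypot] = HONEYPOTS) -> str:
    """Render inputs.conf stanzas so the UF tails each honeypot's host log directory."""
    lines = []
    for hp in honeypots:
        lines += [f"[monitor://{HOST_LOG_ROOT}/{hp.name}]",
                  f"sourcetype = {hp.sourcetype}",
                  "index = honeypot",
                  "disabled = 0"]
        if hp.whitelist:
            lines.append(f"whitelist = {hp.whitelist}")
        lines.append("")
    return "\n".join(lines)


def deploy(honeypots: list[Honeypot] = HONEYPOTS, run=subprocess.run) -> str:
    """Create host directories, start the containers and (re)configure the UF.
    Needs root and a Docker daemon; `run` is injectable for dry runs."""
    for hp in honeypots:
        for root in (HOST_LOG_ROOT, HOST_DATA_ROOT):
            path = f"{root}/{hp.name}"
            os.makedirs(path, mode=0o750, exist_ok=True)
            os.chown(path, hp.uid, -1)  # the unprivileged service user must be able to write here
        run(docker_run_argv(hp), check=True)
    conf = uf_inputs_conf(honeypots)
    with open(UF_INPUTS, "w", encoding="utf-8") as fh:
        fh.write(conf)
    run([f"{UF_HOME}/bin/splunk", "restart"], check=True)
    return conf


if __name__ == "__main__":
    for hp in HONEYPOTS:
        print(" ".join(docker_run_argv(hp)))
    print(uf_inputs_conf())
```

Run as root on a sensor host. Publishing host port 22 to the SSH honeypot means the real sshd used for administration, and by Ansible, must listen on another port. The same declarative list can drive an Ansible playbook (the community.docker.docker_container module accepts read_only, cap_drop, tmpfs and volumes), which is how the text's automation is done.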
Data collection and Analysis
During the research, several open source honeypots were selected, deployed and integrated into one platform.
There is a lot of data that Splunk can process. Service access logs allow a great deal of information about a possible attacker to be collected, starting from simple items such as the attacker's IP address and extending to more interesting ones such as the User-Agent and the request body in web server access logs.
Based on this data, several dashboards and statistics were built:
-General overview by attacked services;
-Top attackers by IP address;
-Top attacked ports;
-Scanning activity by scan method (SYN, SYN-ACK);
-Top request methods;
-Top request bodies;
-Top and rare User-Agents.
One interesting question that can be analysed is whether an attacker probed only a single port or scanned the whole IP address to determine which ports are open.
Based on these statistics and reports, general assumptions can be made about current attack trends worldwide, and in particular those affecting a specific sector.
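The statistics behind those dashboards, computed offline over a few constructed log lines (a Cowrie JSON event stream and web honeypot access log lines in combined format), as an added example that is not part of the original page or of the authors' Splunk App. The sample IP addresses, User-Agents and credentials are constructed, and the three-port threshold for calling a source a port sweep is an assumption. The example also carries through the single-port-versus-full-scan distinction from the previous paragraph by collecting the distinct destination ports each source IP touched across both honeypots.

```python
"""Offline counterpart of the paper's Splunk dashboards: top attackers, top
ports, request methods, rare User-Agents and a per-IP scan profile, computed
over constructed sample logs. Added example, not the authors' Splunk App."""
import json
import re
from collections import Counter, defaultdict

SWEEP_MIN_PORTS = 3   # assumed threshold: an IP touching this many ports is treated as a sweep
WEB_PORT = 80         # assumed: the web honeypot is published on port 80

# Constructed Cowrie-style JSON events (not real captures). Field names follow
# Cowrie's cowrie.json output: eventid, src_ip, dst_port, session, timestamp.
COWRIE_JSON = r"""
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","src_port":51001,"dst_port":2222,"session":"a1","timestamp":"2025-05-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","session":"a1","timestamp":"2025-05-01T10:00:01Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","src_port":51002,"dst_port":2222,"session":"a2","timestamp":"2025-05-01T10:00:05Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":40001,"dst_port":2222,"session":"b1","timestamp":"2025-05-01T10:01:00Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":40002,"dst_port":2223,"session":"b2","timestamp":"2025-05-01T10:01:01Z"}
"""

# Constructed web honeypot access log lines (nginx/Apache "combined" format).
ACCESS_LOG = r"""
198.51.100.7 - - [01/May/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [01/May/2025:10:01:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.10 - - [01/May/2025:10:02:00 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.55 - - [01/May/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_cowrie(text):
    """One JSON object per line; a malformed line is skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def parse_access_log(text):
    """Combined-format access log lines; lines that do not match are dropped."""
    rows = []
    for line in text.strip().splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify_scanner(ports):
    """Single port probed vs. whole-host sweep, from the set of ports an IP touched."""
    if len(ports) == 1:
        return "single-port probe"
    if len(ports) >= SWEEP_MIN_PORTS:
        return "multi-port sweep"
    return "few-port probe"


def build_stats(cowrie_events, access_rows, top_n=5):
    attackers, ports, methods, paths, agents, creds = (Counter() for _ in range(6))
    ports_by_ip = defaultdict(set)  # distinct destination ports per source, across honeypots
    for ev in cowrie_events:
        ip = ev.get("src_ip")
        if ev.get("eventid") == "cowrie.session.connect":
            attackers[ip] += 1
            ports[ev["dst_port"]] += 1
            ports_by_ip[ip].add(ev["dst_port"])
        elif ev.get("eventid") == "cowrie.login.failed":
            creds[(ev["username"], ev["password"])] += 1
    for row in access_rows:
        ip = row["ip"]
        attackers[ip] += 1
        ports[WEB_PORT] += 1
        ports_by_ip[ip].add(WEB_PORT)
        methods[row["method"]] += 1
        paths[row["path"]] += 1
        agents[row["ua"]] += 1
    return {
        "top_attackers": attackers.most_common(top_n),
        "top_ports": ports.most_common(top_n),
        "top_methods": methods.most_common(top_n),
        "top_paths": paths.most_common(top_n),
        "top_user_agents": agents.most_common(top_n),
        "rare_user_agents": sorted(ua for ua, n in agents.items() if n == 1),
        "top_credentials": creds.most_common(top_n),
        "scan_profile": {ip: classify_scanner(p) for ip, p in ports_by_ip.items()},
    }


def analyse(cowrie_text=COWRIE_JSON, access_text=ACCESS_LOG):
    return build_stats(parse_cowrie(cowrie_text), parse_access_log(access_text))


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

In Splunk the same numbers come from `stats count by src_ip` or `dc(dst_port) by src_ip` over the two sourcetypes; the point of joining the SSH and web events on the source IP is that a sweep across services is only visible when the honeypots feed one platform, which is the reason the text collects everything centrally.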
Conclusion
Receiving current information about information security threats broadens the view of the organization's overall security posture. The main problems covered in this paper and the solutions provided are:
-a simplified, automated process for installing and deploying the honeypot system in a cloud environment was developed, which allows it to be quickly distributed to many systems;
-the architecture of the honeypot system using Docker containers was created;
-a process for collecting logs from the honeypot containers, storing them on the host OS and then sending them to the Splunk platform in the cloud via the Splunk Universal Forwarder was developed;
-several dashboards were developed on the Splunk platform to generate statistics and reports and to provide deeper analysis of the ingested data.
The ability to automate the deployment of honeypot systems and to use a unified way of collecting and analysing their data is a good choice for improving the security posture of an organisation.