Show simple item record

dc.contributor.author: Vetterl, Alexander
dc.date.accessioned: 2020-03-09T16:53:15Z
dc.date.available: 2020-03-09T16:53:15Z
dc.date.issued: 2020-05-20
dc.date.submitted: 2019-11-20
dc.identifier.uri: https://www.repository.cam.ac.uk/handle/1810/303171
dc.description.abstract: Today's Internet connects billions of physical devices. These devices are often immature and insecure, and share common vulnerabilities. The predominant form of attacks relies on recent advances in Internet-wide scanning and device discovery. The speed at which (vulnerable) devices can be discovered, and the device monoculture, mean that a single exploit, potentially trivial, can affect millions of devices across brands and continents. In an attempt to detect and profile the growing threat of autonomous and Internet-scale attacks against the Internet of Things, we revisit honeypots, resources that appear to be legitimate systems. We show that this endeavour was previously limited by a fundamentally flawed generation of honeypots and associated misconceptions. We show with two one-year-long studies that the display of warning messages has no deterrent effect in an attacked computer system. Previous research assumed that they would measure individual behaviour, but we find that the number of human attackers is orders of magnitude lower than previously assumed. Turning to the current generation of low- and medium-interaction honeypots, we demonstrate that their architecture is fatally flawed. The use of off-the-shelf libraries to provide the transport layer means that the protocols are implemented subtly differently from the systems being impersonated. We developed a generic technique which can find any such honeypot at Internet scale with just one packet for an established TCP connection. We then applied our technique and conducted several Internet-wide scans over a one-year period. By logging in to two SSH honeypots and sending specific commands, we not only revealed their configuration and patch status, but also found that many of them were not up to date.
As we were the first to knowingly authenticate to honeypots, we provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe computer-misuse laws. Lastly, we present honware, a honeypot framework for rapid implementation and deployment of high-interaction honeypots. Honware automatically processes a standard firmware image and can emulate a wide range of devices without any access to the manufacturers' hardware. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit vulnerabilities at Internet scale in a world of ubiquitous networked 'things'.
dc.description.sponsorship: Premium Research Studentship, Department of Computer Science and Technology, University of Cambridge
dc.language.iso: en
dc.rights: All rights reserved
dc.subject: Network security
dc.subject: Honeypot
dc.subject: Fingerprinting
dc.subject: Attackers
dc.subject: Distributed Denial of Service (DDoS)
dc.subject: Malware
dc.subject: Threat analysis
dc.subject: Honware
dc.subject: Network measurement
dc.subject: Internet of Things (IoT)
dc.subject: Firmware
dc.subject: Emulation
dc.subject: Virtualisation
dc.subject: Warning messages
dc.subject: Deterrence
dc.subject: Detection
dc.subject: System trespassing
dc.subject: Unauthorized access
dc.subject: Customer Premise Equipment (CPE)
dc.subject: Zero days
dc.subject: Network protocols
dc.title: Honeypots in the age of universal attacks and the Internet of Things
dc.type: Thesis
dc.type.qualificationlevel: Doctoral
dc.type.qualificationname: Doctor of Philosophy (PhD)
dc.publisher.institution: University of Cambridge
dc.publisher.department: Department of Computer Science and Technology
dc.date.updated: 2020-02-26T16:34:31Z
dc.identifier.doi: 10.17863/CAM.50250
dc.contributor.orcid: Vetterl, Alexander [0000-0003-4761-8679]
dc.publisher.college: Churchill College
dc.type.qualificationtitle: PhD in Computer Science
cam.supervisor: Anderson, Ross John
cam.supervisor: Clayton, Richard
cam.thesis.funding: false