Security & Forensics

Distributed Honeynet System v2.0

Brief Description
The Distributed Honeynet System Ver 2.0 “Cyber Threat Analyzer - मधुपाश” uses a client-server architecture, deployable on broadband networks and leased lines, to capture, monitor and analyze threats observed by a honeynet. It provides for five types of honeypot sensors: (1) OS Services honeypot, (2) Client honeypot, (3) Web Server honeypot, (4) Honeyport (Windows unused-port monitor) and (5) Router honeypot. These honeypots run at the client end with a local data-visualization interface; honeypot management and configuration are done through the central server's web interface.

A user can dynamically configure the honeypot nodes, both the type of honeypot and the vulnerabilities exposed to the attacker. Attack data collected by the honeypot sensors at a node is filtered, logically fused and displayed at the client node, then sent to the central server. There, the data collected from multiple clients is correlated and processed by server-side analysis engines, and the web application running on the central server displays statistics on the captured data and the analysis results.

Security Issues addressed

  • Malware and attack data capturing
  • Situational awareness through threat monitoring
  • Determination of the latest attack trends spreading in networks
  • Leveraging honeypot contextual information to detect bots and C&C servers
  • Novel attack data capture useful for signature generation

Key Features
  • Client-server based architecture
  • Dynamically configurable honeynet nodes
  • USB-bootable honeynet client nodes
  • In-built malware collection mechanism and malware labeling
  • Scan and probe capture; shellcode detection and analysis
  • Near real-time visualization of attack data from multiple sensors
  • Central web console for captured-data display, administrative user rights, remote node management and monitoring
  • Supports vulnerability-based honeypot deployment, a variety of honeypots, real or emulated OS and services, and IP reallocation; multiple OS personalities for the client honeypot
  • Deployable on broadband networks, leased lines and behind NAT
  • Enumeration of vulnerabilities
  • Vulnerability-based mapping of captured attacks and its display on the web console
  • Privileges for downloading PCAP data, malicious binaries and shellcodes through the web console
  • SSL/TLS with PKI secures client-server communication
  • Structured analysis framework at the central server for botnet tracking and confirmatory analysis
  • Analysis output includes:
    • Analysis report of sandbox execution of malware, downloadable from the web console
    • Botnet profiles in the form of C&C, egg download, infection source, domain queried and domain answered
    • Captured shellcodes
    • List of vulnerabilities exploited
    • Statistical information on captured attacks
  • Well-defined reporting format specifying the various analysis parameters
  • Indicators of Compromise (IOC) feed generation directly integrated with the threat incident management system (AbuseSA)
Contact (e-mail):
rks[at]cdac[dot]in
Mr. Rakesh Kumar Sehgal
(Chief Investigator)