Title

Architectural analysis and customised deployment of deceptive cowrie and conpot honeypots

Author Identifiers

Warren Cabral

https://orcid.org/0000-0002-5270-0020

Date of Award

2021

Degree Type

Thesis

Degree Name

Master Of Computing And Security By Research

School

School of Science

First Advisor

Leslie F Sikos

Second Advisor

Craig Valli

Abstract

Honeypots are progressively becoming a fundamental cybersecurity tool to detect, prevent, and record new threats and attack methodologies used by attackers to penetrate systems. A honeypot is a deceptive or fake computer system that presents itself as a real computer system with actual sensitive information. A range of open-source honeypots are available today, such as Cowrie and Conpot, which can be easily downloaded and deployed within minutes—with default settings. Cowrie is a medium-interaction secure shell (SSH) and Telnet honeypot intended to log brute force and shell interaction attacks. In contrast, Conpot is a low-interaction SCADA honeypot, which attempts to mimic an active SCADA system. These honeypots operate on a standardised configuration file that encompasses options for deployment such as hostnames, IPs, network services, protocols, applications, and fingerprint information. These options are convoluted and must be used in an integrated and granular fashion to make the deception presented by the honeypot plausible and effective. The current issue with the default configurations is that they are easily detected by adversaries using default parameters, automated scripts and scanners such as Shodan and NMAP. Nonetheless, cybersecurity specialists deploy most honeypots with default configurations. This is because modern systems do not provide a standard framework for optimal deployment of these honeypots based on the various configuration options available to produce a non-default configuration. Hence, default honeypot deployments are counterproductive and a waste of network resources and personnel.

A quantitative empirical learning approach driven by a quasi-experimental methodology was undertaken to develop a solid understanding of the deceptive capabilities of the Cowrie and Conpot honeypots. This was accomplished by developing a framework created from the analysis of numerous Cowrie and Conpot configurations and linking these artefacts to their deceptive potential. This framework provides for customised honeypot configuration, thereby enhancing their functionality to achieve a high degree of deceptiveness and realism. These configured honeypots were then deployed in association with banners and firewall rules to prevent Shodan and NMAP detections and to prevent attackers from recognising default parameters. The results of these deployments show an exponential increase in attacker-honeypot interaction in comparison to their subsequent default implementations. In turn, they inform and educate cybersecurity audiences about how important it is to deploy honeypots with advanced deceptive configurations to bait cybercriminals and mitigate counterproductive distributions.

Access Note

Access to this thesis is embargoed until 18 May 2023.

Access to this thesis is restricted. Please see the Access Note below for access details.
