Int'l Conf. Security and Management | SAM'16 | 299
ISBN: 1-60132-445-6, CSREA Press ©

Using Football Formations in a Honeypot Environment

Sebastian Kollmannsperger and Tyrone S. Toland
Department of Informatics, University of South Carolina Upstate
800 University Way, Spartanburg, SC 29303
[email protected], [email protected]

Abstract — Unauthorized access to information continues to be a challenging problem, especially in a time where cyber attacks are on the rise. Current security measures (e.g., access control systems, firewalls, intrusion detection systems) may not be sufficient to protect the information technology (IT) infrastructure from a resourceful malicious attacker. This paper presents a novel approach to embed a football formation into a Honeypot environment. We show how executing football plays in a Honeypot environment can be used to gather information about a malicious attacker. This reconnaissance information can be used to prevent future unauthorized access to sensitive information. We also discuss our implementation and provide some results from a proof of concept experiment.

Keywords — Honeypots, Intrusion Detection System, Information Security

I. INTRODUCTION

Information security has been a challenge since humans began exchanging information. For example, ciphers have always been a topic in information security: they were used to encrypt important messages as far back as 50 BC [5]. The advent of the computer required stronger measures to enforce security, which became an even bigger challenge with the rise of the Internet. As companies become more and more inter-connected via the Internet, protecting the infrastructure and information becomes an even bigger challenge. Nowadays many different defense mechanisms work together to form a secure system. Firewalls, encryption tools, access control systems, intrusion detection systems and other security software each contribute to information security in a slightly different way.

Schneier [3] identifies three tasks of information security: prevention, detection and response. Every security tool can be assigned to one of these tasks. Prevention is the attempt to protect resources from danger and harm. Preparations have to be made to set up mechanisms that protect the IT. The goal is to make it as hard as possible for intruders and hackers to access resources. Well-known prevention tools are firewalls, password protection, encryption tools and digital signatures. When prevention is not effective, detection becomes an important process. With detection, we want to find out whether our system was compromised and from where. Detection is therefore like a monitoring tool. However, it does not contribute to the protection of systems, because detection tools act rather passively. An intrusion detection system is an example of a detection system.

After an intruder has been detected, we have to react. Every action in a system gets recorded and stored by one of the detection tools. Therefore, the intruder also leaves behind evidence. By analyzing this evidence, we can find out how the attacker got in, what the attacker accessed and what the intruder manipulated. With this information we can take steps to react adequately. Backup and recovery tools are an example of response tools.

We now discuss a tool that can be used to assist in securing a computer system.

A. Honeypots

Compared to other approaches to information security, honeypots are a more aggressive and active form of defense against malicious attacks [2]. Honeypots are defined in different ways. Schneier [3] defines a Honeypot as a security resource whose value lies in being probed, attacked or compromised. This paper defines a Honeypot as an IT resource with the goal of attracting potential malicious attackers. That is, any access to the Honeypot is examined and recorded so that it can be used to deter similar attacks from occurring in the future. Contrary to other components of an IT system, it is desired that the Honeypot gets attacked and probed. Since Honeypots masquerade as a sensitive resource, they do not provide any functionality for an organization. Therefore, if a malicious user accesses the Honeypot, this access can be seen as unauthorized access and therefore as an intrusion [2]. Honeypots can be categorized as either a production honeypot or a research honeypot as follows [3][4]:

• Production Honeypot: As the name suggests, this kind of Honeypot is used in a production environment. Their main purpose is to gather information about intrusions for a specific organization. They add value to an organization's information security.

• Research Honeypot: These Honeypots are used principally in a research environment to gather information about potential attackers. They do not add value to a specific organization. Information from Research Honeypots can be used to find out about the techniques and resources of attackers, which can help to prepare the production system for attacks.

B. Value of Honeypots

Honeypots are flexible tools and contribute to each of the three security aspects as follows [4][3]:

• Prevention: Contrary to the belief of the majority, Honeypots can help to prevent attacks because of deception and deterrence. Deception means that potential attackers may waste time and resources on honeypots. Without knowing it, attackers interact with a honeypot that imitates a valuable resource. During this interaction, organizations have time to react. After all, attacks can be stopped before any information leaks. Deterrence, on the other hand, is the effect of scaring off attackers because of the warning effect of Honeypots. When attackers know that an organization uses Honeypots, they may not even try to attack. As we can see, honeypots contribute to the prevention of attacks to a certain degree. Nonetheless, traditional prevention tools like firewalls are more efficient.

• Detection: Honeypots have the biggest impact in detection. For many organizations, detection is a difficult topic. Schneier [3] identifies three challenges when it comes to detection: false positives, false negatives and data aggregation. False positives are mistakenly reported alerts. This happens when the system interprets normal network traffic as an attack. The opposite, false negatives, are attacks that the system does not notice. Finally, data aggregation is the struggle to collect the data and transform it into valuable information. Common intrusion detection systems struggle in all three aspects. Intrusion detection systems act like a watchdog over a company's IT infrastructure. They monitor the traffic and identify whether an access is authorized or not. Therefore, intrusion detection systems generate a lot of data, resulting in an overload of information. Honeypots, however, help us to eliminate these negative aspects. Because every interaction with a honeypot can be seen as unauthorized, honeypots only register these interactions. The problems of data aggregation and false positives can be eliminated. False negatives can still occur, for example if an intrusion does not affect the Honeypot, but this risk can be mitigated by placing the Honeypot in an attractive position. Consequently, Honeypots help us to detect intrusions more effectively.

• Response: After an intrusion is detected, response is the next step to take. Honeypots help us to identify evidence via log files. That is, the user can analyze the log files generated by Honeypots to find out how the attacker gained access to the system. With the information collected by a Honeypot, we can construct countermeasures to prevent similar attacks from occurring in the future.

It should be noted that the goal of a Honeypot is not to prevent attacks, but to detect them. Therefore, a Honeypot should be combined with other security tools (e.g., firewalls, encryption, password protection).

In this paper we discuss how football plays can be used to gather information about malicious attackers in a honeypot research environment. In particular, we propose using various offensive plays to provide valuable reconnaissance information to defend sensitive information in an infrastructure. This reconnaissance information can be analyzed and used to defend sensitive information in an infrastructure. Our novel approach to mapping football formations into a honeypot research environment can be extended to a networked infrastructure.

This paper is organized as follows. In Section II, we discuss a research Honeypot environment. In Section III, we briefly describe a simplified football formation. In Section IV, we show how to map a football formation into a research Honeypot environment. Section V discusses our implementation and the results of a proof of concept experiment. Section VI concludes the paper.

II. RESEARCH HONEYPOT ENVIRONMENT

Honeypots allow a wide range of application areas. Because their goal is to distract and attract attackers, the best way to use Honeypots is within an IT infrastructure. The probability that an attacker interacts with a Honeypot is increased by masquerading as sensitive data.

In Fig. 1, we illustrate a Honeypot integrated with other important and possibly sensitive IT resources. Fig. 1 is a variation of a model in [4].

Fig. 1 Honeypot in IT Infrastructure
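
The detection and response points of Section I.B (a honeypot offers no legitimate service, so every connection it receives is unauthorized by definition and only has to be logged, and that log is the evidence for the response step) can be shown in a few lines of Python. This is an added example, not code from the paper or from its Java framework: the class and function names (HoneypotListener, AccessRecord, summarize_evidence, probe, demo) and the banner it replies with are assumptions, the two client probes are constructed inline, and it binds an ephemeral loopback port so it runs offline.

```python
"""Honeypot connection logger: every access is evidence (added example)."""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccessRecord:
    """What the honeypot keeps per connection; enough for the response step."""
    peer_ip: str
    arrival_ms: int
    departure_ms: int
    first_bytes: bytes       # what the peer sent first, kept for later analysis


class HoneypotListener:
    """Accepts TCP connections on a loopback port and records each one.
    No filtering is needed: normal traffic never reaches a honeypot."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.records: List[AccessRecord] = []
        records, lock = self.records, threading.Lock()

        class Handler(socketserver.BaseRequestHandler):
            def handle(self) -> None:
                arrival = int(time.time() * 1000)
                self.request.settimeout(1.0)
                try:
                    data = self.request.recv(256)
                except OSError:          # peer sent nothing before the timeout
                    data = b""
                # Reply like a plausible service so the peer keeps interacting
                # (the banner text is an assumption of this example).
                self.request.sendall(b"220 service ready\r\n")
                with lock:
                    records.append(AccessRecord(self.client_address[0], arrival,
                                                int(time.time() * 1000), data))

        self.server = socketserver.ThreadingTCPServer((host, port), Handler)
        self.server.daemon_threads = True
        self.port = self.server.server_address[1]   # port 0 -> ephemeral port
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def stop(self) -> None:
        self.server.shutdown()
        self.server.server_close()


def summarize_evidence(records: List[AccessRecord]) -> Dict:
    """Aggregate the log the way the response step needs it: which peers
    connected, how often, and over which time window."""
    peers: Dict[str, int] = {}
    for r in records:
        peers[r.peer_ip] = peers.get(r.peer_ip, 0) + 1
    first: Optional[int] = min((r.arrival_ms for r in records), default=None)
    last: Optional[int] = max((r.departure_ms for r in records), default=None)
    return {"peers": peers, "first_ms": first, "last_ms": last}


def probe(port: int, payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Constructed client connection used only to exercise the listener."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        s.sendall(payload)
        return s.recv(64)


def demo() -> Dict:
    """Start a listener, make two constructed probes and return the summary."""
    hp = HoneypotListener()
    try:
        probe(hp.port)
        probe(hp.port, b"HELP\r\n")
        # The handler appends its record just after replying; wait briefly.
        deadline = time.monotonic() + 3.0
        while len(hp.records) < 2 and time.monotonic() < deadline:
            time.sleep(0.01)
    finally:
        hp.stop()
    return summarize_evidence(hp.records)


if __name__ == "__main__":
    print(demo())
```

Because the listener stores nothing but the connections it receives, the summary is free of the false positives and data aggregation problems that an intrusion detection system has to fight; the remaining risk is the false negative of an intrusion that never touches the honeypot.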

The Honeypot is part of the infrastructure, similar to other important resources (e.g., mail server, web server). Therefore, the Honeypot distracts and attracts malicious attackers. Assuming that the attacker scans either our web or mail server, the likelihood that the attacker will access the Honeypot is high.

III. FOOTBALL OVERVIEW

We now provide a brief overview of American Football (football). In American football there are two teams of eleven players. Each team takes turns defending their goal. That is, the defending team wants to prevent the opposing team from taking the football into their end zone to score (e.g., field goal, touch back).

A. Football Offensive Formation

Although in real football there are eleven players per team, we will only consider seven players in this paper. Our offensive formation consists of five players that form the offensive line (OL + ROL). The offensive line has the task of keeping the ball away from the defending team. Behind the offensive line we have the Quarterback (QB) and Running Backs (RB). The job of the QB is to control the play. The RB, on the other hand, tries to outrun the defense. Fig. 2 shows the offense represented as circles.

Fig. 2 Offensive & Defensive Formation

B. Football Defensive Formation

The defensive formation consists of five defensive linemen and two Linebackers (LB). The defensive linemen try to attack either the QB or the ball carrier. The LB are there to provide additional support for the defense. Sometimes the LB also try to sack the opposing QB. Ultimately, the goal of the defense is to get the ball and stop the attack. Fig. 2 shows the defense represented as X's.

C. Double Reverse Flea Flicker

The double reverse flea flicker is one of many different football plays. It involves three players: the QB, the RB and one player of the OL, called the right offensive lineman (ROL). For the purpose of this play, the ROL takes up a different position to be able to perform the play. Fig. 2 shows the starting position. The dashed lines show the running paths of the players. The continuous line shows the path of the ball. So in the first move, the ball travels from the center of the offensive line to the QB. The ROL and RB run their paths. In Fig. 3 we can see the subsequent moves. When the RB crosses the QB, the ball travels from the QB to the RB (1). The next move happens when the RB crosses the ROL. The ball travels from the RB to the ROL (2). The final move happens when the ROL crosses the QB. Hereby, the ball goes from the ROL to the QB (3). During the play, the QB does not change place. However, the RB and the ROL cross and switch their sides. The ball travels from the center to the QB, to the RB, to the ROL and back to the QB. The goal of that play is to distract the defenders and create room for the QB to pass the ball. The opponent cannot recognize where the ball is and tackles the wrong player. This distraction has a strong similarity with the way Honeypots work. This is the reason why we chose to map this play onto a Honeypot research environment.

Fig. 3 Double Reverse Moves

IV. COMBINING FOOTBALL FORMATIONS and HONEYPOTS

Fig. 4 shows how a football formation can be implemented in a research Honeypot environment. As explained in Section III, Defenders are represented as X's and Attackers are represented as O's. We now map the football formation onto an IT infrastructure, whereby the roles change. Now, the Attackers are X's (i.e., they retrieve something) and the Defenders are O's (they protect something). Therefore, in this model the football attackers play the role of the defense, while the football defenders play the role of the attackers.

The goal now is to protect the ball instead of carrying the ball into the end zone. In our model the ball represents the sensitive data. The Honeypots masquerade as the sensitive data to attract attackers. The defense consists of protection tools like firewalls, encryption tools and password protection. The defense protects our infrastructure. This infrastructure consists of three Honeypots (HP1, HP2, and
HP3). Since we are working with a research environment, we do not have any production entity. The arrows illustrate unauthorized access. Since no defense mechanism is completely safe, there may be some traffic coming through the firewall that will access the Honeypots. When this happens, the Honeypots work together to execute the play of Section III.C.

A. Running the Play in a Honeypot Environment

In Fig. 4, HP1 acts like the RB, HP2 acts like the QB and HP3 acts like the ROL. This means that in the beginning HP2 (i.e., QB) masquerades as a sensitive resource (i.e., ball). So, the attackers try to access HP2. When this happens, we want HP1 to masquerade as a sensitive resource. So, we pass the ball to HP1. This again means that attackers now try to access HP1. Then, we want HP3 to masquerade as a sensitive resource, meaning HP3 becomes the new goal for the attackers. Finally, HP2 again masquerades as a sensitive resource. To pass the data between the Honeypots, we simulate data being active and inactive; in essence we are not really passing data between the Honeypots.

Fig. 4 Football Formation mapped in Honeypot Environment

V. IMPLEMENTATION and EXPERIMENT

We ran an experiment using a framework we implemented in Java 8.

A. Implementation

To show a proof of concept, we developed the following three programs:

• HoneypotServer (HPTS) – a program that simulates the honeypot. The program uses a Boolean variable (e.g., activeData) to simulate access to the sensitive data (i.e., the honey). If activeData is true, then access to the sensitive data is available via HPTS; otherwise, if activeData is false, then the sensitive data is currently not available via this machine. That is, access to the sensitive data has moved to a different machine.

• HoneypotManager (HPTM) – a program that sends a message to either activate or deactivate access to sensitive data on an HPTS. When data access has been deactivated on one HPTS, data access is activated on another HPTS, i.e., data access has moved.

• HoneypotAttacker (HPTA) – a program that the attacker uses to attempt to access sensitive data on an HPTS. The attacker sends an access request message (i.e., a malicious attack message) to the HPTS. If the HPTS has access to the sensitive data (i.e., activeData is true), then an active message is generated that contains: A (i.e., access to sensitive data is active), the HPTA IP address, the attack message arrival time on the HPTS, and the attack message departure time from the HPTS. Otherwise, an inactive message is generated that contains: N (i.e., access to sensitive data is not active), the HPTA IP address, the attack message arrival time on the HPTS, and the attack message departure time from the HPTS.

B. Experiment

We ran our experiment in a test networking lab. To simulate the example in Section IV, we ran HPTS on three computers (i.e., HP1, HP2, and HP3). We ran HPTA on a separate computer to simulate the attacks. On another separate computer, we ran HPTM to activate and deactivate data access on HP1, HP2 and HP3, respectively. For our experiments, HPTS only listens on port 9001.

This experiment implements Fig. 4. That is, HP2 is initially activated, while HP1 and HP3 are deactivated. The attacker can now search for the active honeypot using HPTA. To accomplish this, the attacker successively tries to connect to the honeypots. Once the attacker finds the active honeypot (i.e., activeData is true), the manager deactivates that honeypot (i.e., activeData is set to false) and then activates the next honeypot in the sequence. Then, the attacker searches for the next active honeypot and the process continues per Fig. 4.

Table I shows the result of this experiment. The attacker does follow the sequence of the play in Fig. 4 when accessing active data items. As we proposed, we could gather information from the malicious user in Msg 2 at HP2, in Msg 4 at HP1, in Msg 7 at HP3 and in Msg 8 again at HP2. That is, we can gather reconnaissance information from a malicious user at a given machine at a specified time.

C. Discussion

The experiment shows that our approach is feasible. Our approach provides a guaranteed time interval for which we can evaluate malicious activity. In particular, we can evaluate malicious activity when accessing an active
honeypot and/or when searching for an active honeypot. Based on Table I, we have extracted a set of active Honeypot access times (1) and a set of time intervals spent searching for an active Honeypot (2).

TABLE I EXPERIMENTAL RESULTS WITH TIMES IN MILLISECONDS

Msg#  HP#  Active  IP Address     ArrivalTime    DepartureTime
1     1    N       192.168.1.100  1463775948262  1463775948262
2     2    A       192.168.1.100  1463775950737  1463775950737
3     3    N       192.168.1.100  1463775957258  1463775957258
4     1    A       192.168.1.100  1463775958262  1463775958262
5     2    N       192.168.1.100  1463775966977  1463775966977
6     1    N       192.168.1.100  1463775967575  1463775967575
7     3    A       192.168.1.100  1463775970534  1463775970534
8     2    A       192.168.1.100  1463775979379  1463775979379

We define TFoundHoneypot as the set of arrival times of messages that arrive at an active Honeypot. We define TSearchingForHoneypot as the set of time intervals in which the attacker is searching for the active Honeypot.

1) TFoundHoneypot = {Msg2.ArrivalTime, Msg4.ArrivalTime, Msg7.ArrivalTime, Msg8.ArrivalTime}

2) TSearchingForHoneypot = {[Msg1.ArrivalTime, Msg2.ArrivalTime], [Msg3.ArrivalTime, Msg4.ArrivalTime], [Msg5.ArrivalTime, Msg7.ArrivalTime]}

We have defined sets of times which potentially provide more reconnaissance information than conventional Honeypot solutions.

VI. CONCLUSION

We have shown how a football formation can be used to configure a Honeypot environment to gather information about cyber-attacks. We have also provided a proof of concept experiment to show that our approach is feasible. Our novel approach can be used to gather valuable reconnaissance information about single and ultimately coordinated attacks using well-established football plays.

Future research will show how organizations may use these sets of times to either prevent attacks and/or catch attackers. We further propose that we can use plays from other sports in a Honeypot environment.

ACKNOWLEDGEMENT

The authors would like to thank Lt. J. Bernard Brewton for his invaluable help with this paper. The authors would also like to thank Dr. Frank Li, Dr. Jerome Lewis, and the Division of Mathematics and Computer Science for the use of their Networking Lab.

REFERENCES

[1] Cosmell, H. (2011). 9 Football Formations Every Man Should Know. Retrieved February 18, 2016, from http://www.totalprosports.com/2011/07/26/9-football-formations-every-man-should-know/
[2] Mokube, I., & Adams, M. (2007). Honeypots: Concepts, Approaches, and Challenges. North Carolina: Winston-Salem.
[3] Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons.
[4] Spitzner, L. (2002). Honeypots: Tracking Hackers. Addison-Wesley Professional.
[5] Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. Cengage Learning.
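
As an added example that is not the paper's Java 8 framework, the following Python models the three programs of Section V.A (HPTS, HPTM, HPTA) in memory, runs the play of Fig. 4 once (HP2, then HP1, then HP3, then HP2 again) and extracts the sets (1) and (2) of Section V.C from a message log; applied to the rows of Table I it reproduces the sets stated there. The attacker's round-robin probe order, the fixed one-second gap between probes and all class and function names are assumptions of this example; TABLE_I is copied from Table I.

```python
"""Simulation of the play across three honeypots (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Message:
    """One HPTS record: message number, honeypot number, 'A' (sensitive data
    active) or 'N' (not active), attacker IP, arrival and departure time (ms)."""
    msg: int
    hp: int
    active: str
    ip: str
    arrival: int
    departure: int


class HoneypotServer:
    """HPTS: a honeypot whose Boolean activeData says whether it currently
    masquerades as the sensitive data (the ball)."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.activeData = False

    def handle(self, msg_no: int, ip: str, now: int) -> Message:
        """Answer an attack message with an A or N record (Section V.A)."""
        flag = "A" if self.activeData else "N"
        return Message(msg_no, self.number, flag, ip, now, now)


class HoneypotManager:
    """HPTM: passes the ball along the play sequence of Fig. 4 (QB, RB, ROL,
    QB = HP2, HP1, HP3, HP2) by toggling activeData on the servers."""

    def __init__(self, servers: Sequence[HoneypotServer], sequence: Sequence[int]) -> None:
        self.servers: Dict[int, HoneypotServer] = {s.number: s for s in servers}
        self.sequence = list(sequence)
        self.step = 0
        self.servers[self.sequence[0]].activeData = True

    def advance(self) -> bool:
        """Deactivate the honeypot that was just found and activate the next
        one; return False once the play is finished."""
        self.servers[self.sequence[self.step]].activeData = False
        self.step += 1
        if self.step >= len(self.sequence):
            return False
        self.servers[self.sequence[self.step]].activeData = True
        return True


def simulate_play(ip: str = "192.168.1.100", start: int = 1463775948262,
                  sequence: Sequence[int] = (2, 1, 3, 2), gap: int = 1000) -> List[Message]:
    """HPTA probes HP1, HP2, HP3, HP1, ... one second apart (assumed order;
    Table I shows a different one); each hit on the active honeypot makes
    the manager move the ball. Returns the combined log of all HPTS records."""
    servers = [HoneypotServer(n) for n in (1, 2, 3)]
    manager = HoneypotManager(servers, sequence)
    log: List[Message] = []
    now, idx, running = start, 0, True
    while running:
        record = servers[idx % 3].handle(len(log) + 1, ip, now)
        log.append(record)
        if record.active == "A":
            running = manager.advance()
        idx += 1
        now += gap
    return log


def found_times(log: Sequence[Message]) -> List[int]:
    """Set (1), TFoundHoneypot: arrival times of messages at an active honeypot."""
    return [m.arrival for m in log if m.active == "A"]


def search_intervals(log: Sequence[Message]) -> List[Tuple[int, int]]:
    """Set (2), TSearchingForHoneypot: [arrival of the first N after the last
    find, arrival of the next A]. Two consecutive finds yield no interval."""
    intervals: List[Tuple[int, int]] = []
    search_start: Optional[int] = None
    for m in log:
        if m.active == "N" and search_start is None:
            search_start = m.arrival
        elif m.active == "A" and search_start is not None:
            intervals.append((search_start, m.arrival))
            search_start = None
    return intervals


# Rows of Table I of the paper (times in milliseconds).
TABLE_I = [Message(n, hp, a, "192.168.1.100", t, t) for n, hp, a, t in [
    (1, 1, "N", 1463775948262), (2, 2, "A", 1463775950737),
    (3, 3, "N", 1463775957258), (4, 1, "A", 1463775958262),
    (5, 2, "N", 1463775966977), (6, 1, "N", 1463775967575),
    (7, 3, "A", 1463775970534), (8, 2, "A", 1463775979379)]]


if __name__ == "__main__":
    for m in simulate_play():
        print(m)
    print("TFoundHoneypot(Table I) =", found_times(TABLE_I))
    print("TSearchingForHoneypot(Table I) =", search_intervals(TABLE_I))
```

On Table I the extraction yields exactly the four access times of (1) and the three intervals of (2): Msg 8 directly follows the find in Msg 7, so no search interval is opened between them. In the simulated run the attacker probes HP1 first after every move, so each find is preceded by a search and four intervals result.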