NoAH floats its ideas at TNC 2008

The 2nd NoAH workshop was held on 20 May 2008 in Bruges, Belgium. This was organised as two parallel sessions within the wider TERENA Networking Conference (TNC 2008), and attracted more than 60 participants. The objective was to present the current activities of the European Commission-funded NoAH project, as well as other relevant work related to honeypots.

The opening presentation by Spiros Antonatos (FORTH) focused on honey@home, an application developed by the NoAH project that can be installed on a Windows or Linux PC. The application allocates an unused IP address in order to collect information about potential cyberattacks, forwarding it to a remote NoAH honeypot for further analysis. As a result, the geographical coverage of the NoAH infrastructure is greatly extended.

The second presentation by Stefano Zanero (Politecnico di Milano) examined the usefulness of intrusion detection systems (IDS) compared with honeypots. Whereas a honeypot actually needs to be compromised in order to be useful, an IDS is able to detect security violations on any system. This in principle allows better collection of attack data, and it can be taken a step further to develop anomaly detection systems, which learn by contrast with normality.

The third presentation by Pascal Gamper (ETHZ) focused on improved methods for generating signatures for zero-day attacks. Time is critical when dealing with such attacks, which means fast automated methods are necessary if they are to be useful in IDSs.

There then followed a talk by Melanie Rieback (VU) on the issues related to RFID (Radio Frequency Identification) technology. This provided an interesting historical overview of the development of the technology, but also of the security issues and concerns that it currently presents.

It was then back to more NoAH developments, with a presentation from Asia Slowinska (VU) on the Argos secure system emulator that provides a secure containment environment for running a honeypot system. Whenever potential malicious use is detected, the unsafe data is saved for off-line processing and the emulator terminates its execution. The aim is to prevent the honeypot systems from themselves being compromised, and to ensure that early-warning information can be forwarded to other systems.

The final presentation was given by Marc Dacier (Symantec) on the Leurré.com distributed honeynet. This is a network of low-interaction honeypots based on the honeyd software. Currently there are around 50 platforms deployed in 30 countries around the globe. The software can be installed on a low-specification PC from a CD available from Eurecom, and also provides access to the entire SQL database of collected traffic traces. In fact, the success of the system in collecting useful data encouraged the establishment of the three-year EC-funded WOMBAT project to establish a worldwide observatory of malicious behaviours and attack threats.

The feedback received about the workshop was very positive, and the speakers were highly rated by those attendees completing feedback forms. The presentations from the workshop are available online from the NoAH website.
