Cannypot: a Reinforcement Learning based adaptive SSH honeypot.

Lorenzo Del Sordo

Supervisors: Marco Mellia, Luca Vassio, Idilio Drago. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2021

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.


Cyber threats have grown fast during the last decades. The heterogeneity of protocols, the increasing number of devices continuously connected to the Internet and the presence of unknown vulnerabilities hidden in systems are just some of the aspects that widen the attack surface. Cyber-defensive strategies are able to react to a number of threats, but they often need knowledge about the nature of attackers to be designed properly. For this reason, collecting information about the intentions of malicious users has become a major activity in the cyber-security field. In this thesis, we focus on one of the possible mechanisms able to collect insights about attacker patterns and behaviour: the honeypot. Honeypots are systems exposed to attackers with the final goal of being exploited and capturing the activities performed by intruders.

We tried to improve the performance of an existing SSH honeypot, Cowrie, with the aim of maximising engagement with attackers. We designed a system, called Cannypot, able to adapt to different attackers. By selecting the answers offered to intruders, our solution tries to push them to remain connected to our system and to send more commands. To produce this adaptive system, we used a Machine Learning technique called Reinforcement Learning. This approach allows our system to learn how to answer through interaction with attackers. Before applying such techniques in a real-world scenario, we built a laboratory case to test our algorithm in a controlled environment. We designed an application able to mimic the behaviour of different types of attacker, with the final goal of studying the performance of Reinforcement Learning on the problem described. The results showed that our learning module is able to learn how to reply correctly after a limited number of interactions with attackers. Moreover, our learning system can distinguish among different situations and select the output that makes the attacker send the largest number of commands before ending the communication.

The learning core of our architecture chooses the output from a database of plausible answers. For this reason, a collection of possible outputs for different commands is needed. We designed a service running in the back-end of our system that is able to interact with several virtual machines, collecting outputs for commands. The communication between Cannypot and the back-end service is automatic. When Cannypot receives a command for which there is no answer in the database, the command is stored and sent to the back-end service. The latter executes the command on the connected machines and adds the list of outputs to the database. In this way, no human intervention is needed to populate the database.

We deployed Cannypot in a real-world scenario, exposing it to attackers for a month. The data collected during this period show that Cannypot is exploited with longer sequences of commands compared to a static honeypot used as a baseline.
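The abstract describes two mechanisms: a learning core that picks, per command, the answer that keeps the attacker sending commands, and an automatic path that queues commands with no stored answer for a back-end that runs them on real machines. The following is an added illustration of that loop, not code from the thesis or from Cowrie; it assumes a tabular epsilon-greedy learner keyed on (command, candidate answer) with the number of follow-up commands as reward, a hypothetical `AdaptiveResponder` class, a constructed answer database and a constructed attacker model. The thesis does not specify these details here, so treat the learner as one plausible instance of the idea, not Cannypot's algorithm.

```python
"""Toy adaptive honeypot responder (added example, not Cannypot's code)."""
import random
from collections import defaultdict

# Constructed "database of plausible answers": command -> candidate outputs.
# Banners are illustrative strings, not captured from any real host.
ANSWER_DB = {
    "uname -a": [
        "Linux srv01 4.15.0-112-generic #113-Ubuntu SMP x86_64 GNU/Linux",
        "Linux ubuntu 5.4.0-42-generic #46-Ubuntu SMP x86_64 GNU/Linux",
        "Linux raspberrypi 4.19.66-v7+ #1253 SMP armv7l GNU/Linux",
    ],
    "cat /proc/cpuinfo | grep name": [
        "model name\t: Intel(R) Xeon(R) CPU E5-2650 v4 @ 2.20GHz",
        "model name\t: ARMv7 Processor rev 4 (v7l)",
    ],
}


class AdaptiveResponder:
    """Hypothetical learner: one reward estimate per (command, answer index)."""

    def __init__(self, answer_db, epsilon=0.2, alpha=0.3, seed=0):
        self.db = {cmd: list(outs) for cmd, outs in answer_db.items()}
        self.q = defaultdict(float)      # (command, index) -> estimated reward
        self.eps = epsilon               # exploration rate
        self.alpha = alpha               # learning rate
        self.rng = random.Random(seed)
        self.pending = []                # commands queued for the back-end

    def choose(self, cmd):
        """Return (index, output); (None, None) if the command is unknown."""
        outs = self.db.get(cmd)
        if not outs:
            if cmd not in self.pending:
                self.pending.append(cmd)  # no answer: hand it to the back-end
            return None, None
        if self.rng.random() < self.eps:
            idx = self.rng.randrange(len(outs))          # explore
        else:
            idx = max(range(len(outs)), key=lambda i: self.q[(cmd, i)])  # exploit
        return idx, outs[idx]

    def learn(self, cmd, idx, reward):
        """Incremental update towards the observed reward (follow-up commands)."""
        key = (cmd, idx)
        self.q[key] += self.alpha * (reward - self.q[key])

    def ingest_backend_results(self, results):
        """Add outputs the back-end collected on its VMs and clear the queue."""
        for cmd, outs in results.items():
            self.db.setdefault(cmd, []).extend(outs)
            self.pending = [c for c in self.pending if c != cmd]


def simulated_attacker(cmd, output):
    """Constructed attacker model: number of further commands sent after
    seeing `output`. Deliberately context-dependent, so the learner must keep
    a separate estimate per command rather than one global favourite."""
    if cmd == "uname -a":
        return 5 if "armv7l" in output else 1   # IoT bot that wants ARM targets
    if cmd.startswith("cat /proc/cpuinfo"):
        return 3 if "Intel" in output else 1    # miner that wants x86 hosts
    return 0


def run_session(responder, attacker, cmd):
    """One interaction: answer the command, observe follow-ups, learn."""
    idx, out = responder.choose(cmd)
    if idx is None:
        return 0
    reward = attacker(cmd, out)
    responder.learn(cmd, idx, reward)
    return reward


def train(episodes=200, seed=0):
    """Train against the simulated attacker on both known commands."""
    responder = AdaptiveResponder(ANSWER_DB, seed=seed)
    for _ in range(episodes):
        for cmd in ANSWER_DB:
            run_session(responder, simulated_attacker, cmd)
    return responder


def best_output(responder, cmd):
    """Index of the answer the learner currently prefers for `cmd`."""
    outs = responder.db[cmd]
    return max(range(len(outs)), key=lambda i: responder.q[(cmd, i)])


if __name__ == "__main__":
    r = train()
    for cmd in ANSWER_DB:
        print(repr(cmd), "->", r.db[cmd][best_output(r, cmd)])
    r.choose("wget http://203.0.113.5/x.sh")   # unknown: goes to the queue
    print("queued for back-end:", r.pending)
```

Two points the toy makes concrete: the reward is observable inside the honeypot itself (count the commands that follow an answer before the session closes), so no labelled data is needed; and the unknown-command queue is what lets the answer database grow without an operator, exactly the automatic loop the abstract attributes to the back-end service. A real deployment would also need to guard against an attacker who probes for inconsistencies between answers (the learner above happily mixes an x86 kernel banner with an ARM cpuinfo line if that is what keeps sessions going).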

Supervisors: Marco Mellia, Luca Vassio, Idilio Drago
Academic year: 2020/21
Publication type: Electronic
Number of Pages: 98
Degree programme: Master's degree in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating organisations: Politecnico di Torino - SmartData@PoliTo
URI: http://webthesis.biblio.polito.it/id/eprint/19256