HoneyPort - a scalable meta-honeypot system for security applications

The internet has become almost essential in everyday life over the past fifteen years. Some researches state that there will be around 30 billion active networked devices around the world by 2020. The main drawback of this trend is the continuous sharing of private information among these networked devices that could lead to critical privacy and security issues that can not be more neglected. Moreover, several cyber attacks have exploited vulnerabilities in tens of thousands of IoT (Internet of Things) devices to send a crippling amount of service requests to unaware websites. One of the most effective ways to gather information about hacking attempts is the implementation of Honeypots. Honeypots are architectures that serve as a decoy-based technology which entices attackers with low vulnerabilities system, in order to analyze their activities from the start. In most of the literature on honeypots, the goal is to recreate a vertical system capable of reproducing a specific service protocol linked to a communication endpoint called port. One example is the open-source project Cowrie, maintained by Michel Oosterhof, that mimics the SSH protocol service listening on port 22. Since nowadays a hacker typical behavior is to attack the networked devices on settings backdoors, it has become necessary to develop a honeypot system capable of handling horizontal requests on all possible TCP/UDP ports. To solve the problem of honeypots low visibility (in terms of port coverage), some research groups have employed the strategy of placing different honeypots in a single machine allowing them to listen to different predetermined or random ports. This solution is a good starting point, but it does not ensure complete coverage on all possible endpoints, not to mention the lack of scalability and flexibility that different environments would require. My research contribution was to enhance honeypot architecture by making it more flexible and scalable while keeping the ability to simulate a specific service. I developed a meta-honeypot aggregator called HoneyPort, able to classify the protocol requests from all the 65535 ports and to redirect the traffic to the most suitable honeypot through well-established proxy functions. The requests are firstly aggregated in a single endpoint and analyzed through a classifier in order to identify the service demanded by the attacker. Then a connection is settled toward the most suitable honeypot, optimizing the number of occupied sockets. The proxy classifier inside the HoneyPort yields to reach great flexibility because it adds a level of isolation between honeypot and endpoint, solving in that way the low visibility problem. The microservices approach used during the development of HoneyPort allows the administrator to instantiate or deactivate honeypots based on his needs, making the system scalable. The examination of the data packet between a stand-alone implementation of honeypots and a real deployment of the HoneyPort allowed comparing the two methodologies through a Big Data approach. The data collected by the HoneyPort framework showed a marked increase in the variety and quantity of attacks that the Host is capable of dealing with, compared to convectional honeypot systems. These results highlight the fact that the HoneyPort is a promising proof of concept that, through further improvement, could represent a new frontier in cybersecurity research.