Javier R Franco, Ahmet Aris, Leonardo Babun, Selcuk Uluagac
S-Pot: A Smart Honeypot Framework with Dynamic Rule Configuration for SDN Conference Paper
In the Proceedings of the 37th IEEE Global Communications Conference (GLOBECOM), Rio de Janeiro, Brazil, 2022.
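% S-Pot (GLOBECOM 2022): honeypot framework for SDN-based enterprise networks.
% The abstract below is cut off mid-sentence in this export; see the url for the full text.
% year/month are kept; the date and urldate fields held the same value, so the urldate was not a real access date and both were dropped.
@inproceedings{franco2022s-pot,
  title     = {{S-Pot}: A Smart Honeypot Framework with Dynamic Rule Configuration for {SDN}},
  author    = {Franco, Javier R. and Aris, Ahmet and Babun, Leonardo and Uluagac, Selcuk},
  booktitle = {Proceedings of the 37th {IEEE} Global Communications Conference ({GLOBECOM})},
  address   = {Rio de Janeiro, Brazil},
  year      = {2022},
  month     = dec,
  url       = {https://ieeexplore.ieee.org/abstract/document/10000682/},
  abstract  = {Enterprise networks are becoming increasingly heterogeneous where enterprise devices and IoT devices coexist, requiring tools for effective management and security. Software Defined Networking (SDN) has emerged in response to such needs of modern networks. SDN lacks adequate security features and Intrusion Detection and Protection Systems (IDPS) have been used to protect SDN from attacks. However, they have limited knowledge of zero day attacks. Machine Learning (ML) has become a valuable tool against these limitations and improve (SDN) network security. However, the solutions that solely rely on ML can struggle to discriminate benign traffic from malicious, and suffer from false negatives. To solve these problems and improve security of SDN-based enterprise networks, we propose S-Pot, an open-source smart honeypot framework. S-Pot uses enterprise and IoT honeypots to attract attackers},
  keywords  = {Honeypot/Honeynet, SDN Security},
  pubstate  = {published},
  tppubtype = {conference},
}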
Muhammad A Hakim, Hidayet Aksu, A Selcuk Uluagac, Kemal Akkaya
U-PoT: A Honeypot Framework for UPnP-Based IoT Devices Conference Paper
In the Proceedings of the IEEE 37th International Performance Computing and Communications Conference (IPCCC), 2018.
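% U-PoT (IPCCC 2018): honeypot framework for UPnP-based IoT devices.
% The Shodan device count in the abstract is the figure the authors reported in this 2018 paper, not a current measurement.
% year is kept; the date and urldate fields both held 2018-01-01, which reads as an export placeholder, and were dropped.
@inproceedings{hakim2018u,
  title     = {{U-PoT}: A Honeypot Framework for {UPnP}-Based {IoT} Devices},
  author    = {Hakim, Muhammad A. and Aksu, Hidayet and Uluagac, A. Selcuk and Akkaya, Kemal},
  booktitle = {Proceedings of the {IEEE} 37th International Performance Computing and Communications Conference ({IPCCC})},
  year      = {2018},
  url       = {https://ieeexplore.ieee.org/document/8711321},
  abstract  = {The ubiquitous nature of the IoT devices has brought serious security implications to its users. A lot of consumer IoT devices have little to no security implementation at all, thus risking user's privacy and making them target of mass cyber-attacks. Indeed, recent outbreak of Mirai botnet and its variants have already proved the lack of security on the IoT world. Hence, it is important to understand the security issues and attack vectors in the IoT domain. Though significant research has been done to secure traditional computing systems, little focus was given to the IoT realm. In this work, we reduce this gap by developing a honeypot framework for IoT devices. Specifically, we introduce U-PoT: a novel honeypot framework for capturing attacks on IoT devices that use Universal Plug and Play (UPnP) protocol. A myriad of smart home devices including smart switches, smart bulbs, surveillance cameras, smart hubs, etc. uses the UPnP protocol. Indeed, a simple search on Shodan IoT search engine lists 1,676,591 UPnP devices that are exposed to public network. The popularity and ubiquitous nature of UPnP-based IoT device necessitates a full-fledged IoT honeypot system for UPnP devices. Our novel framework automatically creates a honeypot from UPnP device description documents and is extendable to any device types or vendors that use UPnP for communication. To the best of our knowledge, this is the first work towards a flexible and configurable honeypot framework for UPnP-based IoT devices. We released U-PoT under an open source license for further research on IoT security and created a database of UPnP device descriptions. We also evaluated our framework on two emulated devices. Our experiments show that the emulated devices are able to mimic the behavior of a real IoT device and trick vendor-provided device management applications or popular IoT search engines while having minimal performance overhead.},
  keywords  = {Honeypot/Honeynet, IoT Security},
  pubstate  = {published},
  tppubtype = {conference},
}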
Albert Brzeczko, A. Selcuk Uluagac, Raheem Beyah, John Copeland
Active deception model for securing cloud infrastructure Conference Paper
In the Proceedings of the IEEE Conference on Computer Communications Workshops (INFOCOM), 2014.
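% Active deception for cloud infrastructure (INFOCOM Workshops 2014): decoy assets placed among production hosts.
% The 1,255-host and 97.5 percent figures in the abstract are the authors' results from roughly one month of live traffic.
% year is kept; the date and urldate fields both held 2014-01-01, which reads as an export placeholder, and were dropped.
% The percent sign in the abstract is escaped so LaTeX does not treat the rest of the line as a comment when the field is typeset.
@inproceedings{BrzeczkoActiveIEEE2014,
  title     = {Active Deception Model for Securing Cloud Infrastructure},
  author    = {Brzeczko, Albert and Uluagac, A. Selcuk and Beyah, Raheem and Copeland, John},
  booktitle = {Proceedings of {IEEE} Conference on Computer Communications Workshops ({INFOCOM})},
  year      = {2014},
  url       = {https://ieeexplore.ieee.org/abstract/document/6849288/},
  abstract  = {The proliferation of cloud computing over the past several years has led to a variety of new use cases and enabling technologies for enterprise and consumer applications. Increased reliance on cloud-based platforms has also necessitated an increased emphasis on securing the services and data hosted within those platforms. From a security standpoint, an advantage of cloud platforms over traditional production networks is that they have a dynamic, mutable structure that can change as a result of a variety of factors, so reconnaissance on the part of an attacker is far less predictable. In this work, we propose a novel technique that leverages the amorphous nature of cloud architectures to deceive and redirect potential intruders with decoy assets implanted among production hosts. In this way, attackers encounter and probe decoys that lead them to reveal their motives and cause them to be less likely to compromise their intended target, particularly once they have revealed their tactics against decoy assets. We show that our technique, after having been exposed to live traffic for approximately one month, detected 1,255 highly malicious hosts and was able to divert 97.5\% of malicious traffic from these hosts. This traffic would have otherwise reached production hosts and potentially led to compromise.},
  keywords  = {Cloud Security, Honeypot/Honeynet},
  pubstate  = {published},
  tppubtype = {conference},
}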
Citations: 8413
h-index: 44
i10-index: 107