Georgia Tech Honeynet Report (January-March 2004)
1.0 HONEYNET DEPLOYMENTS
=========================
We are running a GEN II Honeynet with a variety of OSs of interest. We continue to use live OSs instead of VMware or HoneyD. Our web page with a diagram of our current setup is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/HoneyNet_home.htm. We have recently deployed a Darknet within our Honeynet.

Our focus continues to be the use of the Honeynet to help secure the campus network.
2.0 FINDINGS
=============
We had one Microsoft 2000 system compromised during the quarter. (The compromise report is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/Quarterly/quarterly.htm.) We also found 43 unique machines on the Georgia Tech campus that were compromised (and attempted to connect to the Honeynet).

We currently use Snort and Ethereal to monitor our data; multiple members of our team analyze the data using various filters.
3.0 MISC ACTIVITIES
====================
John Levine presented “Honeynets at Educational Institutions” at the Baltimore Department of Defense Conference.
4.0 ORGANIZATIONAL
==================
LTC John Levine has completed his PhD and is moving to West Point, NY, to teach at the United States Military Academy. Julian Grizzard replaces him as the project lead.
5.0 LESSONS LEARNED
===================
We have found the Honeynet to be a great tool for helping to secure the campus network. Since all traffic to the Honeynet is suspicious, any packet to the Honeynet originating from within the Georgia Tech address range is from a compromised computer, a malicious user, or the campus IDS. We send reports of all computers attempting to connect to the Honeynet to the campus network managers (OIT); they can then take action to keep the network secure by correlating our data with their IDS tools in order to reduce false positives.
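The rule described above, applied to connection records, as an added example (not the Georgia Tech team's toolkit): campus-sourced traffic into the honeynet block is flagged, known campus IDS scanners are set aside, and the remaining internal sources are collected into the kind of list that would go to OIT. The prefixes, the IDS address and the log lines are constructed placeholders, since the report gives none.

```python
"""Flag campus hosts that contact the honeynet (added example, not the
Georgia Tech team's code). RFC 5737 documentation prefixes stand in for
the campus range, the honeynet block and the campus IDS scanner."""
import ipaddress
from collections import defaultdict

# Placeholder prefixes: the real campus and honeynet ranges are not given in the report.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")      # stands in for the campus range
HONEYNET = ipaddress.ip_network("192.0.2.192/27")      # stands in for the honeynet block
IDS_SCANNERS = {ipaddress.ip_address("192.0.2.10")}    # known campus IDS/scanner hosts

# Constructed sample connection log: "<timestamp> <src> <dst> <proto>/<dport>"
SAMPLE_LOG = """\
2004-02-11T03:14:07 192.0.2.55 192.0.2.200 tcp/445
2004-02-11T03:14:09 192.0.2.55 192.0.2.201 tcp/445
2004-02-11T03:20:41 203.0.113.8 192.0.2.200 tcp/135
2004-02-11T04:02:13 192.0.2.10 192.0.2.203 tcp/80
2004-02-11T05:17:55 192.0.2.77 192.0.2.204 tcp/139
2004-02-11T05:18:00 192.0.2.77 192.0.2.50 tcp/139
"""

def parse_line(line):
    """Return (timestamp, src, dst, service) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return parts[0], ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]), parts[3]
    except ValueError:
        return None

def classify(src, dst):
    """Apply the report's rule: all honeynet traffic is suspicious, and an
    internal source is the campus IDS, a compromised host or a malicious user."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in HONEYNET or src in HONEYNET:
        return "ignore"          # not inbound honeynet traffic; out of scope here
    if src in IDS_SCANNERS:
        return "campus-ids"      # expected scanner, not reported to OIT
    if src in CAMPUS_NET:
        return "internal-suspect"
    return "external"

def internal_suspects(log_text):
    """Return {src: [(timestamp, dst, service), ...]} for campus hosts that
    contacted the honeynet, excluding known IDS scanners."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue             # skip malformed records rather than abort
        ts, src, dst, svc = rec
        if classify(src, dst) == "internal-suspect":
            hits[str(src)].append((ts, str(dst), svc))
    return dict(hits)
```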
6.0 GOALS
=========
We plan to develop a toolkit to streamline the data analysis process during the summer semester. We also have a member working on the development of a visualization monitor.