GSoC/GCI Archive
Google Summer of Code 2009

The Honeynet Project

Web Page: http://www.honeynet.org/gsoc

Mailing List: https://public.honeynet.org/mailman/listinfo

Founded in 2000, the Honeynet Project is a non-profit research organization dedicated to improving the security of the Internet. For the past ten years everything we have done and continue to do is based on the principles of open source and volunteer effort. Our bylaws specifically state that any software or documents developed and published by the organization must be licensed as open source and made freely available to the public. Our goal is to help coordinate the development, deployment, advancement and research findings of honeypot-related technologies. With over thirty chapters, numerous universities, one hundred members and twenty open source research projects around the world, we are a highly diverse and international organization.

Projects

  • Developing a Hybrid Honeypot Architecture The goal of this project would be to complete the development of an open source hybrid honeypot framework. This project would be built to facilitate the deployment of honeynets in large networks. Through a Decision Engine and a Redirection Engine that can drop or replay interesting attack sessions in real time, it would provide a scalable solution to help honeypot researchers and network operators manage their honeynets.
  • Developing and improving a Web Application Honeypot Glastopf is a minimalistic web server emulator, written in Python. Glastopf collects web application based attack information like remote file inclusions, SQL-inclusions and local file inclusions. The attack data is stored in a MySQL database that can be browsed via a web interface. Recently, a very early, stable version of Glastopf was released. The unstable branch has a lot more features, but most of them are lacking some love. I am planning a new stable release within the next few weeks.
  • Further DOM Simulation and other Improvements to PHoneyC We already know that PHoneyC is a low interaction client honeypot which is designed for the deobfuscation and detection of malicious content in the wild. But since its framework is quite different from a browser, this limits its ability to do the deobfuscation. In order to make further improvements to PHoneyC, first we must simulate DOM objects in JavaScript, and then solve other problems of real-time interaction. We wish to focus on these in the GSoC project.
  • Google Summer of Code application - Honeynet Project Project 4: Developing a solution for managing client honeypots. I am well suited to perform this project because of my interest in web development and IT security (especially honeypots). I left my country to work on honeypots for one year in the United States, in a specialized laboratory at the University of Maryland, and I am really enjoying it. So I would be very interested in working on this project. I have a lot of time to invest in it, and plenty of ideas.
  • Improving high interaction client honeypots (Capture-HPC and Capture-BAT) This project will further develop Capture-HPC and Capture-BAT. These developments include improving data logging and operational management, improving stateful operations, and adding network API hooking. Migrating result data storage from flat files to a suitable database is also covered by this project.
  • Improving Picviz to dynamic and visual log data analysis This proposal tries to improve Picviz, changing some features and adding new features to it. It addresses some possible improvements in a graphical tool for creating PCPs (parallel coordinate plots). Graphics of this type are generally confusing to understand; there are some techniques from studies of PCPs that can be applied to optimize the recognition of information in the graphics. Some of these techniques will be used in order to make the analysis of log data using Picviz easier and more efficient.
  • Proposal for Project 1: Improving phoneyc Nowadays, web-based malware (a.k.a. drive-by downloads) has seriously threatened the Internet and web client security. PHoneyC, as a low interaction honeyclient, has done well in malscript deobfuscation and detection; however, it needs further enhancement. This proposal mainly discusses the main ideas about integrating PHoneyC and the libemu library to enable shellcode detection and emulation, and it also presents a way to collect the downloads fetched by the shellcode or other scripts.
  • Qebek: QEMU based Sebek Data capture on high interaction honeypots is still of great value, but the current de-facto high interaction honeypot monitoring tool, Sebek, is not good enough, especially for Win32 clients. In order to improve its stealthiness, stability and data correlation, during the GSoC I intend to implement a VMI-based honeynet monitoring tool, Qebek (aka QEMU based Sebek), for data capture on high interaction honeypots. This tool is based on QEMU and targets Windows-based honeypots. The deliverables include the GPL licensed source code for this functionality, and a working demonstration system running in my lab at Peking University.
  • Sebek Time Series Visualization In the security visualization field there are few tools that show data occurring over a series of definite time steps. Most are either graphs with a time axis or network visualizations that view network traffic in real time. This project seeks to create or augment an existing tool to display Sebek data over a series of time steps, at the single instance and network level, to help researchers analyze trends.