1. DEPLOYMENTS: Current technologies deployed: Our
focus for the last year has been on student-focused research projects, thus
we have had several deployments that have been up and down as the projects
progress.
We initiated six separate efforts:
- During the summer, 2006 we sent
three teams of students to Chile, Panama, and France to work with students
at local universities to deploy honeynets. These configurations were
standardized across countries to evaluate the types of attacks against
common configurations in different areas of the world. The student
experience was a success, with each location establishing a functional
honeynet. The students in Chile and Panama maintained the honeynets
and continued the project into the academic year, however the project was
not supported as part of the academic curriculum and was abandoned.
- Foreign Visiting Student
(undergrad, Chile): A student from Chile visited West
Point (Feb 2007) to work on honeynet deployments and was successful in
deploying a Gen II honeynet. The deployment was placed on our external
commercial ISP. We deployed two versions of Roo (189 and the latest
test version). The student (Miguel) fixed a couple of errors in
Walleye but was not at USMA long enough to fully evaluate the new Roo.
- Foreign Visiting Student (undergrad, Panama): Three students from Panama came
to USMA for 4 weeks to learn how to deploy and monitor honeynets. We
spent the first two weeks getting them integrated into West Point and in
weeks three and four deployed several different configurations (well - some
were only attempted...).
o They successfully deployed a Gen II honeynet
using Roo 189 and several virtual machine based honeypots.
o The team deployed a SCADA honeypot.
o The team attempted to deploy a node in the GDH, however were not
successful due mostly to lack of time as other requirements took precedence.
o Finally, the team attempted to set up a Honeymole client pointing towards
Lance's endpoint, however coordination was not successful due to a very heavy
travel schedule during the week the team had available.
- Dynamic Honeynets/Network
Deception (undergrad, USMA): This student project implemented a prototype of
a dynamic honeypot creator that used Honeyd to provide a "net" to capture
scans and direct some of the traffic to a custom honeypot (using GRE
tunnels). The approach for dynamic honeypot generation in response to
identified attacks is the automatic generation of virtual machines (VMs) in
a robust and realistic manner for the hacker to interact with. A separate
honeypot controller performs three functions. First, it starts a
low-interaction honeypot to keep the attack engaged. Then, it directs a
VMware server to generate the appropriate target VM. These VMs provide the
operating system and applications (web server, FTP server, etc.) targeted by
the attack. The controller then establishes a dedicated network tunnel and
adjusts routing information so that the attack traffic is forwarded to the
target VM for high interaction. (Design Document, National Conference
for Undergraduate Research paper, Network Deception Future Work Paper)
- Forward Looking Intrusion
Prevention (undergrad, USMA): This team took Snort-inline and embedded it in
an FPGA microcontroller and used co-processors to speed up the comparisons.
A partially functional prototype was completed. A wide variety
of attacks are widely available to exploit vulnerabilities of portable
devices like laptops. One of the most common attack vectors today consists of
application layer attacks that pass undetected through the firewalls. In
order to detect these attacks, a computer must scan all incoming packets,
expending system resources and degrading overall performance.
Portable devices in particular do not have sufficient resources to run
network intrusion detection software in the background capable of detecting
application layer attacks. Ironically, even if they could, detection implies
that an attack is caught only if it has already penetrated the system. An
approach to overcome this problem is to build a separate hardware-based
intrusion protection system module that effectively scans wired or wireless
incoming packets within firmware using Snort-Inline® before this potentially
hazardous traffic is sent to the host for processing. This plug-and-play
filter not only alleviates the resources demanded of the mobile host, it
provides enough processing power and memory for server-like security. In
addition, tools have been built for the user to set security to different
levels and to set triggers to pull as well as push all scan log reports from
the module to the host for analysis and extraction within Basic Analysis and
Security Engine software (BASE). This research presents a unique design and
proof-of-concept implementation of this forward looking intrusion protection
system (FLIP) for mobile devices using Windows XP that detects and prevents
application layer attacks and others from ever reaching the user's laptop
without any appreciable degradation in performance. (Design Document,
Snort-Inline updated install document, National Conference for Undergraduate
Research paper, WorldComp paper)
- HoneyTIC (masters, University of Detroit Mercy): The purpose of this
project is to establish a unique and complete process for threat
intelligence gathering, malware collection and incident response. This
project will address how members of the honeynet alliance can contribute to
the process of gathering threat intelligence and collecting malware. Members
of the honeynet alliance can participate and contribute malware collected
with the help of nepenthes or any suspicious scripts being seeded in the
honeynet they are monitoring. Access will be granted to all the collected
malware, which will await a special escalation process to determine whether
the malware is unique; if so, the appropriate government IT security incident
response agencies and other organizations will be notified.
The Honeynet Threat
Intelligence Center (HoneyTIC) will be introduced to manage the threat
intelligence gathering, malware collection and incident response
effectively. This center will be responsible for gathering threat
intelligence such as a new vulnerability, an exploit, or malware in the wild
spreading through a newly discovered vulnerability. HoneyTIC will be
responsible for analyzing and accurately prioritizing the threat
being looked at, and for prioritizing the importance of the malware being
captured and analyzed based on the threat intelligence findings. To make
this process easy, it will be divided into three phases:
1. Discovering Phase
2. Investigating Phase
3. Reporting Phase
(HoneyTIC report)
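The honeypot controller in the Dynamic Honeynets project above reacts to Honeyd-captured scans by picking a target VM and steering the attacker's traffic into it over a GRE tunnel. The following is an added illustration of that decision logic, not code from the student project: the log lines are constructed in a Honeyd-like format, and the VM image names, addresses and the per-attacker /32 route are hypothetical simplifications of what the controller would push to VMware and the routing table.

```python
import re
from collections import OrderedDict

# Constructed sample in a Honeyd-like connection log format (not real capture data):
# timestamp proto(num) flag src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2007-03-01-10:15:02.0001 tcp(6) S 203.0.113.7 41022 10.1.1.20 80
2007-03-01-10:15:02.0090 tcp(6) S 203.0.113.7 41023 10.1.1.20 21
2007-03-01-10:15:03.2200 tcp(6) S 198.51.100.9 50511 10.1.1.21 445
2007-03-01-10:15:04.0000 udp(17) - 203.0.113.7 53000 10.1.1.20 161
"""

# Hypothetical mapping from the service a scan targets to a pre-built VMware
# image and the address that image answers on once it is started.
VM_TEMPLATES = {
    80:  ("web-xp-iis", "10.9.0.10"),
    21:  ("ftp-linux",  "10.9.0.11"),
    445: ("smb-win2k",  "10.9.0.12"),
}

LINE_RE = re.compile(r"^\S+ (\w+)\(\d+\) \S+ (\S+) \d+ (\S+) (\d+)$")

def parse_events(log):
    """Return (proto, attacker_ip, honeyd_ip, dst_port) tuples from Honeyd-style lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, src, dst, port = m.groups()
            events.append((proto, src, dst, int(port)))
    return events

def plan_redirects(events, local_ip="10.9.0.1"):
    """For each new attacker, choose the VM image matching the first service it
    probed and emit the tunnel/route commands that move its traffic off the
    low-interaction Honeyd 'net' onto that high-interaction VM."""
    plan = OrderedDict()
    for n, (proto, attacker, honeyd_ip, port) in enumerate(events):
        if attacker in plan or port not in VM_TEMPLATES:
            continue  # already engaged, or no high-interaction image for this service
        image, vm_ip = VM_TEMPLATES[port]
        tun = f"gre{n}"
        plan[attacker] = {
            "image": image,
            "commands": [
                f"ip tunnel add {tun} mode gre local {local_ip} remote {vm_ip}",
                f"ip link set {tun} up",
                # simplified: only this attacker's flows are steered into the VM
                f"ip route add {attacker}/32 dev {tun}",
            ],
        }
    return plan
```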
2. FINDINGS: Our findings are best
described in the documents referenced in the research project documents.
Our focus for the past year has been on development of technologies, not
monitoring honeypot traffic. Any systems we have had up have been for
experimentation - not data collection.
3. LESSONS LEARNED: Our lessons learned focused
on the deployment steps for honeynets. Working with several teams of
students allowed us to re-write the deployment walk-through. The
document will be final when the new Roo is released.
4. NEW TOOLS: The research
activities described above under "deployments" developed two novel
technologies:
- The embedded snort-inline project.
- The Dynamic honeypot generation project.
5. PAPERS AND PRESENTATIONS
Briefing: "Dynamic Honeynet Deployments",
Information Assurance Workshop, University of Alaska, Sept 2006
Briefing: "Current Network Threats and Honeynet Deployments",
International Information Management Association conference, Iona
College, Oct 2006
Briefing: "Advanced Honeynet Deployments",
ReBl Conference, NSA, Nov 2006
Briefing: "Honeynet Deployments", 1st
Information Operations Command, U.S. Army, Nov 2006
Briefing: "Network Deception using Honeynets
and related technologies", Faculty Briefing, City University of New
York, May 2007.
Briefing: "Network Defense Fundamentals",
Strategic Studies Group, Naval War College, May 2007.
Paper: A step-by-step guide to installing a
virtual roo: Updated. (report)
Paper: Snort-inline installation guide. (report)
Paper: HoneyTIC: a Threat Integration Center.
(report)
Paper: Automatic Honeypot Generation and Network
Deception. (report)
Paper & Briefing: Forward Looking Intrusion
Protection (FLIP), Proceedings of the National Conference on
Undergraduate Research, San Rafael, CA, 12-14 April 2007. (conference)
Paper & Briefing: FLIP Forward Looking Intrusion
Protection for Mobile Devices via Snort-Inline™ Hardware Implementation,
Proceedings of the 2007 World Congress in Computer Science, Las Vegas,
NV, 25-28 June 2007. (conference)
Paper & Briefing: Dynamic Honeynet Generation,
Proceedings of the National Conference on Undergraduate Research, San
Rafael, CA, 12-14 April 2007. (conference)
6. ORGANIZATIONAL: We remained level in our faculty
membership. Growth came in the form of student interest. This
coming year I expect some turbulence as one faculty member departs USMA and
Ron Dodge transitions to an Associate Dean position. The intent is to
continue to support student research (although at a decreased level) and
increase the deployment of functional honeynets. We added three faculty to
facilitate the summer honeynet research.
7. GOALS: Our goals for the coming year will
focus on transitioning new personnel into the project. The research
center that has sponsored honeynet research will undergo a director change
and specific goals will be determined over the summer.
- The outgoing director (Ron Dodge)
will be moving to be the Associate Dean for the IT infrastructure at USMA.
We intend to leverage this position to increase the deployment of internal
honeypots on the USMA .mil network.
- The incoming director, Greg
Conti, has been working on data visualization. I hope to have him
listed in our next report as an active member.
- The research activities described
above under "deployments" developed two exciting technologies that will be
expanded in the following year:
o The embedded snort-inline project will be evaluated to determine if efficiencies
to the honeywall can be achieved by embedding additional functionality in
firmware.
o The Dynamic honeypot generation project will continue to "clean-up" the code and
deploy a prototype on a live network.
8. MISC ACTIVITIES:
1. Ron Dodge has continued to serve on the steering
committee.
2. Ron Dodge has continued to serve as a KYE reviewer.
3. The West Point hosted IEEE Information Assurance
Workshop has again provided a call for papers that specifically included
honeynet technologies.
4. Attended Honeynet get-together in Chicago.
The West Point project funded two people to attend from research funds.