CORDIS - EU research results

NoAH: a European Network of Affined Honeypots

Final Report Summary - NoAH (NoAH: a European Network of Affined Honeypots)

Over the past decade, we have witnessed an increasing number of cyber-attacks on the internet. Viruses, trojans, and other types of malicious software are discouraging the effective use of the internet and are crippling the global IT infrastructure. In recent years, outbreaks have demonstrated that attackers already have the capability to compromise a large part of the internet within minutes. To make matters worse, laboratory studies suggest that it is possible to craft carefully designed attacks that can compromise tens of thousands of internet-connected computers within seconds, and that the damage of such an attack could reach more than USD 50 billion. At these time scales, human reaction to an attack may be impossible. To successfully combat such threats, we need an infrastructure to assist in detecting and containing such attacks.

The main goal of the 'European Network of Affined Honeypots' (NoAH) project has been to produce a design study and perform the necessary technical work towards the development of an infrastructure for security monitoring based on honeypot technology. Honeypots are computer systems that do not provide real production services. Instead, they are intentionally vulnerable and, at the same time, closely monitored systems that wait to be compromised by attackers. Once hit, honeypots can be used to analyse attacks: where the attacker came from, how they entered the system, what they tried to do after entering, and so on. We expect that by gathering and correlating data from geographically dispersed honeypots, NoAH will be able to detect cyber-attacks before they have the chance to do any major damage. To achieve this, NoAH has explored the potential for automated generation of attack signatures or other containment-related information that may be used by reactive security systems. Additionally, NoAH has the goal of facilitating a distributed security analysis infrastructure for internet service providers (ISPs), national research and education networks (NRENs) and security organisations.

More specifically, NoAH had the following key objectives:

- Design an infrastructure of affined honeypots that will gather and correlate data about attackers, their methods, and actions on the internet.
- Develop techniques for the automatic identification of novel attacks and for the automated generation of corresponding signatures, enabling the effective containment of the spread of an attack.
- Install and operate a pilot NoAH infrastructure to demonstrate the effectiveness and utility of a full-scale NoAH infrastructure.
- Provide sanitised attack information to the security research community on a pilot basis. Such a repository of information has the potential of boosting research and development in the area of attack detection and containment.
- Extend the participation in the infrastructure to ISPs, NRENs, and security organisations outside the NoAH consortium.
- Disseminate the results of the project to researchers and security analysts.

The NoAH project successfully carried out a design study towards a security research infrastructure, demonstrating that it is feasible to provide a public and shared system for obtaining security-related data feeds and carrying out security-related experiments. One possible exploitation direction would be to operate this infrastructure at a larger scale.

The most important contribution was in demonstrating the feasibility of a research infrastructure to support the European scientific community. With an open architecture and low operational costs, NoAH is expected to continue operation after the end of the project, providing infrastructure access and valuable datasets for security research in Europe. Furthermore, the lessons learned from the NoAH experience are likely to help guide future efforts, including those of other projects in this space such as Forward and WOMBAT.