
Updated Thesis Report

Shreyas Srinivasa 8 years ago
parent
commit
e21a89e818
2 changed files with 24 additions and 7 deletions
  1. BIN
      thesis_report/Thesis_Report.pdf
  2. 24 7
      thesis_report/Thesis_Report.tex

BIN
thesis_report/Thesis_Report.pdf


+ 24 - 7
thesis_report/Thesis_Report.tex

@@ -210,12 +210,27 @@ Early research on Mobile Honeypots focused only on  Bluetooth communications[5,1
 	//Write about Mobile Honeypots
 There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a Honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
 
-	//List about HosTaGe and other related work on mobile Honeypots       
+\begin{itemize}
+
+\item\textbf{HoneyDroid}(cite HoneyDroid) HoneyDroid is a smartphone Honeypot for Android operating system which claims to be the first ever Honeypot in the Mobile Honeypots category which makes use of smart phone hardware to host the Honeypot.It is built on a Linux micro-kernel and is customized to impose restrictions on the Android operating system for monitoring its activities. The architecture is comprised of a Event Monitor, to monitor active connection requests and also system calls in the kernel level; Filters to mitigate any attempts of malware trying to affect the system and a log software to log all the activities. This Honeypot is also focused on detecting attacks from apps installed in the device which try to infiltrate the kernel for gaining unauthorized access. The system also involves virtualization which enables simulation of various services. 
+This could also result in an overhead, hereby causing a signature which can be detected by attackers and malware. However, the direction of HoneyDroid was to introduce the concept of Mobile Honeypots. 
+
+
+\item\textbf{Cellpot:} (cite Cellpot) Cellpot concentrates on detection and defence of attacks in the cellular network. It comprises of a collection of Honeypots, or Honeynets that are deployed on mobile phones. Cellpot consists of applications like SMS spam prevention, mobile phone theft and malware protection. The Honeypot mainly is concentrated towards Small Cells(cite from paper), wireless infrastructure deployed in customers site and operated in licensed bands. The main use of Small cells is to support the need of coverage and capacity. These points are a good place to deploy the Honeypots to detect malware and other intrusion attacks. Denial Of Service is the most common category of attack in the area of cellular networks, and with the help of few devices,this attack can be executed successfully. Introducing a Honeypot approach for detecting such attacks at small cells is a feasible solution.The concept of Cellpot is to detect, collect intelligence and
+mitigate threats against the cellular network directly on the base stations. Further, it has the ability to
+deploy countermeasures against detected threats, and enables
+a wide area of applications. It provides a good platform
+for mobile network operators to deploy and run additional
+applications to reduce signaling.
+
+\item\textbf{Nomadic Honeypots:}
+
+\item\textbf{HosTaGe:}\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a Mobile Honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
+
+
+\end{itemize}       
       
-   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a Mobile Honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
-       
- 
-         
+            
    \subsection{SCADA Honeypots}
 
 	Analysing the security concerns of ICS SCADA systems and the advantages of Honeypots, a solution could be implemented to combine the needs and features. SCADA Honeypots could be deployed in ICS  Networks for monitoring and analysis. They act as an additional line of defense providing warnings and notifications for attacks. Designing a SCADA Honeypot involves studying the architecture of the SCADA systems and the components, protocols involved in communication and processing of data. Further, as discussed before, SCADA networks comprise of hardware devices like PLCs and RTUs which play a very critical role in processing and communication of data. SCADA systems rely on PLCs for data processing. If PLCs are targeted by attackers to compromise their working, it could bring down the entire plant, hereby resulting in a huge catastrophe. Modern day PLCs offer TCP/IP communication which can used to control and manage the data flow between other PLCs and control servers. On investigating attacks that have occured in the past, STUXNET a malware, was found to be injected in a Nuclear Enrichment Facility in Iran. STUXNET was found to be injected into the network using a USB drive to one of the host control systems. The malware spread from that system to other systems through intranet and remained hidden from operators. STUXNET was able to interfere with the working of a PLC that controlled centrifuges and managed to compromise the conditions on which the PLC depends. It was only by the observation of an operator that the PLC was causing the centrifuges to run more fast than usual was detected. But nobody could determine what caused the centrifuges run abnormally.  
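Review bot: The added \item entries carry placeholder citations as literal text, "(cite HoneyDroid)", "(cite Cellpot)" and "(cite from paper)", which will print verbatim in the PDF; replace them with \cite{...} keys as the HosTaGe item does. The \item\textbf{Nomadic Honeypots:} entry is empty, so either give it a description or drop it until it is written, since the paragraph above the list already mentions Nomadic Honeypots. The HosTaGe item now opens with the citations followed by "is an Android App", so the sentence has no subject after the bold label. The Cellpot text is hard-wrapped mid-sentence from "mitigate threats against the cellular network" onward, unlike the rest of the file; if that passage is taken from the paper, quote and cite it or paraphrase it. Smaller points: missing spaces in "Honeypot.It", "devices,this" and "solution.The", "a Event Monitor" should be "an Event Monitor", the HoneyDroid label has no colon while the other labels do, and the whitespace-only lines added after \end{itemize} can be removed.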
@@ -290,7 +305,9 @@ This PLC uses communication protocols such as PROFINET, an advanced version of M
 
 
 
-The S7 200 is also widely used for variousl applications because of its flexibility, usablilty and comptibility. 
+
+
+The S7 200 is also widely used for various applications because of its flexibility, usablilty and comptibility. 
 
 \begin{itemize}
 
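Review bot: The replaced line fixes "variousl" but still contains "usablilty" and "comptibility"; correct them to "usability" and "compatibility" in the same change. The two blank lines added above it have no effect in LaTeX, because the existing blank lines already end the paragraph, and can be dropped.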
@@ -323,7 +340,7 @@ Open Communication
 	\subsection{Vulnerabilities}
 	\subsection{Attacks Log}
 	\subsection{Challenges}
-	\subsection{Detection of Multistage Attack approach}
+	\subsection{Detection of Multistage Attack Approach}
 	\subsection{Detecting malware}
 
  \section{Evaluation and Results}
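Review bot: The renamed heading \subsection{Detection of Multistage Attack Approach} is now in title case, but the neighbouring \subsection{Detecting malware} is still in sentence case; pick one convention and apply it to every heading in this block.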