Biblio

Open-source honeypots are a vital component in the protection of networks and the observation of trends in the threat landscape. Their open nature also enables adversaries to identify the characteristics of these honeypots in order to detect and avoid them. In this study, we investigate the prevalence of 14 open- source honeypots running more or less default configurations, making them easily detectable by attackers. We deploy 20 simple signatures and test them for false positives against servers for domains in the Alexa top 10,000, official FTP mirrors, mail servers in real operation, and real IoT devices running telnet. We find no matches, suggesting good accuracy. We then measure the Internet-wide prevalence of default open-source honeypots by matching the signatures with Censys scan data and our own scans. We discovered 19,208 honeypots across 637 Autonomous Systems that are trivially easy to identify. Concentrations are found in research networks, but also in enterprise, cloud and hosting networks. While some of these honeypots probably have no operational relevance, e.g., they are student projects, this explanation does not fit the wider population. One cluster of honeypots was confirmed to belong to a well-known security center and was in use for ongoing attack monitoring. Concentrations in an another cluster appear to be the result of government incentives. We contacted 11 honeypot operators and received response from 4 operators, suggesting the problem of lack of network hygiene. Finally, we find that some honeypots are actively abused by attackers for hosting malicious binaries. We notified the owners of the detected honeypots via their network operators and provided recommendations for customization to avoid simple signature-based detection. We also shared our results with the honeypot developers.

The malicious JavaScript is a common springboard for attackers to launch several types of network attacks, such as Drive-by-Download and malicious PDF delivery attack. In order to elude detection of signature matching, malicious JavaScript is often packed (so-called "obfuscation") with diversified algorithms therefore the occurrence of obfuscation is always a good pointer for potential maliciousness. In this investigation, we propose a light weight approach for quickly filtering obfuscated JavaScript by a novel method of tokenizing JavaScript text at letter level and information-theoretic measures, based on the previous work in the domain of detecting obfuscated malicious code as well as the pattern analysis of natural languages. The new approach is apparently time efficient compared to existing systems since it processes much less objects while it is also proved to be able to reach the acceptable detection accuracies.

In the age of the IoT (Internet of Things), a random number generator plays an important role of generating encryption keys and authenticating a piece of an embedded equipment. The random numbers are required to be uniformly distributed statistically and unpredictable. To satisfy the requirements, a physical true random number generator (TR-NG) is used. In this paper, we implement a TRNG using an SR latch on 40 nm CMOS ASIC. This TRNG generates the random number by exclusive ORing (XORing) the outputs of 256 SR latches. We evaluate the random number generated using statistical tests in accordance with BSI AIS 20/31 and using an IID (Independent and Identically Distributed) test, and the entropy estimation in accordance with NIST SP800-90B changing the supply voltage and environmental temperature within its rated values. As a result, the TRNG passed all the tests except in a few cases. From this experiment, we found that the TRNG has a robustness against environmental change. The power consumption is 18.8 micro Watt at 2.5 MHz. This TRNG is suitable for embedded systems to improve security in IoT systems.