Network Security Research Group
(Prof. Dr. Heer)

Scan or be Scanned – Honeypot meets Patchwatch

Research project
In progress

In today’s Internet, a plethora of services are, intentionally or unintentionally, publicly accessible. Further, many publicly accessible services are not sufficiently updated. This puts them at risk, as attackers who use Internet-wide port scanning to discover such services can exploit vulnerabilities in old software.

Honeypots are purposely insecure systems, placed on the Internet to lure attackers and collect information. We set up an infrastructure consisting of six AWS honeypot instances and an analysis VM. We log and analyze who is scanning the Internet, particularly Internet of Things (IoT) services. So far, we have identified multiple scanners and the tools they use, and classified different scanning behaviors.

With Patchwatch, we collect data to analyze how different sectors handle the patching process of services. We actively scan the IPv4 space for hosts with Internet-connected services, collecting version information. We use fingerprinting, e.g., certificate information, to track hosts with dynamic IPs. So far, we have analyzed, e.g., the update frequency of different services and possible vulnerabilities.
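
The following is an added illustration of tracking a host across changing IP addresses by its certificate, not code from the Patchwatch project. The record layout, function names, and all sample values are assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for DER-encoded certificates seen during scans.
CERT_A = b"constructed-cert-host-A"
CERT_B = b"constructed-cert-host-B"

# Constructed scan records: (scan date, IP, reported version, certificate bytes).
SCANS = [
    ("2024-01-01", "198.51.100.7", "nginx/1.18.0", CERT_A),
    ("2024-01-01", "203.0.113.20", "nginx/1.20.1", CERT_B),
    ("2024-01-08", "198.51.100.93", "nginx/1.18.0", CERT_A),  # host A on a new IP
    ("2024-01-08", "203.0.113.20", "nginx/1.20.1", CERT_B),
    ("2024-01-15", "192.0.2.41", "nginx/1.24.0", CERT_A),     # host A, new IP, updated
    ("2024-01-15", "203.0.113.20", "nginx/1.20.1", CERT_B),
]

def fingerprint(cert_der: bytes) -> str:
    """Stable host key: SHA-256 over the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()

def host_timelines(scans):
    """Group observations by certificate fingerprint instead of by IP."""
    timelines = defaultdict(list)
    for date, ip, version, cert in sorted(scans, key=lambda r: r[0]):
        timelines[fingerprint(cert)].append((date, ip, version))
    return dict(timelines)

def version_changes(timeline):
    """Return (date, old, new) for every version change in one host's timeline."""
    changes = []
    for (_, _, prev), (date, _, cur) in zip(timeline, timeline[1:]):
        if prev != cur:
            changes.append((date, prev, cur))
    return changes

def summarize(scans):
    """Per host: every IP it was seen on and when its version changed."""
    return {
        fp: {"ips": sorted({ip for _, ip, _ in tl}), "changes": version_changes(tl)}
        for fp, tl in host_timelines(scans).items()
    }

if __name__ == "__main__":
    for fp, info in summarize(SCANS).items():
        print(fp[:12], info)
```

A whole-certificate hash changes when the certificate is renewed, and a default certificate shared by many devices merges distinct hosts, so both cases need separate handling in a real analysis.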

Task and research questions

We aim to conduct advanced analyses focusing on correlations between scanning activities logged on our honeypots and the scanning picture obtained through active scans. By merging our Honeypot and Patchwatch data, we aim to gain a better understanding of overall scanning activities:

  • Using the existing honeypot infrastructure, can we find specific interests of scanners, e.g., scanned services, service settings, and versions?
  • Can we investigate further details on the scanners' interests through additional application insights?
  • Is there a correlation between the scanning interests logged by our honeypots and the version changes observed in Patchwatch?

Task Outline:

  • Enhance honeypots to log scans for application-specific data, e.g., service settings and versions.
  • Conduct trend analyses on gathered data, e.g., changes in the scanning frequency of individual scanners for specific services over time.
  • Find and analyze correlations between Honeypot and Patchwatch data.

Contact