
School of Science


Warren Zezito Cabral

Overview of thesis

Honeypots are progressively becoming a fundamental cybersecurity tool to detect, prevent, and record new threats and attack methodologies used by attackers to penetrate systems. A honeypot is a deceptive or fake computer system that presents itself as a real computer system with actual sensitive information. A range of open-source honeypots are available today, such as Cowrie and Conpot, which can be easily downloaded and deployed within minutes with default settings. Cowrie is a medium-interaction secure shell (SSH) and Telnet honeypot intended to log brute force and shell interaction attacks. In contrast, Conpot is a low-interaction SCADA honeypot, which attempts to mimic an active SCADA system. These honeypots operate on a standardised configuration file that encompasses options for deployment such as hostnames, IPs, network services, protocols, applications, and fingerprint information. These options are convoluted and must be used in an integrated and granular fashion to make the deception presented by the honeypot plausible and effective. The current issue with default configurations is that they are easily detected by adversaries using default parameters, automated scripts and scanners such as Shodan and Nmap. Nonetheless, cybersecurity specialists deploy most honeypots with default configurations. This is because modern systems do not provide a standard framework for optimal deployment of these honeypots based on the various configuration options available to produce a non-default configuration. Hence, default honeypot deployments are counterproductive and a needless drain on network resources and personnel.

A quantitative empirical learning approach driven by a quasi-experimental methodology was undertaken to develop a solid understanding of the deceptive capabilities of the Cowrie and Conpot honeypots. This was accomplished by developing a framework created from the analysis of numerous Cowrie and Conpot configurations and linking these artefacts to their deceptive potential. This framework provides for customised honeypot configuration, thereby enhancing their functionality to achieve a high degree of deceptiveness and realism. These configured honeypots were then deployed in association with banners and firewall rules to prevent Shodan and Nmap detections and to prevent attackers from recognising default parameters.

The results of these deployments show an exponential increase in attacker-honeypot interaction in comparison to their subsequent default implementations. In turn, they inform and educate cybersecurity audiences on how important it is to deploy honeypots with advanced deceptive configurations to bait cybercriminals and mitigate counterproductive distributions.

Qualifications

  • Master of Computing and Security by Research – Edith Cowan University – Aug 2019-Present
  • Bachelor of Science (Cyber Security) – Edith Cowan University – 2019

Scholarships and Awards

  • 2019 Master’s Research Scholarship | Cyber Security Cooperative Research Centre
      • Awarded a $100,000 research scholarship grant which entails research on the configuration and deployment of honeypot architecture.
  • 2019 Vice-Chancellor’s Award for Student Engagement | Edith Cowan University
      • Awarded a $5000 scholarship for demonstrating outstanding engagement with the community, including acting as a peer mentor to high school students through the i3 Program, offering free tutoring as part of CASSA and promoting ECU and cybersecurity.
  • 2016 Dr Peter Larsen Award for Academic Excellence | Edith Cowan College
      • Awarded a $2000 scholarship for achieving the highest academic average in the Diploma of Science (Computing and IT).

Supervisors

  • Dr Leslie F Sikos – Edith Cowan University

Contact

Mr Warren Zezito Cabral
Masters Student
School of Computing and Security Science
School of Science