Illinois researchers sweeten “honeypot” to catch, blacklist hackers

04.23.19 -

by Allison Arp, Coordinated Science Laboratory

"The supreme art of war is to subdue the enemy without fighting" - Sun Tzu.

This quote inspired Coordinated Science Laboratory (CSL) student Phuong M. Cao and a team from the National Center for Supercomputing Applications (NCSA) to conduct research to understand how programs were being attacked. A paper about that research was accepted by the prestigious USENIX Symposium on Networked Systems Design and Implementation (NSDI).

In order to protect a system from an attack, the defender must know what it's protecting against. By planting "honeypots," the researchers were able to attract hackers by setting up phony machines on a large IP space to mimic more than 65,000 servers. Using this method, the group was able to draw in 405 million attack attempts to the honeypot and learn from them.

"Their strategy brought in a lot of the bad guys and after a quick analysis many had their router blacklisted by the NCSA security team," said Cao's advisor Ravi Iyer, CSL and Electrical and Computer Engineering (ECE) professor and George and Ann Fisher Distinguished Professor of Engineering. "The clever thing was the students took this information and decided to use the attacks being generated to discover how our system can withstand these attacks."

The information collected about the attack techniques has already been integrated into security systems at NCSA. Justin Azoff and Alex Withers, both NCSA staff, are working closely with Cao and others to continuously audit and update the technology against ongoing attacks. This partnership shows how practical cybersecurity operations can support research and vice-versa.

"Many people overlook the potential impact of a brute force attack," said Cao, an ECE graduate student. "Well known data breaches, Citrix for example, are the direct result of an unsecured server being exposed by this type of attack."

In the case of the Citrix data breach, attackers were able to hack one or more weak passwords within the system that resulted in terabytes of data being exposed. Previously, hackers would use a dictionary and try different words repeatedly until an account was breached; now, Cao says, 6.5 billion passwords are publicly available and used in this brute-force attack styles.

Iyer believes finding a solution to such a common and costly problem was one of the reasons Cao's paper, written with Subho S. Banerjee, a computer sciences graduate student, Yuming Wu, a fellow ECE student, and Zbigniew Kalbarczyk, an ECE research professor, was accepted by the NSDI symposium committee.

"They demonstrated on an attack style that is very common and now it can be expanded to look at a whole range of potential attacks," said Iyer. "I think the research is very important and a reason it was accepted at NSDI, which has a notoriously low acceptance rate."

The NDSI Symposium only selected 49 out of 332 submitted papers. Cao presented the paper and Wu presented a poster on the same project, all of which received wide industry recognition.

"People from Fortune 500 companies were interested in the work," said Wu. "We had discussions about the details of the work, interest in the deployment of the infrastructure, and interest in future work inspired by this research."

The original framework for the honeypot, developed by Azoff, is open-sourced and available on NCSA's GitHub. So far the project has gained more than 400 positive reactions from the online community.

While industry partners are interested in future work, the University of Illinois at Urbana-Champaign's online network is already benefiting from the software. In a single year, the team's software has analyzed 405 million attack attempts and at one point prevented more than 57 million in one day. This has resulted in them having the largest dataset of analyzed brute-force attacks to date.

Attacks on Illinois' network are local, but the analysis of the dataset has been shared with national laboratories and an international university via NCSA's Shared Intelligence Platform for Protecting our National Cyberinfrastructure (SDAIA). Alerting and collaborating with other sites allows all locations to defend against attacks that have happened at other locations. The honeypot that the team is currently operating has observed attacks coming from 73% of the autonomous systems on the internet. Three-fourths of the internet seems like a lot, but Cao isn't done yet.

"The future of this work is that we would gain a much larger adoption from other sites, not just in academia but also on the industry sites," said Cao. "With the expansion of our shared intelligence platform we hope to cover the entire space of the internet. The future of our work is to look at how our approach can be applied to monitor more sophisticated attack activities across all the internet."