Tools
TimeKeeper

TimeKeeper is an ongoing project involving the forensic analysis of honeypot file systems. It enables inode data to be archived so that honeypot administrators can more accurately ascertain what has transpired. TimeKeeper is not meant to act as a stand-alone agent for logging data, but to work as one piece of a forensic framework.
VisualFirewall

VisualFirewall/IDS is a research-grade firewall and IDS visualization tool that aims to provide a highly informative interface to the network activity that relates to system security. The program is designed with novice system security administrators in mind, who need easy-to-learn representations of security information but also need the power of forensic analysis of past attacks.
RainStorm

We propose to design a visualization to show alarm activity within a network. The high volume of alarm data generated by IDS tools is cumbersome for network system administrators to deal with. Often important details are overlooked, and it is difficult to get an overall picture of what is occurring in the network by traversing alarm text logs. Our goal with this tool is to present alarm data in an overall view where a user can get a general sense of network activity and easily see if there is some anomaly, with the option of drilling down for details. The information is presented with IP address on the y-axis to show the location of alarms, time on the x-axis to show the pattern of the alarms, and color to show the severity and number of alarms.

The y-axis represents a range of Georgia Tech IP addresses; this works out to 4 IP addresses per pixel. The x-axis represents time: if each pixel along this axis is 20 minutes, then 24 hours is represented.

Color represents alarm severity (green = low, yellow = medium, red = high). Color saturation represents the alarm count: full saturation (which stands out against the black background) indicates a large number of alarms, while lesser saturation (which can be seen but does not stand out as much) represents a low count.
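As an added illustration (not RainStorm's own code), the following Python bins a few constructed alarm records onto the pixel grid described above: 4 addresses per row, 20 minutes per column, hue from severity and saturation from count. The base address of the monitored range, the severity labels and the count at which saturation peaks are assumptions, not values from the page.

```python
from collections import defaultdict
from ipaddress import ip_address

IPS_PER_PIXEL = 4                        # y-axis: 4 IP addresses per pixel
MINUTES_PER_PIXEL = 20                   # x-axis: 20 minutes per pixel
GRID_WIDTH = 24 * 60 // MINUTES_PER_PIXEL  # 24 hours across the display
BASE_IP = int(ip_address("192.0.2.0"))   # assumed start of the monitored range
RANK = {"low": 0, "medium": 1, "high": 2}
HUE = {"low": "green", "medium": "yellow", "high": "red"}
MAX_COUNT = 10                           # assumed count at full saturation

# Constructed sample alarms: (minute of day, source IP, severity).
ALARMS = [
    (5, "192.0.2.1", "low"),
    (12, "192.0.2.3", "high"),      # lands in the same pixel as the first alarm
    (500, "192.0.2.40", "medium"),
]


def bin_alarms(alarms, base_ip=BASE_IP):
    """Aggregate alarms per pixel: (x, y) -> {"count", "severity"}.

    Each pixel keeps the total alarm count and the worst severity seen, so a
    single high-severity alarm is not hidden by many low-severity ones.
    """
    grid = defaultdict(lambda: {"count": 0, "severity": "low"})
    for minute, ip, severity in alarms:
        x = minute // MINUTES_PER_PIXEL
        y = (int(ip_address(ip)) - base_ip) // IPS_PER_PIXEL
        if not (0 <= x < GRID_WIDTH) or y < 0:
            continue  # outside the 24-hour window or below the monitored range
        cell = grid[(x, y)]
        cell["count"] += 1
        if RANK[severity] > RANK[cell["severity"]]:
            cell["severity"] = severity
    return dict(grid)


def pixel_color(cell):
    """Hue from severity, saturation from count (0.0 - 1.0, capped)."""
    return HUE[cell["severity"]], min(cell["count"] / MAX_COUNT, 1.0)


if __name__ == "__main__":
    for pixel, cell in sorted(bin_alarms(ALARMS).items()):
        print(pixel, cell, pixel_color(cell))
```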
FlowTag

Current tools for forensic analysis require many hours to understand novel attacks, causing reports to be terse and untimely. We apply visual filtering and tagging of flows in a novel way to address the current limitations of post-attack analysis, reporting, and sharing. We discuss the benefits of visual filtering and tagging of network flows and introduce FlowTag as our prototype tool for Honeynet researchers. We argue that online collaborative analysis benefits security researchers by organizing attacks, collaborating on analysis, forming attack databases for trend analysis, and promoting new security research areas. Lastly, we show three attacks on the Georgia Tech Honeynet and describe the analysis process using FlowTag.