Ludus is a joint project between the Stratosphere Research Laboratory and CZ.NIC. Our goal is to apply Game Theory to honeypot deployment in order to increase the security of the users.
The main idea of the project is to apply collaborative defence strategies to make it harder for attackers to hit the services users run on their devices. Based on the anonymous data obtained from the routers, we design a Game Theoretical model used for choosing the optimal honeypot setup. This model is distributed to all routers and applied based on the usage of the individual devices. Afterwards, the strategy is evaluated and improved so it can react to new trends in the attackers' actions.
Ludus focuses on attacks coming from the internet to the routers. Local communication, as well as the content of packets at any level, is excluded from data gathering.
Our system aims at fully automated honeypot deployment. The first step is the analysis of the incoming traffic. This data helps us obtain a "Security Measure", a metric showing how endangered a particular device is. The next step is to deploy honeypots according to a probabilistic model that uses Game Theory to maximize the cost for attackers. The final step is evaluation of the strategy and visualization. Currently, there are two available visualizations:
- Local data (Data from individual routers showing the metric of the device. Available only for the user)
- The big picture - Aggregated data from all routers showing the impact of the collective defence strategy - Kibana dashboard
Components of Ludus system
The Ludus system consists of several tools. The main source of information is the Suricata IDS, an open-source intrusion detection tool. Suricata is used both to gather port usage statistics and as a source of alerts.
Apart from Suricata, Ludus analyses the iptables of the routers to find out which ports are in use (and therefore need protection) and which ports are available for deploying honeypots.
What data is being collected?
Ludus analyses traffic coming from the internet, which means the local network is completely excluded. Our system is based on Netflows. For each connection, the source IP, source port, destination port, protocol, number of bytes and packets in each direction, and timestamp are collected. This information is valuable for estimating the probability of a port being attacked and also provides insight into how the destination ports are being used. Using this data, we can improve the Game Theoretical model and adapt it so it better captures the behaviour of the attackers. All the data is anonymized, which means that CTU does not know which data belongs to which user. The public IPs of the routers are stored locally and used only for filtering the external traffic.
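The filtering and collection described above, as an added sketch that is not Ludus's own code: it keeps only flows from external sources to the router's public IP, drops that IP from the exported record, and computes the share of flows per destination port. The field names, the sample flows, the definition of "local" and the use of a plain relative frequency as the port estimate are all assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: "local" means RFC 1918, loopback and link-local sources.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

ROUTER_PUBLIC_IP = "203.0.113.10"  # constructed value; never leaves the router

# Constructed sample flows (documentation address ranges, not real traffic).
FIELDS = ("ts", "src_ip", "src_port", "dst_ip", "dst_port", "proto",
          "bytes_in", "pkts_in", "bytes_out", "pkts_out")
ROWS = [
    (1700000000, "198.51.100.7", 40112, "203.0.113.10", 22, "tcp", 1200, 10, 900, 8),
    (1700000005, "198.51.100.7", 40113, "203.0.113.10", 22, "tcp", 600, 6, 400, 5),
    (1700000009, "192.0.2.44", 51515, "203.0.113.10", 23, "tcp", 120, 2, 0, 0),
    (1700000012, "192.168.1.20", 50000, "203.0.113.10", 80, "tcp", 300, 4, 2000, 5),  # local source
    (1700000020, "192.0.2.44", 51600, "203.0.113.10", 22, "tcp", 180, 3, 60, 1),
    (1700000030, "192.168.1.20", 50001, "192.168.1.1", 53, "udp", 70, 1, 120, 1),  # LAN only
]
SAMPLE_FLOWS = [dict(zip(FIELDS, row)) for row in ROWS]

def is_external_inbound(flow, router_ip):
    """True when the flow targets the router's public IP from a non-local source."""
    src = ipaddress.ip_address(flow["src_ip"])
    return flow["dst_ip"] == router_ip and not any(src in net for net in LOCAL_NETS)

def anonymize(flow):
    """Drop the router's public IP so the exported record does not identify the router."""
    return {k: v for k, v in flow.items() if k != "dst_ip"}

def port_frequencies(flows, router_ip):
    """Return (exported flows, share of flows per (dst_port, proto))."""
    kept = [anonymize(f) for f in flows if is_external_inbound(f, router_ip)]
    counts = Counter((f["dst_port"], f["proto"]) for f in kept)
    total = sum(counts.values())
    freqs = {key: n / total for key, n in counts.items()} if total else {}
    return kept, freqs

if __name__ == "__main__":
    kept, freqs = port_frequencies(SAMPLE_FLOWS, ROUTER_PUBLIC_IP)
    for (port, proto), share in sorted(freqs.items(), key=lambda kv: -kv[1]):
        print(f"{port}/{proto}: {share:.2f}")
```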
- Sebastian García (CTU) - firstname.lastname@example.org
- Ondřej Lukáš (CTU) - email@example.com
- Kalin Ivanov (CTU) - firstname.lastname@example.org
- Karel Durkota (CTU) - email@example.com
- Jan Pavlínec (NIC.CZ) - firstname.lastname@example.org