Computer Laboratory

Alexander Vetterl

Alexander Vetterl

I'm a PhD student working with Richard Clayton and Ross Anderson in the Security Group. My research is funded by the German Academic Exchange Service (DAAD) and the Computer Laboratory. I am a member of the Cambridge Cybercrime Centre and Churchill College.

My research interests include honeypot architectures, intrusion detection systems and cybercrime, with a particular focus on the Internet of Things.

Research

  • Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
    Alexander Vetterl and Richard Clayton, Proceedings of the 14th Symposium on Electronic Crime Research (eCrime ‘19) [PDF] [PDF IEEE] [Slides]
    We present honware, a high-interaction honeypot framework which can emulate a wide range of devices without any access to the manufacturers' hardware. Honware automatically processes a standard firmware image (as is commonly provided for updates), customises the respective filesystem and runs the system with a special pre-built linux kernel. It then logs attacker traffic and records which of their actions led to a compromise. We provide an extensive evaluation and show that our framework is better than existing emulation strategies which are limited in their scalability, and that honware is significantly better in providing network functionality and in emulating the devices' firmware applications. Honware's design precludes most honeypot fingerprinting attacks, and its performance is comparable to that of real devices and so fingerprinting with timing attacks can be made far from trivial.
  • We know where you live: Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale
    Alexander Vetterl, 31st Annual FIRST Conference on Computer Security Incident Handling (FIRST ’19) [Slides]
    Honeypots are intended to be covert and therefore little is known about how many are deployed or who is using them. We present a generic technique for systematically fingerprinting low- and medium interaction honeypots at Internet scale with just one packet. We conduct Internet-wide scans and identify 7,605 honeypot instances across nine different honeypot implementations for the most important network protocols SSH, Telnet, and HTTP. Since the probes do not leave meaningful log entries in any of our tested honeypots, operators will not be aware that their honeypot has been detected. We further show that these deployments are not kept up to date – 27% of the honeypots have not been updated within the last 31 months and only 39% incorporate improvements from 7 months ago. We believe the findings to be a ‘class break’ in that trivial patches to the current generation of honeypots cannot address the issue.
  • Counting Outdated Honeypots: Legal and Useful
    Alexander Vetterl, Richard Clayton, Ian Walden, Proceedings of the 4th International Workshop on Traffic Measurements for Cybersecurity (WTMC ’19) [PDF] [Slides]
    We conduct several Internet-wide scans over a one year period to determine which particular versions of Kippo and Cowrie honeypots are being run on the Internet. By logging in to these SSH honeypots and sending specific commands, we not only revealed their patch status, but also show that many systems were not up to date: a quarter or more were not fully updated and by the time of our last scan 20% of honeypots were still running Kippo, which had last been updated several years earlier.
    We further provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe cybersecurity laws by accessing and logging in to honeypots.
  • Bitter Harvest: Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale
    Alexander Vetterl and Richard Clayton, Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT ’18) [PDF] [Slides]
    We present a generic technique for systematically fingerprinting low- and medium interaction honeypots at Internet scale with just one packet and an ERR (Equal Error Rate) of 0.0183. We conduct Internet-wide scans and identify 7,605 honeypot instances across nine different honeypot implementations for the most important network protocols SSH, Telnet, and HTTP.

Teaching

Supervisions 2016/17:


Contact

Alexander Vetterl
University of Cambridge
Computer Laboratory
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom
Phone: +44 1223 7-63695
Email: forename.lastname@cl.cam.ac.uk