Computer Laboratory

Alexander Vetterl

I'm a PhD student working with Richard Clayton and Ross Anderson in the Security Group. My research is funded by the German Academic Exchange Service (DAAD) and the Computer Laboratory. I am a member of the Cambridge Cybercrime Centre and Churchill College.

My research interests include honeypot architectures, intrusion detection systems and cybercrime, with a particular focus on the Internet of Things.

Research

  • We know where you live: Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale
    Alexander Vetterl, 31st Annual FIRST Conference on Computer Security Incident Handling (FIRST ’19) [tba Jun 19]
    Honeypots are intended to be covert and therefore little is known about how many are deployed or who is using them. We present a generic technique for systematically fingerprinting low- and medium-interaction honeypots at Internet scale with just one packet. We conduct Internet-wide scans and identify 7,605 honeypot instances across nine different honeypot implementations for the most important network protocols SSH, Telnet, and HTTP. Since the probes do not leave meaningful log entries in any of our tested honeypots, operators will not be aware that their honeypot has been detected. We further show that these deployments are not kept up to date – 27% of the honeypots have not been updated within the last 31 months and only 39% incorporate improvements from 7 months ago. We believe the findings to be a ‘class break’ in that trivial patches to the current generation of honeypots cannot address the issue.
  • Counting Outdated Honeypots: Legal and Useful
    Alexander Vetterl, Richard Clayton, Ian Walden, Proceedings of the 4th International Workshop on Traffic Measurements for Cybersecurity (WTMC ’19) [PDF] [Slides]
    We conduct several Internet-wide scans over a one-year period to determine which particular versions of Kippo and Cowrie honeypots are being run on the Internet. By logging in to these SSH honeypots and sending specific commands, we not only reveal their patch status, but also show that many systems were not up to date: a quarter or more were not fully updated and by the time of our last scan 20% of honeypots were still running Kippo, which had last been updated several years earlier.
    We further provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe cybersecurity laws by accessing and logging in to honeypots.
  • Bitter Harvest: Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale
    Alexander Vetterl and Richard Clayton, Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT ’18) [PDF] [Slides]
    We present a generic technique for systematically fingerprinting low- and medium-interaction honeypots at Internet scale with just one packet and an EER (Equal Error Rate) of 0.0183. We conduct Internet-wide scans and identify 7,605 honeypot instances across nine different honeypot implementations for the most important network protocols SSH, Telnet, and HTTP.

Teaching

Supervisions 2016/17:


Contact

Alexander Vetterl
University of Cambridge
Computer Laboratory
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom
Phone: +44 1223 7-63695
Email: forename.lastname@cl.cam.ac.uk