The Q-Hpot® is a honeypot running on an extremely small-form-factor, ultra-low-power server, built upon three open-source packages: Honeyd and NOVA ("Network Obfuscation and Virtualized Anti-Reconnaissance"), plus HoneyBadger, a comprehensive TCP attack inquisitor capable of detecting and recording a variety of TCP stream injection attacks, including 0-Day ("Zero Day") attacks. HoneyBadger has been combined with geolocation to identify the location of the attacker.
A honeypot is a decoy server used for network obfuscation: it denies the attacker access to actual network data while giving the attacker false information about the number and types of systems on the network. The combination of these two honeypot packages, which includes an update to Honeyd, enables the creation of multiple virtual, realistic decoy servers.
These virtual servers offer attack surfaces for hackers, and emulate almost any operating system and network service, with any desired open ports, and for any network topology. The Q-Hpot can give a network the appearance of having literally 100 or more additional servers, in addition to the actual servers on the network it is protecting, thereby providing network obfuscation and concealment of the actual network servers. The only limitation on the number of decoy servers is the number of available LAN IP addresses.
Unlike other honeypot systems, the addition of HoneyBadger gives Q-Hpot administrators the ability to fight back by geolocating the attacker's IP address(es), as well as to prevent TCP injection attacks, including 0-day (Zero Day) attacks.
As a result, the Q-Hpot greatly increases the likelihood that an attack is caught before servers or workstations are compromised and data is exfiltrated.
NOVA includes machine learning algorithms to determine which network nodes are hostile or benign. NOVA also allows the whitelisting of network objects to prevent false positives. The machine learning algorithms process aggregate flow data, which includes packet sizes, destination addresses, and the contacted TCP and UDP ports. Because these features come from flow metadata rather than payload contents, NOVA's machine learning algorithms work effectively even if an attacker uses encryption to evade Deep Packet Inspection (DPI). If an attack on any of the NOVA virtual servers is detected, network admins are notified via e-mail, libnotify messages, and syslog entries. NOVA's warnings are also integrated with Nagios® on the Q-Box® as an additional monitoring and notification mechanism. NOVA provides a Web interface for monitoring the Q-Hpot's security status, and integrates with the Q-Box for centralized monitoring.
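To illustrate the flow-based classification described above, here is an added example (not NOVA's own code or model): it reduces constructed flow records to per-source aggregates (distinct destinations, distinct ports, mean flow size, and decoy addresses contacted), applies a whitelist, and labels each source with a hand-written threshold rule standing in for NOVA's trained classifier. The decoy address range, whitelist entries and flow records are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean
from typing import NamedTuple

# Constructed flow records, not captured traffic: (src, dst, proto, dport, bytes).
FLOWS = [
    ("10.0.0.5", "10.0.0.20", "tcp", 443, 1420),      # ordinary HTTPS client
    ("10.0.0.5", "10.0.0.21", "udp", 53, 78),
    ("203.0.113.9", "10.0.0.200", "tcp", 22, 60),     # sweeps the decoy range
    ("203.0.113.9", "10.0.0.201", "tcp", 22, 60),
    ("203.0.113.9", "10.0.0.202", "tcp", 80, 60),
    ("203.0.113.9", "10.0.0.203", "tcp", 445, 60),
    ("203.0.113.9", "10.0.0.204", "udp", 161, 60),
    ("10.0.0.7", "10.0.0.200", "tcp", 22, 60),        # the admin's own scanner
    ("10.0.0.7", "10.0.0.201", "tcp", 80, 60),
    ("10.0.0.7", "10.0.0.202", "tcp", 443, 60),
]
DECOYS = {f"10.0.0.{n}" for n in range(200, 205)}  # hypothetical Honeyd decoy addresses
WHITELIST = {"10.0.0.7"}                           # known-benign nodes, never flagged

class Features(NamedTuple):
    n_dsts: int       # distinct destination addresses contacted
    n_ports: int      # distinct (proto, port) pairs contacted
    avg_bytes: float  # mean bytes per flow; headers only, so encryption is irrelevant
    n_decoys: int     # distinct decoy addresses contacted

def aggregate(flows):
    """Reduce per-flow records to per-source aggregate features."""
    acc = defaultdict(lambda: {"dsts": set(), "ports": set(), "sizes": []})
    for src, dst, proto, dport, size in flows:
        acc[src]["dsts"].add(dst)
        acc[src]["ports"].add((proto, dport))
        acc[src]["sizes"].append(size)
    return {src: Features(len(a["dsts"]), len(a["ports"]), mean(a["sizes"]),
                          len(a["dsts"] & DECOYS)) for src, a in acc.items()}

def classify(flows, whitelist=WHITELIST):
    """Label each source; the threshold rule is an assumed stand-in for a trained model."""
    verdicts = {}
    for src, f in aggregate(flows).items():
        if src in whitelist:
            verdicts[src] = "benign"
            continue
        indicators = [f.n_dsts >= 3,      # fan-out across many hosts
                      f.n_ports >= 3,     # probing many services
                      f.avg_bytes < 100,  # tiny flows: probes, not sessions
                      f.n_decoys >= 1]    # no legitimate client touches a decoy
        verdicts[src] = "hostile" if sum(indicators) >= 2 else "benign"
    return verdicts
```

Running `classify(FLOWS)` labels 203.0.113.9 hostile and the whitelisted scanner benign, while `classify(FLOWS, whitelist=set())` shows the scanner would otherwise be flagged.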