How does Nova work?
Web-based interface - Quasar
Nova's Quasar web interface lets you configure and monitor the system from a standard web browser.
From Quasar, it is possible to configure the Haystack - a large set of lightweight honeypots (powered by Honeyd). These honeypots can be configured to match the operating systems and services that are already on your network, making it difficult for attackers to distinguish them from real machines: to standard network reconnaissance tools such as port scanners and OS fingerprinters, they present the same fingerprint and open ports as the real machines they imitate.
Nova can also create a haystack configuration automatically by scanning your network and configuring the honeypot operating systems and services to match the real network configuration as closely as possible.
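As an added illustration of what such a generator has to produce (this is not Nova's own haystack generator, and Nova's real output is not shown on this page), the following Python turns constructed scan results into templates in honeyd's configuration language: one template per real host, mirroring its OS personality and open ports, bound round-robin to unused addresses on the same subnet. The scan results, free addresses and personality strings are all assumptions; in particular, a `personality` string must match a Fingerprint entry in the `nmap.prints` file honeyd reads, or honeyd will reject the template.

```python
"""Turn a network scan into a honeyd haystack configuration.

Added illustration, not Nova's own haystack generator: it shows what a
generator of this kind has to emit in honeyd's configuration language.
The scan results below are constructed, and the personality strings are
placeholders that must match a Fingerprint entry in the nmap.prints file
honeyd reads.
"""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class ScannedHost:
    """One real host seen by the network scan."""
    ip: str
    personality: str                 # OS fingerprint name honeyd should emulate
    tcp_ports: list = field(default_factory=list)
    udp_ports: list = field(default_factory=list)


# Constructed scan results standing in for a real sweep of 10.0.0.0/24.
SCAN = [
    ScannedHost("10.0.0.10", "PLACEHOLDER Linux fingerprint", [22, 80, 443]),
    ScannedHost("10.0.0.20", "PLACEHOLDER Windows fingerprint",
                [135, 139, 445, 3389], [137]),
]

# Assumed unused addresses on the same subnet for the honeypots to answer on.
FREE_ADDRS = ["10.0.0.101", "10.0.0.102", "10.0.0.103", "10.0.0.104"]


def render_template(name, host):
    """Emit one honeyd template mirroring a real host's OS and open ports."""
    lines = [
        f"create {name}",
        f'set {name} personality "{host.personality}"',
        # Closed ports answer like a real stack (RST / ICMP unreachable)
        # rather than silently dropping, which would itself stand out in a scan.
        f"set {name} default tcp action reset",
        f"set {name} default udp action reset",
    ]
    # 'open' completes the handshake without a service script; a production
    # haystack would point these ports at service emulators instead.
    lines += [f"add {name} tcp port {p} open" for p in host.tcp_ports]
    lines += [f"add {name} udp port {p} open" for p in host.udp_ports]
    return lines


def build_haystack(scan, free_addrs):
    """Create a template per scanned host and spread the spare addresses over them."""
    templates = {f"host{i}": h for i, h in enumerate(scan)}
    out = []
    for name, host in templates.items():
        out += render_template(name, host)
        out.append("")
    # Round-robin so every OS/service profile gets roughly equal decoys.
    for addr, name in zip(free_addrs, cycle(templates)):
        out.append(f"bind {addr} {name}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_haystack(SCAN, FREE_ADDRS), end="")
```

The decoys deliberately take addresses that no real host uses; binding a template to an address that is in use would make honeyd answer alongside the real machine and give the haystack away.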
Determining Hostile Activity
Once the honeypots are running, Nova alerts network administrators to potentially hostile activity by email, through rsyslog, or in the web interface. Detection works in three stages:
- First, Nova applies machine learning to statistics gathered about the traffic from each source, such as packet sizes, their distribution, and TCP flag ratios, to match that traffic against known patterns of hostile activity.
- Second, Nova raises an alert when any one of the gathered statistical features exceeds a configured threshold. The most common such rule alerts when a single IP address contacts more than a set number of honeypots, or more than a set number of ports on a single honeypot.
- Finally, the services running on the honeypots can monitor for login attempts and raise alerts of their own. For instance, an attempt to log in to a honeypot's telnet or FTP service can be treated as hostile: the honeypot serves no real users, so any attempt to use or probe its services is almost certainly reconnaissance or attack.
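The three stages above, run end to end over a handful of constructed observations, as an added example that is not Nova's code: per-source features (distinct honeypots contacted, ports on the busiest honeypot, SYN-only flag ratio, mean packet size) feed a nearest-neighbour classifier standing in for whatever model Nova actually uses, then the threshold rules, then the service-level login alerts. The honeypot addresses, records, thresholds and training vectors are all assumptions chosen to exercise each stage: a port sweep trips the classifier and both thresholds, a mistyped address trips nothing, and repeated telnet logins trip only the service stage.

```python
"""Three-stage alerting over traffic seen at the haystack.

Added illustration, not Nova's own detection code: the records, thresholds,
training vectors and nearest-neighbour classifier below are constructed
stand-ins for the statistical features, threshold rules and service-level
alerts the text describes.
"""
from collections import defaultdict
from statistics import mean

# Addresses the haystack honeypots answer on (assumed).
HAYSTACK = {"10.0.0.101", "10.0.0.102", "10.0.0.103", "10.0.0.104", "10.0.0.105"}

# Constructed observations: (src, dst, dport, tcp_flags, bytes, service_event)
RECORDS = (
    # a sweep: one SYN to each of five decoys, then six ports on one of them
    [("192.168.1.50", f"10.0.0.10{i}", 445, "S", 44, None) for i in range(1, 6)]
    + [("192.168.1.50", "10.0.0.101", p, "S", 44, None) for p in (21, 22, 23, 25, 80, 443)]
    # a mistyped address: one completed connection to one decoy, should not alert
    + [("192.168.1.20", "10.0.0.102", 80, "S", 60, None),
       ("192.168.1.20", "10.0.0.102", 80, "A", 52, None),
       ("192.168.1.20", "10.0.0.102", 80, "PA", 412, None)]
    # repeated telnet login attempts against a single decoy
    + [("192.168.1.77", "10.0.0.103", 23, "PA", 120, "telnet-login")] * 3
)

# Stage 2 thresholds (assumed values; operators tune these).
MAX_HONEYPOTS = 3
MAX_PORTS_ONE_HOST = 4

# Stage 1 training set (constructed): (honeypots, ports_on_busiest, syn_ratio, mean_bytes)
TRAINING = [
    ((1, 1, 0.33, 180.0), "benign"), ((1, 2, 0.40, 220.0), "benign"),
    ((5, 6, 1.00, 44.0), "hostile"), ((8, 3, 1.00, 40.0), "hostile"),
]
SCALE = (8.0, 8.0, 1.0, 400.0)  # per-feature divisors so no one feature dominates


def features(records):
    """Per-source statistics of the kind the first two stages work from."""
    per_src = defaultdict(list)
    for r in records:
        if r[1] in HAYSTACK:          # only traffic aimed at decoys counts
            per_src[r[0]].append(r)
    feats = {}
    for src, rs in per_src.items():
        ports_by_host = defaultdict(set)
        for _, dst, dport, *_ in rs:
            ports_by_host[dst].add(dport)
        syn_only = sum(1 for r in rs if r[3] == "S")
        feats[src] = (
            len(ports_by_host),                            # distinct honeypots
            max(len(p) for p in ports_by_host.values()),   # ports on busiest one
            syn_only / len(rs),                            # SYN-only flag ratio
            mean(r[4] for r in rs),                        # mean packet size
        )
    return feats


def classify(vec, k=3):
    """Stage 1 stand-in: k-nearest-neighbour vote over the constructed training set."""
    def dist(a, b):
        return sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, SCALE)) ** 0.5
    nearest = sorted(TRAINING, key=lambda t: dist(vec, t[0]))[:k]
    votes = sum(1 if label == "hostile" else -1 for _, label in nearest)
    return "hostile" if votes > 0 else "benign"


def alerts(records):
    """Run all three stages; return {src: [reasons]} for sources that trip any."""
    out = defaultdict(list)
    for src, vec in features(records).items():
        if classify(vec) == "hostile":
            out[src].append("classifier: traffic pattern matches hostile profile")
        if vec[0] > MAX_HONEYPOTS:
            out[src].append(f"threshold: contacted {vec[0]} honeypots")
        if vec[1] > MAX_PORTS_ONE_HOST:
            out[src].append(f"threshold: {vec[1]} ports on one honeypot")
    # Stage 3: any service-level event is hostile on its own, reported once per source
    for src, _, dport, _, _, event in records:
        if event and f"service: {event} on port {dport}" not in out[src]:
            out[src].append(f"service: {event} on port {dport}")
    return dict(out)


if __name__ == "__main__":
    for src, reasons in alerts(RECORDS).items():
        print(src, *reasons, sep="\n  ")
```

The stages are complementary rather than redundant: the brute-forcer never exceeds a scan threshold and looks statistically unremarkable, so only the service stage catches it, while the sweeper is caught three times over. Keeping every triggered reason per source is what lets an analyst later judge which alerts are worth pursuing.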
Hostile Suspect Drill Down Information
Once suspicious activity is detected, Nova presents the information gathered at the honeypots in charts, graphs, and tables that give security analysts and systems administrators the data they need to investigate an alert and distinguish false positives from actual threats.