INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 4, Issue 1, January- February (2013), pp. 404-413
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2012): 3.9580 (Calculated by GISI)
www.jifactor.com




        A HONEYNET FRAMEWORK TO PROMOTE ENTERPRISE
                     NETWORK SECURITY

                        Mumtaz M.A. AL-Mukhtar¹, Badour W. Kasim²
               ¹ (Information Engineering College, AL-Nahrain University, Iraq)
               ² (Information Engineering College, AL-Nahrain University, Iraq)


  ABSTRACT

            This research introduces an intrusion detection mechanism based on high-
  interaction honeypots that assists in gathering information about intruders attacking an
  enterprise network via the Internet. The high-interaction honeypots are implemented as a
  honeynet, which consists of a network of two servers with controlled services. Data control
  is performed by capturing data and restricting the traffic that enters and leaves the
  network. The proposed system consists of five constituent modules: Honeypots, Sniffing,
  Tracing, Alert and Control. Honeypots provide real operating system files and services. The
  decoy is based on honeyfiles and on service configuration, to reduce the cost of
  maintaining honeypots as well as to improve the accuracy of threat detection. Data transfer
  between the honeypots' modules is accomplished using Windows Communication Foundation
  (WCF) services, which assist in conveying data in a secure way. The main aim of this work
  is to identify the best traffic features or parameters that can be used to identify
  intruders and to profile attacks and attackers.

  Keywords: Attack Monitoring, High-Interaction Honeypot, Honeynet, Intrusion Detection
  System, Network Security.

  1. INTRODUCTION

           The challenge of securing enterprise networks against intruders armed with
  the tools of compromise has become overwhelming and is still growing. With security
  administrators supporting an ever-growing number of users, such consistent interaction with
  security mechanisms has become impractical. Therefore, today's enterprise requires a
  security solution that will not only stop the most advanced intruder but will also
  accomplish this with minimal configuration and supervision [1].


There have been several attempts to identify the originators of attack packets on the network. A
common technique is the honeypot, defined as "a security resource whose value lies in being
probed, attacked or compromised" [2]. Honeypots can be classified by their level of interaction
into low-interaction, medium-interaction, and high-interaction honeypots [3].
Low-interaction honeypots normally work exclusively by emulating operating systems and services.
The attacker's activities are limited to the honeypot's level and quality of emulation [4].
Medium-interaction honeypots are slightly more sophisticated than low-interaction honeypots. They
provide the attacker with a better illusion of an operating system since there is more for the
attacker to interact with. More complex attacks can therefore be logged and analyzed [5].
High-interaction honeypots constitute a complex solution because they involve real operating
systems and real applications running normally on real hardware, without emulation software, and
are often directly related to services such as databases and shared folders [6].
A honeynet is simply a network that contains one or more honeypots [7]. More precisely, it is a
high-interaction honeypot that is designed to be attacked, with the intention of providing
extensive information on threats; it provides real systems, applications, and services for
attackers to interact with, and detects new malicious attempts [8].
The remainder of this paper is organized as follows: Section 2 reviews related literature.
Section 3 gives the overall system layout. Section 4 explains the system design and the
implementation of the constituent modules. Finally, Section 5 gives the concluding remarks.

2. RELATED LITERATURE

          Previous research on high-interaction honeypots includes detecting threats and improving
network security [9,10], designing a honeypot capable of learning from attackers and of
dynamically changing its behavior using a variant of reinforcement learning [11], utilizing a
high-interaction honeypot for SQL injection analysis [12], and improving the detection speed and
attack collection scheme of high-interaction client honeypots [13, 14].
Different aspects of honeynet architectures are brought out in the literature. Honeynets have been
used in assessing network security and as a proactive security system [15, 16]. The use of
honeynets in education is tackled in [17, 18]. Deployment of honeynets for forensic analysis of
attacks from the Internet is discussed in [19, 20]. Detecting and removing Internet worms and
innocuous traffic related packets is proposed in [21, 22]. Detecting and defending against
botnets is highlighted in [23]. Managing a honeynet as a distributed architecture is described in
[24]. Using virtual technology to construct a honeynet is covered in [25, 26].
In contrast with the recent generation of high-interaction honeypots, our work goes one step
further. We improve the administration and the security enforcement to obtain an automated
protection system that serves as an early-warning and advanced security surveillance tool,
minimizing the risks from attacks on enterprise networks and ensuring that honeypots retain their
usefulness as profiling tools.

3. SYSTEM OVERVIEW

          The system layout is depicted in figure 1. The devised network comprises a pair of nodes
configured as a honeynet and connected by a switch to another node, which is configured as the
monitoring station. Each node in the honeynet acts as a high-interaction honeypot, using real
operating systems and services with decoy files. A firewall is also configured at the monitoring
station to accept connections only from the honeypot devices, as a security measure for the
monitoring station.



Honeypots provide real services to attract attackers. Once an attacker attempts to access
the honeypot server, the attacker's data is captured and stored in a database. The stored
packets are then transferred to the monitoring station in a secure way using web services.
The monitoring station reads the acquired information and prepares a report as an Extensible
Markup Language (XML) file, which is sent by e-mail to the network administrator as an
alert. It also provides a Graphical User Interface (GUI) to monitor the extracted
information.




                                     Fig.1- System Layout


4. SYSTEM DESIGN

        The designed Honeynet contains two Honeypots, which are servers connected to the
   Internet and expressly set up to attract intruders. The designed system comprises several
   cooperating modules organized within the honeypots and the monitoring station. The
   function of these modules is illustrated in figure 2.




                                  Fig.2- System Modules


4.1 Sniffing Module
        The sniffing module runs in a network-attached device and passively receives all data
link layer frames passing through the device's network adapter. The packet sniffer captures the
data that is addressed to the honeypot machine and saves it for later analysis. Using the
information captured by the packet sniffer, malicious packets can be identified to help maintain
network traffic information. The sniffer is designed with four components:
    A. The hardware: The Network Interface Card (NIC) is configured in promiscuous mode.
    B. Capture driver: It captures the network traffic from the wire and filters it for the
        particular traffic of interest.
    C. Buffer: Once the frames are captured from the network, they are stored in a buffer.
    D. Decode: This displays the contents of the network traffic with descriptive text.
The operation steps of this module are shown in figure (3).




                                     Fig.3- Sniffer Operation
The capture process takes place at kernel level, while packet processing is performed at user
level. When the kernel gets a packet from the network interface, it copies the packet from kernel
space to user space. The filtering step is used when the system is interested in capturing a
specific type of packet: the kernel is instructed to pass on a copy of only those packets that
match a filter expression.
The packet processing operation extracts packet information and stores it in the database.
Thereafter, all required packets are sent to the monitoring station to be analyzed. The steps are
illustrated in figure (4).




                         Fig.4- Packet Processing at Sniffing Module
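
The filter, decode and store steps described above, written as an added Python example; it is not the paper's code, which was built on .NET. The honeypot address, the SQLite store and the sample frames are assumptions constructed for illustration; the table and column names (ThePacket: IP, Protocol, Data) follow section 4.6.

```python
import socket
import sqlite3
import struct

HONEYPOT_IP = "192.0.2.10"   # assumed honeypot address (documentation range)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_frame(frame):
    """Decode one Ethernet II frame carrying IPv4.

    Returns a dict, or None when the frame is not IPv4 or is too short
    or inconsistent to be decoded safely.
    """
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType: IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IP header length, bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        return None
    body = ip[ihl:min(total_len, len(ip))]                # drops Ethernet padding
    rec = {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "protocol": PROTO_NAMES.get(ip[9], str(ip[9])),
        "dport": None,
        "data": body,
    }
    if ip[9] == 6 and len(body) >= 20:                    # TCP
        rec["dport"] = struct.unpack("!H", body[2:4])[0]
        offset = (body[12] >> 4) * 4                      # TCP header length
        rec["data"] = body[offset:] if 20 <= offset <= len(body) else b""
    elif ip[9] == 17 and len(body) >= 8:                  # UDP
        rec["dport"] = struct.unpack("!H", body[2:4])[0]
        rec["data"] = body[8:]
    return rec


def open_store():
    """In-memory stand-in for the honeypot database (SQLite is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ThePacket (IP TEXT, Protocol TEXT, Data BLOB)")
    return db


def process_frames(db, frames, honeypot_ip=HONEYPOT_IP):
    """Filter step plus packet processing: keep only frames addressed to the
    honeypot and store source IP, protocol and payload. Returns rows stored."""
    stored = 0
    for frame in frames:
        rec = decode_frame(frame)
        if rec is None or rec["dst"] != honeypot_ip:
            continue
        db.execute("INSERT INTO ThePacket VALUES (?, ?, ?)",
                   (rec["src"], rec["protocol"], rec["data"]))
        stored += 1
    db.commit()
    return stored


def sample_frame(src, dst, dport, payload, ethertype=0x0800):
    """Constructed test input: Ethernet + IPv4 + TCP, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    return eth + struct.pack("!H", ethertype) + ip + tcp


# Constructed sample capture, not real traffic.
FTP_LOGIN = sample_frame("203.0.113.7", HONEYPOT_IP, 21, b"USER anonymous\r\n")
SAMPLE_FRAMES = [
    FTP_LOGIN + b"\x00" * 6,                                     # padded frame
    sample_frame("203.0.113.7", "192.0.2.99", 80, b"GET /"),     # other host
    sample_frame("203.0.113.7", HONEYPOT_IP, 21, b"", 0x0806),   # not IPv4
    FTP_LOGIN[:20],                                              # truncated
]

if __name__ == "__main__":
    store = open_store()
    print(process_frames(store, SAMPLE_FRAMES), "packet(s) stored")
    for row in store.execute("SELECT IP, Protocol, Data FROM ThePacket"):
        print(row)
```

Only the first sample frame is stored: the others are addressed elsewhere, are not IPv4, or are too short to decode, and the length checks keep a malformed frame from stopping the capture loop.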


4.2 Honeypot Servers
         These servers are designed to lure intruders by providing a web interface
through the Internet. One server is configured with the Windows Server 2012 operating
system, while the other is configured with the Ubuntu Linux operating system, providing
different web services (HTTP, FTP, SMTP, SSH, and Telnet). Each honeypot runs two
modules: the web interface module for connecting with intruders and the sniffing module,
which is used for capturing network traffic.
Service configuration can be done either by using a fake server or by decoying real
services. This system is based on a honeynet using real services. The decoy method is
based on providing honeyfiles. A honeyfile is a bait file that is intended for hackers to
open; when the file is accessed, data is captured and an alarm is triggered.

4.3 Application Server
         The application server provides an interface to clients on outside networks. It
is built in order to advertise web services. All requests received by this server are
logged into the database. Figure (5) shows a block diagram of the application server
operation. When attackers access the application server, their browsers send a number of
headers to the honeypot server. These headers are part of a negotiation process that helps
the browser and the honeypot server determine the best way to provide the requested
information. The request parser analyzes these headers to identify information related to
the users accessing the server. This information is extracted from the HTTP request
properties, which contain tokens that provide specific details about the users issuing the
request, including IP address, date, operating system version, hosting services and the
time duration of the interaction. Figure (6) shows the steps of the information extraction
process carried out by the application server.




                          Fig.5- Application Server Operation








                Fig.6- Information Extracting by the Application Server
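
One way to implement the request parser of section 4.3, as an added Python example rather than the paper's own .NET code. The function names, the extra fields (Method, Path, UserAgent, ForwardedFor) and the sample requests are assumptions constructed here; IP, OS, EntryDateTime and ConnectionDuration are the session fields the paper lists. Everything taken from headers is attacker-controlled, so it is sanitized before logging and the address comes from the socket.

```python
import re
from datetime import datetime, timezone

# Ordered: Android user agents also contain "Linux", so Android is tested first.
OS_TOKENS = [
    (re.compile(r"Windows NT (\d+\.\d+)"), "Windows NT {}"),
    (re.compile(r"Android (\d+(?:\.\d+)*)"), "Android {}"),
    (re.compile(r"Mac OS X (\d+[_.]\d+)"), "Mac OS X {}"),
    (re.compile(r"Linux"), "Linux"),
]


def clean(value, limit=256):
    """Make client-supplied text safe to log: drop non-printable characters
    (including CR, LF and terminal escapes) and cap the length."""
    return "".join(ch for ch in value if ch.isprintable())[:limit]


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, headers).
    Header names are lower-cased; the first occurrence of a name wins."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), clean(value.strip()))
    return clean(lines[0]), headers


def claimed_os(user_agent):
    """Operating system as claimed by the User-Agent token."""
    for pattern, label in OS_TOKENS:
        match = pattern.search(user_agent)
        if match:
            return label.format(*match.groups())
    return "unknown"


def session_record(raw, peer_ip, entered, left):
    """Build one session row from a request and the connection's metadata."""
    request_line, headers = parse_headers(raw)
    parts = request_line.split(" ")
    well_formed = len(parts) == 3 and parts[2].startswith("HTTP/")
    return {
        "IP": peer_ip,   # taken from the socket, never from a header
        "OS": claimed_os(headers.get("user-agent", "")),
        "EntryDateTime": entered.isoformat(),
        "ConnectionDuration": (left - entered).total_seconds(),
        "Method": parts[0] if well_formed else None,
        "Path": parts[1] if well_formed else None,
        "UserAgent": headers.get("user-agent"),
        "ForwardedFor": headers.get("x-forwarded-for"),  # recorded as a claim
    }


# Constructed sample inputs, not captured traffic.
T0 = datetime(2013, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
T1 = datetime(2013, 1, 15, 10, 0, 42, tzinfo=timezone.utc)
BROWSER_REQUEST = (
    b"GET /admin/backup.zip HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n\r\n"
)
ESCAPE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: scanner\x1b[2J\x07 (Linux x86_64)\r\n\r\n"
)
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # TLS bytes sent to an HTTP port

if __name__ == "__main__":
    for request in (BROWSER_REQUEST, ESCAPE_REQUEST, NOT_HTTP):
        print(session_record(request, "203.0.113.7", T0, T1))
```

The OS value is what the client claims, so it is a profiling hint rather than evidence, and a request that is not HTTP still yields a row with the socket address and timing.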

4.4 Information Transfer
       To provide a secure way of analyzing data and gathering more information about
malicious traffic, all data stored in the honeypots' database servers is transferred to the
monitoring machine. Windows Communication Foundation (WCF) is used to transfer
information from the honeypot servers to the monitoring station. In the current design, WCF
sends data as asynchronous messages from one service endpoint to another. The designed
WCF service consists of two components:


   A. Endpoint: Endpoints give clients access to the functionality offered by a WCF service.
        Each endpoint has three properties:
  • An address that indicates where the endpoint is found.
  • A binding that specifies how the monitoring machine can communicate with the service
      endpoint.
  • A contract that identifies the operations made available by the WCF service.
   B. Service Host: The Service Host object is part of the process of hosting the WCF service
        inside the application server within the honeypots and of registering endpoints.
Figure (7) shows the architecture of the designed WCF.




                        Fig.7- The Architecture of the Designed WCF

4.5 Control Module
        This is the central module, located in the monitoring station. It provides a GUI to
control and monitor system data and functions. Two modules are integrated inside this module:
the Tracing Module and the Alert Module.

4.6 Tracing Module
          The tracing module collects the information extracted from the honeypot servers
concerning each intruder. This information is logged into the system database. Its main function
is to analyze information in separate background functions. Each background function analyzes
part of the received information in a separate thread, which keeps the user interface responsive
even with the long delays associated with such operations. Three background functions deal with
downloading and collecting information received from the honeypot devices. Each one deals with a
part of the honeypot database tables. These background functions are:

A. UsersBackup
         It is implemented to download and update user information received from the TheUsers
database table located at the honeypots. UsersBackup contains an IpInfo() function that gets
location information from the Whois and IP2Location databases. The information collected by this
background function is: IP, country, city, region, latitude, longitude and ISP of the intruder
machine. This is carried out by initiating two connections to the remote location databases
(Whois and IP2Location). The connection to the IP2Location database is established using an
HTTP request to the database server, while the connection to the Whois database is established
as a TCP connection.



B. SessionsBackup
         The second background function is implemented to download and update session
information received from the TheSession database table located at the honeypots. The
information collected by this background function is: IP, HostingSerivce, OS (Operating
System), EntryDateTime, ConnectionDuration and OpenPorts.
Port scanning is invoked using an Asynchronous JavaScript and XML (AJAX) service to
determine open ports. The port scan uses the AJAX service with WebGetAttribute to send
requests to a range of ports at the intruder machine and is configured to use the JavaScript
Object Notation (JSON) data format for responses.

C. PacketsBackup
         The third background function is implemented to download and update packet
information received from the ThePacket database table located at the honeypots. The
information collected by this background function is: IP, Protocol and Data.
All data packets of each session related to a single user are saved for future analysis by
the system administrator.

4.7 Alerting Module
         Two methods are implemented in this module: logging and alert. The logging
method collects and processes data from the other modules and makes it available as an XML
file. The collected information is used to generate reports and is used by the alert method.
The alert method generates alerts to an administrator e-mail address at pre-defined time
intervals. The frequency of the e-mails, their sender and their recipient can be configured.
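
The logging and alert methods described above, as an added Python example that is not the paper's code. The XML element names, the function names, the addresses and the sample records are assumptions constructed here. Packet payloads are base64-encoded because raw packet bytes can contain characters that XML 1.0 forbids; the message is built but not sent.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage


def build_report(sessions, packets, generated):
    """Logging method: group honeypot records per intruder IP, return XML bytes."""
    root = ET.Element("HoneynetReport", generated=generated.isoformat())
    by_ip = {}
    for row in sessions:
        by_ip.setdefault(row["IP"], ([], []))[0].append(row)
    for row in packets:
        by_ip.setdefault(row["IP"], ([], []))[1].append(row)
    for ip in sorted(by_ip):
        node = ET.SubElement(root, "Intruder", ip=ip)
        for s in by_ip[ip][0]:
            # ElementTree escapes attribute values, so markup in a claimed
            # OS string cannot break the report structure.
            ET.SubElement(node, "Session", os=s["OS"], entry=s["EntryDateTime"],
                          duration=str(s["ConnectionDuration"]))
        for p in by_ip[ip][1]:
            pkt = ET.SubElement(node, "Packet", protocol=p["Protocol"],
                                encoding="base64")
            pkt.text = base64.b64encode(p["Data"]).decode("ascii")
    return ET.tostring(root, encoding="utf-8")


def packets_in_report(report_xml):
    """Reader side: map each intruder IP to its decoded packet payloads."""
    result = {}
    for node in ET.fromstring(report_xml).findall("Intruder"):
        result[node.get("ip")] = [base64.b64decode(p.text or "")
                                  for p in node.findall("Packet")]
    return result


def alert_due(last_sent, now, interval):
    """Alert method gate: send when nothing was sent yet or the interval elapsed."""
    return last_sent is None or now - last_sent >= interval


def build_alert(report_xml, sender, recipient):
    """Wrap the XML report in an e-mail for the administrator (not sent here)."""
    count = len(ET.fromstring(report_xml).findall("Intruder"))
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"Honeynet alert: {count} intruder address(es)"
    msg.set_content("Honeynet report attached as XML.")
    msg.add_attachment(report_xml, maintype="application", subtype="xml",
                       filename="honeynet-report.xml")
    return msg


# Constructed sample records, not real captures.
NOW = datetime(2013, 1, 15, 10, 30, tzinfo=timezone.utc)
INTERVAL = timedelta(minutes=30)
SESSIONS = [{"IP": "203.0.113.7", "OS": 'Windows NT 6.1 "<b>"',
             "EntryDateTime": "2013-01-15T10:00:00+00:00",
             "ConnectionDuration": 42.0}]
PACKETS = [
    {"IP": "203.0.113.7", "Protocol": "TCP", "Data": b"USER anonymous\r\n"},
    {"IP": "198.51.100.23", "Protocol": "UDP", "Data": b"\x00\x01<probe>&\xff"},
]

if __name__ == "__main__":
    report = build_report(SESSIONS, PACKETS, NOW)
    if alert_due(None, NOW, INTERVAL):
        print(build_alert(report, "honeynet@example.org", "admin@example.org"))
```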

5. CONCLUSIONS

         In this work, we exploited the concept of high-interaction honeypots in depth to
capture and analyze intruders' data and to help observe intruders' behavior, providing
versatile information concerning security threats and their behavior. The system can also be
customized to capture specific data. As honeypots capture the malicious traffic, they also
capture the new tools used by blackhats. Moreover, the geographical location of intruders is
explored by utilizing the Whois and IP2Location databases. IP GeoLocation depends on
semantic approaches, and therefore could be accurate.
The system uses JavaScript code to scan ports to gain access to the intruder machine even if
the firewall is running. This enhances the system's ability to be hosted in different
environments (.Net and JavaScript). System testing shows that the developed honeynet can
successfully remedy the deficiencies of existing monitoring systems and improve the
performance of the safety defense systems.

REFERENCES

[1]     Kuwatly Iyad, Sraj Malek, Al Masri Zaid, and Artail Hassan, “A Dynamic
Honeypot Design for Intrusion Detection”, Proceedings of the IEEE/ACS International
Conference on Pervasive Services (ICPS’04), pp. 1-10, 2004.
[2]     Spitzner, L. Honeypots: Tracking Hackers. Addison Wesley, 2003.





[3]      Iyatiti Mokube and Michele Adams, "Honeypots: Concepts, Approaches, and
Challenges", Proceeding Of The 45th Annual Southeast Regional Conference (ACMSE'07),
pp. 321-326, 2007.
[4]      Abhishek Mairh, Debabrat Barik, and Kanchan Verma, "Honeypot in Network
Security: A Survey", Proceedings of the 2011 International Conference on Communication,
Computing & Security (ICCCS '11), pp.600-605, 2011.
[5]      Pei-Sheng Huang, Chung-Huang Yang, and Tae-Nam Ahn, " Design And
Implementation Of A Distributed Early Warning System Combined With Intrusion Detection
System And Honeypot", International Conference on Convergence and Hybrid Information
Technology (ICHIT '09), pp.232-238, 2009.
[6]       Briffaut Jeremy, Lalande Jean-Francois, and Toinard Christian, "Security and
Results of a Large-Scale High-Interaction Honeypot", Journal of Computers, Vol. 4, No. 5,
pp. 395-404, 2009.
[7]       Yang Y., Yang H., and Mi J., "Design of Distributed Honeypot System Based on
Intrusion Tracking", IEEE 3rd International Conference on Communication Software and
Networks (ICCSN), pp. 196-198, 2011.
[8]      Ritu Tiwari, and Abhishek Jain, "Improving Network Security and Design using
Honeypots", Proceedings of the CUBE International Information Technology Conference
(CUBE '12), pp. 847-852, 2012.
[9]       Briffaut J., Rouzaud-Cornabas J., Toinard C., and Zemali Y., "A New Approach to
Enforce the Security Properties of a Clustered High-Interaction Honeypot", International
Conference on High Performance Computing & Simulation (HPCS '09), pp. 184, 192, 2009.
[10]      Bhumika, and Vivek Sharma, "Use of Honeypots to Increase Awareness Regarding
Network Security", International Journal of Recent Technology and Engineering (IJRTE),
Vol.1, Issue 2, pp. 171-175, 2012.
[11]      Gerard Wagener, Radu State, Thomas Engel, and Alexandre Dulaunoy, "Adaptive
and Self-Configurable Honeypots", 12th IFIP/IEEE International Symposium on Integrated
Network Management, pp. 345-352, 2011.
[12]      Jiao Ma, Kun Chai, Yao Xiao, Tian Lan, and Wei Huang, "High-Interaction
Honeypot System for SQL Injection Analysis", International Conference on Information
Technology, Computer Engineering and Management Sciences (ICM), pp. 274-277, 2011.
[13]      Hong-Geun Kim, Dong-Jin Kim, Seong-Je Cho, "An Efficient Visitation Algorithm
to Improve the Detection Speed of High-Interaction Client Honeypots", Proceedings of the
ACM Symposium on Research in Applied Computation (RACS '11), pp. 266-271, 2011.
[14]     Yagi Takeshi, Tanimoto Naoto, Hariu Takeo, and Itoh Mitsutaka, "Enhanced
Attack Collection Scheme on High-Interaction Web Honeypots", IEEE Symposium on
Computers and Communications (ISCC), pp. 81-86, 2010.
[15]      Olivier Thonnard, and Marc Dacier, "A Framework for Attack Patterns' Discovery
Honeynet data", Digital Investigation, Volume 5, Supplement, pp.S128-S139, September
2008.
[16]      Dongwoo Kwon, Hong J.W, and Hongtaek Ju, "DDoS Attack Forecasting System
Architecture Using Honeynet", 14th Asia-Pacific Network Operations and Management
Symposium (APNOMS), pp.1-4, 2012.
[17]      Ateeq Ahmad, Muhammad Ali, and Jamshed Mustafa, "Benefits of Honeypots in
Education Sector", International Journal of Computer Science and Network Security, VOL.11
No.10, pp. 24-28, 2011.




[18]      O'Leary M., Azadegan S., Lakhani, J., "Development of a Honeynet Laboratory: a
Case Study", Seventh ACIS International Conference on Software Engineering, Artificial
Intelligence, Networking, and Parallel/Distributed Computing (SNPD'06), pp.401-406, 2006.
[19]      Stephan Riebach, Erwin P. Rathgeb, and Birger Toedtmann, "Efficient Deployment
of Honeynets for Statistical and Forensic Analysis of Attacks from the Internet", Proceedings
of the 4th IFIP-TC6 international conference on Networking Technologies, Services, and
Protocols, pp. 756-767, 2005.
[20]      Bhatia J.S., Sehgal R., Bhushan, B., and Kaur, H., "A Case study on Host Based
Data Analysis & Cyber Criminal Profiling in Honeynets", First International Conference on
Communication Systems and Networks (COMSNETS 2009), pp. 1-2, 2009.
[21]      Pragya Jain, and Anjali Sardana, "Defending against Internet Worms using
Honeyfarm", Proceedings of the CUBE International Information Technology Conference
(CUBE '12), pp. 795-800, 2012.
[22]      Kumar Upendra, Kumar Mishra Bimal, and Sahoo G., "Defending Polymorphic
Worms in Computer Network using Honeynet", International Journal of Engineering Science
and Technology (IJEST), Vol. 4 No.04, pp. 1908-1411, 2012.
[23]      J.S.Bhatia , R.K.Sehgal , and Sanjeev Kumar, " Botnet Command Detection using
Virtual Honeynet", International Journal of Network Security & Its Applications Vol. 3 Issue:
5, pp. 177-189, 2011.
[24]      Leita C., Pham V.H., Thonnard O., Ramirez E.S., Pouget F., Kirda E., and Dacier
M.," The Leurre.com Project: Collecting Internet Threats Information Using a Worldwide
Distributed Honeynet", Workshop on Information Security Threats Data Collection and
Sharing (WISTDCS '08), pp. 40-57, 2008.
[25]      Sun Bing, Wang Hai-feng, and Cheng Ling, "Study of Network Security Situation in
Honeynet", Proceedings of International Conference on Modelling, Identification & Control
(ICMIC), pp. 519 – 523, 2012.
[26]      Liu Tian-Hua, Yi Xiu-Shuang, and Ma Shi-Wei, "Core Functions Analysis and
Example Deployment of Virtual Honeynet", First International Conference on Robot, Vision
and Signal Processing (RVSP), pp. 212-215, 2011.
[27]      Dillip Kumar Mahapatra, Tanmaya Kumar Das and Gopakrishna Pradhan,
“Guidelines for Managing Distributed Software Project under Deployment”, International
journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013,
pp. 34 - 45, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375, Published by IAEME.
[28]      Syeda Gauhar Fatima, Dr. Syed Abdul Sattar and Dr. K. Anita Sheela, “Energy
Efficient Intrusion Detection System for WSN”, International journal of Electronics and
Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012,
pp. 246 - 250, ISSN Print: 0976- 6464, ISSN Online: 0976 –6472, Published by IAEME.




ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
PDF
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
PDF
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
PDF
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
IAEME_Publication_Call_for_Paper_September_2022.pdf
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
GANDHI ON NON-VIOLENT POLICE
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT

A honeynet framework to promote enterprise network security

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 – 6367 (Print), ISSN 0976 – 6375 (Online), Volume 4, Issue 1, January-February (2013), pp. 404-413, © IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2012): 3.9580 (Calculated by GISI), www.jifactor.com

A HONEYNET FRAMEWORK TO PROMOTE ENTERPRISE NETWORK SECURITY

Mumtaz M.A. AL-Mukhtar (1), Badour W. Kasim (2)
(1) Information Engineering College, AL-Nahrain University, Iraq
(2) Information Engineering College, AL-Nahrain University, Iraq

ABSTRACT

This research introduces a mechanism of intrusion detection based on high-interaction honeypots to assist efficiently in gathering information concerning intruders attacking an enterprise network via the Internet. High-interaction honeypots are implemented as a honeynet, which consists of a network of two servers with controlled services. Controlling the data is performed by means of data capturing and restricting the traffic that enters and leaves the network. The proposed system consists of five constituent modules: Honeypots, Sniffing, Tracing, Alert and Control. Honeypots provide real operating system files and services. The decoy implemented is based on honeyfiles and setting service configuration to reduce the cost of maintaining honeypots as well as to improve the accuracy in threat detection. Data transfer between the honeypots’ modules is accomplished using Windows Communication Foundation (WCF) services that assist in conveying data in a secure way. The main aim of this work is to identify the best traffic features or parameters that can be used to identify intruders and in profiling attacks and attackers.

Keywords: Attack Monitoring, High-Interaction Honeypot, Honeynet, Intrusion Detection System, Network Security.

1. INTRODUCTION

The challenges of securing enterprise networks in the face of intruders armed with the tools of compromise have become overwhelming and are still growing. With security administrators supporting an ever-growing number of users, such consistent interaction with security mechanisms has become impractical. Therefore, today’s enterprise requires a security solution that will not only prevent the most advanced intruder, but will also accomplish this with minimal configuration and supervision [1].
There have been several attempts to identify originators of attack packets on the network. A common technique is a honeypot, which is defined as "a security resource whose value lies in being probed, attacked or compromised" [2]. Honeypots, according to their level of interaction, can be classified into low-interaction, medium-interaction, and high-interaction honeypots [3]. Normally, low-interaction honeypots work exclusively by emulating operating systems and services. The attacker’s activities are limited to the honeypot’s level and quality of emulation [4]. Medium-interaction honeypots are slightly more sophisticated than low-interaction honeypots. They provide the attacker with a better illusion of an operating system since there is more for the attacker to interact with. More complex attacks can therefore be logged and analyzed [5]. High-interaction honeypots constitute a complex solution because they involve operating systems and real applications implemented on real hardware, without emulation software, running in a normal way; many times they are directly related to services such as databases and shared folders [6].

A honeynet is simply a network that contains one or more honeypots [7]. More precisely, it is a high-interaction honeypot that is designed to be attacked with the actual intention of providing extensive information on threats; it provides real systems, applications, and services for attackers to interact with, and detects new malicious attempts [8].

The remaining part of this paper is organized as follows: Section 2 reviews related literature. Section 3 gives the overall system layout. Section 4 explains the system design and implementation of the constituent modules. Finally, section 5 describes the concluding remarks.

2. RELATED LITERATURE

Previous research on high-interaction honeypots includes detecting threats and improving network security [9, 10], designing a honeypot capable of learning from attackers and of dynamically changing its behavior using a variant of reinforcement learning [11], utilizing a high-interaction honeypot for SQL injection analysis [12], and improving the detection speed and attack collection scheme of high-interaction client honeypots [13, 14].

Different aspects of honeynet architectures are brought out in the literature. Honeynets have been used in assessing network security and as proactive security systems [15, 16]. Aspects of using honeynets in educational areas are tackled in [17, 18]. Deployment of honeynets for forensic analysis of attacks from the Internet is discussed in [19, 20]. Detecting and removing Internet worms and innocuous traffic related packets is proposed in [21, 22]. Detecting and defending against botnets is highlighted in [23]. Managing a honeynet as a distributed architecture is disclosed in [24]. Using virtual technology to construct a honeynet is described in [25, 26].

In contrast with the recent generation of high-interaction honeypots, our work goes one step further. We improve the administration and the security enforcement to get an automated protection system serving as an early-warning and advanced security surveillance tool, minimizing the risks from attacks on enterprise networks and ensuring that honeypots retain their usefulness as profiling tools.

3. SYSTEM OVERVIEW

The system layout is depicted in figure 1. The devised network comprises a pair of nodes configured as a honeynet, connected by a switch to another node which is configured as the monitoring station. Each node in the honeynet acts as a high-interaction honeypot, using real operating systems and services with decoy files. A firewall is also configured at the monitoring station to accept connections only from the honeypot devices, as a security measure for the monitoring station.
Honeypots provide real services for attracting attackers. Once an attacker attempts to access the honeypot server, its data is captured and stored in a database. These stored packets are then transferred securely to the monitoring station using web services. The monitoring station reads the acquired information to prepare a report as an Extensible Markup Language (XML) file, which is sent by e-mail to the administrator of the network as an alert. It also provides a Graphical User Interface (GUI) to monitor the extracted information.

Fig.1- System Layout

4. SYSTEM DESIGN

The designed Honeynet contains two Honeypots, which are servers connected to the Internet and expressly set up to attract intruders. The designed system comprises several cooperating modules organized within the honeypots and the monitoring station. The function of these modules is illustrated in figure 2.

Fig.2- System Modules
4.1 Sniffing Module

It runs in a network-attached device that passively receives all data link layer frames passing through the device’s network adapter. The packet sniffer captures the data that is addressed to the honeypot machine, saving it for later analysis. Using the information captured by the packet sniffer, malicious packets can be identified to help maintain network traffic information. The sniffer is designed with four components:

A. The hardware: The Network Interface Card (NIC) is configured in promiscuous mode.
B. Capture Driver: It captures the network traffic from the wire and filters it for the particular traffic.
C. Buffer: Once the frames are captured from the network, they are stored in a buffer.
D. Decode: This displays the contents of the network traffic with descriptive text.

Operation steps of this module are shown in figure (3).

Fig.3- Sniffer Operation

The capture process takes place at the kernel level while packet processing is performed at user level. When the kernel gets a packet from the network interface, it copies it from the kernel interface space to the user space. The filtering step is used if the system is interested in capturing a specific type of packet, by instructing the kernel to get a copy of the packets that match a filter expression. The packet processing operation is used to extract packet information and store it in the database. Thereafter all required packets are sent to the monitoring station to be analyzed. The steps are illustrated in figure (4).

Fig.4- Packet Processing at Sniffing Module
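The filter, decode and store steps of section 4.1, sketched in Python as an added example (not the authors' implementation, which the paper does not list). The frames are constructed test input, the honeypot address 192.0.2.10 is an assumed documentation-range value, and the filter is applied in user space here rather than in the kernel; the ThePacket columns IP, Protocol and Data follow the table named in section 4.6.

```python
import socket
import sqlite3
import struct

HONEYPOT_IP = "192.0.2.10"   # assumed honeypot address (documentation range)
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a sample Ethernet/IPv4/TCP frame (test input; checksums left at 0)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def decode(frame):
    """Decode step: header fields as a dict, or None if the frame cannot be parsed."""
    if len(frame) < 14 + 20:
        return None                                  # truncated before the IPv4 header ends
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    l4 = frame[14 + ihl:14 + total_len]              # slice never reads past the frame
    rec = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "protocol": PROTOCOLS.get(proto, str(proto)),
           "sport": None, "dport": None, "data": b""}
    if proto == 6 and len(l4) >= 20:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        offset = (l4[12] >> 4) * 4                   # TCP header length including options
        if 20 <= offset <= len(l4):
            rec["data"] = l4[offset:]
    elif proto == 17 and len(l4) >= 8:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["data"] = l4[8:]
    return rec


def wanted(rec, honeypot_ip=HONEYPOT_IP):
    """Filter step: keep only traffic addressed to the honeypot."""
    return rec is not None and rec["dst"] == honeypot_ip


def process(frames, db):
    """Run buffered frames through decode -> filter -> store; return rows stored."""
    db.execute("CREATE TABLE IF NOT EXISTS ThePacket (IP TEXT, Protocol TEXT, Data BLOB)")
    stored = 0
    for frame in frames:
        rec = decode(frame)
        if wanted(rec):
            db.execute("INSERT INTO ThePacket (IP, Protocol, Data) VALUES (?, ?, ?)",
                       (rec["src"], rec["protocol"], rec["data"]))
            stored += 1
    db.commit()
    return stored


# Constructed sample buffer: one hit, one frame for another host, one truncated frame.
SAMPLE_FRAMES = [
    build_frame("198.51.100.7", HONEYPOT_IP, 40000, 21, b"USER anonymous\r\n"),
    build_frame("198.51.100.7", "192.0.2.99", 40001, 80),
    build_frame("203.0.113.5", HONEYPOT_IP, 40002, 23)[:30],
]

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    print(process(SAMPLE_FRAMES, conn), "packet(s) stored")
    for row in conn.execute("SELECT IP, Protocol, Data FROM ThePacket"):
        print(row)
```

The truncated frame is dropped at the decode step instead of raising, so a malformed packet sent at the honeypot cannot stop the capture loop.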
4.2 Honeypot Servers

These servers are designed to allure intruders by providing a web interface through the Internet. One server is configured with the Windows 2012 Server operating system while the other is configured with the Ubuntu Linux operating system, providing different web services (HTTP, FTP, SMTP, SSH, and Telnet). Each honeypot runs two modules: the web interface module for connecting with intruders and the sniffing module, which is used for capturing network traffic.

Service configuration can be done either by using a fake server or by decoy real services. This system is based on a honeynet using real services. The decoy method is based on providing honeyfiles. A honeyfile is a bait file that is intended for hackers to open; when the file is accessed, data is captured and an alarm is triggered.

4.3 Application Server

The application server provides an interface with outside network clients. It is built in order to advertise web services. All requests received by this server are logged into the database. Figure (5) shows a block diagram of the application server operation.

When attackers access the application server, their browsers send a number of headers to the honeypot server. These headers occur during a negotiation process that helps the browsers and the honeypot server determine the best way to provide the requested information. The request parser is used for analyzing these headers to identify the information related to users accessing the server. This information is extracted from the HTTP request properties, which contain tokens that provide specific details about the users activating the request, including IP address, date, operating system versions, hosting services and time duration of the interaction.

Figure (6) shows the steps of the information extracting process carried out by the application server.

Fig.5- Application Server Operation
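One way the request parser of section 4.3 could build a session record, as an added Python example (not the authors' code). The sample request is constructed; the OS patterns and the Request, Host and ClaimedForwardedFor fields are assumptions of this sketch, and the source IP is taken from the socket peer address because every header value is supplied by the client.

```python
import re
from datetime import datetime, timezone

MAX_FIELD = 256   # assumed cap on any stored header value

# User-Agent platform token -> OS label, most specific first. The header is
# client-controlled, so the result is a hint for profiling, not a fact.
OS_PATTERNS = [
    (re.compile(r"Windows NT (\d+\.\d+)"), "Windows NT {}"),
    (re.compile(r"Android (\d+(?:\.\d+)*)"), "Android {}"),
    (re.compile(r"Mac OS X (\d+(?:[._]\d+)*)"), "Mac OS X {}"),
    (re.compile(r"(Linux)"), "{}"),
]


def clean(value):
    """Drop control characters so a header value cannot forge extra log lines."""
    return "".join(ch for ch in value if ch.isprintable())[:MAX_FIELD]


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, {lowercased-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            # First occurrence wins; later duplicates are ignored.
            headers.setdefault(name.strip().lower(), clean(value.strip()))
    return clean(lines[0]), headers


def detect_os(user_agent):
    """Return an OS label from the User-Agent string, or "unknown"."""
    for pattern, label in OS_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return label.format(match.group(1).replace("_", "."))
    return "unknown"


def session_record(raw, peer_ip, entry, exit_):
    """Build one session row; peer_ip comes from the socket, never from headers."""
    request_line, headers = parse_headers(raw)
    return {
        "IP": peer_ip,
        "OS": detect_os(headers.get("user-agent", "")),
        "EntryDateTime": entry.isoformat(),
        "ConnectionDuration": (exit_ - entry).total_seconds(),
        "Request": request_line,
        "Host": headers.get("host", ""),
        # Recorded as a claim made by the client, not used as the source address.
        "ClaimedForwardedFor": headers.get("x-forwarded-for", ""),
    }


# Constructed sample request; the X-Forwarded-For value carries a bare newline
# of the kind that would otherwise split one log entry into two.
SAMPLE_REQUEST = (
    b"GET /admin/backup.zip HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11\r\n"
    b"X-Forwarded-For: 10.0.0.1\n2013-01-01 fake entry\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    start = datetime(2013, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    end = datetime(2013, 1, 15, 10, 0, 42, tzinfo=timezone.utc)
    for key, value in session_record(SAMPLE_REQUEST, "198.51.100.7", start, end).items():
        print(f"{key}: {value}")
```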
Fig.6- Information Extracting by the Application Server

4.4 Information Transfer

To provide a secure way of analyzing data and gathering more information about malicious traffic, all data stored inside the honeypots’ database servers is transferred to the monitoring machine. Windows Communication Foundation (WCF) is used to transfer information from the honeypot servers to the monitoring station. In the current design WCF sends data as asynchronous messages from one service endpoint to another. The designed WCF service consists of two components:

A. Endpoint: Endpoints provide clients access to the functionality offered by a WCF service. Each endpoint consists of three properties:
• An address that indicates where the endpoint is found.
• A binding that specifies how the monitoring machine can communicate with the service endpoint.
• A contract that identifies the operations available by WCF.
B. Service Host: The Service Host object is part of the process of hosting the WCF service inside the application server within the honeypots and registering endpoints.

Figure (7) shows the architecture of the designed WCF.

Fig.7- The Architecture of the Designed WCF

4.5 Control Module

This is the central module located in the monitoring station. It provides a GUI to control and monitor system data and functions. Two modules are integrated inside this module: the Tracing Module and the Alert Module.

4.6 Tracing Module

The tracing module collects information extracted from the honeypot servers concerning each intruder. This information is logged into the system database. Its main function is to analyze information in separate background functions. Each background function analyzes part of the received information in a separate thread. A background function provides a responsive user interface even with the long delays associated with such operations. Three background functions deal with downloading and collecting information received from the honeypot devices. Each background function deals with a part of the honeypot database tables. These background functions are:

A. UsersBackup
It is implemented to download and update users information received from TheUsers database table located at the honeypots. UsersBackup contains an IpInfo() function that gets location information from the Whois and IP2Location databases. Information collected from this background function is: IP, country, city, region, latitude, longitude and ISP of the intruder machine. This is carried out by initiating two connections to the remote location databases (the Whois and IP2Location databases). The connection to the IP2Location database is established by using an HTTP request to the database server, while the connection to the Whois database is established as a TCP connection.
B. SessionsBackup
The second background function is implemented to download and update sessions information received from TheSession database table located at the honeypots. Information collected from this background function is: IP, HostingSerivce, OS (Operating System), EntryDateTime, ConnectionDuration and OpenPorts. Port scanning is invoked using an Asynchronous JavaScript and XML (AJAX) service to determine open ports. The port scan uses the AJAX service with WebGetAttribute to send requests to a range of ports at the intruder machine and is configured to use the JavaScript Object Notation (JSON) data format for responses.

C. PacketsBackup
The third background function is implemented to download and update packets information received from ThePacket database table located at the honeypots. Information collected from this background function is: IP, Protocol and Data. All data packets during each session related to a single user are saved for future analysis by the system administrator.

4.7 Alerting Module

Two methods are implemented through this module: logging and alert. The logging method collects and processes data from other modules and makes it available in an XML file format. The collected information is used to generate reports and is used by the alert method. The alert method generates alerts via an administrator e-mail at pre-defined time intervals. The frequency of e-mails and their sender and recipient can be configured.

5. CONCLUSIONS

In this work, we exploited the concept of high-interaction honeypots in depth to capture and analyze intruders' data and to help observe intruders' behavior, providing versatile information concerning security threats and their behavior. However, it can be customized to capture specific data. As honeypots capture the malicious traffic, they also capture the new tools used by the blackhats. Moreover, the geographical location of intruders is explored by utilizing the Whois and IP2Location databases. IP GeoLocation depends on semantic approaches, and therefore could be accurate. The system uses JavaScript code to scan ports to gain access to the intruder machine even if the firewall is running. This enhances the system's ability to be hosted in different environments (.Net and JavaScript). System testing shows that the developed honeynet can successfully remedy the deficiencies of existing monitoring systems and improve the performance of the safety defense systems.

REFERENCES

[1] Kuwatly Iyad, Sraj Malek, Al Masri Zaid, and Artail Hassan, “A Dynamic Honeypot Design for Intrusion Detection”, Proceedings of the IEEE/ACS International Conference on Pervasive Services (ICPS’04), pp. 1-10, 2004.
[2] Spitzner, L. Honeypots: Tracking Hackers. Addison Wesley, 2003.
[3] Iyatiti Mokube and Michele Adams, "Honeypots: Concepts, Approaches, and Challenges", Proceeding Of The 45th Annual Southeast Regional Conference (ACMSE'07), pp. 321-326, 2007.
[4] Abhishek Mairh, Debabrat Barik, and Kanchan Verma, "Honeypot in Network Security: A Survey", Proceedings of the 2011 International Conference on Communication, Computing & Security (ICCCS '11), pp. 600-605, 2011.
[5] Pei-Sheng Huang, Chung-Huang Yang, and Tae-Nam Ahn, "Design And Implementation Of A Distributed Early Warning System Combined With Intrusion Detection System And Honeypot", International Conference on Convergence and Hybrid Information Technology (ICHIT '09), pp. 232-238, 2009.
[6] Briffaut Jeremy, Lalande Jean-Francois, and Toinard Christian, "Security and Results of a Large-Scale High-Interaction Honeypot", Journal of Computers, Vol. 4, No. 5, pp. 395-404, 2009.
[7] Yang Y., Yang H., and Mi J., "Design of Distributed Honeypot System Based on Intrusion Tracking", IEEE 3rd International Conference on Communication Software and Networks (ICCSN), pp. 196-198, 2011.
[8] Ritu Tiwari, and Abhishek Jain, "Improving Network Security and Design using Honeypots", Proceedings of the CUBE International Information Technology Conference (CUBE '12), pp. 847-852, 2012.
[9] Briffaut J., Rouzaud-Cornabas J., Toinard C., and Zemali Y., "A New Approach to Enforce the Security Properties of a Clustered High-Interaction Honeypot", International Conference on High Performance Computing & Simulation (HPCS '09), pp. 184, 192, 2009.
[10] Bhumika, and Vivek Sharma, "Use of Honeypots to Increase Awareness Regarding Network Security", International Journal of Recent Technology and Engineering (IJRTE), Vol. 1, Issue 2, pp. 171-175, 2012.
[11] Gerard Wagener, Radu State and Thomas Engel, Alexandre Dulaunoy, "Adaptive and Self-Configurable Honeypots", 12th IFIP/IEEE International Symposium on Integrated Network Management, pp. 345-352, 2011.
[12] Jiao Ma, Kun Chai, Yao Xiao, Tian Lan, and Wei Huang, "High-Interaction Honeypot System for SQL Injection Analysis", International Conference on Information Technology, Computer Engineering and Management Sciences (ICM), pp. 274-277, 2011.
[13] Hong-Geun Kim, Dong-Jin Kim, Seong-Je Cho, "An Efficient Visitation Algorithm to Improve the Detection Speed of High-Interaction Client Honeypots", Proceedings of the ACM Symposium on Research in Applied Computation (RACS '11), pp. 266-271, 2011.
[14] Yagi Takeshi, Tanimoto Naoto, Hariu Takeo, and Itoh Mitsutaka, "Enhanced Attack Collection Scheme on High-Interaction Web Honeypots", IEEE Symposium on Computers and Communications (ISCC), pp. 81-86, 2010.
[15] Olivier Thonnard, and Marc Dacier, "A Framework for Attack Patterns' Discovery Honeynet data", Digital Investigation, Volume 5, Supplement, pp. S128-S139, September 2008.
[16] Dongwoo Kwon, Hong J.W, and Hongtaek Ju, "DDoS Attack Forecasting System Architecture Using Honeynet", 14th Asia-Pacific Network Operations and Management Symposium (APNOMS), pp. 1-4, 2012.
[17] Ateeq Ahmad, Muhammad Ali, and Jamshed Mustafa, "Benefits of Honeypots in Education Sector", International Journal of Computer Science and Network Security, Vol. 11, No. 10, pp. 24-28, 2011.
[18] O'Leary M., Azadegan S., Lakhani, J., "Development of a Honeynet Laboratory: a Case Study", Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD'06), pp. 401-406, 2006.
[19] Stephan Riebach, Erwin P. Rathgeb, and Birger Toedtmann, "Efficient Deployment of Honeynets for Statistical and Forensic Analysis of Attacks from the Internet", Proceedings of the 4th IFIP-TC6 international conference on Networking Technologies, Services, and Protocols, pp. 756-767, 2005.
[20] Bhatia J.S., Sehgal R., Bhushan, B., and Kaur, H., "A Case study on Host Based Data Analysis & Cyber Criminal Profiling in Honeynets", First International Conference on Communication Systems and Networks (COMSNETS 2009), pp. 1-2, 2009.
[21] Pragya Jain, and Anjali Sardana, "Defending against Internet Worms using Honeyfarm", Proceedings of the CUBE International Information Technology Conference (CUBE '12), pp. 795-800, 2012.
[22] Kumar Upendra, Kumar Mishra Bimal, and Sahoo G., "Defending Polymorphic Worms in Computer Network using Honeynet", International Journal of Engineering Science and Technology (IJEST), Vol. 4, No. 04, pp. 1908-1411, 2012.
[23] J.S. Bhatia, R.K. Sehgal, and Sanjeev Kumar, "Botnet Command Detection using Virtual Honeynet", International Journal of Network Security & Its Applications, Vol. 3, Issue 5, pp. 177-189, 2011.
[24] Leita C., Pham V.H., Thonnard O., Ramirez E.S., Pouget F., Kirda E., and Dacier M., "The Leurre.com Project: Collecting Internet Threats Information Using a Worldwide Distributed Honeynet", Workshop on Information Security Threats Data Collection and Sharing (WISTDCS '08), pp. 40-57, 2008.
[25] Sun Bing, Wang Hai-feng, and Cheng Ling, "Study of Network Security Situation in Honeynet", Proceedings of International Conference on Modelling, Identification & Control (ICMIC), pp. 519 – 523, 2012.
[26] Liu Tian-Hua, Yi Xiu-Shuang, and Ma Shi-Wei, "Core Functions Analysis and Example Deployment of Virtual Honeynet", First International Conference on Robot, Vision and Signal Processing (RVSP), pp. 212-215, 2011.
[27] Dillip Kumar Mahapatra, Tanmaya Kumar Das and Gopakrishna Pradhan, “Guidelines for Managing Distributed Software Project under Deployment”, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 34 - 45, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375, Published by IAEME.
[28] Syeda Gauhar Fatima, Dr. Syed Abdul Sattar and Dr. K. Anita Sheela, “Energy Efficient Intrusion Detection System for WSN”, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246 - 250, ISSN Print: 0976-6464, ISSN Online: 0976 – 6472, Published by IAEME.