The Use of Honeynet to Detect Exploited Systems
Amar Koppal (1), Shishir Samani (2)
P A College of Engineering (1), P A College of Engineering (2)
amarkoppal09@gmail.com (1), shishir.s42@gmail.com (2)
Abstract─ Computer networks connected to the Internet continue to be compromised and exploited by hackers, even though many networks run the same type of security mechanism at their connection to the Internet. With the rapid development of network technology, new methods of attacking networks appear endlessly. Traditional firewalls, which depend on a static feature database, are increasingly limited against these attacks; social networking sites and large enterprise networks in particular are being targeted. In the past, hackers roamed the network with supreme confidence in their anonymity, using systems they had compromised to chat with their buddies safely or to launch attacks against other systems and sites without fear of detection. To alleviate this problem, in this paper we propose a honeynet-based firewall scheme with proactive security strategies. In this scheme, a data-analyzing module promptly discovers new attack behaviours by applying data-mining techniques to the output of the honeynet, and, based on these findings, a rule-learning module dynamically creates new defence rules and applies them to the firewall. In this way the firewall keeps enriching its security strategies, which greatly enhances its ability to defend against new attacks. The technique responds more quickly and accurately to unknown attacks and makes the internal network more secure.
Index Terms─ Cybercrime, data-mining, firewall, honeynet,
honeypot, hackers, IDS.
I. INTRODUCTION
One of the most active threats we face today on the
Internet is cyber-crime. Increasingly capable hackers are
constantly developing more sophisticated means of
profiting from online criminal activity. It’s become very
hard to track these hackers. Computer networks that are
currently connected to the Internet are vulnerable to a
variety of exploits that can compromise their intended
operations. Systems can be subject to Denial of Service
attacks that prevent other computers from connecting to
them for their provided service (e.g. web server) or prevent
them from connecting to other computers on the Internet.
They can be subject to attacks that cause them to cease
operations either temporarily or permanently. A hacker
may be able to compromise a system and gain root access,
i.e. the ability to control that system as if the hacker was
the system administrator. The number of exploits targeted
against various platforms, operating systems, and
applications increases on a daily basis. System
administrators are usually responsible for monitoring the
overall security of their networks.
System administrators use a variety of methods to protect
the security of their networks. The use of firewalls at the
border of their network and the Internet is one such
method that is in current use today. Firewalls are used to
control the flow of traffic between the local network and
the Internet. Based on the characteristics of the network
traffic, to include requested services, source and
destination addresses, and individual users, a firewall will
make a decision on whether to allow the traffic to pass
through the network. A firewall can be considered as a
traffic cop [1].
Another method that may be used by system users is the
use of an Intrusion Detection System (IDS). An IDS is
used to detect and alert on possible malicious events
within a network. IDS sensors may be placed at various
points throughout the network, to include the interfaces
between the local network and the Internet, critical points
within the local network, or on individual host systems.
An IDS is normally signature based, i.e., it will look for
predefined signatures of bad events. These signatures
normally reside in a database associated with the IDS.
They may also perform statistical and anomaly analysis of
network traffic to detect malicious intrusions. When
malicious activity is detected they can notify the system
administrator or the user.
The use of IDS and firewalls provides a level of security
protection to the system administrator. However, there are
recognized shortfalls with the use of an IDS and firewalls
to protect a network. The shortcomings associated with a
firewall include the following:
1. The firewall cannot protect against attacks that bypass
it, such as a dial–in or dial-out capability.
2. The firewall at the network interface does not protect
against internal threats.
3. The firewall cannot protect against the transfer of
virus-laden files and programs [2].
We speculate that in certain cases high volumes of
network traffic may overwhelm the network monitoring
capability of the firewall resulting in the possible passing
of malicious traffic between networks.
The use of IDS as a network security device also leads to
shortcomings. It has been speculated that in some cases an
IDS fails to provide an additional level of security to a
network and only increases the complexity of the security
management problem. Shortcomings associated with an
IDS include a high level of false positive and false
negative alerts [3].
We propose that the use of a Honeynet within a network
can provide an additional layer of network security. The
Honeynet can serve as a complement to the use of the
firewall and IDS and help to overcome some of the
shortcomings that are inherent to these systems.
A. Definition of a Honeynet
A Honeynet is a network, placed behind a reverse firewall
that captures all inbound and outbound data. The reverse
firewall limits the amount of malicious traffic that can
leave the Honeynet. This data is contained, captured, and
controlled. Any type of system can be placed within the
Honeynet, to include those systems that are currently
employed on the network that the Honeynet is intended to
protect. Standard production systems are used on the
Honeynet, in order to give the hacker the look and feel of a
real system. A Honeynet is a network that is intended to
be compromised: its purpose is to get attacked, so that
an attacker's activities and methods can be studied.
This information can then be used to increase network
security and to provide the system administrator
with intelligence about vulnerabilities and compromises
within the network [4].
B. Concept of Data Capture and Data Control
There are two critical principles concerning the successful
operation of a Honeynet. These two principles are the
concept of Data Capture and Data Control. Both of
these principles must be followed in order for the
Honeynet to be successfully employed in protecting a
network.
The principle of Data Capture concerns information
gathering. All information that enters or leaves the
Honeynet must be collected for analysis. This data must
be collected without the knowledge of the individuals who
are conducting malicious activity against the network that
is to be protected. This is to prevent the hacker from
bypassing the Honeynet network. The data that is
collected must be stored in a location different from the
Honeynet. This is done so that if the hacker compromises
a Honeynet system, the data cannot be destroyed or
altered. The goal is to be able to capture data on the
hacker without the hacker knowing that this data is being
collected.
The principle of Data Control concerns protecting other
networks from being attacked and compromised by
computers on the Honeynet. If a hacker compromises a
Honeynet system, then this hacker must be prevented from
using this system to attack and compromise production
systems on other networks. The process of Data Control
must be automated to prevent the hacker from getting
suspicious. We do not want the hacker to become aware
of the fact that the system he has compromised is on a
Honeynet [5]. There are generally two kinds of Honeynet,
GEN I and GEN II, which are described next.
C. GEN I vs. GEN II Honeynets
There are currently two types of Honeynets that can be
employed on a network. These are GEN I, or first
generation, and GEN II, or second generation. The type of
Honeynet that one chooses to use depends on many factors
to include availability of resources, types of hackers and
attacks that you are trying to detect, and overall experience
with the Honeynet methodology.
GEN I Honeynets are the simpler methodology to employ.
This technology was first developed in 1999 by the
Honeynet Alliance. Although GEN I Honeynets are
somewhat limited in their ability for Data Capture and
Data Control, they are highly effective in detecting
automated attacks or beginner level attacks against targets
of opportunity on the network. Their limitations in Data
Control make it possible for a hacker to fingerprint them as
a Honeynet. They also offer little to a skilled hacker to
attract them to target the Honeynet, since the machines on
the Honeynet are normally just default installations of
various operating systems.
GEN II Honeynets were developed in 2002 to address the
shortcomings inherent with GEN I Honeynets. The
primary area that was addressed by GEN II Honeynets is
in the area of Data Control. GEN I Honeynets used a
firewall to provide Data Control by limiting the number of
outbound connections from the Honeynet. This is a very
effective method of Data Control, however, it lacks
flexibility and allows for the possibility of the hacker
fingerprinting the Honeynet. GEN II Honeynets provide
Data Control by examining outbound data and deciding
whether to block it, to pass it, or to modify it by changing
some of the packet contents so that the data appears to
pass but is rendered benign. GEN II Honeynets are more
complex to deploy and maintain than GEN I Honeynets
[6].
Anyone who wants to deploy a honeynet can choose a GEN I
or a GEN II Honeynet, as each has its own advantages and
disadvantages. If the setup is for a school or college
system and you are new to honeynets, it is better to start
with a GEN I Honeynet.
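As an added illustration of the Data Control principle (Section B) and the GEN I approach of limiting outbound connections (Section C), the following Python script replays a constructed Honeywall connection log: any connection initiated by a honeypot raises a compromise alert, and outbound connections beyond an assumed per-hour limit are blocked. This is example code written for this edit, not code from the paper; the 10.0.0.0/24 honeynet range, the limit of 5 outbound connections per hour and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

HONEYNET = ipaddress.ip_network("10.0.0.0/24")  # assumed honeynet range (hosts of Fig B)
OUTBOUND_LIMIT = 5                               # assumed GEN I cap per honeypot per window
WINDOW = timedelta(hours=1)

# Constructed connection records in the form the Honeywall might log them:
# '<timestamp> <src> <dst> <proto> <dst port>'. Addresses are documentation ranges.
SAMPLE_LOG = """\
2013-03-04T10:00:01 203.0.113.7 10.0.0.20 tcp 445
2013-03-04T10:00:05 203.0.113.7 10.0.0.20 tcp 139
2013-03-04T10:02:10 10.0.0.20 198.51.100.9 tcp 6667
2013-03-04T10:02:11 10.0.0.20 198.51.100.10 tcp 80
2013-03-04T10:02:12 10.0.0.20 198.51.100.11 tcp 80
2013-03-04T10:02:13 10.0.0.20 198.51.100.12 tcp 80
2013-03-04T10:02:14 10.0.0.20 198.51.100.13 tcp 80
2013-03-04T10:02:15 10.0.0.20 198.51.100.14 tcp 80
2013-03-04T10:02:16 10.0.0.20 198.51.100.15 tcp 80
2013-03-04T11:30:00 10.0.0.20 198.51.100.16 tcp 80
2013-03-04T11:31:00 10.0.0.66 10.0.0.20 tcp 445
"""


def parse(line):
    """Parse one constructed log line into a record dict."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}


def direction(rec):
    """Classify a connection relative to the honeynet range."""
    src_in, dst_in = rec["src"] in HONEYNET, rec["dst"] in HONEYNET
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"


def data_control(records, limit=OUTBOUND_LIMIT, window=WINDOW):
    """Replay records through a GEN I style outbound policy.

    Returns (decisions, alerts): decisions is a list of (record, direction,
    action) with action 'pass' or 'block'; alerts records the first time each
    honeypot is seen initiating traffic, which marks it as compromised."""
    decisions, alerts, flagged = [], [], set()
    recent = defaultdict(list)   # honeypot -> timestamps of passed outbound connections
    for rec in records:
        d = direction(rec)
        # A honeypot has no production traffic, so any connection it initiates
        # (to the Internet or to a neighbouring honeypot) implies compromise.
        if d in ("outbound", "internal") and rec["src"] not in flagged:
            flagged.add(rec["src"])
            alerts.append(f"{rec['ts'].isoformat()} {rec['src']} initiated a "
                          f"connection to {rec['dst']}: treat as compromised")
        if d != "outbound":
            decisions.append((rec, d, "pass"))   # inbound traffic is captured, not limited
            continue
        hp = rec["src"]
        cutoff = rec["ts"] - window
        recent[hp] = [t for t in recent[hp] if t > cutoff]   # sliding one-hour window
        if len(recent[hp]) >= limit:
            decisions.append((rec, d, "block"))  # cap reached: contain the honeypot
        else:
            recent[hp].append(rec["ts"])
            decisions.append((rec, d, "pass"))
    return decisions, alerts


def outbound_actions(decisions):
    """Actions taken on outbound connections only, in log order."""
    return [a for _, d, a in decisions if d == "outbound"]


def run_sample():
    return data_control([parse(l) for l in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for a in alerts:
        print("ALERT", a)
    for rec, d, action in decisions:
        print(rec["ts"].isoformat(), d, rec["src"], "->", rec["dst"], action)
```

Blocked connections are not counted against the window, so a honeypot regains its allowance once the hour has passed, which is what keeps the limit from looking like a hard outage to whoever is driving the compromised host.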
D. Honeynet Architecture
The GEN II honeynet architecture is shown in Fig A.
Fig A: Honeynet architecture
The honeynet architecture consists of honeypots. A
honeypot is a security resource whose value lies in being
probed, attacked, or compromised. This means that
whatever we designate as a honeypot, our expectations and
goals are to have the system probed, attacked, and
potentially exploited. It does not matter what the resource
is (a router, scripts running emulated services, a jail, an
actual production system). What does matter is that the
resource's value lies in its being attacked. If the system is
never probed or attacked, then it has little or no value. This
is the exact opposite of most production systems, which
you do not want to be probed or attacked.
As should be apparent from this definition, honeypots are
different from most security tools in that they can take on
different manifestations. For example, firewalls are a
technology that protect your organization by controlling
what traffic can flow where. They are used as an access
control device. Network Intrusion Detection Systems are
designed to detect attacks by monitoring either system or
network activity. They are used to identify unauthorized
activity. Honeypots are different in that they aren't limited
to solving a single, specific problem. Instead, honeypots
are a highly flexible tool that can be applied to a variety of
different situations.
The architecture includes a Honeywall, which has three
network interfaces: two in bridge mode (eth0 and eth1) and a
third, eth2, with an IP stack used for management purposes.
The main advantage of the bridge mode is that it is harder
to detect by the attackers. For example, since the
Honeywall has no IP addresses (except for eth2), it does
not affect the TTLs (Time to Live) values of the traffic
entering/leaving the Honeynet. However, it can still
transparently control and capture all the data passing
through it. The management station has one network
interface with two IP addresses, one for the main network
and another to manage the Honeywall.
There are two types of honeypots: production honeypots
and research honeypots.
E. How Honeynet works
Conceptually, Honeynets are a simple mechanism that
work on the same principle as a honeypot. You create a
resource that has little or no production traffic. Anything
sent to the Honeynet is suspect, potentially a probe, scan,
or even an attack. Anything sent from a Honeynet implies
that it has been compromised: an attacker or tool is
launching activity. However, Honeynets take the concept
of honeypots one step further: Instead of a single system, a
Honeynet is a physical network of multiple systems.
Honeynets are not a product you install or an appliance
you drop on your network. Instead, Honeynets are an
architecture that builds a highly controlled network, within
which you can place any system or application you want.
It is this architecture that is your Honeynet. The Honeynet
operates as a kind of fishbowl, a self-contained
environment in which you can see everything that
happens.
Also, like a fishbowl, in a Honeynet you can create any
environment you want. In your fishbowl you can place
different types of fish. In Honeynets you can place
whatever systems and applications you want. Even though
the systems placed within your Honeynet may be built
identically to a production system, we define them as
honeypots because their value within the Honeynet is
being probed, attacked, or compromised. The captured
activity within this controlled environment is what teaches
us the tools, tactics, and motives of the blackhat
community.
There are three critical elements to a Honeynet
architecture: data control, data capture, and data collection.
These elements define your Honeynet architecture. Of the
three, the first two are the most important and apply to
every Honeynet deployment. The third, data collection,
only applies to organizations that deploy multiple
Honeynets in a distributed environment. Data control is the
controlling of the blackhat activity. Once a blackhat takes
control of a honeypot within the Honeynet, his activity has
to be contained so he cannot harm non-Honeynet systems.
Data capture is the capturing of all the activity that occurs
within the Honeynet. Data collection is the aggregation of
all the data captured by multiple Honeynets. Honeynets are
highly flexible: there is no specific way to implement a
Honeynet solution.
F. Advantages and Disadvantages
Data Value─ One of the challenges the security
community faces is gaining value from data. Organizations
collect vast amounts of data every day, including firewall
logs, system logs, and Intrusion Detection alerts. The sheer
amount of information can be overwhelming, making it
extremely difficult to derive any value from the data.
Honeypots, on the other hand, collect very little data, but
what they do collect is normally of high value. The
honeypot concept of no expected production activity
dramatically reduces the noise level. Instead of logging
gigabytes of data every day, most honeypots collect
several megabytes of data per day, if even that much. Any
data that is logged is most likely a scan, probe, or attack,
i.e. information of high value. Honeypots can give you the
precise information you need in a quick and easy-to-
understand format. This makes analysis much easier and
reaction time much quicker.
Resources─ Another challenge most security mechanisms
face is resource limitations, or even resource exhaustion.
Resource exhaustion is when a security resource can no
longer continue to function because its resources are
overwhelmed. For example, a firewall may fail because its
connections table is full, it has run out of resources, or it
can no longer monitor connections. This forces the firewall
to block all connections instead of just blocking
unauthorized activity. An Intrusion Detection System may
have too much network activity to monitor, perhaps
hundreds of megabytes of data per second. When this
happens, the IDS sensor's buffers become full, and it
begins dropping packets. A honeypot deployed on the
same network does not share this problem. The honeypot
only captures activities directed at itself, so the system is
not overwhelmed by the traffic. Where the IDS sensor may
fail because of resource exhaustion, the honeypot is not
likely to have a problem.
Simplicity─ I consider simplicity the biggest single
advantage of honeypots. There are no fancy algorithms to
develop, no signature databases to maintain, no rulebases
to misconfigure. You just take the honeypot, drop it
somewhere in your organization, and sit back and wait.
While some honeypots, especially research honeypots, can
be more complex, they all operate on the same simple
premise: If somebody or something connects to the
honeypot, check it out. As experienced security
professionals will tell you, the simpler the concept, the
more reliable it is. With complexity come
misconfigurations, breakdowns, and failures.
Disadvantages of Honeypots
Narrow Field of View─ The greatest disadvantage of
honeypots is they have a narrow field of view: They only
see what activity is directed against them. If an attacker
breaks into your network and attacks a variety of systems,
your honeypot will be blissfully unaware of the activity
unless it is attacked directly. If the attacker has identified
your honeypot for what it is, she can now avoid that
system and infiltrate your organization, with the honeypot
never knowing she got in. As noted earlier, honeypots
have a microscope effect on the value of the data you
collect, enabling you to focus closely on data of known
value. However, like a microscope, the honeypot's very
limited field of view can exclude events happening all
around it.
Risk─ They can introduce risk to your environment. By
risk, we mean that a honeypot, once attacked, can be used
to attack, infiltrate, or harm other systems or organizations.
As we discuss later, different honeypots have different
levels of risk. Some introduce very little risk, while others
give the attacker entire platforms from which to launch
new attacks. The simpler the honeypot, the less the risk.
For example, a honeypot that merely emulates a few
services is difficult to compromise and use to attack other
systems. In contrast, a honeypot that creates a jail gives an
attacker an actual operating system with which to interact.
An attacker might be able to break out of such a cage and
then use the honeypot to launch passive or active attacks
against other systems or organizations. Risk is variable,
depending on how one builds and deploys the honeypot.
II. STEPS TO BE TAKEN
1. Start small─ Begin initially with a single machine and
operating system that you are familiar with installed
behind the reverse firewall. This will allow you to begin
to understand how to analyze the data that you will receive
on the Honeynet. You will also be able to fine tune your
configuration. The more machines that you have, the more
data you will most likely receive going to and from the
Honeynet.
2. Focus on attacks and exploits originating from within
your enterprise network. These are the attacks that can do
the most damage to your enterprise. Inform your
enterprise administrators immediately of these types of
attacks since they indicate machines that have already been
compromised within the enterprise.
3. Don't publish the IP address range of the Honeynet.
There is no need to do this. Hackers and worms are
constantly scanning across the Internet for machines to
exploit. Your Honeynet will be found and attacked.
4. Don’t underestimate the amount of time required to
analyze the data collected from the Honeynet. This data
must be analyzed every day. You will be collecting lots of
information and it must be analyzed to provide any benefit.
Most attacks take seconds to compromise and take over a
vulnerable system. It can take weeks to analyze and
document such an attack.
5. Powerful machines are not necessary to establish the
Honeynet.
A. Differences per Operating System
In this section we analyse the distribution of attacks among
honeypots running different operating systems. Fig B
shows how attackers targeted the set of honeypots with
different operating systems. To test this, honeypots with
different environments were placed in the honeynet; some
ran Win 2000, others Win XP, Linux or Solaris. A system
running in any environment can be hacked, so honeypots
were tested on all of these environments. From the
analysis in Fig B it is clear that most of the attacks were
concentrated on Win 2000, followed by Win XP, and then
Linux and Solaris.
Win 2000 hosts were the primary targets of attack
signatures, followed by the Win XP host. In all phases
there were significantly fewer incidents reported for the
UNIX systems, Linux and Solaris. The fact that nearly 97%
of all signatures were targeted at Windows systems
was not unexpected, since it makes sense for attackers to
concentrate their effort on developing attacks for the clearly
dominating operating systems. However, the conclusion that
Windows systems are significantly more insecure.
Fig B: Distribution of attack signatures per honeypot: 10.0.0.20 (Win 2000) 52.36%, 10.0.0.77 (Win 2000) 40.27%, 10.0.0.66 (Win XP) 4.41%, 10.0.0.21 (Linux) 3%, 10.0.0.30 (Solaris) < 1%.
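The abstract's data-analyzing and rule-learning modules and the per-OS breakdown of Fig B, worked through as an added example that is not the paper's own code: a constructed set of honeynet alert records is tallied per target operating system, and firewall block rules are derived for external sources that hit two or more honeypots or exceed an assumed alert threshold. The alert format, the signature labels, the threshold of 3 and the iptables rule form are assumptions; only the honeypot addresses and OS labels come from Fig B.

```python
from collections import Counter, defaultdict

# Honeypot addresses and operating systems as labelled in the paper's Fig B.
HONEYPOT_OS = {
    "10.0.0.20": "Win2000",
    "10.0.0.77": "Win2000",
    "10.0.0.66": "WinXP",
    "10.0.0.21": "Linux",
    "10.0.0.30": "Solaris",
}
RULE_THRESHOLD = 3   # assumed: alerts from one source before a rule is learned

# Constructed alert records from the honeynet sensor, in the form
# '<timestamp> <source> <honeypot> <signature label>'. Labels are placeholders.
SAMPLE_ALERTS = """\
2013-03-04T10:00:01 203.0.113.7 10.0.0.20 SMB-probe
2013-03-04T10:00:05 203.0.113.7 10.0.0.77 SMB-probe
2013-03-04T10:01:00 203.0.113.7 10.0.0.66 SMB-probe
2013-03-04T10:05:00 198.51.100.4 10.0.0.20 HTTP-probe
2013-03-04T10:06:00 198.51.100.4 10.0.0.20 HTTP-probe
2013-03-04T10:07:00 198.51.100.4 10.0.0.20 HTTP-probe
2013-03-04T10:08:00 192.0.2.9 10.0.0.21 SSH-probe
2013-03-04T10:09:00 192.0.2.9 10.0.0.30 SSH-probe
2013-03-04T10:10:00 192.0.2.50 10.0.0.20 SMB-probe
2013-03-04T10:11:00 10.0.0.20 10.0.0.66 SMB-probe
"""


def parse_alert(line):
    ts, src, dst, sig = line.split()
    return {"ts": ts, "src": src, "dst": dst, "sig": sig}


def attacks_by_os(alerts):
    """Data-analyzing module: count alerts per target operating system."""
    counts = Counter()
    for a in alerts:
        os_name = HONEYPOT_OS.get(a["dst"])
        if os_name is None:
            continue   # a non-honeypot destination is not a honeynet alert
        counts[os_name] += 1
    return dict(counts)


def share(counts):
    """Percentage share of alerts per OS, the quantity plotted in Fig B."""
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()} if total else {}


def learn_rules(alerts, threshold=RULE_THRESHOLD):
    """Rule-learning module: a source earns a block rule once it has hit two or
    more honeypots, or `threshold` alerts in total. Honeypot addresses are never
    blocked here; traffic they initiate is the data-control module's concern."""
    hits = defaultdict(list)   # src -> honeypots hit, in order
    first_seen = {}
    for a in alerts:
        if a["src"] in HONEYPOT_OS:
            continue
        hits[a["src"]].append(a["dst"])
        first_seen.setdefault(a["src"], a["ts"])
    rules = []
    for src in sorted(hits, key=first_seen.get):
        targets = set(hits[src])
        if len(targets) >= 2 or len(hits[src]) >= threshold:
            reason = f"{len(hits[src])} alerts against {len(targets)} honeypot(s)"
            rules.append({"src": src, "reason": reason,
                          "rule": f"iptables -I FORWARD -s {src} -j DROP"})
    return rules


def run_sample():
    alerts = [parse_alert(l) for l in SAMPLE_ALERTS.splitlines()]
    return attacks_by_os(alerts), learn_rules(alerts)


if __name__ == "__main__":
    counts, rules = run_sample()
    for os_name, pct in share(counts).items():
        print(f"{os_name:8s} {pct:6.2f}%")
    for r in rules:
        print(r["rule"], "#", r["reason"])
```

Rules are emitted in order of the source's first appearance so that the earliest-seen attacker is pushed to the firewall first; a source that touched a single honeypot only once stays below the threshold and gets no rule.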
III. CONCLUSION
A further benefit of the Honeynet is one of research in the
areas of Information Assurance and Intrusion Detection.
The possibility exists to detect new exploits launched
against the campus network. Under the principles of data
capture, all data associated with these exploits is collected
for further analysis. As a result, counter measures can be
taken against these new exploits and signatures targeting
these exploits can be developed for the Enterprise IDS
systems. As there is a Honeynet project in India, it is the best
platform for all interested minds looking at the security field
to come forward and contribute.
IV. REFERENCES
[1] E. Skoudis, Counter Hack, Upper Saddle River, NJ: Prentice Hall PTR, 2002, p. 47.
[2] W. Stallings, Network Security Essentials, Upper Saddle River, NJ: Prentice Hall PTR, 2000, p. 322.
[3] R. Stiennon, M. Easley, Intrusion Prevention Will Replace Intrusion Detection, Gartner Research Notes, 30 August 2002, available at http://www.gartner.com/reprints/intruvert/109596.html, Dec 2002.
[4] The Honeynet Project, Know Your Enemy, Indianapolis, IN: Addison-Wesley, 2002, pp. 12-17.
[5] The Honeynet Project, Know Your Enemy, p. 20.
[6] L. Spitzner, Honeypots: Tracking Hackers, Indianapolis, IN: Addison-Wesley, 2003, pp. 242-261.

More Related Content

PDF
NSA and PT
PDF
IDS Research
PDF
Welcome to International Journal of Engineering Research and Development (IJERD)
PDF
Intrusion Detection and Prevention System in an Enterprise Network
PDF
IRJET- Study of Hacking and Ethical Hacking
PPTX
Wireless Networking
PDF
Bt33430435
NSA and PT
IDS Research
Welcome to International Journal of Engineering Research and Development (IJERD)
Intrusion Detection and Prevention System in an Enterprise Network
IRJET- Study of Hacking and Ethical Hacking
Wireless Networking
Bt33430435

What's hot (18)

DOC
06686259 20140405 205404
PPT
Network security
PPTX
Introduction to Intrusion detection and prevention system for network
PDF
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
PDF
Network srcurity
PPSX
Intrusion detection system
PDF
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
PPT
Network Security
PPTX
Data Network Security
PPTX
Impact to it security of incorrect configuration of firewall policies and thi...
PDF
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...
PPTX
Intrusion detection
 
PPTX
Network security
PPT
Ne Course Part Two
PPT
Ch04 Network Vulnerabilities and Attacks
PPTX
Modern Network Security Issue and Challenge
PPT
intruders types ,detection & prevention
PDF
1776 1779
06686259 20140405 205404
Network security
Introduction to Intrusion detection and prevention system for network
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
Network srcurity
Intrusion detection system
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Network Security
Data Network Security
Impact to it security of incorrect configuration of firewall policies and thi...
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...
Intrusion detection
 
Network security
Ne Course Part Two
Ch04 Network Vulnerabilities and Attacks
Modern Network Security Issue and Challenge
intruders types ,detection & prevention
1776 1779
Ad

Viewers also liked (13)

PPTX
Zadaća 7.
PPTX
Gender paper review
PPTX
Uttar pradesh By Aakashdeep dwivedi
PPTX
Jenis gunung
PDF
Measuring business income
DOCX
Aravind_Citrix_Onsite
PDF
Sejarah perkembangan mikroprosesor
PDF
Honeynet architecture
PPTX
Paralel prosesor
DOCX
Uml(unified modelling language)
PPTX
Millennium development goal(mdg) in education_Nepal's achievement
PPTX
Scale construction babita
PPT
Congress of the USA power point
Zadaća 7.
Gender paper review
Uttar pradesh By Aakashdeep dwivedi
Jenis gunung
Measuring business income
Aravind_Citrix_Onsite
Sejarah perkembangan mikroprosesor
Honeynet architecture
Paralel prosesor
Uml(unified modelling language)
Millennium development goal(mdg) in education_Nepal's achievement
Scale construction babita
Congress of the USA power point
Ad

Similar to The use of honeynet to detect exploited systems (basic version) (20)

PDF
A honeynet framework to promote enterprise network security
DOC
Honeypot Essentials
PDF
A Combination of the Intrusion Detection System and the Open-source Firewall ...
PDF
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
PPT
Honeypot honeynet
PDF
PDF
Implementing a Robust Network-Based Intrusion Detection System
PDF
Network Security Using IDS, IPS & Honeypot
DOCX
Network and web security
PDF
Analysis of Honeypot Networks and Intrusion Prevention System IPS on Wireless...
PDF
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
PDF
Deterring hacking strategies via
PDF
Cyber Security Matters a book by Hama David Bundo
PPT
Description on Honeypots in Cyber Security
PDF
An Approach to for Improving the Efficiency of IDS System Using Honeypot
PDF
1376841709 17879811
PDF
1376841709 17879811
PDF
Encountering social engineering activities with a novel honeypot mechanism
A honeynet framework to promote enterprise network security
Honeypot Essentials
A Combination of the Intrusion Detection System and the Open-source Firewall ...
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
Honeypot honeynet
Implementing a Robust Network-Based Intrusion Detection System
Network Security Using IDS, IPS & Honeypot
Network and web security
Analysis of Honeypot Networks and Intrusion Prevention System IPS on Wireless...
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
Deterring hacking strategies via
Cyber Security Matters a book by Hama David Bundo
Description on Honeypots in Cyber Security
An Approach to for Improving the Efficiency of IDS System Using Honeypot
1376841709 17879811
1376841709 17879811
Encountering social engineering activities with a novel honeypot mechanism

The use of honeynet to detect exploited systems (basic version)

  • 1. 1 The Use of Honeynet to Detect Exploited Systems Amar Koppal1 , Shishir Samani2 P A college of Engineering1 , P A college of Engineering2 amarkoppal09@gmail.com1 , shishir.s42@gmail.com2 Abstract─ Computer Networks connected to the Internet continue to be compromised and exploited by hackers. This is in spite of the fact that many networks run same type of security mechanism at their connection to the Internet. With the rapid development of network technology, a variety of new attack methods to the network come out endlessly. Traditional firewalls, depending on the static feature data base, have more and more limitations to these attacks, mainly the social network sites, large enterprise networks are being targeted. In the past, the hackers roamed over network with supreme confidence in their anonymity. They take advantage of systems they've compromised to chat with their buddies safely or to launch attacks against other systems and sites without fear of detection. To alleviate this problem, in this paper we propose a honeynet- based firewall scheme with initiative security strategies. In this scheme, the data-analyzing module can timely discover new attack behaviors by analyzing the output result of honeynet with data-mining technology, and furthermore, according to these findings the rule-learning module can dynamically create new defend rules and apply these rules to the firewall. In this way, the firewall keeps enriching its security strategies that greatly enhance its ability to defend new attacks. This technique can response more quickly and accurately to the unknown attacks and being more secure for internal. Index Terms─ Cybercrime, data-mining, firewall, honeynet, honeypot, hackers, IDS. I. INTRODUCTION One of the most active threats we face today on the Internet is cyber-crime. Increasingly capable hackers are constantly developing more sophisticated means of profiting from online criminal activity. It’s become very hard to track these hackers. 
Computer networks that are currently connected to the Internet are vulnerable to a variety of exploits that can compromise their intended operations. Systems can be subject to Denial of Service attacks that prevents other computers from connecting to them for their provided service (e.g. web server) or prevent them from connecting to other computers on the Internet. They can be subject to attacks that cause them to cease operations either temporary or permanently. A hacker may be able to compromise a system and gain root access, i.e. the ability to control that system as if the hacker was the system administrator. The number of exploits targeted against various platforms, operating systems, and applications increases on a daily basis. System administrators are usually responsible for monitoring the overall security of their networks. System administrators use a variety of methods to protect the security of their networks. The use of firewalls at the border of their network and the Internet is one such method that is in current use today. Firewalls are used to control the flow of traffic between the local network and the Internet. Based on the characteristics of the network traffic, to include requested services, source and destination addresses, and individual users, a firewall will make a decision on whether to allow the traffic to pass through the network. A firewall can be considered as a traffic cop [1]. Another method that may be used by system users is the use of an Intrusion Detection System (IDS). An IDS is used to detect and alert on possible malicious events within a network. IDS sensors may be placed at various points throughout the network, to include the interfaces between the local network and the Internet, critical points within the local network, or on individual host systems. An IDS is normally signature based, i.e., it will look for predefined signatures of bad events. These signatures normally reside in a database associated with the IDS. 
They may also perform statistical and anomaly analysis of network traffic to detect malicious intrusions. When malicious activity is detected they can notify the system administrator or the user. The use of IDS and firewalls provide a level of security protection to the system administrator However, there are recognized shortfalls with the use of an IDS and firewalls to protect a network. The shortcomings associated with a firewall include the following: 1. The firewall cannot protect against attacks that bypass it, such as a dial–in or dial-out capability. 2. The firewall at the network interface does not protect against internal threats. 3. The firewall cannot protect against the transfer of virus –laden files and programs [2]. We speculate that in certain cases high volumes of network traffic may overwhelm the network monitoring capability of the firewall resulting in the possible passing of malicious traffic between networks. The use of IDS as a network security device also leads to shortcomings. It has been speculated that in some cases an IDS fails to provide an additional level of security to a network and only increases the complexity of the security management problem. Shortcomings associated with an IDS include a high level of false positive and false negative alerts [3]. We propose that the use of a Honeynet within a network can provide an additional layer of network security. The Honeynet can serve as a compliment to the use of the firewall and IDS and help to overcome some of the shortcomings that are inherent to these systems.
A. Definition of a Honeynet
A Honeynet is a network, placed behind a reverse firewall, that captures all inbound and outbound data. The reverse firewall limits the amount of malicious traffic that can leave the Honeynet. This data is contained, captured, and controlled. Any type of system can be placed within the Honeynet, including those systems that are currently employed on the network that the Honeynet is intended to protect. Standard production systems are used on the Honeynet, in order to give the hacker the look and feel of a real system. A Honeynet is a network that is intended to be compromised; its purpose is to get attacked, so that an attacker's activities and methods can be studied and this information can be used to increase network security and to provide the system administrator with intelligence about vulnerabilities and compromises within the network [4].
B. Concept of Data Capture and Data Control
There are two critical principles concerning the successful operation of a Honeynet: Data Capture and Data Control. Both must be followed in order for the Honeynet to be successfully employed in protecting a network. The principle of Data Capture concerns information gathering. All information that enters or leaves the Honeynet must be collected for analysis. This data must be collected without the knowledge of the individuals who are conducting malicious activity against the network that is to be protected, so that the hacker cannot bypass the Honeynet. The data that is collected must be stored in a location separate from the Honeynet, so that if the hacker compromises a Honeynet system the data cannot be destroyed or altered. The goal is to be able to capture data on the hacker without the hacker knowing that this data is being collected.
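The two principles above, as an added example that is not part of the paper: a toy inline honeywall in Python that records every flow on a store outside the honeynet (Data Capture) and, for outbound flows only, applies the GEN I outbound connection limit and the GEN II block, pass or modify decision that section C describes (Data Control). The honeynet range, the connection limit, the exploit marker and the flow records are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("10.0.0.0/24")   # constructed honeynet address range
OUTBOUND_LIMIT = 3                      # GEN I style: outbound connections allowed per honeypot
EXPLOIT_MARKER = b"EXPLOIT-STRING"      # constructed stand-in for a known attack signature


class Honeywall:
    """Toy inline gateway: every flow is captured, outbound flows are controlled."""

    def __init__(self, remote_store):
        self.store = remote_store           # stands in for the log host outside the honeynet
        self.outbound = defaultdict(int)    # honeypot address -> outbound connections so far

    @staticmethod
    def direction(src, dst):
        """Classify a flow relative to the honeynet range."""
        s, d = ip_address(src) in HONEYNET, ip_address(dst) in HONEYNET
        if s and not d:
            return "outbound"
        if d and not s:
            return "inbound"
        return "internal" if s and d else "transit"

    def handle(self, flow):
        """Apply Data Control to one flow and return (verdict, payload to forward)."""
        direction = self.direction(flow["src"], flow["dst"])
        payload = flow.get("payload", b"")
        verdict = "pass"
        if direction == "outbound":
            self.outbound[flow["src"]] += 1
            if self.outbound[flow["src"]] > OUTBOUND_LIMIT:
                verdict = "block"           # GEN I style: hard limit on outbound connections
            elif EXPLOIT_MARKER in payload:
                verdict = "modify"          # GEN II style: connection appears to work, attack is rendered benign
                payload = payload.replace(EXPLOIT_MARKER, b"X" * len(EXPLOIT_MARKER))
        # Data Capture: record every flow, including the ones altered or dropped,
        # on the remote store so a compromised honeypot cannot erase the evidence.
        self.store.append({**flow, "direction": direction, "verdict": verdict})
        return verdict, payload

    def compromised(self):
        """Honeypots that started any outbound connection; each one is a compromise indicator."""
        return sorted({r["src"] for r in self.store if r["direction"] == "outbound"})


SAMPLE_FLOWS = [   # constructed flow records, not real captures
    {"src": "203.0.113.5", "dst": "10.0.0.20", "payload": b"GET / HTTP/1.0"},    # inbound probe
    {"src": "10.0.0.20", "dst": "198.51.100.9", "payload": b"hello"},            # outbound 1: pass
    {"src": "10.0.0.20", "dst": "198.51.100.9", "payload": b"EXPLOIT-STRING"},   # outbound 2: modify
    {"src": "10.0.0.20", "dst": "198.51.100.10", "payload": b"x"},               # outbound 3: pass
    {"src": "10.0.0.20", "dst": "198.51.100.11", "payload": b"x"},               # outbound 4: over limit, block
    {"src": "10.0.0.21", "dst": "10.0.0.20", "payload": b"x"},                   # honeynet-internal: pass
]


def run_demo(flows=SAMPLE_FLOWS):
    """Push the sample flows through a fresh Honeywall; return verdicts, compromised hosts, records kept."""
    store = []
    hw = Honeywall(store)
    verdicts = [hw.handle(f)[0] for f in flows]
    return verdicts, hw.compromised(), len(store)


if __name__ == "__main__":
    print(run_demo())   # (['pass', 'pass', 'modify', 'pass', 'block', 'pass'], ['10.0.0.20'], 6)
```

Note that the blocked and modified flows are still captured: the store holds all six records, so the analyst sees the attempt even though the target never did.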
The principle of Data Control concerns protecting other networks from being attacked and compromised by computers on the Honeynet. If a hacker compromises a Honeynet system, then this hacker must be prevented from using this system to attack and compromise production systems on other networks. The process of Data Control must be automated to prevent the hacker from getting suspicious: we do not want the hacker to become aware of the fact that the system he has compromised is on a Honeynet [5]. There are generally two kinds of Honeynet, GEN I and GEN II.
C. GEN I vs. GEN II Honeynets
There are currently two types of Honeynets that can be employed on a network: GEN I, or first generation, and GEN II, or second generation. The type of Honeynet that one chooses depends on many factors, including availability of resources, the types of hackers and attacks that you are trying to detect, and overall experience with the Honeynet methodology. GEN I Honeynets are the simpler methodology to employ. This technology was first developed in 1999 by the Honeynet Alliance. Although GEN I Honeynets are somewhat limited in their ability for Data Capture and Data Control, they are highly effective in detecting automated attacks or beginner-level attacks against targets of opportunity on the network. Their limitations in Data Control make it possible for a hacker to fingerprint them as a Honeynet. They also offer little to attract a skilled hacker to target the Honeynet, since the machines on the Honeynet are normally just default installations of various operating systems. GEN II Honeynets were developed in 2002 to address the shortcomings inherent in GEN I Honeynets. The primary area addressed by GEN II Honeynets is Data Control. GEN I Honeynets used a firewall to provide Data Control by limiting the number of outbound connections from the Honeynet.
This is a very effective method of Data Control; however, it lacks flexibility and allows for the possibility of the hacker fingerprinting the Honeynet. GEN II Honeynets provide Data Control by examining outbound data and making a determination to block it, to pass it, or to modify it by changing some of the packet contents, so that the data appears to pass but is rendered benign. GEN II Honeynets are more complex to deploy and maintain than GEN I Honeynets [6]. Whoever deploys a Honeynet can go with GEN I or GEN II, as each has its own advantages and disadvantages. But if the setup is for a school or college system and you are very new to Honeynets, then it is better to go with a GEN I Honeynet.
D. Honeynet Architecture
The GEN II Honeynet architecture is shown in Fig. A.
Fig A: Honeynet architecture
The Honeynet architecture consists of honeypots. A honeypot is a security resource whose value lies in being probed, attacked, or compromised. This means that whatever we designate as a honeypot, our expectations and goals are to have the system probed, attacked, and potentially exploited. It does not matter what the resource is (a router, scripts running emulated services, a jail, an actual production system). What does matter is that the resource's value lies in its being attacked. If the system is never probed or attacked, then it has little or no value. This is the exact opposite of most production systems, which you do not want to be probed or attacked. As should be apparent from this definition, honeypots are different from most security tools in that they can take on different manifestations. For example, firewalls are a technology that protects your organization by controlling what traffic can flow where; they are used as an access control device. Network Intrusion Detection Systems are designed to detect attacks by monitoring either system or network activity; they are used to identify unauthorized activity. Honeypots are different in that they aren't limited to solving a single, specific problem. Instead, honeypots are a highly flexible tool that can be applied to a variety of different situations.
The architecture also includes the Honeywall. The Honeywall has three network interfaces: two in bridge mode (eth0 and eth1) and a third, eth2, with an IP stack used for management purposes. The main advantage of the bridge mode is that it is harder for attackers to detect. For example, since the Honeywall has no IP addresses (except on eth2), it does not affect the TTL (Time to Live) values of the traffic entering or leaving the Honeynet. However, it can still transparently control and capture all the data passing through it. The management station has one network interface with two IP addresses, one for the main network and another to manage the Honeywall. There are two types of honeypots: production honeypots and research honeypots.
E. How Honeynet Works
Conceptually, Honeynets are a simple mechanism that works on the same principle as a honeypot. You create a resource that has little or no production traffic. Anything sent to the Honeynet is suspect, potentially a probe, scan, or even an attack. Anything sent from a Honeynet implies that it has been compromised: an attacker or tool is launching activity. However, Honeynets take the concept of honeypots one step further: instead of a single system, a Honeynet is a physical network of multiple systems. Honeynets are not a product you install or an appliance you drop on your network. Instead, Honeynets are an architecture that builds a highly controlled network, within which you can place any system or application you want. It is this architecture that is your Honeynet. The Honeynet operates as a kind of fishbowl, a self-contained environment in which you can see everything that happens. Also, like a fishbowl, in a Honeynet you can create any environment you want. In your fishbowl you can place different types of fish; in Honeynets you can place whatever systems and applications you want. Even though the systems placed within your Honeynet may be built identically to a production system, we define them as honeypots because their value within the Honeynet is being probed, attacked, or compromised. The captured activity within this controlled environment is what teaches us the tools, tactics, and motives of the blackhat community. There are three critical elements to a Honeynet architecture: data control, data capture, and data collection. These elements define your Honeynet architecture. Of the three, the first two are the most important and apply to every Honeynet deployment. The third, data collection, only applies to organizations that deploy multiple Honeynets in a distributed environment. Data control is the controlling of the blackhat activity.
Once a blackhat takes control of a honeypot within the Honeynet, his activity has to be contained so he cannot harm non-Honeynet systems. Data capture is the capturing of all the activity that occurs within the Honeynet. Data collection is the aggregation of all the data captured by multiple Honeynets. Honeynets are highly flexible: there is no specific way to implement a Honeynet solution.
F. Advantages and Disadvantages
Data Value─ One of the challenges the security community faces is gaining value from data. Organizations collect vast amounts of data every day, including firewall logs, system logs, and Intrusion Detection alerts. The sheer amount of information can be overwhelming, making it extremely difficult to derive any value from the data. Honeypots, on the other hand, collect very little data, but what they do collect is normally of high value. The honeypot concept of no expected production activity dramatically reduces the noise level. Instead of logging gigabytes of data every day, most honeypots collect several megabytes of data per day, if even that much. Any data that is logged is most likely a scan, probe, or attack: information of high value. Honeypots can give you the precise information you need in a quick and easy-to-understand format. This makes analysis much easier and reaction time much quicker.
Resources─ Another challenge most security mechanisms face is resource limitations, or even resource exhaustion. Resource exhaustion is when a security resource can no longer continue to function because its resources are overwhelmed. For example, a firewall may fail because its connection table is full, it has run out of resources, or it can no longer monitor connections. This forces the firewall to block all connections instead of just blocking unauthorized activity. An Intrusion Detection System may have too much network activity to monitor, perhaps hundreds of megabytes of data per second. When this happens, the IDS sensor's buffers become full, and it begins dropping packets. A honeypot deployed on the same network does not share this problem. The honeypot only captures activities directed at itself, so the system is not overwhelmed by the traffic. Where the IDS sensor may fail because of resource exhaustion, the honeypot is not likely to have a problem.
Simplicity─ I consider simplicity the biggest single advantage of honeypots. There are no fancy algorithms to develop, no signature databases to maintain, no rulebases to misconfigure. You just take the honeypot, drop it somewhere in your organization, and sit back and wait. While some honeypots, especially research honeypots, can be more complex, they all operate on the same simple premise: if somebody or something connects to the honeypot, check it out. As experienced security professionals will tell you, the simpler the concept, the more reliable it is. With complexity come misconfigurations, breakdowns, and failures.
Disadvantages of Honeypots
Narrow Field of View─ The greatest disadvantage of honeypots is that they have a narrow field of view: they only see what activity is directed against them. If an attacker breaks into your network and attacks a variety of systems, your honeypot will be blissfully unaware of the activity unless it is attacked directly. If the attacker has identified your honeypot for what it is, she can now avoid that system and infiltrate your organization, with the honeypot never knowing she got in. As noted earlier, honeypots have a microscope effect on the value of the data you collect, enabling you to focus closely on data of known value. However, like a microscope, the honeypot's very limited field of view can exclude events happening all around it.
Risk─ Honeypots can introduce risk to your environment. By risk, we mean that a honeypot, once attacked, can be used to attack, infiltrate, or harm other systems or organizations. As we discuss later, different honeypots have different levels of risk. Some introduce very little risk, while others give the attacker entire platforms from which to launch new attacks.
The simpler the honeypot, the less the risk. For example, a honeypot that merely emulates a few services is difficult to compromise and use to attack other systems. In contrast, a honeypot that creates a jail gives an attacker an actual operating system with which to interact. An attacker might be able to break out of such a cage and then use the honeypot to launch passive or active attacks against other systems or organizations. Risk is variable, depending on how one builds and deploys the honeypot.
II. STEPS TO BE TAKEN
1. Start small─ Begin initially with a single machine and an operating system that you are familiar with, installed behind the reverse firewall. This will allow you to begin to understand how to analyze the data that you will receive on the Honeynet. You will also be able to fine-tune your configuration. The more machines that you have, the more data you will most likely receive going to and from the Honeynet.
2. Focus on attacks and exploits originating from within your enterprise network. These are the attacks that can do the most damage to your enterprise. Inform your enterprise administrators immediately of these types of attacks, since they indicate machines that have already been compromised within the enterprise.
3. Don't publish the IP address range of the Honeynet. There is no need to do this. Hackers and worms are constantly scanning across the Internet for machines to exploit. Your Honeynet will be found and attacked.
4. Don't underestimate the amount of time required to analyze the data collected from the Honeynet. This data must be analyzed every day. You will be collecting lots of information and it must be analyzed to provide any benefit. Most attacks take seconds to compromise and take over a vulnerable system. It can take weeks to analyze and document such an attack.
5. Powerful machines are not necessary to establish the Honeynet.
A. Differences per Operating System
In this section we analyse the distribution of attacks among the honeypots running different operating systems. Fig B below shows how attackers attacked the honeypots set up with different operating systems. To test this, honeypots with different environments were placed in the Honeynet; they were running Win 2000, Win XP, Linux and Solaris. A system running any environment can be hacked, so honeypots were tested on all of them. From the analysis shown below it is clear that most of the attacks are concentrated on Win 2000, followed by Win XP, Linux and Solaris. Win2000 hosts were the primary targets of attack signatures, followed by the WinXP host. In all phases there were significantly fewer incidents reported for the UNIX systems, Linux and Solaris. The fact that nearly 97% of all signatures are targeted towards Windows systems was not unexpected, since it makes sense to concentrate the effort to develop attacks on the clearly dominating operating systems. However, the conclusion that Windows systems are significantly more insecure.
Fig B: Distribution of attack signatures per honeypot: 10.0.0.20 (Win2000) 52.36%, 10.0.0.77 (Win2000) 40.27%, 10.0.0.66 (Win XP) 4.41%, 10.0.0.21 (Linux) 3%, 10.0.0.30 (Solaris) < 1%.
III. CONCLUSION
A further benefit of the Honeynet is one of research in the areas of Information Assurance and Intrusion Detection. The possibility exists to detect new exploits launched against the campus network. Under the principle of data capture, all data associated with these exploits is collected for further analysis. As a result, countermeasures can be taken against these new exploits and signatures targeting these exploits can be developed for the enterprise IDS systems. As there is a Honeynet Project in India, for all the interested minds looking toward the security field this is the best platform to come forward and contribute.
IV. REFERENCES
[1] E. Skoudis, Counter Hack, Upper Saddle River, NJ: Prentice Hall PTR, 2002, p. 47.
[2] W. Stallings, Network Security Essentials, Upper Saddle River, NJ: Prentice Hall PTR, 2000, p. 322.
[3] R. Stiennon, M. Easley, Intrusion Prevention Will Replace Intrusion Detection, Gartner Research Notes, 30 August 2002, available at http://www.gartner.com/reprints/intruvert/109596.html, Dec 2002.
[4] The Honeynet Project, Know Your Enemy, Indianapolis, IN: Addison-Wesley, 2002, pp. 12-17.
[5] The Honeynet Project, Know Your Enemy, p. 20.
[6] L. Spitzner, Honeypots: Tracking Hackers, Indianapolis, IN: Addison-Wesley, 2003, pp. 242-261.