Advanced Honey Pot Architecture For Network Threats Quantification
Abstract
Internet security is a serious problem today. For every consumer and business on the Internet,
viruses, worms and crackers are only a few of the security threats. There are obvious tools that aid
information security professionals against these problems, such as anti-virus software, firewalls and
intrusion detection systems, but these systems can only react to or prevent attacks; they cannot give
us information about the attacker, the tools used or the methods employed. Given all of these security
questions, honeypots are a novel approach to network security and security research alike. A honeypot
is a resource that is intended to be attacked and compromised in order to gain more information about
the attacker and the tools used. It can also be deployed to attract and divert an attacker from their
real targets. Honeypots are an additional layer of security. Honeypots have the big advantage that
they do not generate false alerts, as all observed traffic is suspicious: no productive components are
running on the system. The level of interaction determines the amount of functionality a honeypot
provides; it is either low or high interaction.
production honeypot is used for risk mitigation. Most production honeypots are emulations of
specific operating systems or services. They help to protect a network and systems against attacks
generated by automated tools used to randomly look for and take over vulnerable systems. By
running a production honeypot, the scanning process from these attack tools can be slowed right
down, thereby wasting their time. Some production honeypots can even shut down attacks altogether
by, for example, sending the attackers an acknowledgement packet with a window size of zero. This
puts the attack into a “wait” status in which it could only send data when the window size
increases [3]. In this way, production honeypots are often used as reconnaissance or deterrence
tools.

Research honeypots are real operating systems and services that attackers can interact with, and
therefore involve higher risk. They collect extensive information and intelligence on new attack
techniques and methods, and hence provide a more accurate picture of the types of attacks being
perpetrated. They also provide improved attack prevention, detection and reaction information,
drawn from the log files and other information captured in the process. In general, honeypot
research institutions such as universities and military departments will run research honeypots to
gather intelligence on new attack methods. Some of the research results are published for the
benefit of the whole community.
II. ARCHITECTURE OF HONEYPOTS
[Figure: network topology showing the Internet, the honeypot, a firewall, a server, two workstations and a laptop.]
GUI – Allows an easy way of starting and stopping the servers, searching through collected data and
displaying statistics.
Honeypot_Core – Creates and maintains the servers. Collects the data from the users and updates the
databases.
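The collector role described for Honeypot_Core above (create the servers, gather what the remote user sends, update the databases) can be shown with a single emulated service. The following is an added example and not the paper's own code: a low-interaction Telnet login facade that presents only a login prompt, never grants a shell, and records every username/password pair in an SQLite table that a GUI could later search and summarise. The banner text, listening port, table name and `strip_iac` helper are assumptions made for this example.

```python
"""Added example, not code from the paper: a low-interaction Telnet login
facade in the role of the Honeypot_Core described above. It emulates only the
login prompt, never grants a shell, and writes every attempt to an SQLite
table that a GUI could later search. Banner text, port and table name are
assumptions."""
import socket
import sqlite3
import threading
from datetime import datetime, timezone

BANNER = b"\r\nUbuntu 18.04 LTS\r\n"   # constructed banner; there is no real host behind it
MAX_ATTEMPTS = 3                       # a real telnetd drops the link after a few failures
IAC = 0xFF

def strip_iac(data):
    """Drop Telnet option negotiation (IAC sequences) so only typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            i += 3 if 251 <= cmd <= 254 else 2   # WILL/WONT/DO/DONT carry an option byte
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def open_db(path=":memory:"):
    """Create the 'Telnet Login DB' of the block diagram (schema assumed)."""
    conn = sqlite3.connect(path, check_same_thread=False)
    conn.execute("CREATE TABLE IF NOT EXISTS telnet_login ("
                 "ts TEXT, src_ip TEXT, src_port INTEGER, username TEXT, password TEXT)")
    return conn

class TelnetFacade:
    """Per-connection state machine: fed one attacker line, returns the bytes to send back."""
    def __init__(self, conn, peer):
        self.conn, self.peer = conn, peer
        self.state, self.username = "USER", None
        self.attempts, self.closed = 0, False

    def greeting(self):
        return BANNER + b"login: "

    def feed(self, raw_line):
        text = strip_iac(raw_line).decode("utf-8", "replace").strip()
        if self.state == "USER":
            self.username, self.state = text, "PASS"
            return b"Password: "
        # PASS state: record the pair, then always reject (there is nothing to log in to)
        self.attempts += 1
        self.conn.execute("INSERT INTO telnet_login VALUES (?, ?, ?, ?, ?)",
                          (datetime.now(timezone.utc).isoformat(),
                           self.peer[0], self.peer[1], self.username, text))
        self.conn.commit()
        self.state = "USER"
        if self.attempts >= MAX_ATTEMPTS:
            self.closed = True
            return b"\r\nLogin incorrect\r\nConnection closed by foreign host.\r\n"
        return b"\r\nLogin incorrect\r\nlogin: "

def handle_client(sock, peer, conn):
    facade = TelnetFacade(conn, peer)
    buf = b""
    try:
        sock.sendall(facade.greeting())
        while not facade.closed:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf and not facade.closed:
                line, buf = buf.split(b"\n", 1)
                sock.sendall(facade.feed(line))
    except OSError:
        pass
    finally:
        sock.close()

def serve(conn, host="127.0.0.1", port=2323):
    """Listen on an unprivileged port (assumed); every connection is suspect by definition."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        s, peer = srv.accept()
        threading.Thread(target=handle_client, args=(s, peer, conn), daemon=True).start()

def attempts_by_source(conn):
    """The statistic a GUI would show first: login attempts per source address."""
    rows = conn.execute("SELECT src_ip, COUNT(*) FROM telnet_login GROUP BY src_ip")
    return dict(rows.fetchall())

if __name__ == "__main__":
    serve(open_db("honeypot.db"))
```

Because no legitimate user has any reason to connect, every row in `telnet_login` is an alert with no false-positive filtering needed, which is the property the abstract attributes to honeypots. Keeping the facade as a pure state machine (`feed` in, bytes out) separates the protocol emulation from the socket plumbing and lets the emulation be tested offline.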
A. BLOCK DIAGRAM
[Figure: block diagram with the components Honeypot Core (WinSock), Medium, GUI, Malicious String DB, HTTP DB, Telnet Login DB and Transactions DB.]
III. LEVELS OF HONEYPOTS
Honeypots can be classified into two general categories: low-interaction honeypots that are often
used for production purposes, and high-interaction honeypots that are used for research purposes.

A. LOW-INTERACTION HONEYPOTS
Low-interaction honeypots work by emulating certain services and operating systems and have limited
interaction. The attacker’s activities are limited to the level of emulation provided by the
honeypot. For example, an emulated FTP service listening on a particular port may only emulate an
FTP login, or it may further support a variety of additional FTP commands. The advantages of
low-interaction honeypots are that they are simple and easy to deploy and maintain. In addition, the
limited emulation available and/or allowed on low-interaction honeypots reduces the potential risks
brought about by using them in the field. However, with low-interaction honeypots, only limited
information can be obtained, and it is possible that experienced attackers will easily recognise a
honeypot when they come across one.

Example: Façades
A façade is a software emulation of a target service or application that provides a false image of
a target host. When a façade is probed or attacked, it gathers information about the attacker. Some
façades only provide partial application-level behaviour (e.g. banner presentation), while others
will actually simulate the target service down to the network stack behaviour. The value of a façade
is defined primarily by what systems and applications it can simulate, and how easy it is to deploy
and administer. Façades offer simple, easy deployment as they often require minimal installation
effort and equipment, and they can emulate a large variety of systems. Since they are not real
systems, they do not have any real vulnerabilities themselves, and cannot be used as a jumping-off
point by attackers. However, because they provide only basic information about a potential threat,
they are typically used by small to medium-sized enterprises, or by large enterprises in conjunction
with other security technology.

B. HIGH-INTERACTION HONEYPOTS
High-interaction honeypots are more complex, as they involve real operating systems and
applications. For example, a real FTP server will be built if the aim is to collect information
about attacks on a particular FTP server or service. By giving attackers real systems to interact
with, no restrictions are imposed on attack behaviour, and this allows administrators to capture
extensive details about the full extent of an attacker’s methods. However, it is not impossible that
attackers might take over a high-interaction honeypot system and use it as a stepping-stone to attack
other systems within the organisation. Therefore, sufficient protection measures need to be
implemented accordingly. In the worst case, the network connection to the honeypot may need to be
disconnected to prevent attackers from further penetrating the network and machines beyond the
honeypot system itself.

attackers from using them as a stepping-stone for further attacks on other parts of the network.

Example three: Spam Honeypots
Honeypot technology is also used for studying spam and email harvesting activities. Honeypots have
been deployed to study how spammers detect open mail relays. Machines run as simulated mail servers,
proxies and web servers. Spam email is received and analysed to ascertain the reasons why they were
received [4]. In addition, an email trap can be set up, using an email address dedicated to just
receiving spam emails.
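The spam honeypot just described, a machine that looks like an open mail relay and an address that exists only to receive spam, can be built as another low-interaction façade. The following is an added example, not code from the paper: an SMTP façade that accepts any sender and recipient (so a spammer's relay test appears to succeed) but never forwards anything, and records each transaction together with the two signals the text wants to analyse, whether the message was a relay attempt for a foreign domain and whether it hit the dedicated trap address. The hostname, local domain, trap address and listening port are constructed values.

```python
"""Added example, not code from the paper: a low-interaction SMTP facade that
presents itself as an open mail relay. It accepts any sender and recipient, so
a spammer's relay test looks successful, but never forwards anything; each
transaction is recorded for later analysis. Hostname, local domain and the
trap address are constructed."""
import re
import socketserver

HOSTNAME = b"mail.honeypot.example"                  # constructed
LOCAL_DOMAINS = {"honeypot.example"}                 # domains the facade claims to host
TRAP_ADDRESSES = {"trap-2024@honeypot.example"}      # published only where address harvesters look
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")

class SmtpFacade:
    """Per-connection state machine: fed one line, returns the reply bytes (b'' inside DATA)."""
    def __init__(self, peer, records):
        self.peer, self.records = peer, records
        self.in_data = False
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.body = None, [], []

    def greeting(self):
        return b"220 " + HOSTNAME + b" ESMTP\r\n"

    def feed(self, raw_line):
        text = raw_line.decode("utf-8", "replace").rstrip("\r\n")
        if self.in_data:
            if text != ".":
                self.body.append(text)
                return b""
            self.in_data = False
            self.records.append(self._record())   # 'queued' in name only; nothing is ever sent
            self._reset()
            return b"250 2.0.0 Ok: queued\r\n"
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return b"250 " + HOSTNAME + b"\r\n"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            self.sender = m.group(1).lower() if m else ""   # '' stands for the null sender <>
            return b"250 2.1.0 Ok\r\n"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            if not m:
                return b"501 5.1.3 Bad recipient address syntax\r\n"
            self.rcpts.append(m.group(1).lower())           # accept everyone: looks like an open relay
            return b"250 2.1.5 Ok\r\n"
        if verb == "DATA":
            if not self.rcpts:
                return b"503 5.5.1 Error: need RCPT command\r\n"
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == "QUIT":
            return b"221 2.0.0 Bye\r\n"
        return b"500 5.5.2 Error: command not recognized\r\n"

    def _record(self):
        external = [r for r in self.rcpts if r.rsplit("@", 1)[1] not in LOCAL_DOMAINS]
        return {"src_ip": self.peer[0], "sender": self.sender,
                "recipients": list(self.rcpts),
                "relay_attempt": bool(external),   # mail for foreign domains = relay probe
                "hit_trap": any(r in TRAP_ADDRESSES for r in self.rcpts),
                "size": sum(len(line) + 2 for line in self.body)}

def summarize(records):
    """Why was each message received? Relay probes and trap-address hits per source."""
    out = {}
    for r in records:
        s = out.setdefault(r["src_ip"], {"messages": 0, "relay_attempts": 0, "trap_hits": 0})
        s["messages"] += 1
        s["relay_attempts"] += int(r["relay_attempt"])
        s["trap_hits"] += int(r["hit_trap"])
    return out

RECORDS = []   # in-memory 'Transactions DB'; a real deployment would persist this

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        facade = SmtpFacade(self.client_address, RECORDS)
        self.wfile.write(facade.greeting())
        while True:
            line = self.rfile.readline()
            if not line:
                break
            reply = facade.feed(line)
            if reply:
                self.wfile.write(reply)
            if reply.startswith(b"221"):
                break

if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), Handler) as srv:
        srv.serve_forever()
```

The façade answers `250` to every `RCPT TO`, which is exactly what a spammer's open-relay probe looks for, yet the message goes no further than the `RECORDS` list, so the honeypot cannot be turned into a real relay. The `relay_attempt` and `hit_trap` flags give the analysis the text calls for: a message for a foreign domain was received because the sender believed this was an open relay, and a message to the trap address was received because that address was harvested.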