Advanced Honey Pot Architecture For Network Threats Quantification


International Journal of Engineering and Techniques - Volume 3 Issue 2, March-April 2017

RESEARCH ARTICLE                                                        OPEN ACCESS

Advanced Honeypot Architecture for Network Threats Quantification

Karthikeyan R¹, Dr. T. Geetha², Shyamamol K.S³, Sivagami G⁴
¹,² Asst. Prof., Dept. of MCA, Gnanamani College of Technology, Namakkal, INDIA
³,⁴ P.G. Scholar, Dept. of MCA, Gnanamani College of Technology, Namakkal, INDIA

ABSTRACT

Today, Internet security is a serious problem. For every consumer and business on the Internet, viruses, worms and crackers are only a few of the security threats. There are obvious tools that aid information security professionals against these problems, such as anti-virus software, firewalls and intrusion detection systems, but these systems can only react to or prevent attacks; they cannot give us information about the attacker, the tools used or even the methods employed. Given all of these security questions, honeypots are a novel approach to network security and security research alike. A honeypot is a resource that is intended to be attacked and compromised in order to gain more information about the attacker and the tools used. It can also be deployed to attract and divert an attacker from their real targets. Honeypots are an additional layer of security. They have the big advantage that they do not generate false alerts, because no productive components run on the system and so all observed traffic is suspicious. The level of interaction determines the amount of functionality a honeypot provides; the two levels are low and high interaction.

INTRODUCTION

Today's world increasingly relies on computer networks. The use of network resources is growing and network infrastructures are gaining in size and complexity (see papers 3, 4, 6, 7 and 8). This increase is accompanied by a rising volume of security problems. New threats and vulnerabilities are found every day, and computers are far from being secure. In the first half of 2008, 3,534 vulnerabilities were disclosed by vendors, researchers and independents. Between 8 and 16% of these vulnerabilities were exploited by malicious programs on the day they were released. The consequences affect users and companies at critical levels, from privacy issues to financial losses. To address this concern, network operators and security researchers have developed and deployed a variety of solutions (see papers 9, 11). The goal of these solutions is two-fold: first to monitor, and second to protect network assets. Monitoring allows researchers to understand the different threats. Data are being collected to better characterize and quantify malicious activity. The goal of this paper is to introduce an innovative framework to better measure malicious threats in the organization network. The framework is based on a flexible hybrid honeypot architecture that we integrate with the organization network using network flows (see papers 13, 15, 16). A honeypot is a deception trap, designed to entice an attacker into attempting to compromise the information systems in an organisation. If deployed correctly, a honeypot can serve as an early-warning and advanced security surveillance tool, minimising the risks from attacks on IT systems and networks. Honeypots can also analyse the ways in which attackers try to compromise an information system, providing valuable insight into potential system loopholes.

I. HONEYPOTS

According to Lance Spitzner, founder of the Honeynet Project, a honeypot is a system designed to learn how "black-hats" probe for and exploit weaknesses in an IT system¹. It can also be defined as "an information system resource whose value lies in unauthorised or illicit use of that resource". In other words, a honeypot is a decoy, put out on a network as bait to lure attackers. Honeypots are typically virtual machines, designed to emulate real machines, feigning or creating the appearance of running full services and applications, with open ports that might be found on a typical system or server on a network. A honeypot works by fooling attackers into believing it is a legitimate system; they attack the system without knowing that they are being observed covertly. When an attacker attempts to compromise a honeypot, attack-related information, such as the IP address of the attacker, will be collected. The activity of the attacker provides valuable information and analysis on attacking techniques, allowing system administrators to "trace back" to the source of the attack if required. Honeypots can be used for production or research purposes.

A production honeypot is used for risk mitigation. Most production honeypots are emulations of specific operating systems or services. They help to protect a network and systems against attacks generated by automated tools used to randomly look for and take over vulnerable systems. By running a production honeypot, the scanning process of these attack tools can be slowed right down, thereby wasting their time. Some production honeypots can even shut down attacks altogether by, for example, sending the attackers an acknowledgement packet with a window size of zero. This puts the attack into a "wait" status in which it can only send data when the window size increases³. In this way, production honeypots are often used as reconnaissance or deterrence tools.

Research honeypots are real operating systems and services that attackers can interact with, and therefore involve higher risk. They collect extensive information and intelligence on new attack techniques and methods, and hence provide a more accurate picture of the types of attacks being perpetrated. They also provide improved attack prevention, detection and reaction information, drawn from the log files and other information captured in the process. In general, research institutions such as universities and military departments run research honeypots to gather intelligence on new attack methods. Some of the research results are published for the benefit of the whole community.

ISSN: 2395-1303 http://www.ijetjournal.org Page 92

II. ARCHITECTURE OF HONEYPOTS

[Figure: honeypot deployment topology. Components shown: The Internet, Firewall, Honeypot, Server, Workstation, Workstation, Laptop.]

The program is divided into two main applications.

GUI – Allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics.
Honeypot_Core – Creates and maintains the servers. Collects the data from the users and updates the databases.


A. BLOCK DIAGRAM

[Figure: block diagram of the program. Components shown: Honeypot Core, Medium (WinSock), GUI, HTTP Server, Telnet Server, Malicious String DB, HTTP Transactions DB, Telnet Login DB.]
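The Telnet Server and Telnet Login DB components of the block diagram can be realised as a façade of the kind section III calls a low-interaction honeypot: only a banner and login prompt are emulated, a shell is never granted, and every credential pair an attacker submits is recorded. The following is an added example, not code from the paper; the banner text, the listening port 2323 and the SQLite schema are assumptions made here.

```python
import socketserver
import sqlite3
import threading
from datetime import datetime, timezone

# Constructed banner; a deployed facade would copy the banner of the system it imitates.
BANNER = b"\r\nUbuntu 16.04 LTS\r\nlogin: "

class TelnetFacade:
    """Low-interaction Telnet facade: emulates only the login prompt (no shell is ever
    granted) and stores every username/password pair, like the Telnet Login DB."""

    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path, check_same_thread=False)
        self.db.execute("CREATE TABLE IF NOT EXISTS telnet_login "
                        "(ts TEXT, src TEXT, username TEXT, password TEXT)")
        self.lock = threading.Lock()  # one DB handle shared by all connection threads

    def session(self, src):
        """Per-connection state machine: give it one input line, get the bytes to send
        back. The first line is taken as the username, the next as the password."""
        pending = []

        def handle_line(line):
            if not pending:
                pending.append(line)
                return b"Password: "
            self.record(src, pending.pop(), line)
            # Every attempt fails: the attacker gains nothing, the honeypot gains the credential list.
            return b"\r\nLogin incorrect\r\nlogin: "
        return handle_line

    def record(self, src, username, password):
        with self.lock:
            self.db.execute("INSERT INTO telnet_login VALUES (?, ?, ?, ?)",
                            (datetime.now(timezone.utc).isoformat(), src, username, password))
            self.db.commit()

    def attempts(self):
        return self.db.execute("SELECT src, username, password FROM telnet_login").fetchall()

def make_server(facade, port=2323):
    """Bind the facade to a TCP port (assumed unprivileged port 2323), one thread per connection."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            handle_line = facade.session(self.client_address[0])
            self.wfile.write(BANNER)
            for raw in self.rfile:  # one line per iteration until the client disconnects
                # Telnet option negotiation (IAC bytes) is not parsed; it is logged as received.
                self.wfile.write(handle_line(raw.decode("latin-1").rstrip("\r\n")))
    return socketserver.ThreadingTCPServer(("0.0.0.0", port), Handler)

if __name__ == "__main__":
    with make_server(TelnetFacade("telnet_login.db")) as srv:
        srv.serve_forever()
```

The collected rows are exactly the data the GUI component would search and summarise; because no real login exists behind the prompt, the façade cannot be used as a jumping-off point.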
III. LEVELS OF HONEYPOTS

Honeypots can be classified into two general categories: low-interaction honeypots, which are often used for production purposes, and high-interaction honeypots, which are used for research purposes.

A. LOW-INTERACTION HONEYPOTS

Low-interaction honeypots work by emulating certain services and operating systems and have limited interaction. The attacker's activities are limited to the level of emulation provided by the honeypot. For example, an emulated FTP service listening on a particular port may only emulate an FTP login, or it may further support a variety of additional FTP commands. The advantages of low-interaction honeypots are that they are simple and easy to deploy and maintain. In addition, the limited emulation available and/or allowed on low-interaction honeypots reduces the potential risks brought about by using them in the field. However, with low-interaction honeypots, only limited information can be obtained, and it is possible that experienced attackers will easily recognise a honeypot when they come across one.

Example: Façades

A façade is a software emulation of a target service or application that provides a false image of a target host. When a façade is probed or attacked, it gathers information about the attacker. Some façades only provide partial application-level behaviour (e.g. banner presentation), while others will actually simulate the target service down to the network stack behaviour. The value of a façade is defined primarily by what systems and applications it can simulate, and how easy it is to deploy and administer. Façades offer simple, easy deployment as they often require minimal installation effort and equipment, and they can emulate a large variety of systems. Since they are not real systems, they do not have any real vulnerabilities themselves, and cannot be used as a jumping-off point by attackers. However, because they provide only basic information about a potential threat, they are typically used by small to medium-sized enterprises, or by large enterprises in conjunction with other security technology.

B. HIGH-INTERACTION HONEYPOTS

High-interaction honeypots are more complex, as they involve real operating systems and applications. For example, a real FTP server will be built if the aim is to collect information about attacks on a particular FTP server or service. By giving attackers real systems to interact with, no restrictions are imposed on attack


behaviour, and this allows administrators to capture extensive details about the full extent of an attacker's methods. However, it is not impossible that attackers might take over a high-interaction honeypot system and use it as a stepping-stone to attack other systems within the organisation. Therefore, sufficient protection measures need to be implemented accordingly. In the worst case, the network connection to the honeypot may need to be disconnected to prevent attackers from further penetrating the network and machines beyond the honeypot system itself.

Example one: Sacrificial Lambs

A sacrificial lamb is a system intentionally left vulnerable to attack. The administrator will examine the honeypot periodically to determine if it has been compromised, and if so, what was done to it. Additional data, such as a detailed trace of commands sent to the honeypot, can be collected by a network sniffer deployed near the honeypot. However, the honeypots themselves are "live" and thus present a possible jumping-off point for an attacker. Additional deployment considerations must be made in order to isolate and control the honeypot, such as by means of firewalls or other network control devices, or by completely disconnecting the honeypot from the internal network. Because sacrificial lambs are themselves real systems, all results generated are exactly as they would be for a real system. However, sacrificial lambs require considerable administrative overhead, such as the installation of a full operating system, and manual application configuration or system hardening. The analysis is also conducted manually and may require additional tools. They also require additional deployment considerations as explained above, and will likely require a dedicated security expert to manage, support, and analyse the resulting data from the honeypot system.

Example two: Instrumented Systems

An instrumented system honeypot is an off-the-shelf system with an installed operating system and kernel-level modifications to provide information, containment, or control. The operating system and kernel have been modified by professional security engineers, unlike in the sacrificial lamb model. After modifying the operating system and kernel, they leave the system running in the network as a real target. Instrumented systems combine the strengths of both sacrificial lambs and façades. Like the sacrificial lamb system, they provide a complete copy of a real system, ready for attackers to compromise, while at the same time (like façades) they are easily accessible and difficult to evade. Furthermore, the operating system and kernel in these systems have been modified to prevent attackers from using them as a stepping-stone for further attacks on other parts of the network.

Example three: Spam Honeypots

Honeypot technology is also used for studying spam and email harvesting activities. Honeypots have been deployed to study how spammers detect open mail relays. Machines run as simulated mail servers, proxies and web servers. Spam email is received and analysed to ascertain the reasons why it was received⁴. In addition, an email trap can be set up, using an email address dedicated to just receiving spam emails.

IV. HYBRID HONEYPOTS

The need to collect detailed attack processes on large IP spaces has pushed researchers to invent more scalable and intelligent architectures. Collapsar simplifies the deployment and administration of high-interaction honeypots on large IP spaces by using GRE tunnels to route traffic from distributed networks into a centralized farm of honeypots. The limitation of Collapsar is that it does not provide any filtering mechanism that can prevent high-interaction honeypots from being overloaded. Another project, called Potemkin, is based on the idea that idle high-interaction honeypots do not even need to run. As a result, the architecture saves resources by starting a new virtual machine for each active IP address. As soon as an IP address becomes inactive, the virtual machine is destroyed to save physical memory and CPU resources. Such a system allows hundreds of virtual machines to run on a single physical host.

V. BENEFITS

Based on how honeypots conceptually work, they have several advantages.
• Reduce False Positives and False Negatives
• Data Value
• Resources
• Simplicity

VI. DRAWBACKS

• Limited View
• Specifically, honeypots carry the risk of being taken over by the bad guy and being used to harm other systems; this risk differs for different honeypots.

CONCLUSION

Honeypots have their advantages and disadvantages. They are clearly a useful tool for luring and trapping attackers, capturing information and generating alerts when someone is interacting with them. The activities of attackers provide valuable information for analysing their attacking techniques and methods. Because honeypots only capture and archive data and requests coming in to them, they do not add extra burden to existing


network bandwidth. However, honeypots do have their drawbacks. Because they only track and capture activity that directly interacts with them, they cannot detect attacks against other systems in the network. Furthermore, deploying honeypots without enough planning and consideration may introduce more risks to an existing network, because honeypots are designed to be exploited, and there is always a risk of them being taken over by attackers, who may use them as a stepping-stone to gain entry to other systems within the network. This is perhaps the most controversial drawback of honeypots.

REFERENCES

1. Srivathsa S Rao, Vinay Hegde, Boruthalupula Maneesh, Jyothi Prasad N M, Suhas Suresh, August 2013, International Journal of Scientific and Research Publications, Volume 3, Issue 8.
2. Abhishek Sharma, Nov-Dec 2013, International Journal of Technical Research and Applications, e-ISSN: 2320-8163, www.ijtra.com, Volume 1, Issue 5, PP. 07-12.
3. R. Karthikeyan, "Improved Apriori Algorithm for Mining Rules", International Journal of Advanced Research in Biology Engineering Science and Technology, Volume 11, Issue 4, April 2016, Page No: 71-77.
4. R. Karthikeyan, Dr. T. Geetha, "Honeypots for Network Security", International Journal for Research & Development in Technology, Volume 7, Issue 2, Jan 2017, Page No.: 62-66, ISSN: 2349-3585.
5. https://www.client-honeynet.org/honeyc.html
6. R. Karthikeyan, "A Survey on Position Based Routing in Mobile Adhoc Networks", International Journal of P2P Network Trends and Technology, Volume 3, Issue 7, 2013, ISSN: 2249-2615.
7. R. Karthikeyan, "A Survey on Sensor Networks", International Journal for Research & Development in Technology, Volume 7, Issue 1, Jan 2017, Page No: 71-77.
8. R. Karthikeyan, Dr. T. Geetha, "Web Based Honeypots Network", International Journal for Research & Development in Technology, Volume 7, Issue 2, Jan 2017, Page No.: 67-73, ISSN: 2349-3585.
9. R. Karthikeyan, Dr. T. Geetha, "A Simple Transmit Diversity Technique for Wireless Communication", International Journal for Engineering and Techniques, Volume 3, Issue 1, Feb 2017, Page No.: 56-61, ISSN: 2395-1303.
10. C. Ganesh, B. Sathyabhama, Dr. T. Geetha, "Fast Frequent Pattern Mining using Vertical Data Format for Knowledge Discovery", International Journal of Engineering Research in Management & Technology, Vol. 5, Issue 5, Pages: 141-149.
11. R. Karthikeyan, Dr. T. Geetha, "Strategy of Trible – E on Solving Trojan Defense in Cyber Crime Cases", International Journal for Research & Development in Technology, Volume 7, Issue 1, Jan 2017, Page No.: 167-171.
12. http://www.honeynet.org.pt/index.php/HoneyMole
13. R. Karthikeyan, "A Survey on Position Based Routing in Mobile Adhoc Networks", International Journal of P2P Network Trends and Technology, Volume 3, Issue 7, 2013, ISSN: 2249-2615.
14. K. Ramya and K. Pavithradevi, "Effective Wireless Communication", International Journal of Advanced Research, Vol 4(12), pp. 1599-1562, Dec 2016.
15. R. Karthikeyan, Dr. T. Geetha, "FLIP-OFDM for Optical Wireless Communications", International Journal of Engineering and Techniques, Volume 3, Issue 1, Jan-Feb 2017, ISSN: 2395-1303, PP No.: 115-120.
16. R. Karthikeyan, Dr. T. Geetha, "Application Optimization in Mobile Cloud Computing", International Journal of Engineering and Techniques, Volume 3, Issue 1, Jan-Feb 2017, ISSN: 2395-1303, PP No.: 121-125.
