Directing Malicious Traffic To Honeypot Using Anomaly Detection and Attribution


DIRECTING MALICIOUS TRAFFIC TO HONEYPOT

USING ANOMALY DETECTION AND ATTRIBUTION.

A PROJECT REPORT

Submitted by

KAUSHIK G (171351601052)

NOOR MOHAMED M(171351601086)

KARUPPASAMY K(171351601051)

Under the guidance of

Mrs. NIVITHA J

In partial fulfillment for the award of the degree of

Bachelor of Computer Applications

MAY 2020

BONAFIDE CERTIFICATE

Certified that this project report “DIRECTING MALICIOUS TRAFFIC TO HONEYPOT USING ANOMALY DETECTION AND ATTRIBUTION” is the bonafide work of KAUSHIK G (171351601052), NOOR MOHAMED M (171351601086) and KARUPPASAMY K (171351601051), who carried out the project work under my supervision. Certified further that, to the best of my knowledge, the work reported herein does not form part of any other project report or dissertation on the basis of which a degree or award was conferred on an earlier occasion on this or any other candidate.

SIGNATURE
Mrs. NIVITHA J
Assistant Professor
Department of Computer Application
B.S. Abdur Rahman Crescent Institute of Science and Technology
Vandalur, Chennai – 600 048

SIGNATURE
Dr. GUFRAN AHMAD ANSARI
Professor and Head
Department of Computer Application
B.S. Abdur Rahman Crescent Institute of Science and Technology
Vandalur, Chennai – 600 048

VIVA-VOCE EXAMINATION

The viva-voce examination of the project work titled “DIRECTING MALICIOUS TRAFFIC TO HONEYPOT USING ANOMALY DETECTION AND ATTRIBUTION”, submitted by KAUSHIK G (171351601052), NOOR MOHAMED M (171351601086) and KARUPPASAMY K (171351601051), is held on __________________.

INTERNAL EXAMINER

EXTERNAL EXAMINER

ACKNOWLEDGEMENT

I thank the Almighty for showering His blessings upon me in completing the project. I submit this project with a deep sense of gratitude and reverence for my beloved parents for their moral support and encouragement.

I sincerely express my heartfelt gratitude to Prof. Dr. A. Peer Mohamed, Pro Vice Chancellor, B.S. Abdur Rahman Crescent University, and Prof. Dr. A. Azad, Registrar, for furnishing every essential facility for doing my project.

I owe my sincere gratitude to Prof. Dr. Venkatesan Selvam, Dean of the School of Computer, Information and Mathematical Science (SCIMS), and Dr. Gufran Ahmad Ansari, Professor and Head, Department of Computer Applications, for providing strong oversight of vision, strategic direction, encouragement and valuable suggestions in completing my project work.

I convey my earnest thanks to my project guide Mrs. Nivitha J, Assistant Professor, Department of Computer Applications, for her valuable guidance and support throughout the project.

I express my gratitude to the Project Coordinators and the Project Committee Members of the Department of Computer Applications for their support and continued assistance in the process.

I extend my sincere thanks to all my faculty members for their valuable suggestions, timely advice, and support to complete the project.

KAUSHIK G

NOOR MOHAMED M

KARUPPASAMY K

ABSTRACT

Modern networks are complex, so network operators often rely on automation to help assure the security, availability and performance of those networks. Every individual network, however, has its own strengths and its own weaknesses, and a malicious outsider can easily exploit those weaknesses if the holes in the network are not carefully taken care of; a single exploited hole can compromise the whole network and the devices connected to it.

One way to learn an individual system's weaknesses is to hire people to find the holes and break into the system, so that countermeasures can be devised to fix the holes and avoid trouble in the future. Alternatively, real malicious hackers can be allowed to break in, but made to believe they are attacking the real system while they are actually inside a duplicate of the original that holds false data and is completely separate from the real system. This fake system is called a honeypot.

At the core of many such systems are general-purpose anomaly detection algorithms that seek to identify normal behaviour and detect deviations from it. In this paper we combine anomaly detection with a HONEYPOT to detect, or otherwise counteract, attempts at unauthorised use of information systems. The capabilities and limitations of honeypots were tested and the aspects that need improvement were identified. Placed in the network, the honeypot observes and captures new attacks.

TABLE OF CONTENTS

CHAPTER NO.  TITLE

ABSTRACT
LIST OF FIGURES
LIST OF ABBREVIATIONS

1 INTRODUCTION
  1.1 GENERAL
  1.2 EXISTING SYSTEM
    1.2.1 Literature Survey
    1.2.2 Disadvantages of the Existing System
  1.3 PROPOSED SYSTEM
    1.3.1 Advantages of the Proposed System
  1.4 ORGANISATION OF THE CHAPTERS

2 PROBLEM DEFINITION AND METHODOLOGIES
  2.1 PROBLEM DEFINITION
  2.2 METHODOLOGY

3 DEVELOPMENT PROCESS
  3.1 REQUIREMENT ANALYSIS
    3.1.1 Input Requirements
    3.1.2 Output Requirements
    3.1.3 Resource Requirements
  3.2 DESIGN
    3.2.1 Architectural Design
    3.2.2 Detailed Design
  3.3 IMPLEMENTATION
    3.3.1 Tools Used
    3.3.2 What is a Honeypot?
    3.3.3 How do Honeypots Work?
    3.3.4 What is Anomaly Detection?
    3.3.5 Where can we use Anomaly Detection?
  3.4 TESTING
    3.4.1 Unit Testing
    3.4.2 Integration Testing
    3.4.3 Functional Testing
    3.4.4 System Testing
    3.4.5 Validation Testing

4 SCREENSHOTS

5 RESULTS AND CONCLUSION
  5.1 RESULT
  5.2 CONCLUSION
  5.3 FUTURE ENHANCEMENTS

REFERENCE
APPENDIX: SAMPLE COMMANDS
TECHNICAL BIOGRAPHY

LIST OF FIGURES

FIGURE NO.  TITLE

2.1 Hierarchical diagram of the system
3.2 Architecture of the system
3.3 Detailed design of the system
4.1 Pentmenu DOS attack
4.2 Pentmenu Homepage
4.3 Entering port number for target
4.4 Starting UDP flood
4.5 Packet Capture and Monitor

LIST OF ABBREVIATIONS

ADS   Anomaly Detection System
VPC   Virtual Private Cloud
DDOS  Distributed Denial-Of-Service

CHAPTER 1

INTRODUCTION

Security is a major concern today in all sectors, such as banks, government applications, military organisations and educational institutions. Users tend to choose easy-to-guess passwords, reuse the same password across multiple accounts, or store passwords on their machines. Furthermore, hackers have many techniques for stealing passwords, such as shoulder surfing, snooping, sniffing and guessing. A typical solution is to give the user a hardware token that generates one-time passwords, i.e. passwords valid for a single session or transaction.

1.1 GENERAL

This project provides a way of securing the user's data from hackers. Whenever an intruder tries to access the user's original data, the intruder is redirected to a virtual platform called a HONEYPOT, which holds a replica of the user's original data. The intruder does not know that he is being trapped and monitored.

1.2 EXISTING SYSTEM:

The existing system covers how an intruder attacks the system: with the use of anomaly detection, the malicious user is identified from the network traffic and is blocked right away.

1.2.1 Literature Survey:

I. F. Iglesias and T. Zseby, “Analysis of network traffic features for anomaly detection,” Mach. Learn., vol. 101, nos. 1–3, pp. 59–84, 2014. When anomalies from a malicious user are detected, the user is redirected to the HONEYPOT system, which captures the malicious data and lets the attackers show what they are capable of doing while they believe they are in the original system.

II. Y. Gu, A. McCallum, and D. Towsley, “Detecting anomalies in network traffic using maximum entropy estimation,” in Proc. IMC, 2005, p. 32. An anomaly detection system significantly reduces the time needed to analyse alarms, and can also mitigate the detected anomaly without human intervention.

III. C. Callegari, S. Vaton, and M. Pagano, “A new statistical method for detecting network anomalies in TCP traffic,” Trans. Emer. Telecomm. Technol., vol. 21, no. 7, pp. 575–588, 2010. The basic idea was to build a profile of the normal behaviour of the system. Denning proposed several statistical models for building the profile; among these she considered a Markov process model to describe the transition probabilities for a given metric.
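The Markov-profile idea in item III, as an added Python example that is not code from this report or from the cited paper: it learns transition probabilities between successive packet protocols from a constructed normal sequence, then scores new sequences by their average negative log-likelihood and flags those far above the training score. The state names, the sequences and the alert margin are assumptions made for the example.

```python
"""Markov-profile anomaly scoring for one traffic metric.

Added example (not code from the report): the metric profiled is the protocol
of successive packets from one source; the states, the training sequence and
the test sequences are constructed for the example.
"""
from collections import defaultdict
from math import log

STATES = ("tcp", "udp", "icmp")


def train_profile(sequence, states=STATES, alpha=1.0):
    """Estimate P(next | current) from a normal sequence, with additive
    (Laplace) smoothing so transitions never seen in training keep a small
    non-zero probability instead of breaking the log-likelihood."""
    counts = {s: defaultdict(float) for s in states}
    for cur, nxt in zip(sequence, sequence[1:]):
        counts[cur][nxt] += 1.0
    profile = {}
    for s in states:
        total = sum(counts[s].values()) + alpha * len(states)
        profile[s] = {t: (counts[s][t] + alpha) / total for t in states}
    return profile


def score_sequence(profile, sequence):
    """Average negative log-likelihood per transition: low for sequences that
    follow the learned profile, high for sequences full of rare transitions."""
    if len(sequence) < 2:
        return 0.0
    nll = 0.0
    for cur, nxt in zip(sequence, sequence[1:]):
        nll -= log(profile[cur][nxt])
    return nll / (len(sequence) - 1)


def threshold_from_normal(profile, sequence, margin=1.0):
    """Alert threshold set relative to the training data's own score
    (the margin is an assumption for the example)."""
    return score_sequence(profile, sequence) + margin


def is_anomalous(profile, sequence, threshold):
    return score_sequence(profile, sequence) > threshold


# Constructed "normal" behaviour: mostly TCP, occasional UDP (e.g. DNS) and a
# rare ICMP packet, never long runs of UDP.
NORMAL = ["tcp"] * 8 + ["udp", "tcp", "tcp", "tcp", "udp", "tcp", "icmp", "tcp"] * 5
PROFILE = train_profile(NORMAL)

# Constructed test sequences: a benign session and a sustained UDP flood like
# the one shown in the chapter 4 screenshots.
BENIGN = ["tcp", "tcp", "udp", "tcp", "tcp", "tcp", "udp", "tcp"]
FLOOD = ["udp"] * 20

if __name__ == "__main__":
    thr = threshold_from_normal(PROFILE, NORMAL)
    for name, seq in (("benign", BENIGN), ("flood", FLOOD)):
        print(name, round(score_sequence(PROFILE, seq), 3),
              "anomalous" if is_anomalous(PROFILE, seq, thr) else "normal")
```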

1.2.2 Disadvantages of the Existing System:

The following are the disadvantages of the existing system:

The system is not secured.

The operators only know that there is an intruder.

1.3 PROPOSED SYSTEM:

The proposed system adds a honeypot alongside the existing original system. To the attacker the honeypot appears to be the original system, but it really is not. When the attacker stays a little longer than he really should, it becomes easier to learn what the intruder is here for, or what the attacker really needs.

1.3.1 Advantages of the Proposed System:

Security is very high.
It is hard for intruders to know that they are being trapped.
The intruder is monitored and traced back.
The intruder cannot access the original data of the user.

1.4 ORGANISATION OF THE CHAPTERS

This chapter gave the general introduction and discussed the existing system and the proposed system for this project. The working and implementation of the system are discussed in the following chapters. Chapter 2 discusses the problem definition and methodology. The development process, requirement analysis, design, implementation and testing of the project are discussed in chapter 3. The results of the project are analysed and concluded in the final chapter 4.

CHAPTER 2

PROBLEM DEFINITION AND METHODOLOGY

In the previous chapter, the existing system and the proposed system for this project were discussed. This chapter deals with the problem definition and the methodology. The problem definition states the objective of the project, and the methodology describes how the project was developed.

2.1 METHODOLOGY

The methodology followed in this project is the top-down approach, which emphasises planning and a complete understanding of the system. The project is separated into four modules; each module processes its input and generates a result from the given data.

Figure 2.1 shows the hierarchical diagram of the system.

Figure 2.1 Hierarchy diagram

CHAPTER – 3

DEVELOPMENT PROCESS

3.1 REQUIREMENT ANALYSIS:

3.1.1 Input Requirements:

The input requirement for the project is that every user, including a malicious one, must register their information and log in using a user name and password.

3.1.2 Output Requirements

The output of this project is that unauthorised users who try to gain access without the legitimate user's knowledge are easily identified and redirected to the HONEYPOT. The admin can then trace the unauthorised user, who is never allowed to access the original data.

3.1.3 Resource Requirements

Software Requirements:
Programming Language:
Tools: Pentmenu
Database: MySQL 5.5
Web server: Apache Tomcat 6.0

Hardware Requirements:
Operating System: Windows 10
RAM: 4 GB
Storage: 500 GB

3.2 DESIGN:

3.2.1 Architectural Design:

Figure 3.5 depicts the system architecture of the entire project. It defines the structure of the developed system, comprising its different modules, their externally visible properties and the relationships between them, and shows the overall architectural design of the system.

Figure 3.2.1 – Architecture diagram

3.2.1.1 Internet Gateway

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. ... An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.

3.2.1.2 Firewall

Generally the firewall has two network interfaces: one for the external side of the network and one for the internal side. Its purpose is to control what traffic is allowed to traverse from one side to the other. At the most basic level, firewalls can block traffic intended for particular IP addresses or server ports.

3.2.1.3 Anomaly Detection System (ADS)

An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. ... Systems using artificial neural networks have been used to great effect.

3.2.1.4 SQL Storage

The most basic concept to understand concerning how SQL Server uses storage is that databases are composed of two types of files. Data files store the database data. A basic database consists of a single data file, but a database can consist of multiple data files that reside on one or more drives.

3.2.2 Detailed Design:

The detailed design is similar to the architectural design; it shows all three levels of authentication (user IP address, user MAC address and user network connectivity) in both the registration and login phases.

Figure 3.2.2– Detailed design

3.2.2.1 User IP address

The Internet, sometimes called the network of networks, is based upon one simple principle: transferring information from one computer to another. In order to do this each computer needs an identity, which is called the "Internet Protocol address" or "IP address." It is similar to a telephone number or street address.

3.2.2.2 User MAC address

A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment.

3.2.2.3 User network connectivity

Network connectivity describes the extensive process of connecting various parts of a network to one another, for example through the use of routers, switches and gateways, and how that process works.

3.3 IMPLEMENTATION

3.3.1 TOOLS USED

The tools used to trap intruders and monitor them, so that they cannot reach the data, are the HONEYPOT and the ANOMALY DETECTION SYSTEM (ADS).

3.3.2 WHAT IS A HONEYPOT?

A honeypot is a computer or computer system intended to mimic likely targets of cyberattacks. It can be used to detect attacks or deflect them from a legitimate target. It can also be used to gain information about how cybercriminals operate.

3.3.3 How do honeypots work?

If you, for instance, were in charge of IT security for a bank, you might set up a honeypot system that, to outsiders, looks like the bank's network. The same goes for those in charge of, or researching, other types of secure, internet-connected systems.

By monitoring traffic to such systems, you can better understand where cybercriminals are coming from, how they operate, and what they want. More importantly, you can determine which of the security measures you have in place are working, and which ones may need improvement.

Honeypots are used to identify and trap attackers by presenting vulnerable systems that appear to be production systems but are in fact dummy systems isolated from the production environment.

Honeypots can be used to identify attackers because they can be configured to alert when they are being attacked or have been successfully compromised. They can also be used to trap attackers by presenting them with false information that is likewise set to trigger alerts when accessed.

Utility companies should set up honeypots throughout their organisation, and particularly in their perimeter and smart grid environments. By doing so, they will be able to understand their current threats as well as the type of probes attackers are using to find weaknesses in their infrastructure.

Finally, they can use honeypots to enact countermeasures against attackers before the attackers break out of the honeypot and into the production environment.

3.3.4 What is anomaly detection?

Anomaly detection (also called outlier analysis) is a step in data mining that identifies data points, events and/or observations that deviate from a dataset's normal behaviour. Anomalous data can indicate critical incidents, such as a technical glitch, or potential opportunities, such as a change in consumer behaviour. Machine learning is progressively being used to automate anomaly detection.
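An added example (not code from this report) of the anomaly detection described here, applied to the project's own setting: a baseline packet rate per source is learned from a warm-up window of constructed log lines, sources whose rate deviates from that baseline are flagged, and each flagged source is attributed by IP and MAC address (the identifiers in the detailed design) and mapped to a placeholder honeypot address. The log format, the addresses and the thresholds are assumptions made for the example.

```python
"""Rate-based anomaly detection with a honeypot redirect decision.

Added example (not code from the report). The ADS learns the normal
packets-per-second rate of a source during a warm-up window, then flags any
source whose later rate deviates from it by more than K_SIGMA standard
deviations. Flagged sources are attributed by (IP, MAC) and mapped to the
honeypot address; all values below are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

HONEYPOT_ADDR = "10.0.99.10"   # placeholder: address of the isolated honeypot host
WARMUP_SECONDS = 4             # seconds 0-3 are taken as the normal baseline
K_SIGMA = 3.0                  # deviation (in std devs) that counts as anomalous

# Constructed log lines: "<second> <src_ip> <src_mac> <proto> <dst_port>".
# Two legitimate hosts during the warm-up window, then a third host starts a
# UDP flood at second 4 while a legitimate host continues normally.
LOG_LINES = [
    "0 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "0 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "0 192.0.2.11 aa:bb:cc:00:00:11 tcp 80",
    "1 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "1 192.0.2.11 aa:bb:cc:00:00:11 udp 53",
    "1 192.0.2.11 aa:bb:cc:00:00:11 tcp 80",
    "1 192.0.2.11 aa:bb:cc:00:00:11 tcp 80",
    "2 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "2 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "2 192.0.2.11 aa:bb:cc:00:00:11 tcp 80",
    "2 192.0.2.11 aa:bb:cc:00:00:11 tcp 80",
    "3 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "3 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "3 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "3 192.0.2.11 aa:bb:cc:00:00:11 tcp 80",
    "4 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
    "4 192.0.2.10 aa:bb:cc:00:00:10 tcp 443",
] + ["4 198.51.100.7 aa:bb:cc:00:00:77 udp 9999"] * 60


def parse_line(line):
    """Parse one constructed log line; the source is attributed by IP and MAC."""
    second, ip, mac, proto, port = line.split()
    return {"second": int(second), "source": (ip, mac), "proto": proto, "port": int(port)}


def packets_per_second(records):
    """Count packets per (source, second); this is the metric being profiled."""
    counts = defaultdict(int)
    for rec in records:
        counts[(rec["source"], rec["second"])] += 1
    return counts


def baseline_threshold(counts, warmup=WARMUP_SECONDS, k=K_SIGMA):
    """Learn the normal per-second rate from the warm-up window and return the
    rate above which a source is anomalous (mean + k*stddev). The floor of one
    packet above the mean avoids a useless threshold when the warm-up traffic
    is perfectly uniform (stddev 0)."""
    samples = [n for (_, sec), n in counts.items() if sec < warmup]
    mu, sigma = mean(samples), pstdev(samples)
    return max(mu + k * sigma, mu + 1.0)


def detect_anomalous_sources(counts, threshold, warmup=WARMUP_SECONDS):
    """Sources whose rate in any second after the warm-up exceeds the threshold."""
    return {src for (src, sec), n in counts.items() if sec >= warmup and n > threshold}


def redirect_table(flagged, honeypot=HONEYPOT_ADDR):
    """Attribution output: each anomalous (ip, mac) mapped to the honeypot the
    gateway should steer it to, so it never reaches the original data."""
    return {source: honeypot for source in sorted(flagged)}


def run(lines=LOG_LINES):
    counts = packets_per_second(parse_line(line) for line in lines)
    thr = baseline_threshold(counts)
    return thr, redirect_table(detect_anomalous_sources(counts, thr))


if __name__ == "__main__":
    thr, table = run()
    print(f"threshold {thr:.2f} packets/s")
    for (ip, mac), target in table.items():
        print(f"redirect {ip} ({mac}) -> honeypot {target}")
```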

3.3.5 Where can we use anomaly detection?

Finance: Anomalies could indicate illegal activities such as transactional fraud, identity theft, network intrusion, account takeover, or money laundering. By immediately detecting anomalies in your data, whether in failed and declined transaction rates, multiple login attempts, device usage or the transaction amount per product, performance issues and security threats can be avoided.

E-commerce: Spotting changes in behaviour can help improve product placement or inform the development of personalised product offers. And being alerted in real time to unexpected behaviour that poses a security threat (such as DDOS (distributed denial-of-service) attacks) means you can respond immediately in order to prevent fraud and revenue loss.

Gaming: System glitches or performance issues can be spotted and fixed, whether in operating systems, levels, user segments, or different devices, before they interrupt game-play, degrade player engagement, and damage hard-won brand equity.

Telecom: New, complex, IP-based services and their convergence with traditional voice services make for complex network management challenges, where a service loss, even in a small node, could affect thousands of customers.

3.4 TESTING:

The purpose of testing is to discover errors. Testing is the process of trying to discover every conceivable fault or weakness in a work product. It provides a way to check the functionality of components, sub-assemblies, assemblies and/or a finished product. It is the process of exercising software with the intent of ensuring that the software system meets its requirements and user expectations and does not fail in an unacceptable manner. There are various types of test; each test type addresses a specific testing requirement.

3.4.1 Unit Testing

Unit testing involves the design of test cases that validate that the internal program logic is functioning properly, and that program inputs produce valid outputs. All decision branches and internal code flow should be validated. It is the testing of individual software units of the application; it is done after the completion of an individual unit and before integration. This is structural testing that relies on knowledge of the unit's construction and is invasive. Unit tests perform basic tests at component level and test a specific business process, application, and/or system configuration. Unit tests ensure that each unique path of a business process performs accurately to the documented specifications and contains clearly defined inputs and expected results.

3.4.2 Integration Testing

Integration tests are designed to test integrated software components to determine whether they run as one program. Testing is event driven and is more concerned with the basic outcome of screens or fields. Integration tests demonstrate that although the components were individually satisfactory, as shown by successful unit testing, the combination of components is also correct and consistent. Integration testing is specifically aimed at exposing the problems that arise from the combination of components.

3.4.3 Functional Testing

Functional tests provide a systematic demonstration that the functions tested are available as specified by the business and technical requirements, system documentation, and user manuals.

Functional testing is centred on the following items:

Valid Input: Identified classes of valid input must be accepted.

Invalid Input: Identified classes of invalid input must be rejected.

Functions: Identified functions must be exercised.

Output: Identified classes of application outputs must be exercised.

Systems/Procedures: Interfacing systems or procedures must be invoked.

Organisation and preparation of functional tests is focused on requirements, key functions, or special test cases. In addition, systematic coverage of the identified business process flows must be obtained: data fields, predefined processes, and successive processes must be considered for testing. Before functional testing is complete, additional tests are identified and the effective value of the current tests is determined.

3.4.4 System Testing

System testing ensures that the entire integrated software system meets requirements. It tests a configuration to ensure known and predictable results. An example of system testing is the configuration-oriented system integration test. System testing is based on process descriptions and flows, emphasising pre-driven process links and integration points.

3.4.5 Validation Testing:

Validation succeeds when the software works in the manner expected by the user. Software validation is achieved through a series of test cases that demonstrate conformance with the requirements. In this project, “An intelligent tool for processing natural language sentences into structured query language”, each module is tested separately.

CHAPTER – 4

SCREENSHOTS

Figure 4.1 represents the command entered in the Pentmenu tool to make a DOS attack.

Figure 4.1 – Pentmenu DOS attack

Figure 4.2 represents the home page of the Pentmenu tool.

Figure 4.2 – Pentmenu Homepage

Figure 4.3 represents entering the port number of the target and a random string to be carried in the packets. In this case a UDP flood is used for the attack.

Figure 4.3 – Entering port number for target

Figure 4.4 represents the attack in progress and the number of packets sent to the system.

Figure 4.4 – Starting UDP Flood

Figure 4.5 represents the packets being captured and monitored.

Figure 4.5 – Packet Capture and Monitor

CHAPTER 5

RESULT AND CONCLUSION

5.1 RESULT

Figure 4.5 shows that this project takes every attacker's or hacker's positive notion of how they might be able to attack and turns it against them: they clearly cannot see through this technology, even if they have more knowledge than us (the victims). So be safe and protect your data viably. This chapter deals with the result analysis, conclusion and future enhancements.

5.2 CONCLUSION

There are clearly both pros and cons of adolescent technology use. The fact is, it
is important for adolescents to learn and understand technology. It's become a part of
daily life for all people to use a computer or a cell phone. It is necessary in most situations,
especially for when they are older and have jobs. However, technology use must not be
excessive. Extreme technological use in adolescents can cause all sorts of problems;
socially and physically. It is important for adolescents to understand that yes, technology
is an amazing thing; but at the same time, it should not be used all of the time. They
should not be overly dependent on it. Adolescents need to learn that sometimes,
technology is not the right answer for a situation.

5.3 FUTURE ENHANCEMENTS

Since this technology is normally used by any organisation that has access to various data around the world, it can also be used by some unidentified social networker to get data. This honeypot technology should be learned by every organisation to protect itself from these hackers or attackers.

REFERENCE

[1] J. Wang and I. C. Paschalidis, “Statistical traffic anomaly detection in time-varying communication networks,” IEEE Trans. Control Netw. Syst., vol. 2, no. 2, pp. 100–111, Jun. 2015.

[2] A. G. Tartakovsky, A. S. Polunchenko, and G. Sokolov, “Efficient computer network anomaly detection by changepoint detection methods,” IEEE J. Sel. Topics Signal Process., vol. 7, no. 1, pp. 4–11, Feb. 2013.

[3] C. Callegari, S. Vaton, and M. Pagano, “A new statistical method for detecting network anomalies in TCP traffic,” Trans. Emer. Telecommun. Technol., vol. 21, no. 7, pp. 575–588, 2010.

[4] I. C. Paschalidis and G. Smaragdakis, “Spatio-temporal network anomaly detection by assessing deviations of empirical measures,” IEEE/ACM Trans. Netw., vol. 17, no. 3, pp. 685–697, Jun. 2009.

[5] D. Turner, K. Levchenko, A. C. Snoeren, and S. Savage, “California fault lines: Understanding the causes and impact of network failures,” ACM SIGCOMM Comput. Commun. Rev., vol. 40, no. 4, pp. 315–326, 2011.

APPENDIX: SAMPLE COMMANDS

To start the ADS (Snort):

    snort -A console -i the_network_interface -u snort -g snort -c /etc/snort/snort.conf

To start Pentmenu:

    ./pentmenu
TECHNICAL BIOGRAPHY

NOOR MOHAMED M (RRN: 17351601086) was born on 15th May, 2000. Currently he is pursuing the Bachelor of Computer Applications degree programme in B.S. Abdur Rahman Crescent University, Vandalur, Chennai – 600 048.

Email id: noorit2515@gmail.com

Mobile No: 6381980149

TECHNICAL BIOGRAPHY

KAUSHIK G (RRN: 17351601052) was born on 29th November, 1999. Currently he is pursuing the Bachelor of Computer Applications degree programme in B.S. Abdur Rahman Crescent University, Vandalur, Chennai – 600 048.

Email id: kaushikveni@gmail.com

Mobile No: 9710674437

TECHNICAL BIOGRAPHY

KARUPPASAMY K (RRN: 17351601051) was born on 3rd November, 1995. Currently he is pursuing the Bachelor of Computer Applications degree programme in B.S. Abdur Rahman Crescent University, Vandalur, Chennai – 600 048.

Email id: kprock65@gmail.com

Mobile No: 9176484581
