Honeypot as the Intruder Detection System



Similar documents
Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

Securing the system using honeypot in cloud computing environment

Dynamic Honeypot Construction

Advanced Honeypot System for Analysing Network Security

Lesson 5: Network perimeter security

LAN Based Intrusion Detection And Alerts

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Payment Card Industry (PCI) Data Security Standard

Banking Security using Honeypot

Taxonomy of Hybrid Honeypots

Chapter 9 Firewalls and Intrusion Prevention Systems

Second-generation (GenII) honeypots

PCI Security Scan Procedures. Version 1.0 December 2004

CTS2134 Introduction to Networking. Module Network Security

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Network Based Intrusion Detection Using Honey pot Deception

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

How To Protect A Network From Attack From A Hacker (Hbss)

HONEYPOTS REVEALED Prepared by:

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

THE ROLE OF IDS & ADS IN NETWORK SECURITY

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Securing Web Applications...at the Network Layer

DETECTING AND ANALYZING NETWORK ATTACKS USING VIRTUAL HONEYNET NUR ATIQAH BT. HASAN

Development of Honeypot System Emulating Functions of Database Server

Volume 2, Issue 3, March 2014 International Journal of Advance Research in Computer Science and Management Studies

Autonomous Hybrid Honeypot as the Future of Distributed Computer Systems Security

UCIT INFORMATION SECURITY STANDARDS

Use of Honeypots to Increase Awareness regarding Network Security

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Seamless ICT Infrastructure Security.

INTRUSION DETECTION SYSTEMS and Network Security

Overview. Firewall Security. Perimeter Security Devices. Routers

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

A Decision Maker s Guide to Securing an IT Infrastructure

Εmerging Ways to Protect your Network

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

Overcoming PCI Compliance Challenges

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Guideline on Firewall

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Use of Honeypot and IP Tracing Mechanism for Prevention of DDOS Attack

Data Collection and Data Analysis in Honeypots and Honeynets

E-commerce Production Firewalls

SANS Top 20 Critical Controls for Effective Cyber Defense

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Daniel Meier & Stefan Badertscher

Norton Personal Firewall for Macintosh

How To Fix A Web Application Security Vulnerability

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Avoiding Cyber-attacks to DMZ and Capturing Forensics from Intruders Using Honeypots

Network Instruments white paper

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Why The Security You Bought Yesterday, Won t Save You Today

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Taxonomy of Intrusion Detection System

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewall Firewall August, 2003

FIREWALL POLICY November 2006 TNS POL - 008

Keywords Intrusion detection system, honeypots, attacker, security. 7 P a g e

Intrusion Detection Systems

Intro to Firewalls. Summary

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

HoneyBOT User Guide A Windows based honeypot solution

Proxy Server, Network Address Translator, Firewall. Proxy Server

Achieving PCI Compliance Using F5 Products

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring

New Security Perspective for Virtualized Platforms

The Truth about False Positives

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Firewall Tips & Tricks. Paul Asadoorian Network Security Engineer Brown University November 20, 2002

Survey on DDoS Attack Detection and Prevention in Cloud

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Building Secure Networks for the Industrial World

Global Partner Management Notice

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Security Issues with Integrated Smart Buildings

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

74% 96 Action Items. Compliance

Security Engineering Part III Network Security. Intruders, Malware, Firewalls, and IDSs

A solution for comprehensive network security

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Intrusion Detection Systems

IDS : Intrusion Detection System the Survey of Information Security

Innovative Defense Strategies for Securing SCADA & Control Systems

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Breaking the Cyber Attack Lifecycle

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Network Monitoring and Forensics

A Case for Managed Security

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

Transcription:

Honeypot as the Intruder Detection System DAVID MALANIK, LUKAS KOURIL Department of Informatics and Artificial Intelligence Faculty of Applied Informatics, Tomas Bata University in Zlin nam. T. G. Masaryka 5555, 760 01 Zlin CZECH REPUBLIC dmalanik@fai.utb.cz; kouril@fai.utb.cz http://www.fai.utb.cz Abstract: - This paper shows possible implementation of honeypot in local network. The honeypot works as the 0-day malware detection system. It implements many of active or semi-active traps in local area network and DMZ in the company network. There are not defined the legal trace to the honeypot. That mean, that common connection does not be forwarded to the honeypot. The approved users and computers are not being able to detect the honeypot. This means that all communication with honeypot coming from the unauthorized devices. The common IDS system does not detect the 0-day vulnerabilities. The trap represented by the honeypot in the network might detect behaviour of new exploits and hacker attempt. Key-Words: security, honeypot, IDS, network, intruder, malware, exploit 1 Introduction The World is represented as the many interconnected networks. These interconnections show rapid simplify of the common life. People occasionally use Internet as the global network. They used local networks as the common working tool. The interoperability of these networks represents the big potentially security issue; if there are everything connected to everything, the network does not have any borders. The intruder might misuse this connection from any place in the World. Companies use some type of security systems occasionally. The antivirus and the firewall are the common standard [1][2]. The next level is represented with an anti-spam filter and a content analyses tool [6]. But how it is with protection against 0-day exploits? Is there any option or future, how to detect 0-day exploits, malware and hacker attacks? 2 Problem Formulation The main problem in computer security is the evolution. Many attack vendors had same signature and it is possible to create the definition of this attack. There are only a few the original examples of malware; each other is only the derivation of it [1]. The evolution brings the minimal probability of the original vendor of malware or attack. But the minimal probability is not the zero probability [6]. 2.1 0-day exploit The zero day exploit represents the new vulnerability of the tested system. This is the new vendor of the attack and is possible that these types of attacks could not be detected by the definition based computer security components. 2.2 Undescribed hacker attack This new type of attack is combined with the 0-day exploit occasionally. The attacker behaviour might be undetectable, because the commonly used system does not find this vendor in the definition database [7]. 2.3 Honeypot The honeypot represents the real computer system; this system is used as the trap for unauthorized communication in the computer network. Honeypots are systems that are designed to be exploited, By creating such systems, you can attract and log activity from attackers and network worms for the purpose of studying their techniques. [2] There are some types of honeypots. The classification is based on the amount of interaction of interaction. The interaction of the honeypot ISBN: 978-960-474-311-7 96

determines the system requirements for implementation. 2.3.1 Low-interaction honeypot These types of honeypots represent the system which only simulates the specific protocols on transport layout of TCP/IP model. These systems could emulate open ports for common services such as FTP, HTTP and SQL. The main advantage of these types of honeypots is their minimal system requirements. 2.3.1 Medium-interaction honeypot This is the combination of low and high interaction honeypot. It is not only the emulation of the protocol. Application s protocols are not detailed simulated as in the high-interaction version, so the attacker thinks that this is the real system. This takes the time for the IDS/IPS to detect this action. 2.3.1 High-interaction honeypot This is the real computer system with specific real vulnerability. For example, this will be represented by the computer with the MS Windows without security updates. These types of honeypots are manageable hardly [7]. This honeypot represents the high sophisticate interactive part of the network and it is not possible to distinguish the real system from the honeypot. 3 Problem Solution The main problem for the IDS/IPS system is 0-day exploits or 0-day vulnerabilities. The possible solution is implementation of traps; these traps might catch new malware or the new vendor of attack. If there is any unwanted communication with the honeypot, there is potential malware or attacker. The honeypot is invisible for legal communication in the network. The high-interaction honeypot is occasionally used in production systems. The amount of interaction is necessary for the trustworthy target for attackers. on the IDS or IPS system. The solution is valuable for its isolation from other parts of network. This solution minimizes the risk of misused honeypot in legal LAN segment. All incoming and outgoing traffic from this honeypot network is monitored and deeply analyses at the potentially dangerous communication. There is the issue flowing from transformation of the honeypot to the sniffing device by the attacker. 3.2 Integration in network There are some methods for integration of the honeypot into the company network. The best practises in these solutions are based on the desired property of implementation [8]. 3.2.1 Honeypot in the LAN The schema of this solution is shown on Fig. 1. The honeypot is on the same segment as production servers, and it has the same gateway. This solution is the best for using a small number of honeypot inside the network infrastructure. The main advantage is: the honeypot can detect the attackers from Internet and from local network. The honeypot might detect the illegal communication and attacks coming from outside and inside. It is possible to detect intruders from the local network. This solution is the best way for wide networks. There is significantly growing risk of local intruders [10]. Honeypot on the LAN detect the active node scan; this scan is the starting point for the ARP poisoning attack. 3.1 Honeynet The honeynet is the network of honeypot. There are many high-interaction honeypot inside the LAN segment. The purpose is to emulate many of potential victims for the attack. These honeypots have a specific gateway and monitoring tool based Fig. 1. Honeypot in LAN If there are VLANs defined inside the infrastructure, the honeypots must be implemented in each VLAN. ISBN: 978-960-474-311-7 97

3.2.2 Honeypot in the DMZ The schema of this solution is shown on Fig. 2. This type of location is appropriate for detection intruders in DMZ. The DMZ occasionally contains production servers and every attempt for live host scanning and the network mapping. The advantage of this solution is isolation the DMZ from the local network. The compromited honeypot is not able to intrude security of computers in the local network. This scenario is not recommended as the only one solution. If there is the attack to the local network, this type of honeypot could not detect unwanted communication to the local network. The DMZ is protected, but there is suggested to implement the other honeypot in the local network. Fig. 3. Honeypot in Internet The position is totally isolated from the local network. This is safe for the local infrastructure. But the local infrastructure is unprotected. Fig. 2. Honeypot in DMZ 3.2.3 Honeypot in the Internet The schema of this solution is shown on Fig. 3. This situation represents the location of the honeypot outside the company network. The honeypot is connected before the firewall and it is totally unprotected. 3.3 Communication with IDS/IPS There must be authorized the two-way communication between installed honeypots (or honeynets) and IDS/IPS security components. The common IDS/IPS detects the known attack vendors or known behaviour of malware. The IDS/IPS is responsible for analyses of the communication. It could detect unwanted communication. But the new vendor does in the definition database. On the other side of the security system, there is the honeypot. The honeypot might detect the security treads, but it is not necessary. The fact is that all communication to the honeypot is unwanted. The IDS/IPS system analyse all communication to the honeypot. All of this communication is illegal. The interaction rate between the honeypot and IDS/IPS system is important for two main specifications of the honeypot. It there is no interaction, all analyses is on the IDS/IPS system. The IDS/IPS system must be able to detect any suspicious behaviour on the honeypot. The schema of this interconnection is shown on Fig. 4. ISBN: 978-960-474-311-7 98

3.4 The main roles of honeypot This part describes the main 3 roles of honeypot in the production systems; these roles cover the master parts of computer security systems. Fig. 4. Honeypot IDS/IPS not connect This case simulates the real system; the attacker could not detect any outgoing suspicious communication from the honeypot. The honeypot is clearly undetectable. But the honeypot does not report any attack vendor. The detection and prevention routines are managed by the IDS/IPS completely. The second option of interaction between the honeypot and the IDS/IPS system is the direct connection with reported services. This generates some communication between the honeypot and the IDS/IPS system, but this solution might detect any suspicious behaviour faster than the solution based without connection. The main issue in this scenario is the securing of the communication. The attacker might detect this communication and the honeypot might be compromised. The methods of interconnection are shown on Fig. 5. 3.4.1 Prevention This role might distract attention from the real system. The honeypot works as the trap for intruders. The position of the honeypot is so important. The prevention has 2 different levels of working. The first is the trap for potential intruders. The honeypot must be the attractive target for the attacker. It must be the weakness point of infrastructure. The second is the prevention based on the knowledge of intruder. If the intruder detects, that this system is only the honeypot, the intruder might leave this system, because the honeypot might report the unwanted behaviour and the security system starts defence routines. The both of these levels help improve the infrastructure security. 3.4.2 Detection The detection role is the basic role of each honeypot. If the prevention role failed, the most important operation is the detection of intruder. These detection routines contain method for: detection of malware and other intruders, collection of information about the attack and its source. This might help the IDS/IPS system to detect these activities on other part of the infrastructure [6]. Fig. 5. Honeypot IDS/IPS connect The direct LAN interconnection is unsecure method, because these communications might be detected. The option used the serial port as the cable interconnection. The maximum length might limit the interconnection device. 3.4.1 Reaction The reaction phase is the last phase in the honeypot security system. This role is important in the cases, when the attacker breaks the production system security and might compromise the real server. The honeypot is the 1:1 copy of the production server in this case. The difference is only in contained data. The honeypot does not contain the real data. It has only the collection of blank information. The system might be stopped and send to the forensic analyse every time. The honeypot contain the attack vendor and there were be information about attacker source address and its way back. The examined attack vector is implemented to the IDS/IPS system and the 0-day vulnerability is detectable. The evidence received from the honeypot might be also used in the law process with the intruder. ISBN: 978-960-474-311-7 99

3.5 Real application of honeypot The most often implementation is based on the highinteraction honeypot or honeynet placed into the local area network of a company. The solution is shown on Fig. 6. The IDS/IPS detects port scanning on invisible computer. The system reported it to the admin team. The message is clear; there is anyone who performs the port scanning on whole network. It is potentially the begin phase of the attack. The detection phase of honeypot was successful. The honeynet is configured for reporting any action. This report-level is hard constrains for the detection of any new attack vendors. The system is very sensitive for any potentially dangerous behavior; so the admin must evaluate every report. Because it is only the host alive scans from local admin account in many cases. The review from security admin is very important. Fig. 6. Commonly used implementation of honeypot The Fig. 6 shows the honeypot in the local network in the same network segment as the production computers. This is a good solution for defence again external and internal intruders. There is only one disadvantage; if the attacker compromises the honeypot, he will be able to use it for next phases of the attack. The IDS/IPS must periodically control the checksum of the honeypot. The detection and the reaction must be fast. If there are many VLANs inside the network, it is necessary to implement the honeynet with honeypots inside each network. The one honeypot with many VLAN interfaces might be identified as a honeypot very easily. The computer system inside production network with many VLANs is suspicious. The output from the real honeypot system is shown on Fig. 7. 4 Conclusion The honeypot represents the powerful weapon for unknown security vulnerability 0-day exploits and not described method for hacking. The honeypot is not be implemented as the standalone system, the main purpose is; it is the trap. It necessary to implement IDS or IPS that monitors the honeypot and provide security functions inside the network infrastructure. The implementation might be really variable. But there is some recommended solution. The first, the honeypot or the honeynet must be in any network in the company. The base implementation in DMZ zone works only in DMZ, the internal production server does not be secured. The internal intruders might be undetectable. If the internal intruders attack the server inside the LAN, the honeypot placed in DMZ could not detect this action. The implementation of honeynet across each network is hard to implemented and managed. But this solution is the best for the critical infrastructure. The risk of compromised honeypot inside the local network is minimal in this solution. External attackers might compromise DMZ zone primarily. The internal attackers have already local access. Acknowledgements Fig. 7. Log from honeypot The research work was performed to financial support by the European Regional Development Fund under the Project CEBIA-Tech No. CZ.1.05/2.1.00/03.0089. ISBN: 978-960-474-311-7 100

References: [1] McAfee LABS. McAfee Threats Report: Second Quarter 2012. c2012. http://www.mcafee.com/us/resources/reports/rp -quarterly-threat-q2-2012.pdf [2] LIGH, Michael Hale et al. Malware analyst's cookbook and DVD: tools and techniques for fighting malicious code. Indianapolis: Wiley, 2011. [3] SPITZNER, Lance. Honeytokens: The Other Honeypot. [online]. 2003 http://www.symantec.com/connect/articles/hon eytokens-other-honeypot [4] SPITZNER, Lance. Honeypots: Simple, Cost- Effective Detection. [online]. 2003, http://www.symantec.com/connect/articles/hon eypots-simple-cost-effective-detection [5] SPITZNER, Lance. Honeypots: Tracking Hackers, 2002, ISBN: 9780321108951 [6] Singh A. N., Honeypot Based Intrusion Detection System, LAP LAMBERT Academic Publishing 2012, ISBN: 9783846583104 [7] Joshi R. C., Honeypots, Science Publishers 2011, ISBN: 9781439869994 [8] Cole, E: Network security bible, John Wiley, Indianapolis IN 2009, ISBN: 9780470502495 [9] Huang, S.:Network security, Springer, London 2010, ISBN:9780387738208 [10] Tipton, H.: Information security management. Auerbach Publications, Boca Raton, FL 2007, ISBN: 9781420013580 [11] Elks, J.: Man in the Middle Attack: Focus on SSLStrip, GRIN Verlag 2011, ISBN: 9783640894721 ISBN: 978-960-474-311-7 101

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information