DESIGN OF NETWORK SECURITY PROJECTS USING HONEYPOTS *



Similar documents
HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Dynamic Honeypot Construction

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

DEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES *

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Network Forensics: Log Analysis

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

Second-generation (GenII) honeypots

Advanced Honeypot System for Analysing Network Security

Linux Network Security

Securing the system using honeypot in cloud computing environment

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Autonomous Hybrid Honeypot as the Future of Distributed Computer Systems Security

Project 2: Firewall Design (Phase I)

Countermeasure for Detection of Honeypot Deployment

Banking Security using Honeypot

: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

A Senior Design Project on Network Security

A Decision Maker s Guide to Securing an IT Infrastructure

Chapter 9 Firewalls and Intrusion Prevention Systems

Passive Vulnerability Detection

INTRUSION DETECTION SYSTEMS and Network Security

NETWORK SECURITY (W/LAB) Course Syllabus

Network Instruments white paper

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

DMZ Gateways: Secret Weapons for Data Security

DETECTING AND ANALYZING NETWORK ATTACKS USING VIRTUAL HONEYNET NUR ATIQAH BT. HASAN

Firewall Firewall August, 2003

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

IDS / IPS. James E. Thiel S.W.A.T.

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Developing Network Security Strategies

Course Title: Penetration Testing: Security Analysis

Honeypots / honeynets

Intrusion Detection Systems (IDS)

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

CMPT 471 Networking II

NETWORK PENETRATION TESTING


Introduction to Network Security Lab 2 - NMap

1 Scope of Assessment

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring

10 Configuring Packet Filtering and Routing Rules

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Lab Diagramming Intranet Traffic Flows

About Firewall Protection

Lab Configuring Access Policies and DMZ Settings

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Honeyd Detection via Packet Fragmentation

8. Firewall Design & Implementation

Architecture Overview

Lab Configure IOS Firewall IDS

Network Security and Firewall 1

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Keywords Intrusion detection system, honeypots, attacker, security. 7 P a g e

Achieving PCI-Compliance through Cyberoam

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Payment Card Industry (PCI) Data Security Standard

On A Network Forensics Model For Information Security

information security and its Describe what drives the need for information security.

Network Defense Tools

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Lab Configuring Access Policies and DMZ Settings

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

A Review on Network Intrusion Detection System Using Open Source Snort

Lab Developing ACLs to Implement Firewall Rule Sets

Network Segmentation

Innovative Defense Strategies for Securing SCADA & Control Systems

74% 96 Action Items. Compliance

Malicious Behavior in Voice over IP Infrastructure

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Honeypot as the Intruder Detection System

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

March

Firewalls. Ahmad Almulhem March 10, 2012

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

The HoneyNet Project Scan Of The Month Scan 27

Firewalls Overview and Best Practices. White Paper

Introduction of Intrusion Detection Systems

HONEYPOTS The new-way Security Analysis

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Transcription:

DESIGN OF NETWORK SECURITY PROJECTS USING HONEYPOTS * Karthik Sadasivam, Banuprasad Samudrala, T. Andrew Yang University of Houston Clear Lake 2700 Bay Area Blvd., Houston, TX 77058 (281) 283-3835, yang@cl.uh.edu ABSTRACT Honeypots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Using honeypots provides a cost-effective solution to increase the security posture of an organization. Even though it is not a panacea for security breaches, it is useful as a tool for network forensics and intrusion detection. Nowadays, they are also being extensively used by the research community to study issues in network security, such as Internet worms, spam control, DoS attacks, etc. In this paper, we advocate the use of honeypots as an effective educational tool to study issues in network security. We support this claim by demonstrating a set of projects that we have carried out in a network, which we have deployed specifically for running distributed computer security projects. The design of our projects tackles the challenges in installing a honeypot in academic institution, by not intruding on the campus network while providing secure access to the Internet. In addition to a classification of honeypots, we present a framework for designing assignments/projects for network security courses. The three sample honeypot projects discussed in this paper are presented as examples of the framework. 1. INTRODUCTION According to Bruce Schneier [1], Security is a process, not a product. This famous quote is well echoed by the phenomenon that, although there exist umpteen numbers of security tools that are available today (either as commercial or open-source solutions), none of these tools can single-handedly address all of the security goals of an * Copyright 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the CCSC copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a fee and/or specific permission. 282

CCSC: South Central Conference organization. The security professionals are thus looking for more advanced tools which are effective in detecting and recovering from security breaches. In order to monitor the activities of hackers, the methodology adopted is to deceive, by giving them some emulated set of services on a system which appears to be legitimate. The hackers activities are then logged and monitored to gain insight into their employed tactics. This idea is adopted in honeypots, a system whose value lies in being probed, attacked and/or compromised. Honeypots have received a lot of attention lately from the research community [2, 3], owing to its use in capturing and logging suspicious networking activities. Apart from its use as a research tool, it has also been deployed in educational institutions as a study tool. For example, the Honeynet Project at Georgia Tech [4] has been used in network security classes in order to teach students how to use tools such as ethereal and tcpdump in order to analyze attack traffic. However, the problem with deploying such a honeypot inside a campus network is twofold. First, the installation of honeypot is quite risky and must be carried out with utmost precision and care, so that the campus network is not intruded. Secondly, legal and ethical issues (such as the Wiretap Act 18 U.S.C. 2511 [5]) must be taken care of before such a network is deployed. The focus of this paper is not on the legal or ethical issues of deploying honeypots, but rather on using honeypot projects as a tool in teaching and studying network security issues. Our approach is to design some lab projects that demonstrate how honeypots projects may be used as effective tools in teaching network security classes. The design of our projects tackles the challenges in installing a honeypot in academic institution, by not intruding on the campus network while providing secure access to the Internet. The rest of this paper is organized as follows. In Section 2 we briefly discuss the requirements and challenges in designing network security projects. Section 3 gives a classification of honeypots and a few example honeypots we used in our projects. In section 4 we explain a framework for designing assignments/projects for network security courses, and in section 5, we explain a few of the projects we carried out. Lastly in Section 6 we provide a summary and work yet to be done in the future. 2. THE PROTOTYPE NETWORK FOR EXPERIMENTAL NETWORK SECURITY PROJECTS As discussed earlier, the design of network security projects using tools such as honeypots, for use in an academic environment, is a challenging task. Experimental network security projects are typically considered as dangerous and not permitted in a University campus network. In order to perform such experiments, a dedicated security lab is typically necessary. We have deployed a prototype computer security network, as illustrated in Figure 1, on which experimental projects in network security could be implemented. Details of the design and our experiences of deploying the prototype network can be found in a separate paper [6]. The network is composed of the following devices and configurations: (a) A DSL router, which connects the lab to the Internet via a DSL connection; (b) A dual-homed software router/firewall (Pascal), acting as the gatekeeper between the network and the outside world; (c) A regular switch connecting the DMZ (Demilitarized 283

JCSC 20, 4 (April 2005) Zone) to the server cluster; (d) A DMZ that contains publicly accessible servers (such as a Web server) and testing workstations (e.g., for monitoring network traffic, etc.); (e) A 2 nd router/firewall (Einstein) separating the DMZ from the server cluster; (f) A hub or switch connecting the 2 nd router/firewall with the back-end servers; (g) A set of network security servers, including firewalls, VPN server, IAS (Microsoft s Internet Authentication Server), and Radius server; and (h) A test bed of computers, which are equipped with swappable disk units and are connected via a VLAN switch and routers. Currently the prototype network consists of two routed-virtual LANs, which are useful for simulating several network configurations. The honeypots experiments were performed using the testbed machines in the VLAN and Newton, which is the test machine in the DMZ. Figure 1. The Prototype Network 3. CLASSIFICATION AND EXAMPLES OF HONEYPOTS Honeypots are generally divided into two categories: production honeypots and research honeypots. Production honeypots add value to the security of a specific organization and help mitigate risks, and are typically implemented within an organization as they help in detecting attacks. Production honeypots are easier to build and deploy, because they require less functionality. They give less information about the attackers than research honeypots. Research honeypots are designed to gain information about the blackhat community. The primary goal is to analyze the hackers footprints, such as the identity of the attackers, their modus operandi, and the kind of tools they use to attack other systems. 284

CCSC: South Central Conference Based on their level of interaction, honeypots are classified into three categories: low interaction, medium interaction and high interaction honeypots. Low interaction honeypots are primarily production honeypots that are used to help protect a specific organization [7]. A low interaction honeypot is easy to install and it emulates very few services. Attackers can only scan and connect to several ports. The information about the attackers and the risk is limited since the attacker s ability to interact with the honeypot is limited. An example of low interaction honeypots is Honeyd [8, 9, 10]. Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd works on the principle that when it receives a probe or connection for a system that does not exist, it assumes that the connection attempt is an attack. When honeyd receives such traffic, it logs the IP address of the destination. It then starts the emulated service for the port on which it receives the connection. Once the emulated service is started, it interacts with the attacker and captures all of his activities. The emulated service exits as soon as the attacker disconnects. This process is repeated each time honeyd receives attacks. In Honeyd, a virtual honeypot is configured with a template created in the Honeyd configuration file (honeyd.conf) that defines the characteristics of a honeypot, including operating system type, the ports it listens on, and the behavior of emulated services. Each template is given a name. New templates are created using create command. The set command assigns a personality from Nmap fingerprinting file to the template. The personality determines the network behavior of the given operating system that is simulated by Honeyd. The set command also defines the default behavior for network protocols: block, reset or open. Block indicates that all packets for the specified protocol are dropped by default. Reset means that ports are closed by default. Open means that all ports are open by default. The add command is used to specify the services that are remotely accessible. The bind command assigns a template to an IP address. Sample scripts using these commands are available in various technical reports (e.g., [11] and [12]). High interaction honeypots give vast amount of information about the attackers, but they are extremely time-consuming to build and maintain, and they come with highest level of risk [7]. The primary goal of high interaction honeypot is to give the attacker access to a real operating system in which nothing is emulated or restricted. This provides more information about attackers. These types of honeypots are placed within a controlled environment such as behind a firewall. Because of the control mechanisms, high interaction honeypots can be difficult and time-consuming to install and configure. An example of high interaction honeypots is Honeynet. What makes a Honeynet different from most honeypots is that it is an entire network of systems. Instead of a single computer, a Honeynet is a network of systems designed for attackers to interact with. The honeypots within the Honeynet can be any type of system, service, or information. Medium interaction honeypots offer attackers more ability to interact than low interaction honeypots but less functionality than high interaction honeypots [7]. This type 285

JCSC 20, 4 (April 2005) of honeypots are designed to give certain predefined responses for expected activities, and provide more information about the attacker than a low interaction honeypot. 4. A FRAMEWORK FOR DESIGNING NETWORKING PROJECTS We have designed a standard framework for representing computer security projects. The use of a framework provides an infrastructure for designing, implementing and evaluating projects, and consists of the following components: a) Learning Objectives: The goals for the assignment and the learning opportunities. b) Tools utilized: The tools necessary to implement the particular project. c) Requirements: The formal description of the problem, and what are required of the student to complete the project. d) Problem classification: The assignment can be classified based on the approach taken to solve the problem. Some of the issues to be considered include: (i) Will it be a study experiment? (ii) Will it involve programming? e) How it may be implemented in the security lab: This is concerned with the infrastructure necessary for the particular project to be implemented. Questions that need to be addressed are: (i) Will the assignment require a change of the network topology? (ii) What kind of resources will be provided to the students to implement it? f) Level of difficulty: The level of difficulty for the project (Beginner, Intermediate, or Advanced). g) Grading criteria and methods: The basis for grading the projects and the methods employed by the teaching assistant and/or the instructor to grade them. 5. LAB PROJECTS To aid in easy adoption and evaluation of the projects, all the three honeypots projects that we discuss in this section are represented using the standard framework as discussed earlier. The first project involves installation and configuration of honeyd. The second project is related to network node discovery using nmap. The third project involves virtual honeynets. 5.1 Project 1: Installation and Configuration of Honeyd a) Learning Objective: Imagine that you have been asked to administer a network. As a good network administrator, it is important for you to protect the network from being attacked by hackers. This project gives you hands-on experience on installation and configuration of virtual honeypot network using honeyd, which acts as a decoy and protects your network from attackers. Honeyd provides mechanism for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems. 286

CCSC: South Central Conference b) Tools utilized: (i) Honeyd is a small daemon that creates virtual hosts on a network [8]. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Some of the features available in Honeyd are as follows: Simulation of large network topologies; Configurable network characteristics like latency, loss and bandwidth; Integrate physical machines into network topology; Supports multiple entry routers to serve multiple networks. (ii) Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Arpd is used in conjunction with Honeyd to ensure that honeyd host responds to the ARP request for the IPs of the honeypots. Arpd responds with the MAC address of the honeyd host for any request to an unused IP address. c) Requirements: This experiment requires you to set up a virtual honeypot network with the following virtual IP addresses: Honeypot A (192.168.2.102) must simulate an IIS web server. Honeypot B (192.168.2.103), D (192.168.2.105), E (192.168.2.106) must support TCP services like telnet and ftp, running on Linux 2.3.12. Honeypot C (192.168.2.104) must simulate a POP3 mail server. Cisco router (192.168.2.5) inside virtual honeypot network must simulate a telnet server. Scripts for simulation of different services can be downloaded from http://www.honeyd.org/contrib.php. Information on how to set up the configuration file honeyd.conf can be found at http://www.honeyd.org/configuration.php. d) Problem classification: This experiment can be classified as a network assignment and also as a study experiment. e) How it may be implemented in the security lab? This experiment requires manipulating IP tables. Students can be assigned a workstation along with the tools (Arpd & Honeyd) required for this experiment in zipped archive. f) Level of difficulty: Based on the level of difficulty, this experiment can be classified as an experiment for beginners. g) Grading criteria and methods: The grader may test the virtual IPs in the virtual honeypot network using ping and traceroute utilities. The grader can also grade this experiment by testing the service configured on each of the honeypots. For example, if 192.168.2.5 is configured to simulate a Cisco router, then it must support telnet service, so the TA can try to telnet 192.168.2.5 to check if it simulates telnet service. 287

JCSC 20, 4 (April 2005) 5.2 Project 2: Network Node Discovery a) Learning Objective: As a network administrator, it s your responsibility to find and fix the vulnerabilities of the services and OS that are running on servers and workstations. We know that often OS and services running on them have some weakness and bugs, hackers can take advantage of it to gain control of the system. Traditional tools such as traceroute and tcpdump do not detect hosts that are not communicating. For example, a web server does not create any traffic unless it receives requests from others. Even some of the services running on hosts might be silent. To detect such hosts and services, we need advanced tool like nmap (Network Mapper) [13]. In this project, you will use nmap to discover hosts and services running on a network. This project requires student to work in groups of 2. One student sets up a virtual honeypot network that simulates different operating systems and with some services running on it. The other student uses an nmap tool to discover the hosts and services running on its ports. b) Tools utilized: (i) Honeyd is a small daemon that creates virtual hosts on a network [8]. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. (ii) Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Arpd is used in conjunction with Honeyd, to ensure that the honeyd host responds to the arp request for the IPs of the honeypots. Arpd responds with the MAC address of the honeyd host for any request to an unused IP address. (iii) Nmap is a free open source utility for exploring networks and performing security auditing. It was designed to rapidly scan large networks. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are running, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code. More information about nmap is available at http://www.insecure.org/nmap. c) Requirements: Part A: (i) What is the purpose of the nmap utility? (ii) List what you can do with nmap and how? Part B: As mentioned in the learning objectives, this experiment requires students to work as pairs. One student sets up the virtual honeypot network in the workstation assigned, which simulates different OS and services running on it. The virtual honeypot network must have the following honeypots: Honeypot A must simulate an IIS web server. Honeypot B, D, E must support TCP services like telnet and ftp. Honeypot C must simulate POP3 mail server. 288

CCSC: South Central Conference The Cisco router inside virtual honeypot network must simulate a telnet server. Another student must install the nmap tool in the workstation assigned, and use it to find out the hosts and services running on virtual honeypot network set up by your group partner. Use nmap tool to find out the following: (i) All the hosts (OS type) running in the virtual honeypot network, and (ii) All the services running on the hosts that are discovered. Scripts for simulation of different services can be downloaded from http://www.honeyd.org/contrib.php. More information on how to set up the configuration file honeyd.conf can be found at http://www.honeyd.org/configuration.php. The students must learn how to install nmap and honeyd on Linux machines. Submit a report of your findings along with screen snapshots. d) Problem classification: This experiment can be classified as a network assignment and also as a study experiment. e) How it may be implemented in our security lab? This experiment requires manipulating IP tables. Students can be assigned a workstation along with the tools (nmap, arpd, and honeyd) required for this experiment in zipped archive. f) Level of difficulty: Based on the level of difficulty, this experiment can be classified as an experiment for beginners. g) Grading criteria and methods: The grader can grade this experiment by testing the virtual IPs in the virtual honeypot network using ping and traceroute utilities. The grader can also grade this experiment by testing the services configured on each of the honeypots. For example, if 192.168.2.5 is configured to simulate a Cisco router, then it must support telnet service, so TA can try to telnet 192.168.2.5 to check if it simulates telnet service. The TA can also use nmap tool from the test bed to check if nmap would return correct results. 5.3 Project 3: Virtual Honeynets a) Learning Objectives: As discussed earlier, honeynets require a variety of both physical systems and security mechanisms to effectively deploy. The Honeynet project at Georgia Tech has been researching a new possibility known as virtual honeynets [4]. These virtual Honeynets provide the advantage of running all the systems on a single system, thereby making Honeynets cheaper to build, easier to deploy, and simpler to maintain. Virtual Honeynets is not a new technology but uses the technology of Honeynet and combines them into a single system. It uses virtualization software, which allows running multiple operating systems at the same time on the same machine. In this project you will learn how to protect network organization from 289

JCSC 20, 4 (April 2005) attackers by analyzing the data collected using User Mode Linux, Snort and Analysis Console for Intrusion Detection. b) Tools required: (i) User Mode Linux is a special kernel module that allows you to run many virtual versions of Linux at the same time on the same system. (ii) Snort is an open source intrusion detection tool [14]. (iii) ACID (Analysis Console for Intrusion Detection) [15] provides an interactive interface with the data stored in the database by the Snort intrusion detection tool. (iv) Other tools needed include Apache web server, MySQL or any other database system. Figure 2. Implementing the virtual honeynet in the prototype network c) Requirements: As shown in Figure 2, this experiment requires you to expand the prototype network (Figure 1) by setting up a virtual honeynet on Newton, and applying the User Mode Linux patch to the Linux running on Newton, thereby allowing multiple instances of Linux to be run on the same system. The virtual Honeynet host (Newton) provides data control function to control what the attacker can do, by allowing all inbound traffic to the Honeynet but limiting the outbound connections. For this purpose, an open source firewall solution IPTables is used. 290

CCSC: South Central Conference The virtual Honeynet host also provides data capture which captures all the attackers activities without their knowledge. For capturing data, we use open source IDS Snort [14] and log all the data captured into the database. The captured data is analyzed using a tool called Analysis Console for Intrusion Detection (ACID) [15]. A snapshot of an analysis output screen produced by the ACID tool is included as Figure 3. d) Problem classification: This experiment can be classified as a network assignment and also as a study experiment. e) How it may be implemented in our security lab? This experiment requires setting up the configuration files for snort and manipulating Iptables. Students can be Figure 3. Sample Snapshot of ACID assigned a workstation along with the tools (snort, ACID, apache web server) required for this experiment in zipped archive. f) Level of difficulty: Based on the level of difficulty, this experiment can be classified as an experiment in advanced category. g) Grading criteria and methods: The grader can grade this experiment by testing the virtual IPs in the virtual honeynet network using ping and traceroute utilities and check using ACID tool if it has been captured by snort into the database. The data collected by iptables can also be used for grading this experiment. 6. SUMMARY AND FUTURE WORK This paper presents an overview of a prototype computer security lab and design of network security projects using Honeypots. The design of lab exercises for a network security lab is a challenging issue, and this paper provides a framework for designing such projects. The framework describes the issues that must be considered at the time of designing projects for computer or network security labs, and may be considered as a starting point by computer science educators wishing to design computer security projects. The three sample projects described in this paper were implemented and tested on the prototype network. We found honeypots to be a good tool for students to learn about Networking Security and the blackhat community. The virtual Honeynet was initially closed to the Internet due to concerns of ethical and legal issues, but was eventually open to the Internet world, in order to collect research data about the blackhat community. The 291

JCSC 20, 4 (April 2005) collected data and their subsequent analysis helped us to protect our network from attackers. As part of our future work, we plan to design more network projects using honeypots. We are also considering implementing a real Honeynet. These projects are challenging since using honeypots to protect a network is a new field, and re-creating a problem in the lab environment may not always be possible. ACKNOWLEDGEMENT This work is partially supported by the National Science Foundation (Grant DUE-0311592), and the UHCL Faculty Research and Support Fund (No. 859). REFERENCES [1] Schneier, B. Secrets and Lies: Digital Security in a Networked World, MA: John Wiley & Sons. 2000. [2] Teo, L., Sun, Y., Ahn, G. Defeating Internet Attacks Using Risk Awareness and Active Honeypots, Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04), 2004. [3] Weiler, N. Honeypots for Distributed Denial of Service Attacks, Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'02), 2002. http://www.tik.ee.ethz.ch/~weiler/papers/wetice02.pdf [4] Honeynet Project, http://www.honeynet.org/ [5] Computer Crime and Intellectual Property Section (CCIPS), 18 U.S.C. 2511, http://www.cybercrime.gov/usc2511.htm [6] Yang, T.A., Yue, K., Liaw, M., Collins, G., Chen, P., etc. Design of a distributed computer security lab. Journal of Computing Sciences in Colleges. Volume 20, Issue 1. pp. 332-346. The Consortium for Computing in Small Colleges, 2004. [7] Spitzner, L. Honeypots Tracking Hackers, MA: Addison-Wesley, 2002. [8] Provos, N. Honeyd: A Virtual Honeypot Daemon, Technical Report, Center for Information Technology Integration, University of Michigan. [9] Provos, N. A Virtual Honeypot Framework, USENIX Security Symposium, August 2004. [10] Provos, N. Developments of the Honeyd Virtual Honeypot, http://www.honeyd.org [11] Baumann, R. Honeyd - A Low Involvement Honeypot in Action, originally published as part of the GCIA practical. http://security.rbaumann.net/download/honeyd.pdf [12] Chandran, R., Pakala, S. Simulating Network with Honeyd, Technical paper, Paladiaon Networks, December 2003. http://www.paladion.net/papers/simulating_networks_with_honeyd.pdf 292

CCSC: South Central Conference [13] Nmap, http://www.insecure.org/nmap [14] Snort, http://www.snort.org [15] Analysis Console for Intrusion Detection, http://acidlab.sourceforge.net/ 293

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information