(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 2, 2011
Low Interaction Honeypots
Low-interaction honeypots are simple to deploy in an aggressive expansion, but they can work less well because intruders detect them easily, and certain commands can bring the emulated interaction down. An example of a low-interaction honeypot is honeyd. A low-interaction honeypot offers invaders only limited interaction, through emulated services. The intention of this type of honeypot is to collect data on the first step of an attack; data about the threat's motivation is rarely captured, because of the low level of interaction and because the system is not effectively compromised.
A virtual honeypot software process requires an IP address. Multiple virtual honeypots typically use several IP addresses and share the network interfaces of a single run. Hence, the virtual honeypots are set up on one physical machine, in the way network address translation runs on a firewall, or in other ways. Most high-interaction honeypots allow the production system to be completely compromised, while low-interaction honeypots only emulate it virtually, because their ability is limited.
An important job of honeyd is to provide warnings, most of which are correct alerts of real attacks. By default, honeyd can detect any activity on any User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) port, and it also records some Internet Control Message Protocol (ICMP) activity. Besides, it can deceive the attacker through its ability to simulate the factors that are used. The system's response packets are suitable for fingerprinting by a tool like Nmap, which can be pointed at the network to run packet scans. An attacker of a honeyd honeypot also interacts with services such as Telnet, FTP, HTTP, POP3 and SMTP (Simple Mail Transfer Protocol) servers. Moreover, the honeypots can have backdoors for viruses, including viruses such as Kuang2 and Mydoom.
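The alerting behaviour described above, as an added example that is not from the paper or from honeyd: a Python triage that treats every TCP, UDP or ICMP record addressed to a honeypot as an alert and labels each source by the shape of its activity. The record layout, the honeypot addresses, the threshold of 3 and the function names are assumptions made for this example.

```python
from collections import defaultdict

# Assumed for this example: the addresses that belong to honeypots.
HONEYPOTS = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}

# Constructed sample records (time proto src dst dport); not honeyd's log format.
SAMPLE_LOG = """\
10:00:01 tcp 198.51.100.7 10.0.0.5 21
10:00:01 tcp 198.51.100.7 10.0.0.5 23
10:00:02 tcp 198.51.100.7 10.0.0.5 80
10:03:10 tcp 203.0.113.9 10.0.0.5 25
10:03:11 tcp 203.0.113.9 10.0.0.6 25
10:03:12 tcp 203.0.113.9 10.0.0.7 25
10:05:40 icmp 192.0.2.44 10.0.0.6 -
10:07:00 udp 192.0.2.80 10.0.0.7 161
10:08:00 tcp 192.0.2.80 10.0.1.20 443
"""

def parse(log):
    """Yield (proto, src, dst, dport) per well-formed record; dport is None for ICMP."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, proto, src, dst, dport = parts
        yield proto, src, dst, (int(dport) if dport.isdigit() else None)

def triage(log, honeypots=HONEYPOTS, threshold=3):
    """Return {source: alert kind}; every source that touches a honeypot is reported."""
    ports = defaultdict(set)   # (src, honeypot) -> destination ports tried
    hosts = defaultdict(set)   # (src, port)     -> honeypots contacted
    protos = defaultdict(set)  # src             -> protocols seen
    for proto, src, dst, dport in parse(log):
        if dst not in honeypots:
            continue  # traffic to production hosts is out of scope here
        protos[src].add(proto)
        if dport is not None:
            ports[(src, dst)].add(dport)
            hosts[(src, dport)].add(dst)
    alerts = {}
    for src, seen in protos.items():
        widest = max((len(v) for (s, _), v in ports.items() if s == src), default=0)
        spread = max((len(v) for (s, _), v in hosts.items() if s == src), default=0)
        kind = ("port scan" if widest >= threshold else
                "host sweep" if spread >= threshold else
                "icmp probe" if seen == {"icmp"} else "single probe")
        alerts[src] = kind
    return alerts
```

No source is filtered out as benign: a honeypot has no legitimate clients, which is why its warnings are mostly real alerts.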
High Interaction Honeypots
In this paper, we deploy a honeynet and develop a variety of tools to support our research on deploying honeypots and examining suspicious network traffic. In our particular design, we provide a web interface to monitor the information gathering and, in the backend, a firewall to control outgoing connections from a potentially compromised honeypot. Implementing a high-interaction honeypot host is a cost-effective procedure; mid-range organizations mostly use a virtual environment, which has the advantage of being easier to monitor and of keeping a successful compromise safe and clean. Virtual machine solutions for this environment include Virtual PC, VirtualBox, Xen, VMware and User-Mode Linux.
So that the high-interaction honeypot gathers real network information and faces different scans, buffer overflows and various analyses, we use a few real machines to support our production server, in collaboration with the low-interaction honeypot zone, to obtain well-founded and realistic experimental results.
Many recent research studies have explored the deployment of honeypots to enhance network security. In the solution proposed by Weiler, honeypots are assigned as a shield in the network, whereby all incoming traffic is directed to them. After that, a decision is given on whether to disconnect the connection or to allow it as legitimate. This solution may not be ideal, because honeypots are employed to attract attackers and to be destroyed, not to serve as a prevention or defense mechanism.
Teo gives another solution, a framework called Japonica, whose main target is early and rapid response to unknown attacks through dynamic orchestration of detection, prevention and reaction mechanisms for particular attacks. However, the probability of false alarms is always a very important issue, and it remains so until a person directly and professionally tries to access the production services instead of attacking the honeypots.
To conclude, many of the proposals above use the honeypot as a defense mechanism to block the attacker from attacking the network. This paper proposes a hybrid honeypot architecture that has both low-interaction and high-interaction honeypots, and provides a framework that is not a blocking or defensive system but an interactive lure design that minimizes the traditional mistakes.
The need for aggregated details of attack processes across a number of IP addresses has urged researchers of this topic and network security providers to pursue more intelligent and scalable architectures. This research leads to the large-scale category of architecture called hybrid honeypot architecture.
IV.
From a network view, a worm can be software or a program that, by running on a honeypot, can cause other honeypots to change their behaviour sufficiently that they start to make links and generate connection or pair-connection requests. This definition gives a method to distinguish an infection that is non-self-distributing network activity from self-spreading activity, which takes the system down and configures it through its particular code. However, it does not intend to continue the method automatically. Almost all types of worms have their own executable code, which indicates that the captured worms made multiple links and used a system buffer overflow or password generation from their executables. Most of these executables have a nickname that is directly associated with them, because they are available as files from the worm's initial exploit. Table I gives the various worm models and shows the number captured on our particular network.
The proposed work offers an architecture focused on the decoy, the best lure architecture, which absorbs internal network attacks through the hybrid honeypot, which is able to capture and record all the incoming and existing data and provide us the data