Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more ➡
Standard view
Full view
of .
Add note
Save to My Library
Sync to mobile
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
An Efficient Hybrid Honeypot Framework for Improving Network Security

An Efficient Hybrid Honeypot Framework for Improving Network Security

Ratings: (0)|Views: 852|Likes:
Published by ijcsis
Honeypots provide a system that can lure the attackers and hackers and response to various security frameworks to control the globe and its environment and examine and analysis network activities. We try to employ and develop a honeypot framework to propose a hybrid approach that improves the current security.
In this paper, we proposed hybrid honeypots based network assuming initiative and enterprise security scheme strategies. The proposed model has more advantages that can response accurately and swiftly to unknown attacks and lifetime safer for the network security.
Honeypots provide a system that can lure the attackers and hackers and response to various security frameworks to control the globe and its environment and examine and analysis network activities. We try to employ and develop a honeypot framework to propose a hybrid approach that improves the current security.
In this paper, we proposed hybrid honeypots based network assuming initiative and enterprise security scheme strategies. The proposed model has more advantages that can response accurately and swiftly to unknown attacks and lifetime safer for the network security.

More info:

Published by: ijcsis on Mar 08, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See More
See less





(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 2, 2011
An Efficient Hybrid Honeypot Framework forImproving Network Security
*Omid Mahdi Ebadati E.
Dept. of Computer ScienceHamdard UniversityNew Delhi, Indiaomidit@gmail.com
Harleen Kaur
Dept. of Computer ScienceHamdard UniversityNew Delhi, Indiaharleen_k1@rediffmail.com
M. Afshar Alam
Dept. of Computer ScienceHamdard UniversityNew Delhi, Indiaaalam@jamiahamdard.ac.in
Honeypots provide a system that can lure theattackers and hackers and response to various securityframeworks to control the globe and its environment andexamine and analysis network activities. We try to employand develop a honeypot framework to propose a hybridapproach that improves the current security.
In this paper, we proposed hybrid honeypots based networkassuming initiative and enterprise security scheme strategies.The proposed model has more advantages that can responseaccurately and swiftly to unknown attacks and lifetime saferfor the network security.
 Keywords-Intrusion Detection System; User Datagram Protocol; Simple Mail Transfer Protocol; De-Militarized Zone;Secure Shell; Secure Sockets Layer; Internet Protocol Security; Network Traffic Monitoring; Network AddressTranslation; Dynamic Host Configuration Protocol 
 A honeypot can be implemented in network securityto discover latest assail actions that might not detect byIntrusion Detection Systems or network firewallsconformity with the old static defense rule system. It isimportant to take into account of the enterprise defenserules to go through the honeypot when IDS (IntrusionDetection Systems) and Firewall are designed.Computer networks are well vulnerable to differentexploit that can make network unsecure or comprise theirsignify operation. Intruders and attackers have becomeprovoke rapidly on security of networks and theirchallenges. To have a better and improved security,enterprises, organization and more important financedepartments have an essay solution to implement varioushardware and software for network security providerssuch as firewalls, variant of the intrusions detector[18],Virtual Private Networks. However, these solutions actwithout interruption to depart from proprietaryinformation approachable by deciding intruders, andensue to warn approaches while new attacks take a place.II.
 Since 2001, the prevalence of Internet worms andinoculation serious damage in tens of millions of computers around the world and aimed at damaging thesystem hundreds of thousands of individuals andorganizations was initiated. Code Red worm [2], theprevalence of this type of injury for the first time as theInternet was born and today after the Morris Worm [15][5], in 1988 that led to the compromised Internet hosts and360 thousands vulnerable server and deliver the webservice attacks and distributed launched on theadministration of web servers, various types of wormshave born. Blaster worm [25], which was among the verydestructive worms, which its incidence could use a servicerunning to millions of personal computers and damageeasily put them to work, was another type. WormSlammer [2], using only UDP (User Datagram Protocol)packets and in only 10 minutes of time could causepollution to the population, these worms also can usesingle UDP.The Witty [3], using a UDP packet for extensivecontamination of the infection of the mention. Conceptualbasis of their defense and technology projects meant todefend the attacks to not utilizing, in other words, in orderto prevent them from attacks already have occurredstrategy is used. Defend and attack behavior projectsclassified with their common feature and extraction of them. We can conduct relevant strategies to prevent tothese attacks.There are various types of intrusion detections withdifferent analyze and the detection concepts even tomonitor the network traffic [18]. However, a few have thecapability of chasing these intruders by deploying mobileagents as well [17]. Implementation of a solo intrusiondetection system cannot perform as a full mechanismattack responder; nevertheless, they are the best immunecomponent to trace the incoming intruders.Many administrators how are working on security of production systems apply honeypots to research thenetwork action. In 2002 another honeypot classificationhas been introduced [20], by the level of interaction thisclassification is conduct on honeypot architecture and theobjective which it has to apply for. A complex honeypotcan be created to confer the invader entire operatingsystem with which to interact. On the contrary, fordetecting any un-ruled activity like port scanning andsystem explosion a honeypot that merely emulatesdifferent services in operation can be designed, and try togather the fingerprint of invaders.
* Corresponding Author
141http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 2, 2011
 Low Interaction Honeypots
Low-interaction honeypots in an aggressive expansionare simple but can be less work because of simplydetection by intruders, and with certain commands theinteraction honeypot emulate can get down. An exampleof a low-interaction [20], honeypot is honeyd.Taking the advantages of low interaction honeypotprovides limited interaction with invaders to let thememulate with services. The intention of this type of honeypot is to collect data of a first step of assail, and dataabout the threat
s motivation is rarely captured, and it isbecause of low level of interaction and effectively systemcompromise.A virtual honeypot software process requires havingan IP address. Multiple virtual honeypots typically useseveral IP addresses and network interfaces to share asingle run. Hence, the virtual honeypot setup on onephysical machine as network address translation runs on afirewall or in other ways. Most high-interaction honeypotsallow completely compromised the production systemwhile the low-interaction honeypots emulate virtualbecause of their ability is limited.Honeyd important work is to provide warnings, whichmost of them are right and real attack alert. By default,honeyds can detect any activity on any User DatagramProtocol (UDP) port or Transmission Control Protocol(TCP), and also writes some of the activities in ICMP(Internet Control Message Protocol). Besides, they candeceive the attacker through its ability to simulate factorsthat are used. The system response packets are suitable forfingerprinting, which by implementing a tool like Nmapthat can point to run scan network packets. A honeyd
sattacker also interacts with services, such as Telnet, FTP,HTTP, POP3, SMTP (Simple Mail Transfer Protocol)server named. Moreover, they can have backdoors forviruses, including the viruses that can be pointed Kuang2and Mydoom likes.
 High Interaction Honeypots
In this paper, we deploy honeynet with developing thevariety of tools to support our research for deploying andexamining suspicious network traffic. In our particulardesign, we provide a web interface to monitor theinformation gathering and also in backend a firewall tocontrol outgoing connection from potentially comprisedhoneypot. Implementing a high interaction honeypot hostis a cost effective procedure which mostly in mid rangescale organization, they used virtual environment toapproach the advantage of easier to monitor and safe andclean successful compromise. Various virtual machinesolutions to this environment are virtual PC [22], virtualbox [23], XEN [19], VM ware [24], user mode Linux [9].In approach to have high interaction honeypot to granta real network information gathering and facing differentscans, buffer over flows and various analyses, weassociate with a few real machines to support ourproduction server and collaboration with low interactionhoneypot zone to reach the bases and real experimentresult.Many recent research studies to explore thedeployment of honeypots to enhance network security hasbeen done, and it could be named between [4] [10] [11][12] [13] [21] [26] [28] [29]. In Weiler proposed [26],honeypots are assigned as a shield in the network,whereby all incoming traffic that is imported directed tothem. After that about disconnection of that connection orlegally allowed to connect is given. This solution may notwork as an ideal, because honeypots employ to attractattackers and being destroyed and not as prevent ordefense mechanism to serve. Teo [21], give anothersolution framework called Japonica, which has presentedthe main target of early and rapid response to unknownattacks through dynamic orchestration in detection,prevention, and reaction mechanisms to particular attacks.However, always wrong false alarm probability is a veryimportant issue and until the person directly andprofessionally tries to access production services insteadof Honeypots attack.To conclude these methods we can mention that manyof the above proposed used honeypot as a defensemechanism to block the attacker from attacking thenetwork. In this paper, that provided the hybrid honeypotproposed architecture with having of both low-interactionand high-interaction honeypots and provide a framework to not blocking or defensive system but be as interactiveand a lure design with minimization of the traditionalmistakes.
 Hybrid Honeypots
The call for assembled details assailed processes onnumber of IP domiciles urged researcher of this topic andnetwork security providers to pursue more intelligent andscalable architectures. These research guides into the largescale category architecture which called hybrid honeypotarchitecture.IV.
Worms Activity
In a network view, a worm can be a software orprogram that due to run on a honeypot can intention otherhoneypots to modify administration sufficiently whichthey start to make a link and generate connection or pairconnection requests. This delimitation helps to have amethod to distinguish and infection, which takes placenon self distributing network action from self spreading,that take system down and configure by its particularcode. However,
it doesn’t intention to automatically
continue the method. Almost all types of worms have theirown executable codes, which indicate that the capturedworms have multiple links and had system bufferoverflow or password generation from their viable. Eventhough most of these viable or executables have anickname which is contributed mostly directly with them,and because they are available as files by the worms initialutilize. The following Table I. give us the various worm
smodel and shown the number of captured on ourparticular network.The proposed work offers the best architecture thatmost focus on the decoy the best lure architecture whichabsorbed by internal network attacks through the hybridhoneypot which able to capture and record all theincoming and existing data and provide us the data
142http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 2, 2011
control. In proposed honeynet captures all the activitiesand operations of intruders, and send them to the log forthe further application.
 Data Analyzing Module
Data analyzing module does analysis of the collecteddata from original data. The honeynet record data throughinternal honeypots and forward them for analyzing. Inthis between also we are using an appropriate firewallwhich to get more information about captured data,furthermore we direct the firewall logs to our analyzer.In the proposed architecture, the use, a firewall moduleto work as a logger to capture all the traffic and theirsituation in our back end design, which provide theaccessibility of our production systems.
 Honeynet Activity
As previously mentioned, the honeynet has two mainactivities, which are information control and informationseizure or data recording. The primary idea of informationcontrol is to foreclose invaders abusing the honeynetfeature to direct them to access the other host. Informationseizure is to capture all the functionality of invaders. It isarduous to gather information as still as imaginable,nevertheless, not to be recognize by intruders.Most of the invaders try to spread out to encipherchannels like SSL (Secure Sockets Layer), IPSec, SSH(Secure Shell) and other related channel. In suchactivities, the encryption must be accomplished with aparticular account by the data collector mechanism. Inaddition to this matter, we employ seizer tools with thissimilar functionality on the honeypot to reach a multirecord level way of recording [1]. In this way not onlymay connect the various intruder
activity steps together,on the contrary, as well can keep the way from the defaultof a single mechanism.Logs, the information which recorded and systemactivity recorded by tools in honeypot are transfer toanalyzing module. The information is saved as obtaininformation consistent with the feature of network connection and its contents. The recorded information byhoneynet has less amount size, on the contrary, with morefidelity and fatal.By taking the beneficent of virtual technology, whichalso use in honeynet, we have the ability to set up thevirtual honeypot [14], on a host. This plan helps to deductand minimize the cost development of the honeynet.Nevertheless, the performance needed to deploy of a hostis still higher.
 De-Militarized Zone
De-Militarized Zone (DMZ) is not network hardwaredevice affection a router or a bridge [8], so it does notpass through altered packets. De-Militarized-Zone isdesigned to provide secure communication with serversbefore packets entering to a firewall without needing anyinbound firewall gapes between the internal LAN ornetwork and the deployed DMZ.The policy establishes facts security needs fornetworks and the machines and peripherals employedwithin the DMZ. The traditional De-Militarized-Zonesadmit machines which located behind the firewall to
requests outgoing to the DMZ. Machines inDMZ reply, try to forward or reissue queries outside theinternet or public network.Many DMZ employs in the event to utilize a server(such as proxy server) or other servers as the machinesdeployed within the DMZ. The deployed firewall in aftertrying to prevent the machines situated in DMZ frominitiating inbound requests. For the DMZ configuration,most of the machines conducted on the internal network or in a typical LAN run behind the firewall which throughthat they are able to connect to an external network or theinternet. To deploying the secure zone a few machines orservers as well employed outside the firewall in the DMZ,those machines on the external part intercept traffic andagent queries for other parts of network, and they providean extra layer of protection for the behind firewall zonemachines.A DMZ most often includes servers which providevarious services to the clients from the internet. Theseservices are included FTP, for e-mail services, SMTP,IMAP4 and POP3, and also DNS server. Even thoughthese servers must be direct to limited access from theinternet, and besides, they could protect the firewall aswell. Here we indicate that the servers and honeypotsreside could be the DMZ or inside the network, howeverDMZ is suggested. The best structure we are looking forthat has been shown in Fig. 1.
Proposed Hybrid Honeypot Framework 
The proposed advance introduces a pliable honeypotbased network security system that adopted to alter, inparticular, organizational, financial and importantconducted server zone network based on the energeticdynamic implementation and configuration of hybridhoneypots.The primary concept is for the low interactionhoneypots is to conduct using free ready unused IPaddresses which available through operating systems ordistributed ones and their services. They imitatesimulation of the distributed operating systems and theirservices of the deployed production hosts in a particularnetwork. In the mass of cases the going network traffic tohoneyds will be directed to high interaction honeypotwhere attackers face with certain services. Thedeployment of the half-breed or hybrid in order approachthe technology of honeypot in two main categorizes:Employing minimum administrative interferes onaccount of the number of honeyds and their particularservice setups automatically based on the authority of thenetwork. Focusing on the needed of the honeynets or highinteraction honeypots in the network by the redirection of traffic scenario from the low interaction honeypot showsthe affection of honyds as real systems to attackers.
Proposed Honeynet 
By the availability of fake machines in the network,firstly, the system administrator requires assigning the IPaddresses of the physical honeypot or essential host in thehoneynet, then authorized traffic redirection from lowinteraction honeypots and log the activities of attackers.The locution redirection does not intend to simply changecommunication direction from different machines.However, rather, it pertained reformatting the entering
143http://sites.google.com/site/ijcsis/ISSN 1947-5500

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->