ABSTRACT
A honey pot is a closely monitored network decoy serving several purposes: it can distract adversaries from more valuable machines on a network, provide early warning about new attack and exploitation trends and allow in-depth examination of adversaries during and after exploitation of a honey pot. The concept of honey pots was first proposed in Clifford Stoll's book "The Cuckoo's Egg" and Bill Cheswick's paper "An Evening with Berferd". Honey pots, as an easy target for attackers, can simulate many vulnerable hosts in the network and provide us with valuable information about the attackers. Honey pots are not the solution to network security, but they are tools which are implemented for discovering unwanted activities on a network. They are not intrusion detectors, but they teach us how to improve our network security or, more importantly, teach us what to look for. A honey pot is a system which is built and set up in order to be hacked. Apart from this, a honey pot is also a trap system for attackers which is deployed to counteract the resources of the attacker and slow him down, so that he wastes his time on the honey pot instead of attacking the production systems. This paper discusses honey pot basics, types of honey pots, various honey pots, advantages and disadvantages of honey pots, and the last section presents a comparison between different honey pot systems.
Keywords: Honey pots, Honeyd, Specter, Network Security, Honey net.
is nothing. But a honey pot is a valuable security tool if it is being attacked by the attacker. Other security tools such as firewalls and IDS are completely passive in their task of preventing or detecting attacks. A honey pot actively gives the attacker a way in, so that information about new intrusions can be gained. This nature makes the honey pot outstanding as an aid to other security tools. Honey pots differ according to their uses. A honey pot could be an emulated application, a fully functional operating system with default configuration, or an actual network including different operating systems and applications, even an emulated network on a single machine. Honey pots are very different, and it is this difference that makes them such a powerful tool. Honey pots do not solve a specific problem. Instead, they are a highly flexible tool that has many applications to security. They can be used to slow down or stop automated attacks, capture new exploits to gather intelligence on emerging threats, or to give early warning and prediction. They come in many different shapes and sizes. They can be either a Windows program that emulates common services, such as the Windows honey pot KFSensor [3], or entire networks of real computers to be attacked, such as Honey nets.
TYPES OF HONEYPOTS
In general, honey pots can be divided into two categories:
Production honey pots
Research honey pots [4]

1. Production Honey pots
Production honey pots are used to assist an organization in protecting its internal IT infrastructure. They are valuable to the organization, especially a commercial one, as they help to reduce the risk that a specific organization faces. They secure the organization by policing its IT environment to identify attacks. These honey pots are useful in catching hackers with criminal intentions. The implementation and deployment of these honey pots are relatively easier than for research honey pots. One of the reasons is that they have less purpose and require fewer functions. As a result, they also provide less evidence about hackers' attack patterns and motives.

2. Research Honey pots
Research honey pots are complex. They
www.ijsir.co.in 142
International Journal of Scientific and Innovative Research 2013; 1(2):141-150,
deploy and maintain because they have limited interaction capabilities, which also reduces risk [5].

2. Medium-interaction Honey pots
In terms of interaction, medium-interaction honey pots are more advanced than low-interaction honey pots, but less advanced than high-interaction honey pots. Medium-interaction honey pots also do not have a real operating system, but the services provided are more sophisticated technically. Here, the levels of the honey pots get complicated, so the risk also increases, especially with regard to vulnerability.

3. High-interaction Honey pots
High-interaction honey pots are different; they are a complex solution and involve the deployment of real operating systems and applications. They capture extensive amounts of information and allow attackers to interact with real systems where the full extent of their behavior can be studied and recorded. Examples of high-interaction honey pots include Honey nets and Sebek. These kinds of honey pots are really time consuming to design, manage and maintain. Among the three types of honey pots, these honey pots possess a huge risk. But the information and evidence gathered for analysis is very large. With these types of honey pots we can learn what kind of tools hackers use, what kind of exploits they use, what kind of vulnerabilities they normally look for, their knowledge in hacking and surfing their way through operating systems, and how or about what the hackers interact [5].

TRADEOFFS BETWEEN HONEY POT LEVELS OF INTERACTION
Table 1 summarizes the tradeoffs between different levels of interaction in four categories. The first category is installation and configuration effort, which defines the time and effort in installing and configuring the honey pot. In general, if the level of interaction between the user and the honey pot is higher, then the effort required to install and configure the honey pot is also significant. The second category is deployment and maintenance. This category defines the time and effort involved in deploying and maintaining the honey pot. Once again, the more functionality provided by the honey pot, the more effort is required to deploy and maintain the honey pot. The third
An administrator can customize each cage as he would a physically separate system. He can create users, install applications, run processes, and even compile his own binaries. When an intruder attacks and gains access to a cage, to the attacker it looks as if the cage is a truly separate physical system. He is not aware that he is in a caged environment where every action and keystroke is recorded [6].

2. Back Officer Friendly (BOF)
Back Officer Friendly, or BOF as it is commonly called, is a simple, free honey pot solution developed by Marcus Ranum. It is extremely simple to install, easy to configure, and low maintenance. However, this simplicity comes at a cost. Its capabilities are severely limited. It has a small set of services that simply listen on ports, with notably limited emulation capabilities. It works by creating port listeners, or open sockets, that bind to a port and detect any connections made to these ports. When a connection is made to the port, the port listeners establish a full TCP connection (if the service is TCP), log the attempt, generate an alert, and then close the connection, depending on how the service is configured. Everything BOF does happens in user space. It does not build or customize any packets when responding to connections. Because of this simple model, BOF can run on any Windows platform, including Windows 95 and Windows 98 [1].

3. Specter
Specter is a commercially supported honey pot developed and sold by the folks at Net Sec. Like BOF, Specter is a low-interaction honey pot. However, Specter has far greater functionality and capabilities than BOF. Not only can Specter emulate more services, it can emulate different operating systems and vulnerabilities. It also has extensive alerting and logging capabilities. Because Specter only emulates services with limited interaction, it is easy to deploy, simple to maintain, and is low risk. However, compared to medium- and high-interaction honey pots, it is limited in the amount of information it can gather. Specter is primarily a production honey pot. Specter shares the same limitations as BOF. Specifically, it cannot listen on or monitor a port that is already owned by another application. If any service is listening on the FTP port (port 21), then Specter is unable to monitor
that port. Specter can only monitor ports that are not owned by any other application. It also has the capability of emulating different operating systems. This is done by changing the behavior of the services to mimic the selected operating system [6].

4. Honeyd
Honeyd is developed and maintained by Niels Provos of the University of Michigan and was first released in April 2002. It is designed as a low-interaction solution; there is no operating system intended for an attacker to gain access to, only emulated services. Honeyd is designed primarily as a production honey pot, used to detect attacks or unauthorized activity [1]. Honeyd works on the principle that when it receives a probe or a connection for a system that does not exist, it assumes that the connection attempt is hostile, most likely a probe, scan, or attack. When Honeyd receives such traffic, it assumes the IP address of the intended destination (making it the victim). It then starts an emulated service for the port that the connection is attempting. Once the emulated service is started, it interacts with the attacker and captures all of his activity. When the attacker is done, the emulated service exits and is no longer running. Honeyd then continues to wait for any more traffic or connection attempts to systems that do not exist. Honeyd assumes an IP address and runs an emulated service only when it receives a connection attempt for a system that does not exist, an extremely efficient method. As Honeyd receives more attacks, it repeats the process of assuming the IP address of the intended victim, starting the respective emulated service under attack, interacting with the attacker, capturing the attack, and finally exiting. It can emulate multiple IP addresses and interact with different attackers all at the same time.

5. Honey nets
Honey nets represent the extreme of high-interaction honey pots. Not only do they provide the attacker with a complete operating system to attack and interact with, they may also provide multiple honey pots. Honey nets are nothing more than a variety of standard systems deployed within a highly controlled network. By their nature, these systems become honey pots, since their value is being probed, attacked, or
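The BOF listener model described above (bind a port, complete the TCP handshake, log and alert, close) and the limitation BOF and Specter share (a port already owned by another application cannot be monitored), as an added Python example that is not from the paper or from either product; the `Decoy` class, `can_claim_port` and `simulate_probe` are names chosen here, and the loopback address is used so the block runs offline.

```python
import datetime
import queue
import socket
import threading


class Decoy:
    """BOF-style port listener: bind, accept, log and alert, then close."""
    def __init__(self, service: str, port: int = 0, host: str = "127.0.0.1"):
        self.service, self.alerts, self._stop = service, queue.Queue(), threading.Event()
        # No SO_REUSEADDR on purpose: like BOF and Specter, the decoy cannot take
        # a port another application already owns; bind() raises OSError instead.
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))  # port 0 = any free port (handy for tests)
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # lets the thread notice stop()
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (peer_ip, peer_port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed by stop()
                break
            # The kernel completed the handshake, so the peer saw a live service;
            # nothing legitimate should ever connect here, so every hit is an alert.
            self.alerts.put({
                "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "service": self.service, "port": self.port,
                "peer_ip": peer_ip, "peer_port": peer_port})
            conn.close()  # no emulation beyond this point, just like BOF

    def stop(self) -> None:
        self._stop.set()
        self._sock.close()


def can_claim_port(port: int, host: str = "127.0.0.1") -> bool:
    """True if a second listener could bind here; False while a decoy holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return False
    return True


def simulate_probe(decoy: Decoy) -> dict:
    """Connect once, as a scanner would, and return the alert the decoy raised."""
    with socket.create_connection(("127.0.0.1", decoy.port), timeout=2):
        pass
    return decoy.alerts.get(timeout=2)
```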
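The Honeyd principle described above (claim only addresses where no real system lives, treat any connection there as hostile, and run the emulated service configured for that port), as an added Python simulation that is not Honeyd's own code: the parser accepts a small subset written in the style of Honeyd's configuration language, the sample configuration is constructed, and `parse_config` and `dispatch` are names chosen here.

```python
import ipaddress
import shlex


def parse_config(text: str) -> dict:
    """Parse the subset: create / set personality / set default tcp action / add tcp port / bind."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        w = shlex.split(raw.split("#", 1)[0])  # honour quotes, drop comments
        if not w:
            continue
        if w[0] == "create":
            templates[w[1]] = {"personality": "unknown", "tcp": {}, "default_tcp": "reset"}
        elif w[0] == "set" and w[2] == "personality":
            templates[w[1]]["personality"] = w[3]
        elif w[0] == "set" and w[2:5] == ["default", "tcp", "action"]:
            templates[w[1]]["default_tcp"] = w[5]
        elif w[0] == "add" and w[2:4] == ["tcp", "port"]:
            templates[w[1]]["tcp"][int(w[4])] = w[5]
        elif w[0] == "bind":
            bindings[ipaddress.ip_address(w[1])] = templates[w[2]]
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return {"templates": templates, "bindings": bindings}


def dispatch(cfg: dict, real_hosts, dst_ip: str, dst_port: int) -> tuple:
    """Decide what a Honeyd-style daemon does with one TCP connection attempt."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in {ipaddress.ip_address(h) for h in real_hosts}:
        return ("ignore", "real system; it answers for itself")
    tmpl = cfg["bindings"].get(dst)
    if tmpl is None:
        return ("ignore", "address not bound to any template")
    # Nothing real lives at dst, so the attempt is presumed hostile: assume the
    # victim's address and run the emulated service configured for that port.
    service = tmpl["tcp"].get(dst_port)
    if service is None:
        return (tmpl["default_tcp"], f"{tmpl['personality']}: no service on tcp/{dst_port}")
    return ("emulate", f"{tmpl['personality']}: run {service!r} as {dst} tcp/{dst_port}")


# Constructed sample written in the style of a Honeyd configuration file.
SAMPLE_CONFIG = """
create winbox
set winbox personality "Windows XP"
set winbox default tcp action reset
add winbox tcp port 21 "sh scripts/ftp.sh"
add winbox tcp port 80 "sh scripts/web.sh"
bind 10.0.0.5 winbox
bind 10.0.0.6 winbox  # one template can answer for many phantom addresses
"""
```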
COMPARISON OF VARIOUS HONEY POTS
In this section five honey pots are compared in tabular form.
The interaction level between the user and the honey pot is high in the case of Mantrap, Specter and Honey net, and this level is low in the case of BOF and Honeyd.
Honeyd and Honey net are freely available, whereas Mantrap, Specter and BOF are not freely available.
Honeyd and Honey net are open source, whereas Mantrap, Specter and BOF are not open source.
BOF does not support a log file, whereas the rest of the honey pots support a log file.
BOF does not emulate the operating system, whereas the rest of the four honey pots can emulate an operating system.
Unlimited services are supported by Mantrap, Honeyd and Honey net, whereas limited services are supported by BOF and Specter.
CONCLUSION
Honey pots are security resources that can help in achieving network security. Different honey pot systems have been discussed in the paper. An effort has also been made to compare the different systems. Each honey pot has its advantages and disadvantages. Different honey pot systems can be deployed under different conditions. An administrator can choose any of the five honey pots discussed in the paper according to his requirements.

REFERENCES
1. Spitzner, L.: Tracking Hackers. Addison Wesley, September 2002.
2. Zanoramy, W., Zakaria, A., et al., "Deploying Virtual Honeypots on Virtual Machine Monitor".
3. Spitzner, L. Honeypot: