A honeynet framework to promote enterprise network security

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 1, January-February (2013), pp. 404-413, © IAEME, www.iaeme.com/ijcet.asp. Journal Impact Factor (2012): 3.9580 (calculated by GISI, www.jifactor.com).

A HONEYNET FRAMEWORK TO PROMOTE ENTERPRISE NETWORK SECURITY

Mumtaz M.A. AL-Mukhtar (1), Badour W. Kasim (2)
(1) Information Engineering College, AL-Nahrain University, Iraq
(2) Information Engineering College, AL-Nahrain University, Iraq

ABSTRACT

This research introduces an intrusion detection mechanism based on high-interaction honeypots that efficiently gathers information about intruders attacking an enterprise network via the Internet. The high-interaction honeypots are implemented as a honeynet consisting of two servers with controlled services. Data control is achieved by capturing data and by restricting the traffic that enters and leaves the network. The proposed system consists of five modules: Honeypots, Sniffing, Tracing, Alert and Control. The honeypots provide real operating system files and services. The decoy is based on honeyfiles and on service configuration, which reduces the cost of maintaining the honeypots and improves the accuracy of threat detection. Data transfer between the honeypot modules is accomplished with Windows Communication Foundation (WCF) services, which convey the data in a secure way. The main aim of this work is to identify the traffic features or parameters that best identify intruders and profile attacks and attackers.

Keywords: Attack Monitoring, High-Interaction Honeypot, Honeynet, Intrusion Detection System, Network Security.

1. INTRODUCTION

The challenges of securing enterprise networks against intruders armed with compromise tools have become overwhelming and are still growing. With security administrators supporting an ever-growing number of users, constant manual interaction with security mechanisms has become impractical. Today's enterprise therefore requires a security solution that not only stops the most advanced intruder but does so with minimal configuration and supervision [1].
There have been several attempts to identify the originators of attack packets on a network. A common technique is the honeypot, defined as "a security resource whose value lies in being probed, attacked or compromised" [2]. According to their level of interaction, honeypots can be classified into low-interaction, medium-interaction and high-interaction honeypots [3].

Low-interaction honeypots normally work exclusively by emulating operating systems and services, so the attacker's activities are limited by the honeypot's level and quality of emulation [4]. Medium-interaction honeypots are slightly more sophisticated: they give the attacker a better illusion of an operating system because there is more to interact with, so more complex attacks can be logged and analyzed [5]. High-interaction honeypots are the most complex solution because they use real operating systems and real applications on real hardware, without emulation software, running normally and often directly tied to services such as databases and shared folders [6].

A honeynet is simply a network that contains one or more honeypots [7]. More precisely, it is a high-interaction honeypot designed to be attacked with the explicit intention of providing extensive information on threats; it offers real systems, applications and services for attackers to interact with, and detects new malicious attempts [8].

The remainder of this paper is organized as follows: Section 2 reviews related literature. Section 3 gives the overall system layout. Section 4 explains the design and implementation of the constituent modules. Section 5 gives the concluding remarks.

2. RELATED LITERATURE

Previous research on high-interaction honeypots includes detecting threats and improving network security [9, 10], designing a honeypot that learns from attackers and dynamically changes its behavior using a variant of reinforcement learning [11], using a high-interaction honeypot for SQL injection analysis [12], and improving the detection speed and attack collection scheme of high-interaction client honeypots [13, 14].

Different aspects of honeynet architectures are covered in the literature. Honeynets have been used to assess network security and as a proactive security system [15, 16]. Their use in education is addressed in [17, 18]. Deployment of honeynets for forensic analysis of attacks from the Internet is discussed in [19, 20]. Detecting and removing Internet worms and their related packets is proposed in [21, 22]. Detecting and defending against botnets is highlighted in [23]. Managing a honeynet as a distributed architecture is described in [24]. Building honeynets with virtualization technology is covered in [25, 26].

In contrast with the current generation of high-interaction honeypots, our work goes one step further. We improve administration and security enforcement to obtain an automated protection system that serves as an early-warning and advanced surveillance tool, minimizing the risk from attacks on enterprise networks while ensuring that the honeypots retain their usefulness as profiling tools.

3. SYSTEM OVERVIEW

The system layout is depicted in figure 1. The network comprises a pair of nodes configured as a honeynet, connected through a switch to a third node configured as the monitoring station. Each node in the honeynet acts as a high-interaction honeypot, using real operating systems and services with decoy files. A firewall on the monitoring station accepts connections only from the honeypot devices, to protect the monitoring station itself.
The honeypots provide real services to attract attackers. Once an attacker attempts to access a honeypot server, its data is captured and stored in a database. The stored packets are then transferred to the monitoring station over web services in a secure way. The monitoring station reads the acquired information and prepares a report as an Extensible Markup Language (XML) file, which is sent by e-mail to the network administrator as an alert. It also provides a Graphical User Interface (GUI) for monitoring the extracted information.

Fig.1- System Layout

4. SYSTEM DESIGN

The designed honeynet contains two honeypots: servers connected to the Internet and expressly set up to attract intruders. The system comprises several cooperating modules organized within the honeypots and the monitoring station. The function of these modules is illustrated in figure 2.

Fig.2- System Modules
4.1 Sniffing Module

This module runs on a network-attached device and passively receives all data link layer frames passing through the device's network adapter. The packet sniffer captures the data addressed to the honeypot machine and saves it for later analysis. Using the captured information, malicious packets can be identified to help maintain a picture of the network traffic. The sniffer is designed with four components:

A. The hardware: the Network Interface Card (NIC), configured in promiscuous mode.
B. Capture driver: captures the network traffic from the wire and filters it for the traffic of interest.
C. Buffer: once frames are captured from the network, they are stored in a buffer.
D. Decode: displays the contents of the network traffic with descriptive text.

The operation steps of this module are shown in figure 3.

Fig.3- Sniffer Operation

Capture takes place at kernel level while packet processing is performed at user level. When the kernel receives a packet from the network interface, it copies it from kernel space to user space. The filtering step is used when the system is interested in capturing only a specific type of packet: the kernel is instructed to hand over a copy of only those packets that match a filter expression.

The packet processing step extracts packet information and stores it in the database. All required packets are then sent to the monitoring station for analysis. The steps are illustrated in figure 4.

Fig.4- Packet Processing at Sniffing Module
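The packet processing step described above, as an added example that is not part of the paper's implementation: a Python decoder for Ethernet II / IPv4 / TCP or UDP frames, a user-space stand-in for the kernel filter expression (keep only frames addressed to the honeypot), and storage into a ThePacket table. The honeypot address 192.0.2.10, the DstPort column, the SQLite database and the sample frames are assumptions; the paper specifies none of them. In a real deployment the frames would come from the NIC in promiscuous mode (the `capture_live` helper, Linux only) and the filter would be attached in the kernel (libpcap or SO_ATTACH_FILTER) rather than applied after the copy to user space.

```python
"""Packet processing step of the sniffing module (added example; not the paper's code).

Assumptions (not from the paper): Ethernet II / IPv4 / TCP-or-UDP frames, the
honeypot address HONEYPOT_IP, and a local SQLite database. The sample frames
below are constructed, standing in for what a promiscuous NIC would deliver.
"""
import socket
import sqlite3
import struct

HONEYPOT_IP = "192.0.2.10"   # assumption: documentation-range address for the honeypot
ETH_P_IP = 0x0800


def parse_frame(frame: bytes):
    """Decode one Ethernet II frame into the fields the sniffer stores.

    Returns None for anything that is not IPv4 over Ethernet or is truncated.
    """
    if len(frame) < 14 + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    l4 = ip[ihl:total_len]
    rec = {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
           "protocol": {6: "TCP", 17: "UDP"}.get(proto, str(proto)),
           "src_port": None, "dst_port": None, "data": b""}
    if proto == 6 and len(l4) >= 20:
        sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", l4[:14])
        hdr_len = (offset_flags >> 12) * 4          # data offset is the top 4 bits
        rec.update(src_port=sport, dst_port=dport, data=l4[hdr_len:])
    elif proto == 17 and len(l4) >= 8:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        rec.update(src_port=sport, dst_port=dport, data=l4[8:])
    return rec


def addressed_to_honeypot(rec: dict) -> bool:
    """User-space equivalent of the kernel filter expression 'dst host HONEYPOT_IP'."""
    return rec["dst_ip"] == HONEYPOT_IP


def process_frames(frames, db_path=":memory:"):
    """Decode, filter and store frames; return the stored records."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS ThePacket (IP TEXT, Protocol TEXT, DstPort INTEGER, Data BLOB)")
    stored = []
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None or not addressed_to_honeypot(rec):
            continue
        conn.execute("INSERT INTO ThePacket VALUES (?, ?, ?, ?)",
                     (rec["src_ip"], rec["protocol"], rec["dst_port"], rec["data"]))
        stored.append(rec)
    conn.commit()
    conn.close()
    return stored


def capture_live(iface="eth0", count=10):
    """Promiscuous capture on Linux via an AF_PACKET raw socket (needs root; not run by the test)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    frames = [s.recv(65535) for _ in range(count)]
    s.close()
    return frames


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes, proto=6) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP (or UDP) frame for offline testing; checksums left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 5 << 12, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + l4
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip


# Constructed sample frames (not real captures): an HTTP request and a UDP datagram to
# the honeypot, and a third frame addressed to another host that the filter must drop.
SAMPLE_FRAMES = [
    build_frame("203.0.113.7", HONEYPOT_IP, 51234, 80, b"GET /admin HTTP/1.1\r\nHost: honeypot\r\n\r\n"),
    build_frame("203.0.113.7", HONEYPOT_IP, 40000, 53, b"\x12\x34", proto=17),
    build_frame("203.0.113.7", "192.0.2.99", 51235, 22, b"SSH-2.0-client\r\n"),
]

if __name__ == "__main__":
    for row in process_frames(SAMPLE_FRAMES):
        print(row["src_ip"], row["protocol"], row["dst_port"], row["data"][:20])
```

Replacing `SAMPLE_FRAMES` with `capture_live()` turns the script into the module's live path; the parser and filter are unchanged because both operate on the raw frame bytes the socket returns.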
4.2 Honeypot Servers

These servers are designed to lure intruders by providing a web interface over the Internet. One server runs the Windows Server 2012 operating system and the other runs the Ubuntu Linux operating system, offering different services (HTTP, FTP, SMTP, SSH and Telnet). Each honeypot runs two modules: the web interface module, which interacts with intruders, and the sniffing module, which captures network traffic.

Service configuration can be done either with a fake server or by turning real services into decoys. This system is a honeynet built on real services. The decoy method is based on honeyfiles. A honeyfile is a bait file intended for hackers to open; when the file is accessed, data is captured and an alarm is triggered.

4.3 Application Server

The application server provides the interface to clients on outside networks. It is built to advertise web services. All requests received by this server are logged to the database. Figure 5 shows a block diagram of the application server's operation. When attackers access the application server, their browsers send a number of headers to the honeypot server. These headers are exchanged during a negotiation that helps the browser and the honeypot server determine the best way to deliver the requested information. The request parser analyzes these headers to identify information about the users accessing the server. This information is extracted from HTTP request properties, which contain tokens that give specific details about the user issuing the request, including the IP address, date, operating system version, hosting service and duration of the interaction. Figure 6 shows the steps of the information extraction process carried out by the application server.

Fig.5- Application Server Operation
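The request parser of section 4.3 and the honeyfile alarm of section 4.2, as an added example that is not the paper's code: a Python parser that reduces one raw HTTP/1.1 request to the tokens the paper lists (IP, date, operating system from the User-Agent, host, path), flags requests for honeyfile paths, and groups requests per intruder to measure the duration of the interaction. The honeyfile paths, the User-Agent lookup table and the sample requests are assumptions; the paper gives none of them.

```python
"""Request parser of the application server with honeyfile alerting
(added example; not the paper's code).

Assumptions (not from the paper): raw HTTP/1.1 request text, honeyfiles served
under HONEYFILE_PATHS, and a small User-Agent token table for the OS version.
The sample requests are constructed, not captured.
"""
from datetime import datetime, timezone
import re

HONEYFILE_PATHS = {"/backup/passwords.xlsx", "/admin/db_credentials.txt"}   # assumption

# Ordered so that the more specific token is tried first.
OS_TOKENS = [
    ("Windows NT 10.0", "Windows 10"),
    ("Windows NT 6.3", "Windows 8.1"),
    ("Windows NT 6.1", "Windows 7"),
    ("Android", "Android"),
    ("iPhone", "iOS"),
    ("Mac OS X", "macOS"),
    ("Linux", "Linux"),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_request(raw: str, peer_ip: str, received_at: datetime) -> dict:
    """Extract the per-request tokens the parser records, plus a honeyfile flag."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = m.groups()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ua = headers.get("user-agent", "")
    os_name = next((label for token, label in OS_TOKENS if token in ua), "unknown")
    path = target.split("?", 1)[0]
    # X-Forwarded-For is attacker-controlled: record it, but key the session on the socket peer.
    return {
        "ip": peer_ip,
        "forwarded_for": headers.get("x-forwarded-for"),
        "date": received_at.isoformat(),
        "method": method,
        "path": path,
        "os": os_name,
        "user_agent": ua,
        "host": headers.get("host"),
        "honeyfile_access": path in HONEYFILE_PATHS,
    }


class SessionTracker:
    """Group requests by peer IP; raise an alarm on honeyfile access; measure interaction duration."""

    def __init__(self):
        self.sessions = {}

    def record(self, rec: dict) -> dict:
        s = self.sessions.setdefault(rec["ip"], {"ip": rec["ip"], "os": rec["os"],
                                                 "entry": rec["date"], "requests": [], "alerts": []})
        s["requests"].append(rec["path"])
        s["last"] = rec["date"]
        if rec["honeyfile_access"]:
            s["alerts"].append("honeyfile %s opened from %s at %s" % (rec["path"], rec["ip"], rec["date"]))
        return s

    def duration_seconds(self, ip: str) -> float:
        s = self.sessions[ip]
        return (datetime.fromisoformat(s["last"]) - datetime.fromisoformat(s["entry"])).total_seconds()


# Constructed sample traffic (not a real capture): a page view, then a honeyfile download 150 s later.
T0 = datetime(2013, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/17.0"
SAMPLE_REQUESTS = [
    ("203.0.113.7", T0,
     "GET / HTTP/1.1\r\nHost: www.example-corp.test\r\nUser-Agent: %s\r\n\r\n" % UA),
    ("203.0.113.7", T0.replace(minute=2, second=30),
     "GET /backup/passwords.xlsx?dl=1 HTTP/1.1\r\nHost: www.example-corp.test\r\n"
     "User-Agent: %s\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n" % UA),
]


def run_sample() -> SessionTracker:
    tracker = SessionTracker()
    for ip, ts, raw in SAMPLE_REQUESTS:
        tracker.record(parse_request(raw, ip, ts))
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for ip, s in t.sessions.items():
        print(ip, s["os"], "%.0fs" % t.duration_seconds(ip), s["alerts"])
```

Everything in the request except the peer address is attacker-controlled, which is why the session key is the socket peer and the User-Agent and X-Forwarded-For values are stored as evidence rather than trusted.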
Fig.6- Information Extracting by the Application Server

4.4 Information Transfer

To provide a secure way of analyzing data and gathering more information about malicious traffic, all data stored in the honeypots' database servers is transferred to the monitoring machine. Windows Communication Foundation (WCF) is used to transfer information from the honeypot servers to the monitoring station. In the current design WCF sends the data as asynchronous messages from one service endpoint to another. The designed WCF service consists of two components:

A. Endpoint: endpoints give clients access to the functionality offered by a WCF service. Each endpoint has three properties:
  • An address that indicates where the endpoint is found.
  • A binding that specifies how the monitoring machine communicates with the service endpoint.
  • A contract that identifies the operations the WCF service exposes.
B. Service host: the ServiceHost object hosts the WCF service inside the application server on each honeypot and registers its endpoints.

Figure 7 shows the architecture of the designed WCF service.

Fig.7- The Architecture of the Designed WCF

4.5 Control Module

This is the central module, located on the monitoring station. It provides a GUI to control and monitor system data and functions. Two modules are integrated inside it: the Tracing Module and the Alert Module.

4.6 Tracing Module

The tracing module collects the information extracted from the honeypot servers about each intruder and logs it in the system database. Its main function is to analyze the information in separate background functions; each background function analyzes part of the received information in its own thread, which keeps the user interface responsive despite the long delays such operations incur. Three background functions download and collect the information received from the honeypot devices, each handling one of the honeypot database tables:

A. UsersBackup downloads and updates user information received from the TheUsers database table on the honeypots. UsersBackup contains an IpInfo() function that obtains location information from the Whois and IP2Location databases. The information collected by this background function is: IP, country, city, region, latitude, longitude and ISP of the intruder machine. This is done by opening two connections to the remote location databases: the connection to IP2Location is an HTTP request to the database server, while the connection to the whois database is a TCP connection.
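The whois half of IpInfo(), as an added example that is not the paper's code: a Python client that sends the RFC 3912 query (the address followed by CRLF on TCP port 43), follows the IANA referral to the regional registry, and reduces the plain-text reply to the country, network name, ISP and address range that UsersBackup stores. The registry field names, the referral handling and the canned replies are assumptions (the replies are constructed, not real lookups); the IP2Location HTTP request is a separate call and is not shown.

```python
"""Whois lookup of the IpInfo() step (added example; not the paper's code).

Assumptions (not from the paper): whois servers speak RFC 3912 (one query line
ending in CRLF on TCP/43, plain-text reply), registry replies use
'key: value' lines in the RIPE/APNIC style, and IANA answers with a 'refer:'
line naming the authoritative registry. CANNED holds constructed replies.
"""
import re
import socket

WHOIS_PORT = 43
FIELD = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
# Registries spell the same attribute differently; map them onto the record we store.
KEY_MAP = {
    "country": "country",
    "netname": "netname",
    "descr": "isp", "org-name": "isp", "orgname": "isp", "organization": "isp",
    "inetnum": "range", "netrange": "range",
}


def whois_query(ip: str, server: str, timeout: float = 10.0) -> str:
    """Send one RFC 3912 query over TCP and return the raw reply (network call; not run by the test)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(reply: str) -> dict:
    """Reduce a whois reply to the fields UsersBackup keeps; the first value of each key wins."""
    info = {"country": None, "netname": None, "isp": None, "range": None, "refer": None}
    for line in reply.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):      # comments and terms-of-use banners
            continue
        m = FIELD.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("refer", "referralserver", "whois"):
            info["refer"] = info["refer"] or value.replace("whois://", "")
        elif key in KEY_MAP and info[KEY_MAP[key]] is None:
            info[KEY_MAP[key]] = value
    return info


def ip_info(ip: str, fetch=whois_query, root="whois.iana.org", max_hops=3) -> dict:
    """Follow IANA referrals to the authoritative registry and parse its reply.

    fetch(ip, server) is injectable so the lookup can run offline against canned replies.
    """
    server, seen = root, []
    for _ in range(max_hops):
        seen.append(server)
        info = parse_whois(fetch(ip, server))
        nxt = info.pop("refer")
        if nxt is None or nxt in seen:
            info["ip"], info["whois_server"] = ip, server
            return info
        server = nxt
    raise RuntimeError("too many whois referrals: %s" % seen)


# Constructed replies standing in for IANA and a regional registry (not real lookups).
CANNED = {
    "whois.iana.org": "% IANA WHOIS server\nrefer:        whois.apnic.net\ninetnum:      203.0.0.0 - 203.255.255.255\n",
    "whois.apnic.net": (
        "% Information related to '203.0.113.0 - 203.0.113.255'\n"
        "inetnum:        203.0.113.0 - 203.0.113.255\n"
        "netname:        EXAMPLE-HOSTING\n"
        "descr:          Example Hosting Ltd\n"
        "country:        AU\n"
        "org:            ORG-EX1-AP\n"
    ),
}


def sample_lookup(ip="203.0.113.7") -> dict:
    return ip_info(ip, fetch=lambda q, server: CANNED[server])


if __name__ == "__main__":
    print(sample_lookup())
```

Replacing the lambda in `sample_lookup` with the default `whois_query` performs the live lookup. Whois output is free text that the registry, not the honeynet, controls, so the parser only ever copies field values into the record and never interprets them as anything else.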
B. SessionsBackup downloads and updates session information received from the TheSession database table on the honeypots. The information collected by this background function is: IP, HostingService, OS (operating system), EntryDateTime, ConnectionDuration and OpenPorts. Port scanning is invoked through an Asynchronous JavaScript and XML (AJAX) service to determine open ports: the scan uses an AJAX service exposed with WebGetAttribute to send requests to a range of ports on the intruder machine, and is configured to use the JavaScript Object Notation (JSON) data format for responses.

C. PacketsBackup downloads and updates packet information received from the ThePacket database table on the honeypots. The information collected by this background function is: IP, Protocol and Data. All data packets of each session belonging to a single user are saved for later analysis by the system administrator.

4.7 Alerting Module

Two methods are implemented in this module: logging and alert. The logging method collects and processes data from the other modules and makes it available in XML file format. The collected information is used to generate reports and is consumed by the alert method. The alert method sends alerts to an administrator e-mail address at pre-defined time intervals; the frequency of the e-mails, their sender and the recipient are all configurable.

5. CONCLUSIONS

In this work we exploited the concept of high-interaction honeypots in depth to capture and analyze intruder data, observe intruder behavior and provide versatile information about security threats. The system can also be customized to capture specific data. As the honeypots capture malicious traffic, they also capture the new tools used by blackhats.
Moreover, the geographical location of intruders is explored using the Whois and IP2Location databases. IP geolocation of this kind relies on registry and database records rather than on network measurement, so its accuracy is only as good as those records. The system uses JavaScript code running in the intruder's browser to scan ports on the intruder machine even when a firewall is running; this also lets the system be hosted in different environments (.NET and JavaScript). System testing shows that the developed honeynet can remedy the deficiencies of existing monitoring systems and improve the performance of security defense systems.

REFERENCES

[1] Kuwatly Iyad, Sraj Malek, Al Masri Zaid, and Artail Hassan, "A Dynamic Honeypot Design for Intrusion Detection", Proceedings of the IEEE/ACS International Conference on Pervasive Services (ICPS'04), pp. 1-10, 2004.
[2] Spitzner, L., Honeypots: Tracking Hackers, Addison Wesley, 2003.
[3] Iyatiti Mokube and Michele Adams, "Honeypots: Concepts, Approaches, and Challenges", Proceedings of the 45th Annual Southeast Regional Conference (ACMSE 07), pp. 321-326, 2007.
[4] Abhishek Mairh, Debabrat Barik, and Kanchan Verma, "Honeypot in Network Security: A Survey", Proceedings of the 2011 International Conference on Communication, Computing & Security (ICCCS 11), pp. 600-605, 2011.
[5] Pei-Sheng Huang, Chung-Huang Yang, and Tae-Nam Ahn, "Design and Implementation of a Distributed Early Warning System Combined with Intrusion Detection System and Honeypot", International Conference on Convergence and Hybrid Information Technology (ICHIT 09), pp. 232-238, 2009.
[6] Briffaut Jeremy, Lalande Jean-Francois, and Toinard Christian, "Security and Results of a Large-Scale High-Interaction Honeypot", Journal of Computers, Vol. 4, No. 5, pp. 395-404, 2009.
[7] Yang Y., Yang H., and Mi J., "Design of Distributed Honeypot System Based on Intrusion Tracking", IEEE 3rd International Conference on Communication Software and Networks (ICCSN), pp. 196-198, 2011.
[8] Ritu Tiwari, and Abhishek Jain, "Improving Network Security and Design using Honeypots", Proceedings of the CUBE International Information Technology Conference (CUBE 12), pp. 847-852, 2012.
[9] Briffaut J., Rouzaud-Cornabas J., Toinard C., and Zemali Y., "A New Approach to Enforce the Security Properties of a Clustered High-Interaction Honeypot", International Conference on High Performance Computing & Simulation (HPCS 09), pp. 184-192, 2009.
[10] Bhumika, and Vivek Sharma, "Use of Honeypots to Increase Awareness Regarding Network Security", International Journal of Recent Technology and Engineering (IJRTE), Vol. 1, Issue 2, pp. 171-175, 2012.
[11] Gerard Wagener, Radu State, Thomas Engel, and Alexandre Dulaunoy, "Adaptive and Self-Configurable Honeypots", 12th IFIP/IEEE International Symposium on Integrated Network Management, pp. 345-352, 2011.
[12] Jiao Ma, Kun Chai, Yao Xiao, Tian Lan, and Wei Huang, "High-Interaction Honeypot System for SQL Injection Analysis", International Conference on Information Technology, Computer Engineering and Management Sciences (ICM), pp. 274-277, 2011.
[13] Hong-Geun Kim, Dong-Jin Kim, and Seong-Je Cho, "An Efficient Visitation Algorithm to Improve the Detection Speed of High-Interaction Client Honeypots", Proceedings of the ACM Symposium on Research in Applied Computation (RACS 11), pp. 266-271, 2011.
[14] Yagi Takeshi, Tanimoto Naoto, Hariu Takeo, and Itoh Mitsutaka, "Enhanced Attack Collection Scheme on High-Interaction Web Honeypots", IEEE Symposium on Computers and Communications (ISCC), pp. 81-86, 2010.
[15] Olivier Thonnard, and Marc Dacier, "A Framework for Attack Patterns Discovery in Honeynet Data", Digital Investigation, Volume 5, Supplement, pp. S128-S139, September 2008.
[16] Dongwoo Kwon, Hong J.W., and Hongtaek Ju, "DDoS Attack Forecasting System Architecture Using Honeynet", 14th Asia-Pacific Network Operations and Management Symposium (APNOMS), pp. 1-4, 2012.
[17] Ateeq Ahmad, Muhammad Ali, and Jamshed Mustafa, "Benefits of Honeypots in Education Sector", International Journal of Computer Science and Network Security, Vol. 11, No. 10, pp. 24-28, 2011.
[18] O'Leary M., Azadegan S., and Lakhani J., "Development of a Honeynet Laboratory: a Case Study", Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 06), pp. 401-406, 2006.
[19] Stephan Riebach, Erwin P. Rathgeb, and Birger Toedtmann, "Efficient Deployment of Honeynets for Statistical and Forensic Analysis of Attacks from the Internet", Proceedings of the 4th IFIP-TC6 International Conference on Networking Technologies, Services, and Protocols, pp. 756-767, 2005.
[20] Bhatia J.S., Sehgal R., Bhushan B., and Kaur H., "A Case Study on Host Based Data Analysis & Cyber Criminal Profiling in Honeynets", First International Conference on Communication Systems and Networks (COMSNETS 2009), pp. 1-2, 2009.
[21] Pragya Jain, and Anjali Sardana, "Defending against Internet Worms using Honeyfarm", Proceedings of the CUBE International Information Technology Conference (CUBE 12), pp. 795-800, 2012.
[22] Kumar Upendra, Kumar Mishra Bimal, and Sahoo G., "Defending Polymorphic Worms in Computer Network using Honeynet", International Journal of Engineering Science and Technology (IJEST), Vol. 4, No. 04, pp. 1908-1411, 2012.
[23] J.S. Bhatia, R.K. Sehgal, and Sanjeev Kumar, "Botnet Command Detection using Virtual Honeynet", International Journal of Network Security & Its Applications, Vol. 3, Issue 5, pp. 177-189, 2011.
[24] Leita C., Pham V.H., Thonnard O., Ramirez E.S., Pouget F., Kirda E., and Dacier M., "The Leurre.com Project: Collecting Internet Threats Information Using a Worldwide Distributed Honeynet", Workshop on Information Security Threats Data Collection and Sharing (WISTDCS 08), pp. 40-57, 2008.
[25] Sun Bing, Wang Hai-feng, and Cheng Ling, "Study of Network Security Situation in Honeynet", Proceedings of the International Conference on Modelling, Identification & Control (ICMIC), pp. 519-523, 2012.
[26] Liu Tian-Hua, Yi Xiu-Shuang, and Ma Shi-Wei, "Core Functions Analysis and Example Deployment of Virtual Honeynet", First International Conference on Robot, Vision and Signal Processing (RVSP), pp. 212-215, 2011.
[27] Dillip Kumar Mahapatra, Tanmaya Kumar Das, and Gopakrishna Pradhan, "Guidelines for Managing Distributed Software Project under Deployment", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 34-45, ISSN Print: 0976-6367, ISSN Online: 0976-6375, Published by IAEME.
[28] Syeda Gauhar Fatima, Dr. Syed Abdul Sattar, and Dr. K. Anita Sheela, "Energy Efficient Intrusion Detection System for WSN", International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246-250, ISSN Print: 0976-6464, ISSN Online: 0976-6472, Published by IAEME.