
Wi fi security dedicated architectures



  1. Wi-Fi Security Dedicated Architectures
     Prateek Murli
  2. Topics
     • Hotspot authentication issues
     • Rogue access point detection and blocking
     • WIDS and WIPS
     • Geolocation techniques
     • Wireless honeypot architecture
     • Case study: Honey Net
  3. Hot spot architecture: captive portals
     Hot spots are dedicated Wi-Fi networks, usually deployed in airports and railway stations, that give users the opportunity to connect to the Internet or to their intranet. This kind of network access was first deployed by providers in areas where users are travelling. The hot spot architecture is based on "captive portal" technology: access control and authentication are performed by the captive portal. The main strength of this technology is ergonomics, as it has no impact on the client's computer configuration.
  4. Captive Portal Overview
     • A captive portal is a router or gateway host that does not allow traffic to pass until the user has authenticated.
     • In a captive portal environment, a client device acquires an Internet Protocol (IP) address using the Dynamic Host Configuration Protocol (DHCP), and any web request from the client device is redirected to the captive portal.
     • The captive portal presents a web page; the user authenticates to that page, possibly paying an access fee; the portal then stops redirecting that client's traffic, so the client can access the rest of the Internet.
  5. A captive portal is composed of:
     • a dynamic, rule-based firewall;
     • a web server;
     • an authentication framework and database;
     • (optionally) a billing framework.
  6. 1) Redirection. When a computer associates with the "open" Wi-Fi access point, it first negotiates a DHCP lease. Whenever the wireless client asks to go to the Internet (opening its browser and requesting a web page), it is redirected to the web server. The captive portal redirects the connection to an HTTPS web server so that the web server is authenticated using public-key cryptography and the Transport Layer Security (TLS) protocol. The page presented is the provider's portal page, to which the user is always redirected until he succeeds in authenticating to the hot spot.
  7. 2) Authorization. When the user authenticates to the captive portal (by providing a valid username/password or a valid token), the authentication framework authorizes the user to communicate with the Internet by dynamically configuring the rule set applied on the firewall. Most captive portals rely only on the IP address to authorize the user on the firewall, while some also use the MAC address in order to make IP spoofing harder.
     3) Connection. Once the firewall has configured the new rule set for the authenticated user, the template security policy (applied by the provider) is enforced and the user now has access to the Internet.
     4) Disconnection. The user may close the connection to the captive portal by sending a logoff through a specific web page on the captive portal. Most hot spot architectures also use other techniques to detect that the user has left the architecture (e.g. sending ARP probes or observing DHCP renewal).
  8. IMPROVEMENTS
     Hot spot providers are usually aware of the common security issues. As these issues are related to access control and to the lack of attack detection in common hot spot architectures, this section discusses possible improvements that aim at raising the overall difficulty of performing such attacks.
     Access control improvements. A simple but effective improvement is to add detection of the user's operating system and correlate it with the MAC/IP address. The assertion is that most attackers will use Unix-based operating systems, unlike legitimate users, who will mostly rely on Microsoft Windows-based operating systems. Thus, if the same IP address shows two different operating system fingerprints at the same moment, an IP spoofing attack is likely: this is simple but effective in practice, as today it is hard to perfectly mimic another operating system by tweaking the TCP/IP stack.
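The four captive-portal steps (redirection, authorization, connection, disconnection) together with the OS-fingerprint correlation suggested as an improvement, modelled as an in-memory rule table. This is an added example, not code from the slides: the credentials, the client addresses and the fingerprint labels ("Windows", "Linux") are constructed, and the fingerprint is assumed to be supplied by a passive TCP/IP-stack fingerprinter such as p0f.

```python
"""Captive-portal authorization model with OS-fingerprint correlation.

Added example, not code from the original slides. The dynamic firewall rule
set is modelled as a table keyed by client IP; the MAC address is bound to the
authorization and the passive stack fingerprint seen at lease time is kept so
that a second, different fingerprint on the same IP can be flagged.
"""
from dataclasses import dataclass


@dataclass
class Client:
    ip: str
    mac: str
    os_fp: str            # stack fingerprint label observed at lease time (constructed)
    authorized: bool = False


class CaptivePortal:
    def __init__(self, credentials, bind_mac=True):
        self.credentials = credentials   # username -> password (constructed)
        self.bind_mac = bind_mac
        self.clients = {}                # ip -> Client, i.e. the dynamic rule set
        self.alerts = []

    def dhcp_lease(self, ip, mac, os_fp):
        """Step 1, redirection: a new lease starts unauthorized."""
        self.clients[ip] = Client(ip, mac, os_fp)

    def authenticate(self, ip, username, password):
        """Step 2, authorization: valid credentials open the rule for this IP."""
        client = self.clients.get(ip)
        if client is None or self.credentials.get(username) != password:
            return False
        client.authorized = True
        return True

    def decide(self, ip, mac, os_fp):
        """Step 3, connection: firewall decision for a packet from ip/mac/os_fp.

        Returns "ALLOW" or "REDIRECT". A different fingerprint on an IP that is
        already authorized is treated as possible IP spoofing and the rule is
        revoked until the user authenticates again.
        """
        client = self.clients.get(ip)
        if client is None or not client.authorized:
            return "REDIRECT"
        if self.bind_mac and mac.lower() != client.mac.lower():
            self.alerts.append(f"MAC mismatch on {ip}: {mac} vs {client.mac}")
            return "REDIRECT"
        if os_fp != client.os_fp:
            self.alerts.append(
                f"possible IP spoofing on {ip}: fingerprint {os_fp} vs {client.os_fp}")
            client.authorized = False      # revoke the dynamic rule
            return "REDIRECT"
        return "ALLOW"

    def logoff(self, ip):
        """Step 4, disconnection: explicit logoff, missed probe or expired lease."""
        self.clients.pop(ip, None)


def demo():
    """Walk one client through the four steps and one spoofing attempt."""
    portal = CaptivePortal({"alice": "s3cret"})      # constructed credentials
    portal.dhcp_lease("10.0.0.5", "aa:bb:cc:00:00:01", "Windows")
    before = portal.decide("10.0.0.5", "aa:bb:cc:00:00:01", "Windows")
    portal.authenticate("10.0.0.5", "alice", "s3cret")
    after = portal.decide("10.0.0.5", "aa:bb:cc:00:00:01", "Windows")
    # same IP and MAC, but a different stack fingerprint at the same moment
    spoofed = portal.decide("10.0.0.5", "aa:bb:cc:00:00:01", "Linux")
    revoked = portal.decide("10.0.0.5", "aa:bb:cc:00:00:01", "Windows")
    portal.logoff("10.0.0.5")
    return before, after, spoofed, revoked, list(portal.alerts)


if __name__ == "__main__":
    print(demo())
```

Revoking the rule on a fingerprint mismatch is deliberately conservative: it costs the legitimate user one re-login, whereas leaving the rule open keeps the borrowed IP usable for the whole session.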
  9. Device discovery improvements
     One requirement for overcoming billing issues is to detect whenever the customer leaves the hot spot, in order to stop the billing mechanism and to reconfigure the dynamic firewall so that the IP address is redirected to the captive portal again. This is necessary to reduce the attacker's window of opportunity. To detect that a customer has left the architecture, several options are possible: a logoff window, MAC address lookup in the ARP tables of network switches, ARP probes, ICMP probes, DHCP renewal, etc.
  10. Logoff window
     When a user is authenticated to the captive portal, a logoff window is accessible and can be triggered. This logoff window is useful for:
     • giving the customer the opportunity to manually stop the billing whenever he clicks in this window;
     • periodically sending information to the captive portal to signal that the customer is still active; these probes are usually sent securely over SSL/TLS.
     • If the captive portal does not receive the customer's probes, it considers that he has left the hot spot and shuts down the current authorization linked to the authenticated user.
  11. DHCP renewal
     • In this case, the captive portal retrieves information from the DHCP servers.
     • As DHCP leases are usually short, if the legitimate user leaves the architecture and does not renew his DHCP lease, the captive portal de-authenticates him.
     • An attacker must then mimic the DHCP renewal process in order to bypass this mechanism.
  12. ROGUE ACCESS POINT DETECTION
     Rogue detection is a two-step process: first discovering the presence of an access point in the network, then identifying whether it is a rogue or not. Some of the most commonly used techniques for AP discovery are:
     • RF scanning
     • AP scanning
     • Using wired-side inputs
  13. RF scanning: Most WLAN IDS vendors follow this technique. Re-purposed access points that do only packet capture and analysis (a.k.a. RF sensors) are plugged in all over the wired network. These sensors are quick to detect any wireless device operating in the area and can alert the WLAN administrator.
     AP scanning: A few access point vendors provide the functionality of detecting neighbouring access points. If you deploy such access points in your WLAN, they will automatically discover APs operating in the nearby area and expose the data through their web interface as well as their MIBs.
  14. Wired-side inputs: Most network management software uses this technique to discover access points. This software uses multiple protocols to detect devices connected to the LAN, including SNMP, Telnet, CDP (Cisco Discovery Protocol, specific to Cisco devices), etc. This approach is very reliable and proven, as it can detect an AP anywhere in the LAN irrespective of its physical location. Moreover, wireless NMSs can not only discover the AP but also constantly monitor it for health and availability.
     Once an AP is discovered, the next step is to identify whether it is a rogue or not. One way to do this is to use a preconfigured list of authorized APs. Any newly detected AP that falls outside the authorized list is tagged as rogue. Some of the ways in which IT managers can populate the authorized list are:
  15. • Authorized MAC: IT administrators can import ACL settings into the Wi-Fi manager or type in the MAC addresses of the authorized access points in the network. This enables the rogue detection tool to alert WLAN administrators whenever an AP with a different MAC is detected.
     • Authorized SSIDs: Enterprises in most cases standardize on the authorized SSIDs that are to be used. These SSIDs can be fed to the rogue detection tool so that it alerts WLAN administrators whenever an AP with a different SSID is detected.
  16. • Authorized radio media type: Enterprises sometimes standardize on 802.11a, b or g access points. This enables the rogue detection tool to alert WLAN administrators whenever an AP with a different radio media type is detected.
     • Authorized channel: Sometimes enterprises want their APs to operate on selected channels. This enables the rogue detection tool to alert WLAN administrators whenever an AP operating on a different channel is detected.
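The four authorized-list checks from slides 14 to 16 (MAC, SSID, radio media type, channel) applied to a scan result, with one extra signal for the case the list cannot catch. This is an added example, not a tool from the slides: the authorized list, the observed APs and the BSSIDs are constructed; in practice the observations come from RF sensors, AP neighbour tables or a wired-side NMS walk.

```python
"""Rogue AP classification against an authorized list (added example).

Constructed data throughout. A device that clones both an authorized BSSID
and SSID passes every list check, so the same BSSID being seen on more than
one channel is reported separately as a duplicate; it is a hint for the
administrator, not proof of a rogue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    media: str      # "a", "b", "g" ... as reported by the scanner
    channel: int


@dataclass(frozen=True)
class AuthorizedList:
    bssids: frozenset
    ssids: frozenset
    media_types: frozenset
    channels: frozenset


def classify_ap(ap, auth):
    """Return ("authorized", []) or ("rogue", [reason, ...])."""
    reasons = []
    if ap.bssid.lower() not in {b.lower() for b in auth.bssids}:
        reasons.append("BSSID not in authorized MAC list")
    if ap.ssid not in auth.ssids:
        reasons.append(f"SSID {ap.ssid!r} not authorized")
    if ap.media not in auth.media_types:
        reasons.append(f"radio media type 802.11{ap.media} not authorized")
    if ap.channel not in auth.channels:
        reasons.append(f"channel {ap.channel} not authorized")
    return ("rogue" if reasons else "authorized"), reasons


def scan_report(observed, auth):
    """One (bssid, channel, verdict, reasons) row per observed AP."""
    return [(ap.bssid, ap.channel, *classify_ap(ap, auth)) for ap in observed]


def duplicate_bssids(observed):
    """BSSIDs seen on more than one channel during the same scan."""
    seen = {}
    for ap in observed:
        seen.setdefault(ap.bssid.lower(), set()).add(ap.channel)
    return sorted(b for b, chans in seen.items() if len(chans) > 1)


# Constructed authorized list and scan results.
AUTH = AuthorizedList(
    bssids=frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    ssids=frozenset({"CorpNet"}),
    media_types=frozenset({"g", "a"}),
    channels=frozenset({1, 6, 11, 36, 40}),
)
OBSERVED = [
    ObservedAP("00:11:22:33:44:01", "CorpNet", "g", 6),     # legitimate
    ObservedAP("de:ad:be:ef:00:01", "FreeWiFi", "g", 6),    # unknown device
    ObservedAP("00:11:22:33:44:02", "CorpNet", "g", 3),     # known AP, wrong channel
    ObservedAP("00:11:22:33:44:01", "CorpNet", "g", 11),    # clone: passes every check
]

if __name__ == "__main__":
    for row in scan_report(OBSERVED, AUTH):
        print(row)
    print("duplicate BSSIDs:", duplicate_bssids(OBSERVED))
```

The fourth observed AP shows the limit of list matching: MAC, SSID, media type and channel are all attacker-controlled values, so the wired-side correlation from slide 14 (is that MAC also seen on a switch port?) remains the decisive check.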
  17. ROGUE AP BLOCKING
     Once a rogue AP is discovered, the next immediate step is to block it from the network so that authorized clients don't associate with it. There are two ways of blocking rogue APs:
     1. Tit for tat: launch a denial-of-service (DoS) attack on the rogue AP so that it denies wireless service to any new client.
     2. Pull it out of the network: either the WLAN administrator manually locates the AP and physically pulls it off the LAN, or the switch port to which the AP is connected is blocked.
  18. Launching a DoS attack on the rogue AP
     Most wireless IDS vendors follow this practice. This is a kind of offence used for defence. Once a rogue AP is detected, the WLAN administrator can use the sensor to launch a DoS attack on it by sending numerous disassociation packets.
  19. Blocking the switch port
     Wireless network management software offers this functionality. Once the rogue AP is detected, the software looks for the rogue AP's MAC address in all the switches connected to the LAN. The port at which the MAC is connected can then be blocked for any LAN traffic. This is a very effective technique.
  20. Wireless intrusion detection systems (WIDS)
     In order to protect our network we need to ensure that we know:
     • where all access points reside on our network;
     • what actions to take to close down any unauthorised access points that do not conform to the company security standards;
     • which wireless users are connected to our network;
     • what unencrypted data is being accessed and exchanged by those users.
     To do this we must monitor our air space using a Wireless Intrusion Detection System.
  21. What is a WIDS?
     • For an enterprise to protect itself from abuse of its information, it must monitor the events occurring in its computer systems or network and analyze them for signs of intrusion. To do this, the enterprise must install an Intrusion Detection System (IDS).
     • The first thing to clarify is that an IDS is not a firewall! Firewalls are designed to be outward looking and to limit access between networks in order to prevent an intrusion from happening. An IDS watches the wired and wireless network from the inside and reports or alarms depending on how it evaluates the network traffic it sees. It continually monitors for access points to the network and is able, in some cases, to compare the security controls defined on an access point with predefined company security standards and either reset or close down any non-conforming APs it finds.
  22. FIREWALL VS IDS
     • A firewall cannot detect security breaches associated with traffic that does not pass through it. Only an IDS is aware of traffic in the internal network.
     • Not all access to the Internet occurs through the firewall.
     • A firewall does not inspect the content of the permitted traffic.
     • A firewall is more likely to be attacked, and attacked more often, than an IDS.
     • A firewall is usually helpless against tunneling attacks.
     • An IDS is capable of monitoring messages from other pieces of the security infrastructure.
  23. TYPES:
     • Misuse IDS, or signature-based detection as it is sometimes known, looks for network attack sequences or events that match a predefined pattern (or signature). This method is only as good as the signatures provided to it, however, and relies on regular signature updates to keep up with known attacks. The advantage of this method is that there are few false alarms, or false positives, when attacks are detected.
     • Anomaly detection, on the other hand, relies on the administrator to define normal traffic behaviour on the network, such as the typical packet size. The sensors then monitor the network for deviations from this normal behaviour and alert when anomalies are discovered. This method can produce a number of false alarms, and such systems rely heavily on being 'trained' in what is normal network traffic and what is not.
  24. Network-based
     In a network-based IDS, or NIDS, the traffic flowing through a network is analysed. A NIDS is able to detect malicious packets that are designed to be overlooked by a firewall's filtering rules. It analyses traffic at all seven layers of the OSI model.
     Host-based systems
     In a host-based system, or HIDS, the IDS examines the activity on each individual computer and system-specific settings such as software calls, local security policy, local log audits, and more. This is done by installing a software client on the host which, again, detects known attack patterns, but only against the host the client is installed on.
     Passive IDS or reactive IDS: a passive IDS detects suspicious network traffic, logs the information and signals an alert. A reactive IDS responds to the suspicious traffic by logging off a user or closing down an AP.
  25. Wireless Intrusion Detection Systems Placement
     Wireless intrusion detection systems monitor a WLAN using a mixture of hardware and software called intrusion detection sensors. The sensor sits on the 802.11 network and examines all network traffic. To help decide where to place sensors, some detailed analysis must first be carried out on the site of the WLAN:
     • What kind of building or location is it? Steel framed or wooden? (A steel-framed building limits the wireless transmitter's range.)
     • Are there areas of the site that have to be kept segregated? (In a built-up area there will be mixed businesses, or a payroll department may need to be segregated in a large company, for example.)
  26. • What MAC addresses are in use? (This list can be used as a baseline for comparison.)
     • What authorised access points already exist? (Again, this list can be used as a baseline for future comparisons.)
     • Based on this information, and on information gathered from sniffing the wireless network using open source software such as Kismet, we can easily build up a picture of what our WLAN looks like: where our APs are located, who uses them, from where, how strong the radio signals are and how strong they need to be.
  27. Ways to connect a sensor to the network:
     • INLINE
     • PASSIVE
     • NETWORK TAP
     Once we have our sensors on the network, the APs' signal strength can be calibrated or blocked to ensure appropriate coverage, the network traffic can be analysed and, if we have decided on a misuse type of IDS, compared against a signature file for attack patterns and known vulnerabilities. If an attack pattern is detected, the sensor can send an alert to a central console, a member of staff or a managed security service provider for appropriate response and action.
  28. TECHNICAL EXPERTISE:
     • IDS security analysts who can interpret the alerts and make sense of the output
     • IDS software programmers to program the correlation tools
     • IDS database administrators
     Limitations: To be effective, an IDS must run online, in real time. Offline, or after-the-event, IDS is useful as an audit trail but will not prevent an attack from taking place. A real-time IDS needs to stream data across the network from the sensors to a central point where it can be stored and analysed, sometimes known as a correlation server. This 'additional' network traffic running concurrently can significantly impact network performance, so sufficient bandwidth is a prerequisite.
  29. EFFICIENCY
     • Intrusion detection systems should by now be very effective on false positives and false negatives. As is the case for any intrusion detection system, false positives are a serious issue that can prevent the technology from being effective.
     • If a high rate of false positives is observed, confidence in the intrusion detection techniques decreases drastically and the alarms will be deactivated or deleted.
     • The intrusion detection system must evoke confidence in the network administrators who will be in charge of operating it; if this is not the case, in practice the intrusion detection alarms will be ignored and the architecture will be abandoned.
  30. Wireless IDS can be deployed in one of two ways:
     1. Centralized
     2. Decentralized
     • In a decentralized environment each WIDS operates independently, logging and alerting on its own. This also means each WIDS has to be administered independently. In a large network this can quickly become overwhelming and inefficient, and it is therefore not recommended for networks with more than one or two access points.
  31. • The idea behind a centralized WIDS is that sensors are deployed that relay information back to one central point. This one point sends alerts and logs events, and serves as a single point of administration for all sensors. Another advantage of a centralized approach is that sensors can collaborate with one another in order to detect a wider range of events with more accuracy. In this approach there are three main ways in which sensors can be deployed.
     a. The first is by using existing access points (APs). Some access points on the market are able to function simultaneously as an AP and as a WIDS sensor. This option has the potential to be less expensive than the others, but there is a downside: using the AP for both functions reduces its performance, potentially creating a "bottleneck" on the network.
  32. b. The second option is to deploy "dumb" sensors. These devices simply relay all information to the central server and rely on the server to detect all events. While inexpensive, sending all information back to a central point impacts the performance of the wired network and creates a single point of failure at the server.
     c. The third option is the use of intelligent sensors. These devices actively monitor and analyze wireless traffic, identify attack patterns and rogue devices, and look for deviations from the norm. They then report these events back to the central server and allow an administrator to invoke countermeasures.
  33. These architectures schematically need to:
     • listen to the wireless network, which is quite easy thanks to a wireless network card in "monitor" mode;
     • analyze the wireless traffic captures, using either a static signature rule set or anomaly detection algorithms (for example, to detect MAC spoofing); these components are the core of the intrusion detection system;
     • transmit the events to a central collector;
     • aggregate events to reduce the overall number of events stored in the database;
  34. • correlate events in order to reduce their number and also to enrich their semantics (typically, a large number of de-authentications during a certain timeslot is likely to be a denial-of-service attack);
     • detect whether rogue access points are interfering (neighbours), legitimate or illegitimate;
     • enrich the events database to provide the network administrator with precise alerts.
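The aggregation and correlation steps from slides 33 and 34, worked on the example the slide itself gives: many de-authentication frames from one source inside a short timeslot are collapsed into a single denial-of-service alert. This is an added example, not a component of any WIDS named on the slides; the sensor event format ("timestamp frame-type src=mac dst=mac") and the event lines are constructed, and events are assumed to arrive in time order per source.

```python
"""Event aggregation and correlation for a WIDS collector (added example).

Input lines are constructed sensor events of the form
  <ISO-8601 UTC timestamp> <frame-type> src=<mac> dst=<mac>
A real sensor emits its own format; only parse_event() would change.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<kind>\w+) "
    rf"src=(?P<src>{MAC}) dst=(?P<dst>{MAC})$")


def parse_event(line):
    """(timestamp, kind, src, dst) for a well-formed line, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["kind"], m["src"], m["dst"]


def correlate_deauth(lines, threshold=20, window=timedelta(seconds=10)):
    """Aggregate deauth/disassoc frames per source and raise one alert per
    source once `threshold` frames fall inside a sliding `window`.

    Returns (alerts, per-source totals). Malformed lines are skipped."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    totals = defaultdict(int)     # aggregation: frames per source
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev[1] not in ("deauth", "disassoc"):
            continue
        ts, _kind, src, _dst = ev
        totals[src] += 1
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)               # correlation: one alert, not N events
            span = (ts - q[0]).total_seconds()
            alerts.append({"src": src, "count": len(q), "first": q[0], "last": ts,
                           "msg": f"deauthentication flood from {src}: "
                                  f"{len(q)} frames in {span:.0f}s"})
    return alerts, dict(totals)


# Constructed sample: 30 broadcast deauths in six seconds from one source,
# two ordinary deauths from the legitimate AP, a beacon and a malformed line.
ATTACKER = "de:ad:be:ef:00:01"
LEGIT_AP = "00:11:22:33:44:01"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_LINES = (
    [f"2024-01-12T10:23:{i // 5:02d}Z deauth src={ATTACKER} dst={BCAST}" for i in range(30)]
    + [f"2024-01-12T10:23:01Z deauth src={LEGIT_AP} dst=aa:bb:cc:00:00:07",
       f"2024-01-12T10:23:04Z deauth src={LEGIT_AP} dst=aa:bb:cc:00:00:08",
       f"2024-01-12T10:23:05Z beacon src={LEGIT_AP} dst={BCAST}",
       "garbage line from a flaky sensor"]
)

if __name__ == "__main__":
    found, counts = correlate_deauth(SAMPLE_LINES)
    for a in found:
        print(a["msg"])
    print("frames per source:", counts)
```

The threshold and window are the tuning knobs that decide the false-positive rate discussed on slide 29: a legitimate AP also sends de-authentications when clients roam or time out, so the burst rate, not the mere presence of the frame, is what the rule keys on.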
  35. Wireless intrusion prevention systems
     • Intrusion detection has a serious drawback: it only provides detection. Intrusion prevention tries to mitigate the identified risks by using techniques that stop the attacks from being effective.
     • Today, most wireless intrusion detection vendors provide means to achieve prevention. For example, it can be useful to prevent legitimate clients from connecting to a rogue access point.
     • If the detection system detects a rogue access point interconnected with the internal networks, that represents a serious threat for the company. However, a pure detection system can do nothing beyond sending alarms to the security operators, who then have to mitigate the issue manually. During that reaction period, malicious activity may occur and nobody prevents it. This is one of the reasons why wireless intrusion prevention systems were designed: to prevent the exploitation of wireless security issues.
  36. A typical wireless intrusion prevention system consists of:
     • wireless sensors, used to monitor and analyze activity;
     • a management server, which receives information from the sensors and performs analysis;
     • a database server, used to store the event information generated by sensors and management servers;
     • a console, which is the interface for users and administrators;
     • users and administrators.
  37. In a wireless intrusion prevention system, a normal sensor cannot monitor all the traffic on a band (which consists of several channels) simultaneously; it can monitor only a single channel at a time. To cover multiple channels it uses a technique called channel scanning, which involves monitoring each channel a few times per second. To reduce or avoid this limitation, there are specialized sensors that use several radio modules and can monitor several channels at the same time. Intrusion prevention systems detect incidents using mainly three methodologies:
     • signature-based,
     • anomaly-based,
     • stateful protocol analysis.
  38. Signature-based detection involves comparing signatures against observed events in order to identify possible incidents; this method is very effective at detecting known threats but gives poor results against previously unknown threats. Anomaly-based detection involves creating 'normal' activity patterns and comparing the observed events against these patterns. The intrusion detection/prevention system has an initial training phase, in which it learns the normal behaviour and creates profiles, which are then used as the baseline for comparison.
  39. A static profile is determined in the training phase and remains unchanged, whereas a dynamic profile is constantly adjusted as additional events are observed. Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity, for each protocol state, against observed events to identify deviations.
  40. The main types of events that can be detected by wireless intrusion prevention systems are:
     • unauthorized WLANs and WLAN devices (rogue APs, unauthorized stations, unauthorized WLANs);
     • poorly secured WLAN devices (misconfigurations, use of weak WLAN protocols and implementations);
     • unusual usage patterns (using anomaly-based detection);
     • the use of wireless network scanners (obviously only active scanners can be detected);
     • denial of service (DoS) attacks (flooding, jamming);
     • impersonation and man-in-the-middle attacks.
  41. Prevention
     The prevention capabilities consist of wireless actions (such as terminating the connections between a rogue or misconfigured station and an authorized AP by sending disassociation messages to the endpoints) and wired actions (such as blocking the switch port to which a particular station or AP is connected). Another feature of most wireless intrusion prevention systems is tracking the location of the threat by triangulation: the approximate distance from each of several sensors is estimated from the strength of the threat's signal as received by that sensor, and the physical location is calculated from these distances.
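The location-tracking feature from slide 41, carried through in code: each sensor's received signal strength is turned into a range with a log-distance path-loss model, and the ranges from three or more sensors are combined by linearised least squares. This is an added example, not a vendor's algorithm; the model constants P0 and n, the sensor coordinates and the RSSI readings are constructed, and the readings are generated from the model itself so that the recovered position can be checked exactly.

```python
"""Locating a transmitter from per-sensor RSSI (added example, not from the slides).

Ranges come from the log-distance path-loss model
    RSSI(d) = P0 - 10 * n * log10(d / d0)
where P0 is the received power at reference distance d0 and n the path-loss
exponent; both are constructed here and would be calibrated on site.
"""
import math


def rssi_to_distance(rssi_dbm, p0_dbm=-40.0, n=2.5, d0=1.0):
    """Invert the path-loss model: estimated distance in metres."""
    return d0 * 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def distance_to_rssi(d, p0_dbm=-40.0, n=2.5, d0=1.0):
    """Forward model, used here only to construct readings."""
    return p0_dbm - 10 * n * math.log10(d / d0)


def trilaterate(sensors, distances):
    """Least-squares (x, y) from sensor coordinates and range estimates.

    Subtracting the first sensor's circle equation from each other one gives
    linear equations 2(x1-xi)x + 2(y1-yi)y = ri, solved through the 2x2
    normal equations; extra sensors average out range errors.
    """
    if len(sensors) < 3 or len(sensors) != len(distances):
        raise ValueError("need at least three sensors with matching distances")
    (x1, y1), d1 = sensors[0], distances[0]
    saa = sab = sbb = sar = sbr = 0.0
    for (xi, yi), di in zip(sensors[1:], distances[1:]):
        a, b = 2 * (x1 - xi), 2 * (y1 - yi)
        r = di ** 2 - d1 ** 2 - xi ** 2 + x1 ** 2 - yi ** 2 + y1 ** 2
        saa += a * a
        sab += a * b
        sbb += b * b
        sar += a * r
        sbr += b * r
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    x = (sbb * sar - sab * sbr) / det
    y = (saa * sbr - sab * sar) / det
    return x, y


def locate_from_rssi(sensors, rssi_readings, **model):
    """Full pipeline: RSSI per sensor -> range per sensor -> position."""
    return trilaterate(sensors, [rssi_to_distance(r, **model) for r in rssi_readings])


# Constructed scenario: four sensors at the corners of a 20 m x 20 m floor and
# a transmitter at (6, 9). Readings are what each sensor would see under the
# model with no multipath noise.
SENSORS = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0), (20.0, 20.0)]
TRUE_POS = (6.0, 9.0)
READINGS = [distance_to_rssi(math.dist(s, TRUE_POS)) for s in SENSORS]


def demo():
    return locate_from_rssi(SENSORS, READINGS)


if __name__ == "__main__":
    x, y = demo()
    print(f"estimated position: ({x:.2f}, {y:.2f}) m, true: {TRUE_POS}")
```

Indoors, multipath makes real RSSI readings swing by several dB, which the inverse model turns into metres of range error; that is why deployments use more than three sensors and why the slide says "approximate". The collinearity check matters in corridors, where sensors in a straight line cannot tell which side of the line the transmitter is on.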
  42. Geolocation Techniques
     An IDS can detect the intrusion, and from its alerts we can find the intruder's IP address, but an IP address alone does not tell us from which place the attack was generated. After tracking the intruders' IP addresses, our next objective is therefore to find the intruders' geolocation. IP-to-geolocation tracking is the technique of determining a user's geographic latitude and longitude and, by inference, city, region and nation, by comparing the user's public Internet IP address with the known locations of other, electronically neighbouring servers and routers.
  43. Advantage of Geolocation Tracking:
     Tracking the intruders' IP addresses and plotting the trace on a geographical map gives a clear picture of whether the attack is distributed and initiated from multiple countries, or initiated from one specific country or region. This may be vital information for the organization when deciding on further action or precautionary measures.
  44. SYSTEM ARCHITECTURE:
     The overall system (Figure 2) works on IDS alert analysis. Each alert generated by the IDS is written to the IDS alert log. All the alerts in the log are further analyzed to track the intruder's source IP address. Once the correct source IP address of the intruder is confirmed, it is passed to the API, which maps the source IP address onto a geographical map.
  45. • Implementation Detail
     We implemented the system using Snort and the Google API for geolocation mapping of intruders. Snort is the well-known open source IDS software that detects intrusion events. Snort logs these events to an alert file. The intruder's IP address is analyzed and traced back. The traced IP address is passed to the Google Geolocation API, which enables a web application to:
     • obtain the user's current position, using the getCurrentPosition method;
     • watch the user's position as it changes over time, using the watchPosition method;
     • quickly and cheaply obtain the user's last known position, using the lastPosition property.
  46. The Geolocation API provides the best estimate of the user's position using a number of sources (called location providers). These providers may be onboard (GPS, for example) or server-based (a network location provider). The getCurrentPosition and watchPosition methods support an optional parameter of type PositionOptions which lets you specify which location providers to use.
     • EVALUATION: The geolocation of intruders is obtained by tracking the intruders' IP addresses using databases that map Internet IP addresses to geographic locations. Google uses MaxMind's database for mapping IP addresses to a geographical location. They claim it is 99% accurate. The fine print is that it is 99% accurate in determining the country, but pinpointing the exact position is still a challenging issue that needs to be addressed.
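The IDS-alert-to-map pipeline of slides 44 to 46, reduced to the part that runs offline: parsing Snort's fast-format alert lines for the source address, looking it up in an IP-to-location table, and answering the question slide 43 asks (one country, or several?). This is an added example, not the slides' system: the alert lines are constructed in Snort's alert_fast layout using documentation address ranges, and the lookup table is a constructed stand-in for a commercial GeoIP database such as MaxMind's, with the country labels "Country-A"/"Country-B" invented for the example.

```python
"""From Snort fast alerts to a per-country picture of attack sources (added example)."""
import ipaddress
import re
from collections import Counter

# One Snort alert_fast line:
#   <date>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

# Constructed lookup table: prefix -> (country, city). A real deployment queries
# a GeoIP database; as slide 46 notes, the country is the reliable part.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("Country-A", "City-A")),
    (ipaddress.ip_network("198.51.100.0/24"), ("Country-B", "City-B")),
]
# Addresses that can never be geolocated: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_alert(line):
    """Dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def geolocate(ip_str):
    """(country, city) for a routable address, None for an internal one."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return None
    for net, loc in GEO_TABLE:
        if ip in net:
            return loc
    return ("unknown", "unknown")


def summarize(lines):
    """Alerts per country, distinct sources, and whether several countries appear."""
    by_country, sources, unparsed = Counter(), set(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
            continue
        sources.add(alert["src"])
        loc = geolocate(alert["src"])
        by_country[loc[0] if loc else "internal"] += 1
    external = [c for c in by_country if c != "internal"]
    return {"by_country": dict(by_country), "distinct_sources": len(sources),
            "unparsed": unparsed, "multi_country": len(external) > 1}


# Constructed alert file contents (documentation ranges only).
SAMPLE_ALERTS = [
    "01/12-10:23:45.123456  [**] [1:1000001:1] CONSTRUCTED SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:4321 -> 192.0.2.10:22",
    "01/12-10:23:46.000001  [**] [1:1000002:1] CONSTRUCTED web scan [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.77:51000 -> 192.0.2.10:80",
    "01/12-10:24:01.500000  [**] [1:1000003:1] CONSTRUCTED SMB probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:33 -> 192.0.2.10:445",
    "01/12-10:24:02.000000  [**] [1:1000004:2] CONSTRUCTED ICMP sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10",
    "01/12-10:24:03.000000  [**] [1:1000001:1] CONSTRUCTED SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.8:1234 -> 192.0.2.10:22",
    "-- not an alert line --",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```

The internal-address branch is the check a practitioner wants before plotting anything: an alert whose source is an RFC 1918 address is a sign of a compromised internal host (or a misplaced sensor), and feeding it to a geolocation API only produces a meaningless map point.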
  47. Honeypots
     A honeypot is a deception trap, designed to entice an attacker into attempting to compromise the information systems. Honeypots are typically virtual machines designed to emulate real machines. A honeypot works by fooling attackers into believing it is a legitimate system; they attack the system without knowing that they are being observed covertly. When an attacker attempts to compromise a honeypot, attack-related information, such as the attacker's IP address, is collected. The attacker's activity provides valuable information and analysis on attacking techniques, allowing system administrators to "trace back" to the source of the attack if required.
  48. CLASSIFICATION OF HONEYPOTS
     Low-interaction honeypots: Low-interaction honeypots work by emulating certain services and operating systems and allow only limited interaction. The attacker's activities are limited to the level of emulation provided by the honeypot. For example, an emulated FTP service listening on a particular port may only emulate an FTP login, or it may further support a variety of additional FTP commands.
  49. The advantages of low-interaction honeypots are that they are simple and easy to deploy and maintain. In addition, the limited emulation available and/or allowed on low-interaction honeypots reduces the potential risks of using them in the field. However, with low-interaction honeypots only limited information can be obtained, and experienced attackers may easily recognise a honeypot when they come across one.
     Example: Façades. A façade is a software emulation of a target service or application that provides a false image of a target host. When a façade is probed or attacked, it gathers information about the attacker.
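The FTP-login façade that slides 48 and 49 use as their example, written as a protocol state machine with no network code so its behaviour can be checked line by line. This is an added example, not a honeypot from the slides: the banner text, the session transcript and the per-session command cap are constructed. It emulates only the greeting and the USER/PASS exchange, never accepts a login, logs every attempt, and answers everything else with a 502, which is exactly the "limited interaction" the slide describes.

```python
"""Low-interaction FTP façade as a pure state machine (added example).

No command is ever executed on the host: the façade only maps a command line
to a canned reply and a log entry. A socket wrapper (e.g. socketserver) would
feed it one line at a time; that wrapper is deliberately left out here.
"""

BANNER = "220 FTP server ready"       # constructed banner text
MAX_COMMANDS = 50                      # cap on interaction per session (constructed)


class FtpFacade:
    def __init__(self, peer):
        self.peer = peer               # remote address, for the log
        self.pending_user = None
        self.commands_seen = 0
        self.log = []                  # (peer, event, detail) tuples

    def greet(self):
        self.log.append((self.peer, "connect", ""))
        return BANNER

    def handle(self, line):
        """Reply for one command line; 421 once the per-session cap is hit."""
        self.commands_seen += 1
        if self.commands_seen > MAX_COMMANDS:
            self.log.append((self.peer, "cap", "too many commands"))
            return "421 Service not available, closing control connection"
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        self.log.append((self.peer, "command", line.strip()))
        if cmd == "USER":
            self.pending_user = arg
            return "331 Password required"
        if cmd == "PASS":
            # The credential pair is the information the façade exists to gather.
            self.log.append((self.peer, "login_attempt", f"{self.pending_user}:{arg}"))
            self.pending_user = None
            return "530 Login incorrect"
        if cmd == "QUIT":
            return "221 Goodbye"
        return "502 Command not implemented"


def run_session(peer, lines):
    """Drive one session; stops on QUIT (221) or on the cap (421)."""
    facade = FtpFacade(peer)
    replies = [facade.greet()]
    for line in lines:
        replies.append(facade.handle(line))
        if replies[-1].startswith(("221", "421")):
            break
    return replies, facade.log


def login_attempts(log):
    """Just the username:password pairs seen in a session log."""
    return [detail for _peer, event, detail in log if event == "login_attempt"]


# Constructed session transcript from a constructed peer address.
SAMPLE_SESSION = ["USER anonymous", "PASS guest@", "SYST", "QUIT"]

if __name__ == "__main__":
    replies, log = run_session("198.51.100.9", SAMPLE_SESSION)
    print("\n".join(replies))
    print("login attempts:", login_attempts(log))
```

The command cap is the one piece of self-protection even a façade needs: an attacker who cannot get in can still hold the connection open and feed it commands forever, so the session budget bounds what a single peer can cost the sensor.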
  50. • High-interaction honeypots: High-interaction honeypots are more complex, as they involve real operating systems and applications. For example, a real FTP server is built if the aim is to collect information about attacks on a particular FTP server or service. By giving attackers real systems to interact with, no restrictions are imposed on attack behaviour, and this allows administrators to capture extensive details about the full extent of an attacker's methods. However, attackers might take over a high-interaction honeypot system and use it as a stepping-stone to attack other systems within the organisation. Therefore, sufficient protection measures need to be implemented accordingly. In the worst case, the network connection to the honeypot may need to be cut to prevent attackers from penetrating further into the network and machines beyond the honeypot system itself.
  51. • Example: Sacrificial Lambs. A sacrificial lamb is a system intentionally left vulnerable to attack. The administrator examines the honeypot periodically to determine whether it has been compromised and, if so, what was done to it. Additional data, such as a detailed trace of the commands sent to the honeypot, can be collected by a network sniffer deployed near the honeypot. However, these honeypots are "live" and thus present a possible jumping-off point for an attacker. Additional deployment considerations must be made in order to isolate and control the honeypot, such as firewalls or other network control devices, or completely disconnecting the honeypot from the internal network.
  52. HONEYPOT DEPLOYMENT STRATEGIES
     1. Install honeypots alongside regular production servers. The honeypot will likely need to mirror some real data and services from the production servers in order to attract attackers. The security of the honeypot can be loosened slightly to increase its chance of being compromised. The honeypot can then collect attack-related information. However, if a successful attack takes place on a honeypot within the network, that compromised honeypot machine might be used to scan for other potential targets in the network.
  53. This is the main drawback of installing honeypots within the production system. With other honeypot deployment methods (some of which are outlined below) this would not happen, as the whole honeynet can itself be a fictitious network.
     2. Pair each server with a honeypot, and direct suspicious traffic destined for the server to the honeypot. For instance, traffic to TCP port 80 can be directed to the web server's IP address as normal, while all other traffic to the web server is directed towards the honeypot. To camouflage the honeypot, a certain amount of data, such as the website contents of a web server, may need to be replicated on the honeypot.
  54. 3. Build a honeynet, which is a network of honeypots that imitates and replicates an actual or fictitious network. To attackers this appears as if many different types of applications are available on several different platforms. A honeynet offers an early warning system against attacks and provides an excellent way to analyse and understand an attacker's intention, by looking at what kinds of machines and services have been attacked and what types of attacks have been conducted.
  55. A CASE STUDY: Distributed Honeynet System
     Scope
     • Collection of malware/bot samples
     • Detection of bots
     • Finding and detecting the latest attack trends
  56. Development of DHS
     Distributed collection system
     • Development of a malware collection mechanism
     • Development of client-server-architecture-based, dynamically configurable honeynet nodes
     • Development of an integrated web-based framework for managing, controlling and visualizing the DHS
     DHS analysis system
     • Applied a supervised learning algorithm to develop a classification mechanism that segregates bots based on native API calls
     • System for botnet detection from honeynet data (freezing the scope and restricting it to IRC and HTTP C&C server detection)
  57. Technical details
     Collection system: malware collection framework. To capture the entire spectrum of malware, hybrid honeypots were used: a combination of high-interaction and low-interaction honeypots was configured. Scalability was another parameter considered. To avoid detection, an IP switching technique was used. The following solution was developed for autonomously spreading malware binaries, which propagate by exploiting known and unknown vulnerabilities:
     • Directory watcher
     • File extractor
     • Submitter
  58. Botnet Detection
     • Dynamic malware analysis for bot segregation
     • Bot detection using native API call sequence mining
     • Polymorphic malware
     • Bot detection using the system's persistence behaviour pattern
     • Behaviour in terms of system state changes and network behaviour rather than patterns of system calls
     • Bot detection using the BotHunter tool
  59. CONCLUSION
     802.11-based wireless honeypots are a low-cost option for observing potential malicious uses of open wireless access points. This is quite different from a WIDS, but it is an additional source of information regarding attacks from the wireless side. Even if honeypots, and especially wireless honeypots, are not widely deployed and are mostly dedicated to research, these technologies are valuable whenever you want to evaluate the real risks you are facing. The main drawback is the manpower needed to deploy and operate the honeypot architecture.
  60. However, honeypots do have their drawbacks. Because they only track and capture activity that directly interacts with them, they cannot detect attacks against other systems in the network. Furthermore, deploying honeypots without enough planning and consideration may introduce more risk to an existing network: honeypots are designed to be exploited, and there is always a risk of them being taken over by attackers and used as a stepping-stone to gain entry to other systems within the network. This is perhaps the most controversial drawback of honeypots.