Editor Jacotech, profile picture
Uploaded byEditor Jacotech
213 views

1376841709 17879811

This paper proposes using a honeypot to improve the efficiency of intrusion detection systems (IDS) in detecting zero-day attacks. It presents a network architecture that deploys a honeypot and uses packet analysis tools to generate IDS signatures for new attacks. The honeypot records an attacker's activities without their knowledge. The recorded data is analyzed to write custom IDS rules matching payloads to detect similar future attacks. This allows the IDS to identify threats even without prior signatures.

Embed presentation

Download to read offline
Journal of Advanced Computing and Communication Technologies (ISSN: 2347 - 2804) Volume No.1 Issue No. 1, August 2013 An Approach to for Improving the Efficiency of IDS System Using Honeypot By Khushboo Saxena, Akanksha Saxena,Seema Arya Technocrats Institute of Technology,Bhopal,India Suresh Gyan Vihar University, Jaipur,India sxn.khushboo@gmail.com, akanksha.saxena23@gmail.com,seema.aarya@gmail.com ABSTRACT Increasing technology space has pressurized the orgainsational enviroment to safegraurd its network from outside as well as inside attack. Any malicious intrusion can dragdown a highly reputed organisation to the floors of defamation and even insolvency. Henceforth network security is one of the biggest challenge for organisation. Although traditional concepts of firewall and intrusion detction system is prevailing yet there is a need to secure the enviroment from the so called zero day attacks. Attackers every now and then generate exploits to penetrate the secure network enviroment and the existing known signatures are not able to detect such an attack. This paper brings forth the concept of deployment of honeypot so as to make the IDS system more effective and efficient for the zero day attack leading to least penetration to the network enviroment. This paper lays down a new network architecture so that the IDS system can be updated with the latest attack scenarios. The aforesaid objective is achived with the help of establishment of honeypot. Later tcpdump is used for he further analysis of payload so as to generate alert signautre in IDS(Snort v2.0). Keywords Keywords are your own designated keywords which can be used for easy location of the manuscript using any search engines. 1. INTRODUCTION The high use of internet in today’s IT world has purged in the concept of security deployment in the organization so as to make it almost immune to various upcoming attack scenarios. One of the critical areas is the protection of internal network from new attacks. Although the most desirable is the deployment of intrusion and prevention system in the network architecture but this system is still vulnerable to zero day attacks. The IDS generally includes signatures for known attacks and generates the alerts for the same but if any new attack penetrates the system then it lacks behind. To deal with this problem the concept of honeypot can be used along with any packet analyzing tool so as to generate signatures for zero-day attacks in IDS. The Intrusion Detection System specially involves two types of techniques: Anomaly Detection involving the detection based on behavior/heuristic rules and Misuse Detection involving the detection based on patterns and signatures. Anomaly detection lags behind as it requires too much time to detect the behavior and Misuse Detection lags behind for detection of new attack signature. So Honeypot is used as a tool to support the technique of Misuse Detection so that new attacks can be detected before they can harm internal network and the signature can be framed in the IDS to defend the network from internal and external threat of such attack in future. Honeypots are Bait Servers which are not the part of any production server in the organization and are just placed isolated so as to attract the attackers to plug and play with it and at its end it logs all the actions of the attacker so that it can be analyzed further to generate signatures for IDS. Attackers before making an attack performs a ping sweep and if the honeypot is pinged. As the request reaches the honeypot server it records all the activities, even the keystrokes typed by the attackers so every command entered by the attacker becomes a part of log to the honeypot server. It also stores all tools used by the intruders in records as a forensic machine. The given paper describes how the data returned from the honeypot server is used to write custom IDS rules. Thus new network architecture is designed to collect the response to write custom IDS rules by seeing the data payload and writing the rules matching the payload. . 1
Journal of Advanced Computing and Communication Technologies (ISSN: 2347 - 2804) Volume No.1 Issue No. 1, August 2013 2. RELATED WORK One of the drawback stumble upon with network intrusion detection systems is that the logging of failed connection attempts just occurs when services are not listening on a scanned port. When a RST signal terminates a TCP connection attempt, the system never logs the data packet that the remote machine was trying to send into the network. A honeypot as a one of the greatest security tool suggests a mechanism by completing the connection attempt and providing an attacker a false illusion of accessing the critical servers and then recording the interactions between the honeypot and the remote machine. Honeypot placement is one of the greatest issues to be taken care of to optimize the efficiency of the implemented Intrusion Detection System. Various network architectures are presented till now to achieve the aforesaid motive but the basic idea behind this as we suppose is detection of hackers scripts and actions to penetrate into the system and henceforth the proposed architecture is presented which will help the organizational security to build up patches for the existing loophole and make their system robust and stringent to attack scenarios. 3. PROPOSED DESIGN AND IMPLEMENTATION In this section we outline the requirements of the proposed infrastructure which is considered as a solution to decrease the malicious inflow of packets in the organizational environment and enhance the efficiency of IDS system deployed. The real honeypot server is used to safeguard the main server from if the hacker is able to compromise the honeypot server. Although it is hard to implement the real honeypot but it is desirable for large organizations as such servers do not hamper the production process in the organization and only IT staff is able to access the required logs. Neither the attacker nor the organizational staff knows where honeypot is placed. The given network architecture is used to develop an understanding as to why and how honeypots are used to enhance the work of IDS system. In this configuration, main network is a “TCP/IP based network” which contains clients and servers. Snort 2.0 is used as IDS and is capable to be configured with server. Honeyd is a honeypot system that is configured as a separate server and is connected to the main server. We assume a”switched network” in our approach, with a configurable switch which is connected to the main server and the respective clients. As the LAN architecture is developed in within a primary network henceforth the server is supported with two Ethernet cards eth0 and eth1. Eth0 directs the internet connection to the main sever and eth1 manages the intranet traffic within the private LAN 192.168.0.1. Fig 1.1 Deployment of IDS & honeypot in the LAN Architecture The attacker first performs a ping sweep attack to detect the available servers in the network and the honeypot server entices him to perform attacks to penetrate the network. Once the requests are directed to the honeypot server the incoming connection is established with the attacking system. As the attacker gets a feel of entering into the server it performs all his efforts to penetrate into different servers. Honeypot gives him the illusion of different servers and constantly interacts with him to record his activities and send the specific response to the syslog server for future analysis and investigation. 4. Experimental Setup To implement honeypot an additional tool Arpd is embedded in it. Honeypot cannot do everything alone and requires the help of Arpd. Arpd is used for ARP spoofing; this is what actually monitors the unused IP space and directs the attacks to the honeypot. Honeyd is only able to interact with attackers. For example if the aim is to monitor all the unused IPs in the 192.168.1.0/24 network, the required commands to start both Arpd and Honeyd are as follows: arpd 192.168.0.1/24 honeyd -p nmap.prints -f honeyd.conf 192.168.0.1/24 Based on the commands, the Arpd process monitors the unused IPs, directs all corresponding attacks to the honeyd and spoofs the victim’s IP address with the MAC address of the honeypot. For the honeyd command –p nmap.prints refers to the nmap fingerprint database and -f honeyd.conf is the honeyd configuration file. 2
Journal of Advanced Computing and Communication Technologies (ISSN: 2347 - 2804) Volume No.1 Issue No. 1, August 2013 Once the installation is honeypot server is completed the traffic directed to honeypot server is dumped o other system using packet analyzing tool tcpdump with the help of following command: tcpdump -nn -x -s 1500 host 192.168.0.145 -w store.cap The tcpdump command will dump all the malicious packets directed to the honeypot and hence will help in writing the snort rule set by analyzing the payload. 4.1 Writing of Snort Rules: Penetrating in the network to gain access by getting the etc/passwd file in the Linux environment or the password shadow file i.e. etc/shadow which contains the username and password of all users. No such rule is defined in the latest snort rule set. Suppose you get the following log generated in honeypot: # cat 44F75D6380122.shell :::::::::::::: GET/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/.. % 01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/. . %01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%0 1/. .%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..% 01/ ..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..% 01 /..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/.. %0 1/..%01/..%01/..%01/..%01/..%01//etc/shadow HTTP/1.1 Host: 202.174.22.145:10000 It is visible that the attacking port is 10000 thus port 10000 is of interest. The various ip addresses from where such request came can be filtered using tcpdump analysis. alert tcp any any -> any 10000 (content:"GET /unauthenticated/..%01/..%01/"; msg:"Get unauthenticated";) The point of concern here is that adding too much of payload may result in false negatives which will overall lower down the implementation of snort in organizational network. 5. Conclusion The Intrusion detection system can only give the optimum benefit if it is also able to detect those attacks for which signatures are not defined in its database. The area of work will be to give attention to this Snort limitation and thus increasing the scalability and responsiveness of the system towards the various types of attacks so as to achieve the motto of building a smart agile and secure system to face the new challenges of technological arena. Though honeypot deployment is a cost-effective solution for the security of large organization but in future refinement is required to elimination false alarm generations. 6. REFERENCES [1] Vidar Ajaxon Grønland: Building IDS signatures by means of a honeypot Norwegian Information system Laboratory. [2] Chi-Hung Chi , Ming Li Dongxi Liu : A method to obtain Signatures From Honeypots Data, School of Computing National University of Singapore [3] Babak Khosravifar, Jamal Bentahar: An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot. [4] Department of Electrical and Computer Engineering, Concordia University [5] Greg M. Bednarski and Jake Branson: Understanding Network Threats through Honeypot Deployment, Carnegie Mellon University March 2004. 4.2 Results and Discussion [6] Richard Hammer : Enhancing IDS using, Tiny Honeypot SANS Institute InfoSec Reading Room Once the analysis is done now it is the time to write the snort rule. By the analysis of the payload it is visible that the string started with “GET/unauthenticated/” thus following snort rule can be set: [7] Solution Base: What you need to know about honeypots http://articles.techrepublic.com.com/5100-22_115758218.html alert tcp $EXTERNAL_NET any -> $192.168.0.1 10000 (content:"GET /unauthenticated/"; msg:"Get unauthenticated";) Now any attack coming from the specified port will generate the alert to the administrator of penetration for unauthorized access in the network environment by the attacker. If the set rule has to be further customized then the following payload can be added: 3

More Related Content

PDF
Icmis
bySandeep Saxena
 
DOCX
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
byDisha Bedi
 
PDF
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
byijp2p
 
PDF
Review on Honeypot Security
byIRJET Journal
 
PPTX
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
byDisha Bedi
 
PPT
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
byWei-Yu Chen
 
PDF
Network Vulnerability and Patching
byEmmanuel Udeagha B.
 
DOCX
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
byDisha Bedi
 
Icmis
bySandeep Saxena
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
byDisha Bedi
 
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
byijp2p
 
Review on Honeypot Security
byIRJET Journal
 
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
byDisha Bedi
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
byWei-Yu Chen
 
Network Vulnerability and Patching
byEmmanuel Udeagha B.
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
byDisha Bedi
 

What's hot

PPT
Network Intrusion Detection System Using Snort
byDisha Bedi
 
PDF
Intrusion Detection System Project Report
byRaghav Bisht
 
PDF
IRJET - IDS for Wifi Security
byIRJET Journal
 
PDF
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
byJowin John Chemban
 
PPT
Intrusion detection system ppt
bySheetal Verma
 
PPT
Honeypots - Tracking the Blackhat Community
byamiable_indian
 
PPSX
Practical real-time intrusion detection using machine learning approaches
byFull Stack Developer at Electro Mizan Andisheh
 
PPTX
Intrusion Detection with Neural Networks
byantoniomorancardenas
 
PDF
Remotely Scanning Organization’s Internal Network
byijtsrd
 
PDF
20320140501016
byIAEME Publication
 
PDF
Paper sharing_Edge based intrusion detection for IOT devices
byYOU SHENG CHEN
 
PDF
Defense mechanism for d do s attack through machine learning
byeSAT Publishing House
 
PDF
An Extensive Survey of Intrusion Detection Systems
byIRJET Journal
 
PDF
M0704071074
byIJERD Editor
 
PDF
Efficient String Matching Algorithm for Intrusion Detection
byeditor1knowledgecuddle
 
DOCX
Intrusion Detection System
byDevil's Cafe
 
PDF
International Journal of Computer Science and Security Volume (1) Issue (3)
byCSCJournals
 
PPT
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
PDF
N44096972
byIJERA Editor
 
Network Intrusion Detection System Using Snort
byDisha Bedi
 
Intrusion Detection System Project Report
byRaghav Bisht
 
IRJET - IDS for Wifi Security
byIRJET Journal
 
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
byJowin John Chemban
 
Intrusion detection system ppt
bySheetal Verma
 
Honeypots - Tracking the Blackhat Community
byamiable_indian
 
Practical real-time intrusion detection using machine learning approaches
byFull Stack Developer at Electro Mizan Andisheh
 
Intrusion Detection with Neural Networks
byantoniomorancardenas
 
Remotely Scanning Organization’s Internal Network
byijtsrd
 
20320140501016
byIAEME Publication
 
Paper sharing_Edge based intrusion detection for IOT devices
byYOU SHENG CHEN
 
Defense mechanism for d do s attack through machine learning
byeSAT Publishing House
 
An Extensive Survey of Intrusion Detection Systems
byIRJET Journal
 
M0704071074
byIJERD Editor
 
Efficient String Matching Algorithm for Intrusion Detection
byeditor1knowledgecuddle
 
Intrusion Detection System
byDevil's Cafe
 
International Journal of Computer Science and Security Volume (1) Issue (3)
byCSCJournals
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
N44096972
byIJERA Editor
 

Viewers also liked

PDF
1376842823 2982373
byEditor Jacotech
 
PDF
Corporate social responsibility of chemical fertlizer companies – a study wit...
byEditor Jacotech
 
PDF
Implementation and evaluation of novel scheduler of UC/OS (RTOS)
byEditor Jacotech
 
PDF
1376842823 2982373
byEditor Jacotech
 
PDF
Dynamic watermarking
byEditor Jacotech
 
PDF
Quantum computation a review
byEditor Jacotech
 
PDF
1377179967 42797809
byEditor Jacotech
 
PDF
Traffic detection system using android
byEditor Jacotech
 
PDF
Codes from the cyclic group of order three
byEditor Jacotech
 
1376842823 2982373
byEditor Jacotech
 
Corporate social responsibility of chemical fertlizer companies – a study wit...
byEditor Jacotech
 
Implementation and evaluation of novel scheduler of UC/OS (RTOS)
byEditor Jacotech
 
1376842823 2982373
byEditor Jacotech
 
Dynamic watermarking
byEditor Jacotech
 
Quantum computation a review
byEditor Jacotech
 
1377179967 42797809
byEditor Jacotech
 
Traffic detection system using android
byEditor Jacotech
 
Codes from the cyclic group of order three
byEditor Jacotech
 

Similar to 1376841709 17879811

PDF
Ananth1
byShiva Krishna Chandra Shekar
 
PDF
Network Security Using IDS, IPS & Honeypot
bypaperpublications3
 
PDF
Analysis of Honeypot Networks and Intrusion Prevention System IPS on Wireless...
byijtsrd
 
PDF
Modern Attack Detection using Intelligent Honeypot
byIRJET Journal
 
PDF
Paper id 312201513
byIJRAT
 
PDF
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
byIJERA Editor
 
PDF
A honeynet framework to promote enterprise network security
byIAEME Publication
 
PPTX
Honey pots
byAlok Singh
 
PPTX
HONEYPOTS: Definition, working, advantages, disadvantages
byamit kumar
 
PDF
DESIGN AND EFFICIENT DEPLOYMENT OF HONEYPOT AND DYNAMIC RULE BASED LIVE NETWO...
byIJNSA Journal
 
PDF
Honeypot Methods and Applications
byijtsrd
 
DOC
Honeypots
byShiva Krishna Chandra Shekar
 
PDF
Olll
bynannukaur
 
PDF
Honeypot- An Overview
byIRJET Journal
 
PDF
Ananth3
byShiva Krishna Chandra Shekar
 
PDF
Em36849854
byIJERA Editor
 
PDF
Seminar Report on Honeypot
byAmit Poonia
 
PDF
IRJET- A Review on Honeypots
byIRJET Journal
 
PDF
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORT
byIJMIT JOURNAL
 
PDF
IRJET- Data Security using Honeypot System
byIRJET Journal
 
Ananth1
byShiva Krishna Chandra Shekar
 
Network Security Using IDS, IPS & Honeypot
bypaperpublications3
 
Analysis of Honeypot Networks and Intrusion Prevention System IPS on Wireless...
byijtsrd
 
Modern Attack Detection using Intelligent Honeypot
byIRJET Journal
 
Paper id 312201513
byIJRAT
 
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
byIJERA Editor
 
A honeynet framework to promote enterprise network security
byIAEME Publication
 
Honey pots
byAlok Singh
 
HONEYPOTS: Definition, working, advantages, disadvantages
byamit kumar
 
DESIGN AND EFFICIENT DEPLOYMENT OF HONEYPOT AND DYNAMIC RULE BASED LIVE NETWO...
byIJNSA Journal
 
Honeypot Methods and Applications
byijtsrd
 
Honeypots
byShiva Krishna Chandra Shekar
 
Olll
bynannukaur
 
Honeypot- An Overview
byIRJET Journal
 
Ananth3
byShiva Krishna Chandra Shekar
 
Em36849854
byIJERA Editor
 
Seminar Report on Honeypot
byAmit Poonia
 
IRJET- A Review on Honeypots
byIRJET Journal
 
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORT
byIJMIT JOURNAL
 
IRJET- Data Security using Honeypot System
byIRJET Journal
 

More from Editor Jacotech

PDF
Performance of Wideband Mobile Channel with Perfect Synchronism BPSK vs QPSK ...
byEditor Jacotech
 
PDF
MOVIE RATING PREDICTION BASED ON TWITTER SENTIMENT ANALYSIS
byEditor Jacotech
 
PDF
Non integer order controller based robust performance analysis of a conical t...
byEditor Jacotech
 
PDF
FACTORS CAUSING STRESS AMONG FEMALE DOCTORS (A COMPARATIVE STUDY BETWEEN SELE...
byEditor Jacotech
 
PDF
ANALYSIS AND DESIGN OF MULTIPLE WATERMARKING IN A VIDEO FOR AUTHENTICATION AN...
byEditor Jacotech
 
PDF
The Impact of Line Resistance on the Performance of Controllable Series Compe...
byEditor Jacotech
 
PDF
Security Strength Evaluation of Some Chaos Based Substitution-Boxes
byEditor Jacotech
 
PDF
Traffic detection system using android
byEditor Jacotech
 
PDF
Performance analysis of aodv with the constraints of varying terrain area and...
byEditor Jacotech
 
PDF
Modeling of solar array and analyze the current transient response of shunt s...
byEditor Jacotech
 
PDF
License plate recognition an insight to the proposed approach for plate local...
byEditor Jacotech
 
PDF
Design of airfoil using backpropagation training with mixed approach
byEditor Jacotech
 
PDF
Ant colony optimization based routing algorithm in various wireless sensor ne...
byEditor Jacotech
 
PDF
An efficient ant optimized multipath routing in wireless sensor network
byEditor Jacotech
 
PDF
A mobile monitoring and alert sms system with remote configuration – a case s...
byEditor Jacotech
 
PDF
Leader Election Approach: A Comparison and Survey
byEditor Jacotech
 
PDF
Leader election approach a comparison and survey
byEditor Jacotech
 
PDF
Modeling of solar array and analyze the current transient
byEditor Jacotech
 
PDF
Performance analysis of aodv with the constraints of
byEditor Jacotech
 
PDF
License plate recognition an insight to the proposed approach for plate local...
byEditor Jacotech
 
Performance of Wideband Mobile Channel with Perfect Synchronism BPSK vs QPSK ...
byEditor Jacotech
 
MOVIE RATING PREDICTION BASED ON TWITTER SENTIMENT ANALYSIS
byEditor Jacotech
 
Non integer order controller based robust performance analysis of a conical t...
byEditor Jacotech
 
FACTORS CAUSING STRESS AMONG FEMALE DOCTORS (A COMPARATIVE STUDY BETWEEN SELE...
byEditor Jacotech
 
ANALYSIS AND DESIGN OF MULTIPLE WATERMARKING IN A VIDEO FOR AUTHENTICATION AN...
byEditor Jacotech
 
The Impact of Line Resistance on the Performance of Controllable Series Compe...
byEditor Jacotech
 
Security Strength Evaluation of Some Chaos Based Substitution-Boxes
byEditor Jacotech
 
Traffic detection system using android
byEditor Jacotech
 
Performance analysis of aodv with the constraints of varying terrain area and...
byEditor Jacotech
 
Modeling of solar array and analyze the current transient response of shunt s...
byEditor Jacotech
 
License plate recognition an insight to the proposed approach for plate local...
byEditor Jacotech
 
Design of airfoil using backpropagation training with mixed approach
byEditor Jacotech
 
Ant colony optimization based routing algorithm in various wireless sensor ne...
byEditor Jacotech
 
An efficient ant optimized multipath routing in wireless sensor network
byEditor Jacotech
 
A mobile monitoring and alert sms system with remote configuration – a case s...
byEditor Jacotech
 
Leader Election Approach: A Comparison and Survey
byEditor Jacotech
 
Leader election approach a comparison and survey
byEditor Jacotech
 
Modeling of solar array and analyze the current transient
byEditor Jacotech
 
Performance analysis of aodv with the constraints of
byEditor Jacotech
 
License plate recognition an insight to the proposed approach for plate local...
byEditor Jacotech
 

Recently uploaded

PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
AI in DevOps: Transforming the Developer Experience and Expanding the Securit...
byEnterprise Management Associates
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
AI in DevOps: Transforming the Developer Experience and Expanding the Securit...
byEnterprise Management Associates
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 

1376841709 17879811

  • 1.
    Journal of AdvancedComputing and Communication Technologies (ISSN: 2347 - 2804) Volume No.1 Issue No. 1, August 2013 An Approach to for Improving the Efficiency of IDS System Using Honeypot By Khushboo Saxena, Akanksha Saxena,Seema Arya Technocrats Institute of Technology,Bhopal,India Suresh Gyan Vihar University, Jaipur,India sxn.khushboo@gmail.com, akanksha.saxena23@gmail.com,seema.aarya@gmail.com ABSTRACT Increasing technology space has pressurized the orgainsational enviroment to safegraurd its network from outside as well as inside attack. Any malicious intrusion can dragdown a highly reputed organisation to the floors of defamation and even insolvency. Henceforth network security is one of the biggest challenge for organisation. Although traditional concepts of firewall and intrusion detction system is prevailing yet there is a need to secure the enviroment from the so called zero day attacks. Attackers every now and then generate exploits to penetrate the secure network enviroment and the existing known signatures are not able to detect such an attack. This paper brings forth the concept of deployment of honeypot so as to make the IDS system more effective and efficient for the zero day attack leading to least penetration to the network enviroment. This paper lays down a new network architecture so that the IDS system can be updated with the latest attack scenarios. The aforesaid objective is achived with the help of establishment of honeypot. Later tcpdump is used for he further analysis of payload so as to generate alert signautre in IDS(Snort v2.0). Keywords Keywords are your own designated keywords which can be used for easy location of the manuscript using any search engines. 1. INTRODUCTION The high use of internet in today’s IT world has purged in the concept of security deployment in the organization so as to make it almost immune to various upcoming attack scenarios. One of the critical areas is the protection of internal network from new attacks. Although the most desirable is the deployment of intrusion and prevention system in the network architecture but this system is still vulnerable to zero day attacks. The IDS generally includes signatures for known attacks and generates the alerts for the same but if any new attack penetrates the system then it lacks behind. To deal with this problem the concept of honeypot can be used along with any packet analyzing tool so as to generate signatures for zero-day attacks in IDS. The Intrusion Detection System specially involves two types of techniques: Anomaly Detection involving the detection based on behavior/heuristic rules and Misuse Detection involving the detection based on patterns and signatures. Anomaly detection lags behind as it requires too much time to detect the behavior and Misuse Detection lags behind for detection of new attack signature. So Honeypot is used as a tool to support the technique of Misuse Detection so that new attacks can be detected before they can harm internal network and the signature can be framed in the IDS to defend the network from internal and external threat of such attack in future. Honeypots are Bait Servers which are not the part of any production server in the organization and are just placed isolated so as to attract the attackers to plug and play with it and at its end it logs all the actions of the attacker so that it can be analyzed further to generate signatures for IDS. Attackers before making an attack performs a ping sweep and if the honeypot is pinged. As the request reaches the honeypot server it records all the activities, even the keystrokes typed by the attackers so every command entered by the attacker becomes a part of log to the honeypot server. It also stores all tools used by the intruders in records as a forensic machine. The given paper describes how the data returned from the honeypot server is used to write custom IDS rules. Thus new network architecture is designed to collect the response to write custom IDS rules by seeing the data payload and writing the rules matching the payload. . 1
  • 2.
    Journal of AdvancedComputing and Communication Technologies (ISSN: 2347 - 2804) Volume No.1 Issue No. 1, August 2013 2. RELATED WORK One of the drawback stumble upon with network intrusion detection systems is that the logging of failed connection attempts just occurs when services are not listening on a scanned port. When a RST signal terminates a TCP connection attempt, the system never logs the data packet that the remote machine was trying to send into the network. A honeypot as a one of the greatest security tool suggests a mechanism by completing the connection attempt and providing an attacker a false illusion of accessing the critical servers and then recording the interactions between the honeypot and the remote machine. Honeypot placement is one of the greatest issues to be taken care of to optimize the efficiency of the implemented Intrusion Detection System. Various network architectures are presented till now to achieve the aforesaid motive but the basic idea behind this as we suppose is detection of hackers scripts and actions to penetrate into the system and henceforth the proposed architecture is presented which will help the organizational security to build up patches for the existing loophole and make their system robust and stringent to attack scenarios. 3. PROPOSED DESIGN AND IMPLEMENTATION In this section we outline the requirements of the proposed infrastructure which is considered as a solution to decrease the malicious inflow of packets in the organizational environment and enhance the efficiency of IDS system deployed. The real honeypot server is used to safeguard the main server from if the hacker is able to compromise the honeypot server. Although it is hard to implement the real honeypot but it is desirable for large organizations as such servers do not hamper the production process in the organization and only IT staff is able to access the required logs. Neither the attacker nor the organizational staff knows where honeypot is placed. The given network architecture is used to develop an understanding as to why and how honeypots are used to enhance the work of IDS system. In this configuration, main network is a “TCP/IP based network” which contains clients and servers. Snort 2.0 is used as IDS and is capable to be configured with server. Honeyd is a honeypot system that is configured as a separate server and is connected to the main server. We assume a”switched network” in our approach, with a configurable switch which is connected to the main server and the respective clients. As the LAN architecture is developed in within a primary network henceforth the server is supported with two Ethernet cards eth0 and eth1. Eth0 directs the internet connection to the main sever and eth1 manages the intranet traffic within the private LAN 192.168.0.1. Fig 1.1 Deployment of IDS & honeypot in the LAN Architecture The attacker first performs a ping sweep attack to detect the available servers in the network and the honeypot server entices him to perform attacks to penetrate the network. Once the requests are directed to the honeypot server the incoming connection is established with the attacking system. As the attacker gets a feel of entering into the server it performs all his efforts to penetrate into different servers. Honeypot gives him the illusion of different servers and constantly interacts with him to record his activities and send the specific response to the syslog server for future analysis and investigation. 4. Experimental Setup To implement honeypot an additional tool Arpd is embedded in it. Honeypot cannot do everything alone and requires the help of Arpd. Arpd is used for ARP spoofing; this is what actually monitors the unused IP space and directs the attacks to the honeypot. Honeyd is only able to interact with attackers. For example if the aim is to monitor all the unused IPs in the 192.168.1.0/24 network, the required commands to start both Arpd and Honeyd are as follows: arpd 192.168.0.1/24 honeyd -p nmap.prints -f honeyd.conf 192.168.0.1/24 Based on the commands, the Arpd process monitors the unused IPs, directs all corresponding attacks to the honeyd and spoofs the victim’s IP address with the MAC address of the honeypot. For the honeyd command –p nmap.prints refers to the nmap fingerprint database and -f honeyd.conf is the honeyd configuration file. 2
  • 3.
    Journal of AdvancedComputing and Communication Technologies (ISSN: 2347 - 2804) Volume No.1 Issue No. 1, August 2013 Once the installation is honeypot server is completed the traffic directed to honeypot server is dumped o other system using packet analyzing tool tcpdump with the help of following command: tcpdump -nn -x -s 1500 host 192.168.0.145 -w store.cap The tcpdump command will dump all the malicious packets directed to the honeypot and hence will help in writing the snort rule set by analyzing the payload. 4.1 Writing of Snort Rules: Penetrating in the network to gain access by getting the etc/passwd file in the Linux environment or the password shadow file i.e. etc/shadow which contains the username and password of all users. No such rule is defined in the latest snort rule set. Suppose you get the following log generated in honeypot: # cat 44F75D6380122.shell :::::::::::::: GET/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/.. % 01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/. . %01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%0 1/. .%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..% 01/ ..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..% 01 /..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/.. %0 1/..%01/..%01/..%01/..%01/..%01//etc/shadow HTTP/1.1 Host: 202.174.22.145:10000 It is visible that the attacking port is 10000 thus port 10000 is of interest. The various ip addresses from where such request came can be filtered using tcpdump analysis. alert tcp any any -> any 10000 (content:"GET /unauthenticated/..%01/..%01/"; msg:"Get unauthenticated";) The point of concern here is that adding too much of payload may result in false negatives which will overall lower down the implementation of snort in organizational network. 5. Conclusion The Intrusion detection system can only give the optimum benefit if it is also able to detect those attacks for which signatures are not defined in its database. The area of work will be to give attention to this Snort limitation and thus increasing the scalability and responsiveness of the system towards the various types of attacks so as to achieve the motto of building a smart agile and secure system to face the new challenges of technological arena. Though honeypot deployment is a cost-effective solution for the security of large organization but in future refinement is required to elimination false alarm generations. 6. REFERENCES [1] Vidar Ajaxon Grønland: Building IDS signatures by means of a honeypot Norwegian Information system Laboratory. [2] Chi-Hung Chi , Ming Li Dongxi Liu : A method to obtain Signatures From Honeypots Data, School of Computing National University of Singapore [3] Babak Khosravifar, Jamal Bentahar: An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot. [4] Department of Electrical and Computer Engineering, Concordia University [5] Greg M. Bednarski and Jake Branson: Understanding Network Threats through Honeypot Deployment, Carnegie Mellon University March 2004. 4.2 Results and Discussion [6] Richard Hammer : Enhancing IDS using, Tiny Honeypot SANS Institute InfoSec Reading Room Once the analysis is done now it is the time to write the snort rule. By the analysis of the payload it is visible that the string started with “GET/unauthenticated/” thus following snort rule can be set: [7] Solution Base: What you need to know about honeypots http://articles.techrepublic.com.com/5100-22_115758218.html alert tcp $EXTERNAL_NET any -> $192.168.0.1 10000 (content:"GET /unauthenticated/"; msg:"Get unauthenticated";) Now any attack coming from the specified port will generate the alert to the administrator of penetration for unauthorized access in the network environment by the attacker. If the set rule has to be further customized then the following payload can be added: 3