Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
INTEGRATED HONEYPOT
Ansona N, Dr. S.Sasidhar Babu, Sheema M, Prof. P.Jayakumar
Department of Computer Science & Engineering, SNGCE, Kerala, India
ABSTRACT
The primary goal of computer security is to defend computers against attacks launched by malicious users.
There are a number of ways in which researchers and developers can work to protect the networks they use; one class of
these tools is honeypots. A honeypot is a computer which has been configured to some extent to seem normal to an
attacker, but actually logs and observes what the attacker does. In this paper I present an integrated honeypot
that can generate attack signatures against the Zero Day Attack, SSH Attack and Keylogger-Spyware Attack. During this
assessment it was shown that a honeypot is a very effective tool for gathering vital information about the above-mentioned
attacks. The prevention of these attacks is necessary. In this paper I propose an architecture for detecting and preventing
the different behaviors of network attacks.
Keywords: Honeypot, Intrusion Detection and Prevention System, Keyloggers, SSH Attacks, Spyware, Zero-Day
Attacks.
1. INTRODUCTION
The number of attacks in the IT field is growing rapidly, but there has been no comparable growth in
detection and prevention mechanisms. Each day attackers get into systems in new ways and steal,
modify or delete personal data. The main aim of this paper is to develop an Integrated Honeypot (iHoney) that is
capable of generating updated signatures against the unknown Zero day attack, SSH attack, and Keylogger Spyware
attacks. This paper does not build a firewall or write rules for an IDS/IPS; it builds a system that attracts
attackers and studies their various penetration methods in depth. The basic idea behind this paper is the honeypot, which can
be used as a tool for attracting suspects into doing something suspicious.
An isolated environment (virtual machines) is used to deploy the honeypot system, which is connected
to the Internet through a bridged connection so that an exact replica of the original network is available in the VM. The
attacks this paper concentrates on are the Zero Day Attack, SSH Attack and Keylogger Spyware Attack. The
normal honeypot system is integrated with features for identifying these attacks and added to the architecture created. A
protected machine is used to collect the information related to these attacks. Through this system we can identify the
various attack signatures, and these can be used as a reference for adding signatures to the default IDS, i.e.,
SNORT. Here we focus on collecting details from the remote host, analyzing them and converting them into new rules. To
establish a honeypot in the network we have to meet certain criteria: Information Control, Information Capture,
Information Analysis and Information Collection requirements. The paper is organized as follows. Section 2
highlights the related work and the background. Section 3 discusses in detail the system's architecture, the system
components and the functioning of the proposed system. We conclude in Section 4 along with a list of future work.
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &
TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 5, Issue 12, December (2014), pp. 23-30
© IAEME: www.iaeme.com/IJCET.asp
Journal Impact Factor (2014): 8.5328 (Calculated by GISI)
www.jifactor.com
2. BACKGROUND AND RELATED WORKS
Before going into the research work in these areas, we look at the background of these attacks.
2.1 Zero Day Attacks
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown
vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.
This means that the developers have had zero days to address and patch the vulnerability. Malware writers are able to
exploit zero day vulnerabilities through several different attack vectors. Web browsers are a particular target because of
their widespread distribution and usage. Attackers can also send e-mail attachments, which exploit vulnerabilities in the
application opening the attachment. A special type of vulnerability management process focuses on finding and
eliminating zero-day weaknesses. This unknown vulnerability management lifecycle is a security and quality assurance
process that aims to ensure the security and robustness of both in-house and third party software products by finding and
fixing unknown (zero-day) vulnerabilities. The unknown vulnerability management process consists of four phases:
analyze, test, report and mitigate.
2.2 SSH Attacks
Nowadays malicious users are fond of Internet servers that can be used for their activities. One of the most
vulnerable targets, available even in remote centers, is the Secure Shell (SSH) server. These servers have been
exploited by hackers many times when a very weak password is used in the authentication mechanism. Whenever a hacker finds
a device with an SSH service, he will try various available username and password combinations to get authorized
access. If the hacker succeeds in getting a connection, he gains remote access to the machine and can then
use it for his malicious activities.
2.3 Keylogger-Spyware Attack
Spyware is a broad category of software designed to intercept or take partial control of a computer's operation
without the informed consent of that machine's owner or legitimate user. In simpler terms, spyware is a type of program
that watches what users do with their computer and then sends that information over the internet. Spyware can collect
many different types of information about a user: it can record the types of websites a user visits, record what is typed by the
user to intercept passwords or credit card numbers, and be used to launch “pop up” advertisements. Many legitimate companies
incorporate forms of spyware into their software for purposes of advertisement (adware). Examples of spyware are GAIN /
Gator, E-Wallet, Cydoor, BonziBuddy, MySearch Toolbar, DownloadWare, BrowserAid and Dogpile Toolbar. A key-logger
spyware contains both a key-logger and spyware in a single program. The function of this program is to
capture all keystrokes pressed by a system user and store them in a log file. The spyware emails this log file to
the designer's specified address. It is very harmful for systems which are used in daily transaction processes, i.e.
online banking systems.
2.4 Honeypots
In computer terminology, a honeypot is a trap/technology set to detect, deflect, or in some manner counteract
attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that
appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a
resource of value to attackers. Honeypot logs can be collected using remote procedure calls. Two or more honeypots on a
network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which
one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network
intrusion detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.
A similar work is presented by Constantin Musca, Emma Mirica and Razvan Deaconescu in their article “Detecting and
Analyzing Zero-day Attacks using Honeypots” [1]. The authors suggested methods for separating
unwanted traffic using a honeypot system and using it to automatically generate attack signatures for the Snort
intrusion detection/prevention system. The honeypot is implemented as a virtual machine and its
responsibility is to monitor and log as much information as it can about the attacks. Then, with the help of a protected
machine, the logs are collected from the remote machine through an isolated connection for analysis. However, this
architecture suffers from a lot of false positives; such an architecture can also be used to detect other similar
attacks effectively, but these are not specified in this paper.
In “Analysis and Visualization of SSH Attacks Using Honeypots” [2], the authors showed that honeypots remain
very effective tools for gathering information about SSH attacks. Furthermore, they found that attackers were continually
targeting servers in the wild using ready-to-use tools and dictionaries. Finally, they presented a visualization tool
to help security researchers during the analysis of networks. This honeypot implementation was successfully tested
against some known exploits but failed with random dictionary attacks. Further experimentation on visualizing malicious
programs using honeypots, an idea that was started by security professional J. Blasco, resulted in a visualization tool for the
Nepenthes honeypot [3]. Nepenthes can be seen as a malware honeypot: software that works with malware researchers in
the procedure of collecting and effectively storing vulnerable binaries of malicious software. The aforementioned
visualization tool [4] uses the AfterGlow and Graphviz software libraries to create several directed
graphs. These depict the relation between IP addresses, virus samples and geographical information.
3. PROPOSED SYSTEM
The proposed system architecture comprises the detection phase for the zero day attack, SSH attack and
Keylogger-Spyware attack. The technique behind the detection framework is the honeypot, which is deployed
inside an isolated environment, i.e., a VM. To attract attackers, we have to build a trap. The honeypot (or eventually
honeypots) has to be placed in our network along with the other systems. We also put different
workstations together in the same network to check interoperability. The whole network is monitored and protected
by the Intrusion Detection/Prevention System (SNORT). The honeypot is allowed to communicate through an encrypted
channel with the protected machine, where our implementation of attack detection runs.
The general architecture of the proposed system is illustrated in Figure 1. It is a simple and efficient approach to
detecting the mentioned attacks. The major components are an integrated honeypot system, a framework that
generates signatures (the iAttack detection framework) and a filtering component. The filtering component is actually an
intrusion detection/prevention system (such as Snort). Snort, an open source network-based intrusion detection system
(NIDS), has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks [5].
Snort performs protocol analysis, content searching and content matching. These basic services have many purposes,
including application-aware triggered quality of service to de-prioritize bulk traffic when latency-sensitive applications
are in use. The integrated honeypot does not do any processing of the packets. It only captures information; the
detection framework is built on another machine, which is a protected one. This machine collects the information or the
logs stored on the honeypot through a safe channel. The framework analyzes the logs and, on the basis of
different methods, generates new signatures for the preinstalled filtering component. The filtering component is usually
a software part of the architecture.
The working logic of the architecture is as follows: when new network traffic first flows through the filtering component, it is
checked by the filtering component against the rules it knows. If the traffic turns out to be malicious, the filtering
component will not allow it to pass; otherwise, if the traffic does not match any rule, it flows through the network,
including the honeypot system, which logs some information about it (the information related to the attacks mentioned
here). Based on the log information it collects from the honeypot, the framework runs the rule-writing procedure and
generates new signatures. The integrated honeypot (iHoney) includes features to log detailed information about the
unknown zero day attack, SSH attack and Key-logger-Spyware attack. The integrated honeypot can be explained as follows:
Fig. 1: System Architecture
Fig. 2: Integrated Honeypot
3.1 iHoney against SSH Attack
Deploy an SSH honeypot (the Kippo SSH honeypot) on a Virtual Private Server (VPS). It can bind to Secure
Shell’s default TCP port 22 and log each connection attempt to the server. It also stores these attempts in a MySQL
database along with useful information. It allows a list of credentials to be defined which give access to a fake operating
system, giving the intruder the ability to interact with it. The program responds to the intruder's commands like a real operating
system based on Debian Linux.
Steps to deploy a Kippo SSH Honeypot
Step 1: The Kippo SSH honeypot is a Python-based application. Therefore, we first need to install the Python libraries:
$ sudo apt-get install python-twisted
Step 2: Normally we would run our sshd service listening on the default port 22. It makes sense to use this port for our SSH
honeypot, and thus if we already run the SSH service we need to change its default port to some other number. I would
suggest not using the alternative port 2222, as its use is already generally known and it could sabotage your disguise. Let's
pick some random 4-digit number like 4632. Open the SSH configuration file /etc/ssh/sshd_config and change the Port
directive from:
Port 22
to:
Port 4632
Step 3: Restart sshd:
$ sudo service ssh restart
Step 4: Furthermore, Kippo needs to run as a non-privileged user, so it is a good idea to create a separate user account
and run Kippo under this account. Create a new user kippo:
$ sudo adduser kippo
Step 5: First, log in as or change user to kippo and then download Kippo's source code:
kippo@ubuntu:~$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
Step 6: Extract it with:
kippo@ubuntu:~$ tar xzf kippo-0.5.tar.gz
This will create a new directory called kippo-0.5.
Step 7: Navigate into Kippo's directory and you will see:
kippo@ubuntu:~/kippo-0.5$ ls
data dl doc fs.pickle honeyfs kippo kippo.cfg kippo.tac log start.sh txtcmds utils
The most notable directories and files here are:
• dl - the default directory where Kippo stores all malware and exploits downloaded by the hacker using the
wget command
• honeyfs - this directory includes some files which will be presented to the attacker
• kippo.cfg - Kippo's configuration file
• log - the default directory for logging the attacker's interaction with the shell
• start.sh - a shell script to start Kippo
• utils - contains various Kippo utilities, the most notable of which is playlog.py, which allows us to replay the
attacker's shell session
Kippo comes pre-configured with port 2222. This is mainly because Kippo needs to run as a non-privileged user,
and a non-privileged user is not able to open any ports below 1024. To solve this problem we can use
iptables with the "PREROUTING" and "REDIRECT" directives. This is not the best solution, as any user can open a port
above 1024, thus creating an opportunity to exploit.
Step 8: Starting the Kippo SSH Honeypot
If you followed the above instructions up to this point, by now you should have configured your SSH honeypot
with the following settings:
• listening port 4633
• iptables port forward from 22 -> 4633
• hostname: accounting
• multiple root passwords
• fresh up-to-date honeyfs clone of your existing system
• OS: Linux Mint 14 Julaya
Let's start the Kippo SSH honeypot now.
$ pwd
/home/kippo/kippo-0.5
kippo@ubuntu:~/kippo-0.5$ ./start.sh
Starting kippo in background...Generating RSA keypair... done.
kippo@ubuntu:~/kippo-0.5$ cat kippo.pid
2087
Kippo comes with multiple other options and settings. One of them is to use the utils/playlog.py utility to replay the
attacker's shell interactions stored in the log/tty/ directory [16]. In addition, Kippo allows log files to be stored in a
MySQL database.
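The following is an added example, not code from the paper or from the Kippo project, of how the protected machine could turn the honeypot's login records into draft Snort rules for review. It assumes the "login attempt" line format of Kippo's log/kippo.log; the sample lines are constructed, and the function names, failure threshold and rule message are hypothetical.

```python
import ipaddress
import re

# Constructed sample, modelled on the "login attempt" lines in Kippo's
# log/kippo.log (line format is an assumption; IPs are documentation ranges).
SAMPLE_LOG = """\
2014-11-02 10:15:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:40112 (192.0.2.10:4633) [session: 0]
2014-11-02 10:15:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/root] failed
2014-11-02 10:15:04+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/toor] failed
2014-11-02 10:15:05+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [admin/admin] failed
2014-11-02 10:15:07+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/pass]word/1] failed
2014-11-02 10:15:09+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/123456] succeeded
2014-11-02 11:02:40+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [backup/backup] failed
"""

# The password is attacker-controlled and may contain '/' or ']', so it is
# matched greedily and the line must end in the literal result word.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)


def parse_attempts(log_text):
    """Return one dict per login attempt; lines that do not match are skipped."""
    attempts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # never carry an unvalidated log field into a rule
        attempts.append({
            "ts": m.group("ts"),
            "ip": ip,
            "user": m.group("user"),
            "password": m.group("password"),
            "ok": m.group("result") == "succeeded",
        })
    return attempts


def summarise(attempts):
    """Per source IP: failed and successful guesses, and the usernames tried."""
    summary = {}
    for a in attempts:
        s = summary.setdefault(a["ip"], {"failed": 0, "succeeded": 0, "users": set()})
        s["succeeded" if a["ok"] else "failed"] += 1
        s["users"].add(a["user"])
    return summary


def brute_force_sources(summary, min_failed=3):
    """Source IPs with at least min_failed failed guesses (threshold is hypothetical)."""
    return sorted(ip for ip, s in summary.items() if s["failed"] >= min_failed)


def snort_rules(sources, ssh_port=22, first_sid=1000001):
    """Draft one alert rule per source; SIDs start in the local-rule range."""
    rules = []
    for offset, ip in enumerate(sources):
        rules.append(
            f"alert tcp {ip} any -> $HOME_NET {ssh_port} "
            f'(msg:"iHoney: SSH brute-force source seen on honeypot"; '
            f"flags:S; sid:{first_sid + offset}; rev:1;)"
        )
    return rules


def demo():
    """Run the whole pipeline on the constructed sample."""
    return snort_rules(brute_force_sources(summarise(parse_attempts(SAMPLE_LOG))))


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

Only the validated source address reaches the rule text; usernames and passwords stay in the summary, since they are attacker-supplied strings.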
3.2 iHoney against Keylogger-Spyware Attack
Fig. 3: Honeypot Base Monitoring
This architecture is designed in such a way that it can be easily compromised and hackers will not be able to
detect it. When the target software enters the user's computer, it also has a door into the honeypot system. This
system monitors the activity of the keylogger-spyware. It also creates a log file and sends this file to the detection and
prevention server. At the detection and prevention server this file is inspected for threats. Figure 3 shows the target software
monitoring process performed by the honeypot system. The arrows show the entry of the key logger spyware into the user's
computer and the honeypot system. The detection and prevention system inspects the log file sent by the honeypot to find
the malicious program. The key logger spyware functions by emailing the information to a specified email
address periodically [17].
3.3 iHoney against Unknown Zero day Attack
Two types of honeypot can be used here, according to the level of interaction the attacker has with them:
low-interaction honeypots and high-interaction honeypots [1]. The first can be network listener code that logs
any connection without doing an actual task; the other, the high-interaction honeypot, can be a server that runs
real services.
3.3.1 Low interaction Honeypot
Listing 1: Honeyd.conf
Using the configuration file we can customize the honeypot as per our need. Here the specific honeypot is developed
for the Windows XP system, and the behavior of the honeypot is defined inside the configuration file. We can specify the
MAC address for the target device and can also specify the connection type (DHCP or not). We chose honeyd as the
honeypot because it is simple and efficient to implement. The results of the traffic monitoring will be
available in the /var/log/syslog file. The log file includes details of the IP, TCP, ICMP and ARP protocols. This
is used to check for ping sweeps, flooding attacks, ARP spoofing, MAC spoofing, Denial of Service attacks, SYN flood
attacks, etc.
3.3.2 High Interaction Honeypot
To implement the data collection on a honeypot built as a virtual machine, Metasploitable is using. [1] No
logging capabilities for this solution. To avoid this problem, collect important logs & transfer them to protected machine
for processing. Running log_fetcher.sh, log_achiever.sh remotely. log_achiever.sh: Identifies important logs: System
Logs, Daemon Logs, Open port Stats, kernel logs, processes stats, installed packages. Shreds the logging file as we do
not want to analyze the same info for more than once. SSH protocol is using to retrieve log details. To avoid repeated
request for password the protocol Generates public key (sshkeygen) Copies to Metasploitable machine using ssh-copyid.
The protected machine analyzes the state of the honeypot and compares it with the previously stored values. It mainly looks
for:
• New root processes: these tell us that an attacker tried to obtain admin privileges or attempted to open a back door in our system.
• Installed packages/listening ports: to check whether a new TCP connection is established or not.
• Process analysis: collects metadata about PID, PPID and CPU utilization, and uses it to gain knowledge about the attacker's target.
• All logs from the daemons installed on the honeypot: give information on whether the attacker tried for the SMTP server.
• Kernel module insertion: an inserted kernel module acts as a rootkit.
The detailed working of the integrated honeypot is illustrated in Listing 2. With
the help of this algorithm, signature generation and attack detection can be done very easily. The process of iHoney
can be simply and efficiently represented by this algorithm, and it shows the entire process history. The integrated
algorithm is also easy to understand.
Listing 2: Integrated iHoney Algorithm
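The comparison the protected machine performs against its previously stored values can be sketched as follows. This is an added example, not the paper's Listing 2 and not the authors' code. It assumes each fetched snapshot holds the text output of `ps -eo user,pid,ppid,pcpu,comm`, `netstat -tln` and `lsmod`; the sample snapshots, process names and module name are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    ps: str        # output of: ps -eo user,pid,ppid,pcpu,comm
    netstat: str   # output of: netstat -tln
    lsmod: str     # output of: lsmod


# Constructed baseline taken when the honeypot was known to be clean.
BASELINE = Snapshot(
    ps="""\
USER       PID  PPID %CPU COMMAND
root         1     0  0.0 init
root      4021     1  0.0 sshd
www-data  4988  4500  0.3 apache2
""",
    netstat="""\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
""",
    lsmod="""\
Module                  Size  Used by
ext3                  125448  1
""",
)

# Constructed later snapshot: a root shell spawned from the web server,
# one extra listener and one extra kernel module.
CURRENT = Snapshot(
    ps=BASELINE.ps + "root      5120  4988  1.5 nc\n",
    netstat=BASELINE.netstat
    + "tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN\n",
    lsmod=BASELINE.lsmod + "hidemod                 8192  0\n",
)


def root_processes(ps_text):
    """Map command name -> (pid, ppid, cpu) for processes owned by root."""
    procs = {}
    for line in ps_text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[0] != "root":
            continue
        try:
            procs.setdefault(parts[4], (int(parts[1]), int(parts[2]), float(parts[3])))
        except ValueError:
            continue   # malformed row: the honeypot's output is untrusted
    return procs


def listening_ports(netstat_text):
    """Set of TCP ports in LISTEN state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def kernel_modules(lsmod_text):
    """Set of loaded module names."""
    rows = lsmod_text.strip().splitlines()[1:]          # skip the header row
    return {row.split()[0] for row in rows if row.split()}


def compare(baseline, current):
    """Return (kind, detail) findings for state that is new since the baseline."""
    findings = []
    old, new = root_processes(baseline.ps), root_processes(current.ps)
    for comm in sorted(new.keys() - old.keys()):
        pid, ppid, cpu = new[comm]
        findings.append(("new_root_process", f"{comm} pid={pid} ppid={ppid} cpu={cpu}"))
    for port in sorted(listening_ports(current.netstat) - listening_ports(baseline.netstat)):
        findings.append(("new_listening_port", str(port)))
    for mod in sorted(kernel_modules(current.lsmod) - kernel_modules(baseline.lsmod)):
        findings.append(("new_kernel_module", mod))
    return findings


if __name__ == "__main__":
    for kind, detail in compare(BASELINE, CURRENT):
        print(kind, detail)
```

The PPID in the first finding ties the new root process to its parent, which is the metadata the process-analysis step above uses to learn what the attacker targeted.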
4. CONCLUSION
A honeypot can be used as a system that lures attackers into the network, and it can be considered an
effective tool for identifying most network-based threats. In the proposed framework we have designed
keylogger spyware, zero day and SSH attack scenarios showing how each enters the system, and then we showed the scenario of
honeypot-based monitoring. This framework is specially designed for these kinds of attacks. The logs
generated by the honeypot system are analyzed by the protected machine, and this machine is responsible for
generating updated signatures for the IDS that we use in this architecture. The network can thus be monitored
effectively, and updating the IDS also avoids repeated checking of packets of the same nature.
As future work I suggest an automated system that can be placed instead of this iHoney and which can identify all the
malfunctions happening inside the network.
REFERENCES
[1] Constantin Musca, Emma Mirica, Razvan Deaconescu, “Detecting and Analyzing Zero-day Attacks
using Honeypots”, 2013 19th International Conference on Control Systems and Computer Science,
ISBN: 978-0-7695-4980-4/13, DOI 10.1109/CSCS.2013.94.
[2] Ioannis Koniaris, Georgios Papadimitriou and Petros Nicopolitidis "Analysis and Visualization of SSH Attacks
Using Honeypots", EuroCon 2013 • 1-4 July 2013 • Zagreb, Croatia, ISBN: 978-1-4673-2232-4.
[3] P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, “The Nepenthes Platform: An Efficient Approach
to Collect Malware.” 2006.
[4] J. Blasco, “An approach to malware collection log visualization.” 2008. “carniwwwhore.” [Online]. Available:
http://carnivore.it/2010/11/27/carniwwwhore.
[5] "Snort (software)", http://www.snort.org.
[6] “Honeyd development,” http://www.honeyd.org/, [Online; accessed 12- 10-2012].
[7] “Metasploitable2 - linux vulnerable machine,” https://community.rapid7.com/docs/DOC-1875, [Online;
accessed 11-01-2012].
[8] “Metasploitable2 - download link,” http://sourceforge.net/projects/metasploitable/files/Metasploitable2/,
[Online; accessed 11-01-2012].
[9] N. Provos and T. Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, 1st ed., 2007.
[10] C. Varlan, R. Rughinis, and O. Purdila, “A practical analysis of virtual honeypot mechanisms,” The 9th
RoEduNet Conference, Sibiu, Romania, 2010.
[11] “Honeyd tutorial,” http://travisaltman.com/honeypot-honeyd-tutorialpart-1-getting-started/, [Online; accessed
12-10-2012].
[12] “Metasploitable2 - linux vulnerable machine,” https://community.rapid7.com/docs/DOC-1875, [Online;
accessed 11-01-2012].
[13] L. Spitzner, “Honeypots: Catching the Insider Threat,” in Proceedings of the 19th Annual Computer Security
Applications Conference, 2003.
[14] L. Spitzner, Honeypots: Tracking Hackers. Boston, MA: Addison Wesley, 2003.
[15] L. Spitzner, “Strategies and issues: Honeypots - sticking it to hackers,” Network Magazine, 2003.
[16] “Deployment of Kippo SSH Honeypot on Ubuntu Linux” http://www.linuxcareer.com.
[17] Mohammad Wazid, Avita Katal, R.H. Goudar, D.P. Singh, Asit Tyagi, Robin Sharma, Priyanka Bhakuni, “A
Framework for Detection and Prevention of Novel Keylogger Spyware Attacks”, Proceedings of 7th
International Conference on Intelligent Systems and Control, ISBN: 978-1-4673-4603-0/12, 2012.
[18] Prof. S.B. Javheri and Shwetambari Ramesh Patil, “Attacks Classification In Network”, International Journal of
Information Technology and Management Information Systems (IJITMIS), Volume 4, Issue 3, 2013, pp. 1 - 11,
ISSN Print: 0976 – 6405, ISSN Online: 0976 – 6413.

More Related Content

What's hot

Honey pot in cloud computing
Honey pot in cloud computingHoney pot in cloud computing
Honey pot in cloud computing
أحلام انصارى
 
1776 1779
1776 17791776 1779
1776 1779
Editor IJARCET
 
Honeypots
HoneypotsHoneypots
D03302030036
D03302030036D03302030036
D03302030036
theijes
 
Honeypots
HoneypotsHoneypots
Honeypots
Jayant Gandhi
 
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSLATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
IJCNCJournal
 
Honeypot
HoneypotHoneypot
Honeypot
Akhil Sahajan
 
Honeypots
HoneypotsHoneypots
Honeypots
Bilal ZIANE
 
504 508
504 508504 508
Paper id 312201513
Paper id 312201513Paper id 312201513
Paper id 312201513
IJRAT
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection Systems
IRJET Journal
 
Honeypot ss
Honeypot ssHoneypot ss
Honeypot ss
Kajal Mittal
 
Hybrid Intrusion Detection System using Weighted Signature Generation over An...
Hybrid Intrusion Detection System using Weighted Signature Generation over An...Hybrid Intrusion Detection System using Weighted Signature Generation over An...
Hybrid Intrusion Detection System using Weighted Signature Generation over An...
Editor IJMTER
 
Ak03402100217
Ak03402100217Ak03402100217
Ak03402100217
ijceronline
 
Honeypot Methods and Applications
Honeypot Methods and ApplicationsHoneypot Methods and Applications
Honeypot Methods and Applications
ijtsrd
 
Double guard
Double guardDouble guard
Double guard
Divya Gowda
 
N44096972
N44096972N44096972
N44096972
IJERA Editor
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
Manikyala Rao
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
Lecture 7
Lecture 7Lecture 7
Lecture 7
Education
 

What's hot (20)

Honey pot in cloud computing
Honey pot in cloud computingHoney pot in cloud computing
Honey pot in cloud computing
 
1776 1779
1776 17791776 1779
1776 1779
 
Honeypots
HoneypotsHoneypots
Honeypots
 
D03302030036
D03302030036D03302030036
D03302030036
 
Honeypots
HoneypotsHoneypots
Honeypots
 
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSLATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKS
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypots
HoneypotsHoneypots
Honeypots
 
504 508
504 508504 508
504 508
 
Paper id 312201513
Paper id 312201513Paper id 312201513
Paper id 312201513
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection Systems
 
Honeypot ss
Honeypot ssHoneypot ss
Honeypot ss
 
Hybrid Intrusion Detection System using Weighted Signature Generation over An...
Hybrid Intrusion Detection System using Weighted Signature Generation over An...Hybrid Intrusion Detection System using Weighted Signature Generation over An...
Hybrid Intrusion Detection System using Weighted Signature Generation over An...
 
Ak03402100217
Ak03402100217Ak03402100217
Ak03402100217
 
Honeypot Methods and Applications
Honeypot Methods and ApplicationsHoneypot Methods and Applications
Honeypot Methods and Applications
 
Double guard
Double guardDouble guard
Double guard
 
N44096972
N44096972N44096972
N44096972
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Lecture 7
Lecture 7Lecture 7
Lecture 7
 

Viewers also liked

MOD7503r03_Attestato corso Walter Barone
MOD7503r03_Attestato corso Walter BaroneMOD7503r03_Attestato corso Walter Barone
MOD7503r03_Attestato corso Walter BaroneWALTER BARONE
 
Newsletter dated 27th September, 2016
Newsletter dated 27th September, 2016Newsletter dated 27th September, 2016
Newsletter dated 27th September, 2016
Rajiv Bajaj
 
Design of Low Voltage Low Power CMOS OP-AMP
Design of Low Voltage Low Power CMOS OP-AMPDesign of Low Voltage Low Power CMOS OP-AMP
Design of Low Voltage Low Power CMOS OP-AMP
IJERA Editor
 
BUS04FEB10MAI1FUL028
BUS04FEB10MAI1FUL028BUS04FEB10MAI1FUL028
BUS04FEB10MAI1FUL028
Pamela-Jayne Kinder
 
BUS30JUN11MAI1FUL28R
BUS30JUN11MAI1FUL28RBUS30JUN11MAI1FUL28R
BUS30JUN11MAI1FUL28R
Pamela-Jayne Kinder
 
FrankeO final poster
FrankeO final posterFrankeO final poster
FrankeO final poster
Oliviah Franke
 
Social Media Widget
Social Media WidgetSocial Media Widget
Social Media Widget
Leslie Denning.com
 
Resume
ResumeResume
Resume
Nitin Sharma
 
WDA_goextramileservice
WDA_goextramileserviceWDA_goextramileservice
WDA_goextramileservice
Noorhashilah Mohd Noh
 
Increment of carbohydrate concentration of Chlorella minutissima microalgae f...
Increment of carbohydrate concentration of Chlorella minutissima microalgae f...Increment of carbohydrate concentration of Chlorella minutissima microalgae f...
Increment of carbohydrate concentration of Chlorella minutissima microalgae f...
IJERA Editor
 
Lo lắng vì có dấu hiệu bất thường khi phá thai bằng thuốc
Lo lắng vì có dấu hiệu bất thường khi phá thai bằng thuốcLo lắng vì có dấu hiệu bất thường khi phá thai bằng thuốc
Lo lắng vì có dấu hiệu bất thường khi phá thai bằng thuốc
Phẫu Thuật Độn Cằm
 
Design Thinking: Native Hawaiian Plants
Design Thinking: Native Hawaiian PlantsDesign Thinking: Native Hawaiian Plants
Design Thinking: Native Hawaiian Plants
dwee90034
 
Certificate of Training - Emergency Procedures - General Evac & First Response
Certificate of Training - Emergency Procedures - General Evac & First ResponseCertificate of Training - Emergency Procedures - General Evac & First Response
Certificate of Training - Emergency Procedures - General Evac & First Response
Dannielle Backhouse
 
Tecnologia de la construccion y la arquitectura
Tecnologia de la construccion y la arquitecturaTecnologia de la construccion y la arquitectura
Tecnologia de la construccion y la arquitectura
Ciinthy Peralta
 
Alinea u ud 1945
Alinea u ud 1945Alinea u ud 1945
Alinea u ud 1945
nurifani20
 
03,04/25 VEDIZAM - tečaj: INDIJSKE RELIGIJE I FILOZOFSKI SUSTAVI
03,04/25 VEDIZAM - tečaj: INDIJSKE RELIGIJE I FILOZOFSKI SUSTAVI03,04/25 VEDIZAM - tečaj: INDIJSKE RELIGIJE I FILOZOFSKI SUSTAVI
03,04/25 VEDIZAM - tečaj: INDIJSKE RELIGIJE I FILOZOFSKI SUSTAVIIolar
 
сложные проценты
сложные процентысложные проценты
сложные проценты
Romero78
 

Integrated honeypot

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
INTEGRATED HONEYPOT
Ansona N, Dr. S.Sasidhar Babu, Sheema M, Prof. P.Jayakumar
Department of Computer Science & Engineering, SNGCE, Kerala, India
ABSTRACT
The primary goal of computer security is to defend computers against attacks launched by malicious users. There are a number of ways in which researchers and developers can work to protect the network they use; one class of such tools is the honeypot. A honeypot is a computer which has been configured to some extent to seem normal to an attacker, but which actually logs and observes what the attacker does. This paper presents an integrated honeypot that can generate attack signatures against the zero-day attack, the SSH attack and the keylogger-spyware attack. During this assessment it was shown that a honeypot is a very effective tool for gathering vital information about the above-mentioned attacks. Preventing these attacks is necessary. In this paper I propose an architecture for detecting and preventing the different behaviors of network attacks.
Keywords: Honeypot, Intrusion Detection and Prevention System, Keyloggers, SSH Attacks, Spyware, Zero-Day Attacks.
1. INTRODUCTION
There is a vast growth in the number of attacks happening in the IT field but no considerable growth in detection and prevention mechanisms. Each day attackers get into systems through new ways and steal, modify or delete personal data. The main aim of this paper is to develop an Integrated Honeypot (iHoney) that is capable of generating updated signatures against the unknown zero-day attack, the SSH attack, and keylogger-spyware attacks. This paper does not build a firewall or write rules for an IDS/IPS; it builds a system that attracts attackers and studies their various penetration methods in depth.
The basic idea behind this paper is the honeypot, a tool for attracting suspects into doing something suspicious. An isolated environment (virtual machines) is used to deploy the honeypot system, which is connected to the internet through a bridged connection so that an exact replica of the original network is available in the VM. The attacks this paper concentrates on are the zero-day attack, the SSH attack and the keylogger-spyware attack. The normal honeypot system is integrated with features for identifying these attacks and added to the architecture created. A protected machine is used to collect the information related to these attacks. Through this system we can identify the various attack signatures, which can be used as a reference for adding signatures to the default IDS, i.e., SNORT. We focus on collecting details from the remote host, analyzing them and converting them into new rules. To establish a honeypot in the network, certain criteria have to be met: information control, information capture, information analysis and information collection requirements.

The paper is organized as follows. Section 2 highlights the related work and the background. Section 3 discusses in detail the system's architecture, the system components and the functioning of the proposed system. We conclude in Section 4, along with a listing of future work.

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)
ISSN 0976 – 6367 (Print), ISSN 0976 – 6375 (Online)
Volume 5, Issue 12, December (2014), pp. 23-30
© IAEME: www.iaeme.com/IJCET.asp
Journal Impact Factor (2014): 8.5328 (Calculated by GISI) www.jifactor.com
2. BACKGROUND AND RELATED WORKS
Before going deeper into the research work in these areas, we look at the background of these attacks.

2.1 Zero Day Attacks
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. Web browsers are a particular target because of their widespread distribution and usage. Attackers can also send e-mail attachments, which exploit vulnerabilities in the application opening the attachment. A special type of vulnerability management process focuses on finding and eliminating zero-day weaknesses. This unknown vulnerability management lifecycle is a security and quality assurance process that aims to ensure the security and robustness of both in-house and third-party software products by finding and fixing unknown (zero-day) vulnerabilities. The unknown vulnerability management process consists of four phases: analyze, test, report and mitigate.

2.2 SSH Attacks
Nowadays malicious users are fond of internet servers that can be used for their activities. One of the most vulnerable targets, available even in remote centers, is the Secure Shell (SSH) server. These servers have been exploited by hackers many times when a very weak password was set in the authentication mechanism. Whenever a hacker finds a device with an SSH service, he tries various available username and password combinations to gain authorized access.
If the hacker succeeds in getting a connection, he gains remote access to the machine and can then use it for his malicious activities.

2.3 Keylogger-Spyware Attack
Spyware is a broad category of software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the internet. Spyware can collect many different types of information about a user: it can record the types of websites a user visits, record what the user types in order to intercept passwords or credit card numbers, and be used to launch "pop up" advertisements. Many legitimate companies incorporate forms of spyware into their software for purposes of advertisement (adware). Examples of spyware are GAIN / Gator, E-Wallet, Cydoor, BonziBuddy, MySearch Toolbar, DownloadWare, BrowserAid and Dogpile Toolbar.

A keylogger spyware combines keylogger and spyware scripts in a single program. It captures all keystrokes pressed by a system user and stores them in a log file. The spyware emails this log file to the address specified by its designer. It is very harmful for systems that are used in daily transaction processes, i.e. online banking systems.

2.4 Honeypots
In computer terminology, a honeypot is a trap/technology set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. Honeypot logs can be collected using remote procedure calls. Two or more honeypots on a network form a honeynet.
Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.

A similar work is presented by Constantin Musca, Emma Mirica and Razvan Deaconescu in their article "Detecting and Analyzing Zero-day Attacks using Honeypots" [1]. The authors suggest methods for separating the unwanted traffic by using a honeypot system and using it to automatically generate attack signatures for the Snort intrusion detection/prevention system. The honeypot is implemented as a virtual machine, and its responsibility is to monitor and log as much information as it can about the attacks. Then, with the help of a protected machine, the logs are collected from the remote machine through an isolated connection for analysis. However, this architecture suffers from a lot of false positives; such an architecture can be used to detect other similar attacks effectively, but these are not specified in this paper.

In "Analysis and Visualization of SSH Attacks Using Honeypots" [2], the authors showed that honeypots remain very effective tools for gathering information about SSH attacks. Furthermore, they found that attackers were continually targeting servers in the wild using ready-to-use tools and dictionaries. Finally, they presented a visualization tool to help security researchers during the analysis of networks. This honeypot implementation was successfully tested against some known exploits but failed with random dictionary attacks.

Further experimentation with visualizing malicious programs using honeypots, an idea started by security professional J. Blasco, resulted in a visualization tool for the
Nepenthes honeypot [3]. Nepenthes can be seen as a malware honeypot: software that works with malware researchers in collecting and effectively storing vulnerable binaries of malicious software. The aforementioned visualization tool [4] uses the AfterGlow and Graphviz software libraries to create several directed graphs. These depict the relation between IP addresses, virus samples and geographical information.

3. PROPOSED SYSTEM
The proposed system architecture comprises the detection phase for the zero-day attack, the SSH attack and the keylogger-spyware attack. The technique behind the detection framework is the honeypot, which is deployed inside an isolated environment, i.e., a VM. To attract attackers, we have to build a trap. The honeypot (or eventually honeypots) has to be implemented in our network along with the other systems. We also place different workstations together in the single network to check interoperability. The whole network is monitored and protected by the intrusion detection/prevention system (SNORT). The honeypot is allowed to communicate through an encrypted channel with the protected machine, where our implementation of attack detection runs.

The general architecture of the proposed system is illustrated in Figure 1. It is a simple and efficient approach to detecting the mentioned attacks. The major components are an integrated honeypot system, a framework that generates signatures (the iAttack detection framework) and a filtering component. The filtering component is an intrusion detection/prevention system (such as Snort).
Snort's open source network-based intrusion detection system (NIDS) can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks [5]. Snort performs protocol analysis, content searching and content matching. These basic services have many purposes, including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use.

The integrated honeypot does not do any processing of the packets. It only captures information; the detection framework is built on another machine, which is a protected one. This machine collects the information or logs stored on the honeypot through a safe channel. The framework analyzes the logs and, on the basis of different methods, generates new signatures for the preinstalled filtering component. The filtering component is usually a software part of the architecture.

The working logic of the architecture is as follows. When new network traffic first flows through the filtering component, it is checked against the rules the component knows. If the traffic turns out to be malicious, the filtering component does not allow it to pass; if it does not match any rule, it flows through the network, including the honeypot system, which logs some information about it (the information related to the attacks mentioned here). Based on the log information it collects from the honeypot, the framework runs the rule-writing procedure and generates new signatures.

The integrated honeypot (iHoney) includes features to log detailed information about the unknown zero-day attack, the SSH attack and the keylogger-spyware attack. The integrated honeypot can be explained as follows.

Fig. 1: System Architecture
Fig. 2: Integrated Honeypot

3.1 iHoney against SSH Attack
Deploy an SSH honeypot (the Kippo SSH honeypot) using a Virtual Private Server (VPS). It can bind to Secure Shell's default TCP port 22 and log each connection attempt with the server. It also stores these attempts in a MySQL database along with useful information. It allows a list of credentials to be defined that give access to a fake operating system, giving the intruder the ability to interact with it. The program responds to these commands like a real operating system based on Debian Linux.

Steps to deploy a Kippo SSH Honeypot

Step 1: The Kippo SSH honeypot is a Python-based application. Therefore, we first need to install the Python libraries:
    $ sudo apt-get install python-twisted

Step 2: Normally we would run our sshd service listening on the default port 22. It makes sense to use this port for our SSH honeypot, so if we already run the SSH service we need to change the default port to some other number. I would suggest not using the alternative port 2222, as its use is already generally known and it could sabotage your disguise. Let's pick some random 4-digit number like 4632. Open the SSH configuration file /etc/ssh/sshd_config and change the Port directive from:
    Port 22
to
    Port 4632

Step 3: Restart sshd:
    $ sudo service ssh restart

Step 4: Furthermore, Kippo needs to run as a non-privileged user, so it is a good idea to create a separate user account and run Kippo under this account. Create a new user kippo:
    $ sudo adduser kippo

Step 5: First, log in as or change user to kippo and then download Kippo's source code:
    kippo@ubuntu:~$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz

Step 6: Extract it with:
    kippo@ubuntu:~$ tar xzf kippo-0.5.tar.gz
This will create a new directory called kippo-0.5.

Step 7: Navigate into Kippo's directory, where you will see:
    kippo@ubuntu:~/kippo-0.5$ ls
    data  dl  doc  fs.pickle  honeyfs  kippo  kippo.cfg  kippo.tac  log  start.sh  txtcmds  utils

The most notable directories and files here are:
• dl - the default directory where Kippo stores all malware and exploits downloaded by the hacker using the wget command
• honeyfs - this directory includes some files that will be presented to the attacker
• kippo.cfg - Kippo's configuration file
• log - the default directory for logging the attacker's interaction with the shell
• start.sh - a shell script to start Kippo
• utils - contains various Kippo utilities, the most notable of which is playlog.py, which allows us to replay the attacker's shell session

Kippo comes pre-configured with port 2222. This is mainly because Kippo needs to run as a non-privileged user, and a non-privileged user is not able to open any ports below 1024. To solve this problem we can use iptables with the "PREROUTING" and "REDIRECT" directives. This is not the best solution, as any user can open a port above 1024, thus creating an opportunity to exploit.

Step 8: Starting the Kippo SSH honeypot
If you followed the above instructions up to this point, by now you should have configured your SSH honeypot with the following settings:
• listening port 4633
• iptables port forward from 22 -> 4633
• hostname: accounting
• multiple root passwords
• fresh, up-to-date honeyfs clone of your existing system
• OS: Linux Mint 14 Julaya

Let's start the Kippo SSH honeypot now.
    $ pwd
    /home/kippo/kippo-0.5
    kippo@ubuntu:~/kippo-0.5$ ./start.sh
    Starting kippo in background...Generating RSA keypair...
    done.
    kippo@ubuntu:~/kippo-0.5$ cat kippo.pid
    2087

Kippo comes with multiple other options and settings. One of them is the utils/playlog.py utility, which replays the attacker's shell interactions stored in the log/tty/ directory [16]. In addition, Kippo allows log files to be stored in a MySQL database.

3.2 iHoney against Keylogger-Spyware Attack
Fig. 3: Honeypot Base Monitoring
This architecture is designed in such a way that it can be easily compromised and hackers will not be able to detect it. When target software enters the user's computer, it also has a door into the honeypot system. The honeypot system monitors the activity of this keylogger-spyware. It also creates a log file and sends it to the detection and prevention server, where the file is inspected for threats. Figure 3 shows the target software monitoring process performed by the honeypot system. The arrows show the entry of the keylogger spyware into the user's computer and the honeypot system. The detection and prevention system inspects the log file sent by the honeypot to find the malicious program. This keylogger spyware functions by periodically emailing the information to a specified email address [17].

3.3 iHoney against Unknown Zero-day Attack
Two types of honeypot can be used here, according to the level of interaction the attacker has with them: low-interaction honeypots and high-interaction honeypots [1]. A low-interaction honeypot can be network listener code that logs any connection without doing an actual task, and a high-interaction honeypot can be a server that runs real services.

3.3.1 Low interaction Honeypot
Listing 1: Honeyd.conf

Using the configuration file we can customize the honeypot as needed. Here the specific honeypot is developed for the Windows XP system, and the behavior of the honeypot is defined inside the configuration file. We can specify the
  • 7. Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14) 30 – 31, December 2014, Ernakulam, India 29 MAC address for the target device and also can mention the connection type (DHCP/not). We choose honeyd for the purpose of honeypot because it is simple and efficient to implement. The results of the traffic monitoring will be available in the /var/log/syslog file. The log file includes the details about the IP, TCP, ICMP, ARP protocol details. This will check for the ping sweep, flooding attack, ARP spoofing, MAC spoofing, Denial of Service attack, SYN flood attack, etc. 3.3.2 High Interaction Honeypot To implement the data collection on a honeypot built as a virtual machine, Metasploitable is using. [1] No logging capabilities for this solution. To avoid this problem, collect important logs & transfer them to protected machine for processing. Running log_fetcher.sh, log_achiever.sh remotely. log_achiever.sh: Identifies important logs: System Logs, Daemon Logs, Open port Stats, kernel logs, processes stats, installed packages. Shreds the logging file as we do not want to analyze the same info for more than once. SSH protocol is using to retrieve log details. To avoid repeated request for password the protocol Generates public key (sshkeygen) Copies to Metasploitable machine using ssh-copyid. The Protected Machine analyzes the state of Honeypot. It verifies with the previous values stored. Mainly looks for: New root processes: Tells us that an attacker tried to obtain admin privileges / attempt open back door in our s/m. Installed package/listening ports: To check whether a new TCP connection is established or not. Process analysis: collects metadata about PID, PPID, and CPU Utilization. Uses it to gain knowledge about attackers’ target. All logs from the daemons installed on Honeypots: Gains information if attacker tried for SMTP server. Kernel module insertion: Inserted kernel module acts as rootkit. 

The detailed working of the integrated honeypot is illustrated in Listing 2. With the help of this algorithm, signature generation and attack detection can be done very easily. The algorithm represents the iHoney process simply and efficiently and shows the entire process history. The integrated algorithm is also easy to understand.

Listing 2: Integrated iHoney Algorithm

4. CONCLUSION
A honeypot can be used as a system that lures attackers into the network, and it can be considered an effective tool for identifying most network-based threats. In the proposed framework we designed a keylogger-spyware, zero-day and SSH attack scenario showing how each enters the system, and then showed the scenario of honeypot-based monitoring. This framework is designed especially for these kinds of attacks. The logs generated by the honeypot system are analyzed by the protected machine, which is responsible for generating updated signatures for the IDS used in this architecture. The network can thus be monitored effectively, and updating the IDS avoids repeated checking of packets of the same nature. As future work, I suggest an automated system that can be placed instead of this iHoney and can identify all the malfunctions happening inside the network.

REFERENCES
[1] Constantin Musca, Emma Mirica, Razvan Deaconescu, "Detecting and Analyzing Zero-day Attacks using Honeypots", 2013 19th International Conference on Control Systems and Computer Science, ISBN: 978-0-7695-4980-4/13, DOI 10.1109/CSCS.2013.94.
[2] Ioannis Koniaris, Georgios Papadimitriou and Petros Nicopolitidis, "Analysis and Visualization of SSH Attacks Using Honeypots", EuroCon 2013, 1-4 July 2013, Zagreb, Croatia, ISBN: 978-1-4673-2232-4.
[3] P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, "The Nepenthes Platform: An Efficient Approach to Collect Malware", 2006.
[4] J. Blasco, "An approach to malware collection log visualization", 2008. "carniwwwhore." [Online]. Available: http://carnivore.it/2010/11/27/carniwwwhore.
[5] "Snort (software)", http://www.snort.org.
[6] "Honeyd development", http://www.honeyd.org/, [Online; accessed 12-10-2012].
[7] "Metasploitable2 - linux vulnerable machine", https://community.rapid7.com/docs/DOC-1875, [Online; accessed 11-01-2012].
[8] "Metasploitable2 - download link", http://sourceforge.net/projects/metasploitable/files/Metasploitable2/, [Online; accessed 11-01-2012].
[9] N. Provos and T. Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, 1st ed., 2007.
[10] C. Varlan, R. Rughinis, and O. Purdila, "A practical analysis of virtual honeypot mechanisms", The 9th RoEduNet Conference, Sibiu, Romania, 2010.
[11] "Honeyd tutorial", http://travisaltman.com/honeypot-honeyd-tutorialpart-1-getting-started/, [Online; accessed 12-10-2012].
[12] "Metasploitable2 - linux vulnerable machine", https://community.rapid7.com/docs/DOC-1875, [Online; accessed 11-01-2012].
[13] L. Spitzner, "Honeypots: Catching the Insider Threat", in Proceedings of the 19th Annual Computer Security Applications Conference, 2003.
[14] L. Spitzner, Honeypots: Tracking Hackers. Boston, MA: Addison Wesley, 2003.
[15] L. Spitzner, "Strategies and issues: Honeypots - sticking it to hackers", Network Magazine, 2003.
[16] "Deployment of Kippo SSH Honeypot on Ubuntu Linux", http://www.linuxcareer.com.
[17] Mohammad Wazid, Avita Katal, R.H. Goudar, D.P. Singh, Asit Tyagi, Robin Sharma, Priyanka Bhakuni, "A Framework for Detection and Prevention of Novel Keylogger Spyware Attacks", Proceedings of 7th International Conference on Intelligent Systems and Control, ISBN: 978-1-4673-4603-0/12, 2012.
[18] Prof. S.B. Javheri and Shwetambari Ramesh Patil, "Attacks Classification In Network", International Journal of Information Technology and Management Information Systems (IJITMIS), Volume 4, Issue 3, 2013, pp. 1 - 11, ISSN Print: 0976 – 6405, ISSN Online: 0976 – 6413.