intrusion detection through honey pots

Jammi Ashok et. al. / International Journal of Engineering Science and Technology Vol. 2(10), 2010, 5689-5696

INTRUSION DETECTION THROUGH HONEY POTS

Jammi Ashok (1), Y. Raju (2), S. Munisankaraiah (3)

1 Professor and Head, Department of Information Technology, Geethanjali College of Engg. & Technology, Hyderabad
2 Associate Professor, Department of Information Technology, Geethanjali College of Engg. & Technology, Hyderabad
3 Associate Professor, Department of Information Technology, Geethanjali College of Engg. & Technology, Hyderabad

ABSTRACT

A honey pot is a security resource whose value lies in being probed, attacked, or compromised. Unlike most security tools, honey pots are not limited to solving a single, specific problem; they are a flexible tool that can be applied to a variety of situations. The purpose of the honey pots described here is to protect the network from intruders by deceiving and trapping them, and to build an alert and detection system around them. The honey pots are located behind the firewall. They present virtual ports and an environment that act like real ones on the network. The intruder takes them for vulnerabilities in the system and carries out his activities, which are in fact being recorded and observed by the security administrators, who can then take the necessary actions depending on the threat posed by the intruder.

Keywords: Honey pot, firewall

1. Introduction

Intrusion detection is needed in today's environment because it is impossible to keep pace with the current and potential threats and vulnerabilities in IT systems [1]. If you have a system or network connected to the Internet, you become a target. Most attackers begin by port scanning the network to find open ports through which they can enter, and they use a variety of techniques to avoid being caught by the firewall and the other security systems; in such cases the firewall and the other security systems alone are not enough. Internet security is increasing in importance as more and more business is conducted online. Yet, despite decades of research and experience, we are still unable to build secure computer systems, and the exploitation of newly discovered vulnerabilities often catches us by surprise. Exploit automation and massive global scanning for vulnerabilities enable adversaries to compromise systems shortly after a vulnerability becomes known.

One way to get early warning of new vulnerabilities is to install and monitor computer systems on the network that we expect to be broken into. Every attempt to contact these systems via the network is suspect. We call such a system a honey pot. If a honey pot is compromised, we study the vulnerability that was used to compromise it. A honey pot may run any operating system and any number of services; the configured services determine the vectors an adversary may choose to compromise the system.

Due to the increasing level of malicious activity seen on today's Internet, organizations are beginning to deploy mechanisms for detecting and responding to new attacks or suspicious activity, called Intrusion Prevention Systems (IPS). Since current IPSs use rule-based intrusion detection systems (IDS) such as Snort to detect attacks, they are limited to protecting, for the most part, against already known attacks. As a result, new detection mechanisms are being developed for use in more powerful reactive-defense systems. Honey pots are any security resource whose value lies in being probed, attacked, or compromised. They can be real operating systems or virtual environments mimicking production systems. Honey pots are often the best computer security defense tool for the job: they can be used as an adjunct tool, both to log attacks and to help prevent them. This paper presents the implementation of a medium-interaction honey pot, one that sits between the low- and high-interaction kinds described in Section 2. The value of honey pots and the problems they help solve depend on how you build, deploy, and use them.

2. Honey pot

A honey pot is a closely monitored computing resource that we intend to be probed, attacked, or compromised. The value of a honey pot is determined by the information that we can obtain from it. Monitoring the data that enters and leaves a honey pot lets us gather information that is not available to a network intrusion detection system (NIDS). Because a honey pot has no production value, any attempt to contact it is suspicious [2]. Honey pots can run any operating system and any number of services. The configured services determine the vectors available to an adversary for compromising or probing the system.

A high-interaction honey pot simulates all aspects of an operating system; a low-interaction honey pot simulates only some parts, for example the network stack. A high-interaction honey pot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks. In contrast, low-interaction honey pots simulate only services that cannot be exploited to get complete access to the honey pot. Low-interaction honey pots are more limited, but they are useful for gathering information at a higher level, e.g. learning about network probes or worm activity. They can also be used to analyze spammers or for active countermeasures against worms.

Honey pots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Using honey pots is a cost-effective way to improve the security posture of an organization. Even though a honey pot is not a panacea for security breaches, it is a useful tool for network forensics and intrusion detection. Nowadays, honey pots are also extensively used by the research community to study issues in network security such as Internet worms, spam control and denial-of-service (DoS) attacks. Honey pots are not "install and forget" systems: they must be monitored, and there are several steps you can take to minimize the legal risks of running one.

The system of honey pots is located behind the firewall. These are virtual ports and environments acting as real ones in the network [3]. As the intruder takes them for vulnerabilities in the system, he carries out his activities, which are in fact being recorded and observed by the security administrators. The necessary actions can then be taken depending on the threat posed by the intruder.
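To make the low-interaction idea concrete, here is an added Python example; it is not the paper's implementation. A decoy service listens on a TCP port, answers every connection with a fake banner, records the source address and the first bytes the visitor sends, and then closes the connection, so there is nothing behind the banner that could be exploited for access. Because the decoy has no production value, every recorded contact is suspicious. The SMTP-style banner text, the port choice and the constructed intruder in demo() are assumptions for illustration.

```python
"""Minimal low-interaction decoy service (added example, not the paper's code)."""
import socket
import threading
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed fake banner: looks like a mail server, but nothing listens behind it.
FAKE_BANNER = b"220 mail.example.net ESMTP ready\r\n"


@dataclass
class Contact:
    """One connection to the decoy. The decoy has no production value,
    so every Contact is suspicious by definition."""
    when: str
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: bytes


class DecoyService:
    """Listens on a TCP port, answers with a fake banner, logs the contact.

    Low-interaction: the socket is closed after the first read, so the
    intruder never reaches anything that could give him a shell."""

    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER):
        self.banner = banner
        self.contacts = []              # in-memory attack log
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0: let the OS pick a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]

    def handle_one(self, timeout=2.0):
        """Accept a single connection and record it; None if nobody came."""
        self._sock.settimeout(timeout)
        try:
            conn, (src_ip, src_port) = self._sock.accept()
        except socket.timeout:
            return None
        with conn:
            conn.settimeout(timeout)
            conn.sendall(self.banner)
            try:
                data = conn.recv(256)    # keep only the first probe bytes
            except socket.timeout:
                data = b""
        rec = Contact(datetime.now(timezone.utc).isoformat(),
                      src_ip, src_port, self.port, data)
        with self._lock:
            self.contacts.append(rec)
        return rec

    def close(self):
        self._sock.close()


def demo():
    """Run the decoy once against a constructed intruder on localhost.

    Returns the banner the intruder saw and the decoy's attack log."""
    decoy = DecoyService()
    worker = threading.Thread(target=decoy.handle_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", decoy.port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(b"EHLO scanner\r\n")    # constructed probe from the "intruder"
    worker.join()
    decoy.close()
    return banner, decoy.contacts


if __name__ == "__main__":
    seen, log = demo()
    print("intruder saw:", seen)
    for entry in log:
        print("logged:", entry)
```

A real deployment would bind several such decoys on the ports the administrator wants to advertise and write the Contact records to the database rather than keeping them in memory; the point shown here is that the decoy gives the visitor something plausible to talk to without ever offering a code path that leads to the host.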

Fig 1. Architecture

The architecture of our honey pot consists of a packet capture component, a database for maintaining the logs, and a GUI for configuring the firewall, configuring the daemons and viewing the logs.

3. Implementation

Step 1: The admin logs into the honey pot/network through the GUI.


Step 2: Configuration of daemons. The admin configures the daemons to open ports. The hacker takes these open ports for vulnerabilities and is lured to them.

When the intruder port scans our network, he finds these ports open and tries to connect to them.

Step 3: The admin configures the firewall to let the intruder through by allowing his IP address. The admin then adds the IP address to the Blacklist log, and the incoming packets from that IP address are monitored.


Step 4: If the intruder is found to be carrying out malicious activity, that IP address is blocked by configuring the firewall to deny incoming packets from and outgoing packets to that address. The currently blacklisted IP addresses can be viewed, since the logs are maintained in the database.
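The four steps above, pulled together as an added Python example; this is not the paper's tool, whose GUI and database schema are not described. Contacts reported by the decoy daemons are written to an attack log in SQLite (Step 3), a source that touches five or more decoy ports within a minute is treated as port scanning and added to the blacklist, and the firewall commands that deny traffic in both directions (Step 4) are generated as iptables rules. Clearing the attack log while keeping the blacklist, as the tool does later in this section, is included. The thresholds, the table layout, the choice of iptables and the sample events (which use RFC 5737 documentation addresses) are all assumptions.

```python
"""Attack log, blacklist and firewall rules for the honey pot (added example)."""
import sqlite3

# Assumed detection threshold: this many distinct decoy ports ...
SCAN_PORTS = 5
# ... contacted within this many seconds is treated as a port scan.
SCAN_WINDOW = 60

# Constructed events, as a decoy daemon or the packet capture would report them:
# (unix timestamp, source IP, decoy port contacted, note).
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", 22, "connect"),
    (1001, "203.0.113.7", 23, "connect"),
    (1002, "203.0.113.7", 80, "connect"),
    (1003, "203.0.113.7", 445, "connect"),
    (1004, "203.0.113.7", 3306, "connect"),
    (1010, "198.51.100.3", 80, "connect"),
    (1090, "198.51.100.3", 80, "GET /admin HTTP/1.0"),
]


def open_log():
    """Create the log database (in memory here; a file in a real deployment)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE attacks (ts INTEGER, src_ip TEXT, dst_port INTEGER, note TEXT);
        CREATE TABLE blacklist (src_ip TEXT PRIMARY KEY, ts INTEGER, reason TEXT);
    """)
    return conn


def record(conn, ts, src_ip, dst_port, note):
    """Step 3: every contact from a visitor is logged."""
    conn.execute("INSERT INTO attacks VALUES (?, ?, ?, ?)",
                 (ts, src_ip, dst_port, note))


def distinct_ports(conn, src_ip, now):
    """Number of decoy ports this source touched inside the detection window."""
    (n,) = conn.execute(
        "SELECT COUNT(DISTINCT dst_port) FROM attacks WHERE src_ip = ? AND ts > ?",
        (src_ip, now - SCAN_WINDOW)).fetchone()
    return n


def is_blacklisted(conn, src_ip):
    return conn.execute("SELECT 1 FROM blacklist WHERE src_ip = ?",
                        (src_ip,)).fetchone() is not None


def firewall_rules(src_ip):
    """Step 4: deny incoming packets from and outgoing packets to the address.
    Host-based iptables is assumed; the paper does not name its firewall."""
    return [f"iptables -I INPUT -s {src_ip} -j DROP",
            f"iptables -I OUTPUT -d {src_ip} -j DROP"]


def process(events, conn=None):
    """Feed events through log -> detection -> blacklist -> firewall rules.
    Returns the database and the firewall commands that should be run."""
    if conn is None:
        conn = open_log()
    rules = []
    for ts, src_ip, dst_port, note in events:
        record(conn, ts, src_ip, dst_port, note)
        if is_blacklisted(conn, src_ip):
            continue                      # already blocked; keep logging only
        n = distinct_ports(conn, src_ip, ts)
        if n >= SCAN_PORTS:
            reason = f"port scan: {n} decoy ports within {SCAN_WINDOW}s"
            conn.execute("INSERT OR IGNORE INTO blacklist VALUES (?, ?, ?)",
                         (src_ip, ts, reason))
            rules.extend(firewall_rules(src_ip))
    conn.commit()
    return conn, rules


def blacklisted(conn):
    """The 'Blacklist log' view: address -> reason it was blacklisted."""
    return {ip: reason for ip, reason in
            conn.execute("SELECT src_ip, reason FROM blacklist")}


def attack_count(conn):
    (n,) = conn.execute("SELECT COUNT(*) FROM attacks").fetchone()
    return n


def clear_attack_log(conn):
    """Clear the attack log to save disk space; blacklist entries are kept
    so that existing blocks survive the purge."""
    conn.execute("DELETE FROM attacks")
    conn.commit()
    return attack_count(conn)


if __name__ == "__main__":
    db, cmds = process(SAMPLE_EVENTS)
    print("blacklisted:", blacklisted(db))
    print("\n".join(cmds))
```

In the sample data the first source hits five different decoy ports within four seconds and is blacklisted on the fifth contact, while the second source only ever talks to port 80 and stays on the watch list; its contacts are still logged, which is what Step 3 calls for. The generated iptables lines are returned rather than executed so an operator can review them before applying them.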

The firewall's blacklisted entries can also be seen.

The daemon status and error logs can also be viewed. This log contains information about the daemons that are currently running, as well as the daemons that could not be started and those that were stopped earlier.


The traffic that the firewall is to allow can be configured with this tool.

The tool also contains help on the commands that can be used; the help page is shown next.

Similarly, the firewall can be configured through this tool to drop IP packets.


The firewall blacklist entries can also be viewed. These show which IP addresses are already blacklisted and which still need to be blocked.

The honey pot daemon can be started, stopped, configured and restarted. The next screen shows the daemon being stopped.

The attack log can be cleared from time to time. This saves disk space and makes the subsequent logs faster to view.


4. Conclusion

One important reason that the security community has been cautious regarding honey pots is that there has never been an agreed-upon definition of honey pots. Often when people or organizations discussed honey pots, they had different definitions or understandings of what honey pots do and how they operate. Some consider them a device to lure and deceive attackers, while others argue they are technologies designed to detect attacks. There was no cohesive definition of honey pots or appreciation of their value. It is difficult for organizations to adopt a technology when they do not even understand what it is. Misunderstandings about honey pots have resulted in a vicious cycle: few organizations trust or understand the technology, so few deploy them, and since few deploy them, there is little experience or trust concerning the technology. As of 2002, this cycle is beginning to break. More and more organizations are recognizing the value of honey pots, which is resulting in more widespread use of honey pots within organizations. With this widespread use, honey pots have a growing and exciting future ahead of them.

5. References

[1] Lance Spitzner, Honeypots: Tracking Hackers, Pearson Education, 2007.
[2] The Honeynet Project, Know Your Enemy papers, www.honeynet.org, 2008.
[3] Google search, www.google.com
[4] www.blackhat.com/presentations
[5] www.honeypots.net
[6] www.amazon.com

6. Biography

Prof. J. Ashok is currently working as Professor and Head of Information Technology at Geethanjali College of Engg. & Technology, Hyderabad, A.P, INDIA. He received his B.E. degree in Electronics and Communication Engineering from Osmania University and his M.E. with specialization in Computer Technology from SRTMU, Nanded, INDIA. His main research interests include neural networks, Bioinformatics and Artificial Intelligence. He has been involved in the organization of a number of conferences and workshops and has published more than 30 papers in international journals and conferences. He is currently doing his Ph.D. at Anna University and is about to submit his thesis.

Mr. Y. Raju is currently working as Associate Professor in the Department of IT at Geethanjali College of Engg. & Technology, Hyderabad, A.P, INDIA. He received his M.Tech. (CSE) from JNTU, Hyderabad, INDIA. His main research interests include Information Security, data mining and data warehousing, and Bioinformatics.

Mr. S. Munisankaraiah is working as Associate Professor at Geethanjali College of Engineering and Technology, Hyderabad, A.P, INDIA. He received his B.E. in Computer Science and Engineering from Kakatiya University and his Master of Technology in Computer Science and Engineering from Jawaharlal Nehru Technological University. His main research interests include Data Mining and Information Retrieval.
