J-Honeypot: Network Deception Tool


Abstract:
A honeypot is a non-production system designed to interact with cyber-attackers in order to collect intelligence on attack techniques and behaviors. A great amount of work has been done in the field of network intrusion detection over the past three decades. With networks getting faster and with the increasing dependence on the Internet at both the personal and commercial level, intrusion detection has become a challenging process. The challenge is not only to actively monitor large numbers of systems, but also to react quickly to different events. Before deploying a honeypot it is advisable to have a clear idea of what the honeypot should and should not do. There should be a clear understanding of the operating systems to be used and the services (such as a web server or FTP server) the honeypot will run. The risks involved should be taken into consideration, and methods to tackle or reduce these risks should be understood. It is also advisable to have a plan for what to do should the honeypot be compromised. In the case of production honeypots, a honeypot policy addressing security issues should be documented. Any legal issues with respect to the honeypots or their functioning should also be taken into consideration. In this paper we explain the relatively new concept of the honeypot, a computer specifically designed to help learn the motives, skills and techniques of the hacker community, and describe in depth the concepts of honeypots and their contribution to the field of network security. The paper then proposes and designs an intrusion detection tool based on some of the existing intrusion detection techniques and the concept of honeypots.

INTRODUCTION:
An intruder can be defined as somebody attempting to break into an existing computer. Such a person is popularly termed a hacker, blackhat or cracker. The number of computers connected to networks and the Internet increases every day; combined with the increase in networking speed, this has made intrusion detection a challenging process. System administrators nowadays have to deal with a larger number of systems connected to their networks, providing a variety of services. The challenge here is not only to actively monitor all the systems but also to react quickly to different events. Traditionally, intrusion detection involved a defensive approach in which the systems were either dedicated computers such as firewalls or host-based detection systems aimed at detecting or preventing attacks. These systems existed as part of the commercial, in-use networks and used techniques such as pattern matching or anomaly detection. Another type of security system is the system integrity checker, which is typically host based. The problem these systems face is that they run on computers which are in use on a daily basis. Such systems usually have to deal with a large number of connections and data transfers, which results in huge log files and makes it difficult to accurately differentiate between normal traffic and intrusion attempts. Many of these systems are also known to generate many false positives or, in some cases, false negatives. Moreover, these systems provide very little insight into the tools and methods employed by the blackhat community [1] and [3].
An outsider attack is an attack by a person who is not a member of the organization. Usually the intruder is a hacker whose intentions are to cause harm or mischief. We can classify this intruder into two types: one who has something to gain by the intrusion, and a curious person trying to probe the security of the system. The first type is popularly termed a cracker. Crackers attack web sites or database servers in an attempt to gain critical information such as credit card or social security information. Some try to deface government web sites or deny normal service and may be backed by a political motive. The second type is the hacker, who can be further broken down into two types: an extremely intelligent, computer-knowledgeable person, or a script kiddie. An intelligent hacker is one who studies protocols and algorithms and tries to detect vulnerabilities in them. There is nothing malicious about this type, although his curiosity and intent are often criticized by many security analysts as irresponsible behavior. The script kiddie is the intruder with limited skills who uses automated computer programs or exploit code downloaded from the Internet. Needless to say, the script kiddie is the most common type of intruder. The script kiddie is one of the reasons why security by means of obscurity will not work. If you think you are hidden from the world because you are not advertising any services, and that no one would be interested in you, then you are wrong. The primary aim of this intruder is to compromise as many systems as possible, aided by easy-to-use tools that scan a range of IP addresses looking for a vulnerable computer. So it is just a matter of time before any system on the Internet gets probed and, if found vulnerable, hacked into. Networks face an even bigger threat, since all the intruder has to do is compromise one insignificant system in the network and use it to attack the more important systems.
A honeypot is a program, machine, or system put on a network as bait for attackers. The idea is to deceive the attacker by making the honeypot seem like a legitimate system. Honeypots are typically virtual machines that emulate real machines by feigning running services and open ports, the services one might find on a typical machine on a network. These running services are meant to attract the attention of attackers so that they spend valuable time and resources trying to exploit the machine while the honeypot monitors and records them. The idea behind these systems is to provide systems or services that deceive the intruder. Such systems help in learning the methods that intruders use, and they can also be viewed as a decoy to distract hackers from the real systems and services.
Honeypots can be classified as deception systems. By definition, a honeypot is a security resource whose value lies in being probed, attacked or compromised. Honeypots can be used as tools to gather information which can be used to enforce and strengthen existing intrusion detection tools or network firewalls. Honeypots should not be viewed as a solution to network security; they should be seen as an aid to it. We look at the objectives behind the deployment of honeypots, their uses, and the security and legal issues involved. We also look at the setup of a network of honeypots and present some analysis based on the information gathered from it. We summarize by presenting a survey of existing honeypot technologies. In this thesis we look at the new concept of honeypots and their application in intrusion detection systems. As part of the thesis project a network of honeypots was designed and implemented. The honeypots were kept online for a period of time, and any network communication or events related to them were recorded and analyzed.

FEASIBILITY STUDY
OPERATIONAL FEASIBILITY
The proposed system was found to be feasible in all these different classifications of the study, and this led to the design of the system.
The important points to be studied before the design of the system are the software engineering principles such as:

Rigor and formality

Separation of concerns

Modularity

Abstraction

Anticipation of change

Generality

Incrementality

The above principles were carefully studied and implemented in the various phases of the project, which will be discussed in the following sections.
Separation of concerns: To dominate complexity, separate the issues so as to concentrate on one at a time. Divide and conquer supports parallelization of efforts and separation of responsibilities. Go through the phases one after the other (as in the waterfall model). We applied separation of concerns by separating activities with respect to parts. This resulted in two parts of the project, which made the task quite simple.
Rigor and formality: Software engineering is a creative design activity, but it must be practiced systematically. Rigor is a necessary complement to creativity that increases our confidence in our developments. Formality is rigor at the highest degree. Rigorous documentation of the development steps helped project management and the assessment of timeliness.
Abstraction: Identify the important aspects of a phenomenon and ignore its details. It is a special case of separation of concerns. The type of abstraction to apply depends on its purpose. For example, the complexity of the authentication process is hidden from the user.
Anticipation of change: The ability to support software evolution requires anticipating potential future changes. It is the basis for software evolvability. For example, further versions of the encryption algorithm can easily be implemented in the proposed system.
Generality: The principle of generality is closely related to the principle of anticipation of change. It is important in designing software that is free from unnatural restrictions and limitations. While solving a problem, try to discover whether it is an instance of a more general problem whose solution can be reused in other cases. Carefully balance generality against performance and cost; sometimes a general problem is easier to solve than a special case. Our system is generalized to all classes of biometric data sets, including face recognition, iris and hand geometry.
Incrementality: An incremental software development process simplifies verification. If you develop software by adding small increments of functionality, then for verification you only need to deal with the added portion. If any errors are detected they are already partly isolated, so they are much easier to correct. A carefully planned incremental development process can also ease the handling of changes in requirements. To do this, the planning must identify the use cases that are most likely to be changed and put them towards the end of the development process.
Modularity: A complex system may be divided into simpler pieces called modules. A system that is composed of modules is called modular. The concepts of cohesion and coupling are to be applied. When dealing with one module we can ignore the details of the other modules. There are two modules in this project, which handle the server and the client.

System Design:

The idea behind the entire package was to put together a set of tools that collectively work as an intrusion detection system and also as an early warning system. The honeypot module can be used to simulate many services. The services or servers simulated as part of this thesis were:

Apache web server
IIS web server
Three different kinds of FTP servers
A simple telnet server
A simple SSH (Secure Shell) server
A POP3 server

These services can be configured to run on any port, and the level of interaction can also be controlled. The module listens on the configured ports and carries out communication with the potential attacker. Since the system is not providing any real service on that particular port, any traffic received on that port can be termed suspect. The module then logs the information and alerts the administrator. The module also tries to gather information about the attacker's IP address by analyzing the traffic and sending queries back to that IP address. Since these are not actual servers they do not pose a security threat, and they can be turned off as required. More services can be added, and the level of interaction can be increased. Snort works in parallel to the honeypots by analyzing traffic and matching it against a rule database. The honeypots act as a triggering mechanism while Snort provides the intrusion detection functionality.
The package then sends the logged information via email alerts to the administrator. Both Snort and the honeypots log in text format as well as to a database. A web-based front-end is also available to view the logs and perform queries on them. The following screenshot shows the information that the honeypot module logs. In the first row of the logs we can see that an FTP session was established between the host and the attacker. The module logged the commands in the FTP session and a trace of the attacker's IP address.
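To make concrete how the honeypot module described above behaves (a decoy listening on a port with no real service, answering an FTP client with canned replies, treating every session as suspect, logging the commands and the peer address, and labelling the session with rule hits in the manner of the Snort rules run alongside), here is a minimal low-interaction FTP decoy. It is an added example written for this page and is not J-Honeypot's own code; the banner text, the canned replies, the JSON log format and the two alert rules are constructed assumptions for illustration.

```python
"""Minimal low-interaction FTP honeypot, modelled on the honeypot module the
paper describes. Added example, not J-Honeypot's code: banner, canned replies,
log format and alert rules are all constructed assumptions."""
import json
import socket
import threading
from datetime import datetime, timezone

# Banner the decoy presents (constructed; not a real product banner).
FTP_BANNER = "220 ftp.example.test FTP server ready"

# The decoy offers no real file access: each recognised verb gets a fixed
# reply, anything else is refused, and the whole exchange is recorded.
CANNED_REPLIES = {
    "USER": "331 Password required.",
    "PASS": "230 Login successful.",
    "SYST": "215 UNIX Type: L8",
    "PWD": '257 "/" is the current directory',
    "QUIT": "221 Goodbye.",
}
DEFAULT_REPLY = "502 Command not implemented."

# Constructed rule list standing in for the rule database Snort matches traffic
# against: a rule fires when its pattern occurs in the recorded session.
ALERT_RULES = [
    ("anonymous-login", "USER ANONYMOUS"),
    ("root-login-attempt", "USER ROOT"),
]


def reply_for(command_line):
    """Canned reply for one FTP command line; the verb is matched case-insensitively."""
    verb = command_line.strip().split(" ", 1)[0].upper()
    return CANNED_REPLIES.get(verb, DEFAULT_REPLY)


def match_rules(commands):
    """Names of the ALERT_RULES whose pattern appears in the recorded commands."""
    joined = "\n".join(c.upper() for c in commands)
    return [name for name, pattern in ALERT_RULES if pattern in joined]


def build_record(peer_ip, commands):
    """One JSON-serialisable log record per session. Nothing legitimate talks to
    a port with no real service, so every session is marked suspect; rule hits
    add a more specific label for the administrator's alert."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "service": "ftp",
        "peer": peer_ip,
        "suspect": True,
        "commands": list(commands),
        "alerts": match_rules(commands),
    }


def run_session(peer_ip, lines, send=None):
    """Drive one FTP control session over an iterable of command lines.
    `send`, if given, delivers each reply to the client; the replies are also
    collected so the exchange can be tested without a socket.
    Returns (replies, log_record)."""
    replies = []
    commands = []

    def emit(text):
        replies.append(text)
        if send is not None:
            send(text)

    emit(FTP_BANNER)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        commands.append(line)
        emit(reply_for(line))
        if line.split(" ", 1)[0].upper() == "QUIT":
            break
    return replies, build_record(peer_ip, commands)


def _serve_one(conn, peer_ip, log_path):
    """Handle one TCP connection, then append the session record to the log."""
    with conn, conn.makefile("r", encoding="latin-1", errors="replace") as rfile:
        _, record = run_session(
            peer_ip, rfile, send=lambda t: conn.sendall((t + "\r\n").encode()))
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")


def serve_forever(port=2121, bind="127.0.0.1", log_path="honeypot-ftp.jsonl"):
    """Listen on an otherwise unused port and record every connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen()
    while True:
        conn, (peer_ip, _) = srv.accept()
        threading.Thread(target=_serve_one, args=(conn, peer_ip, log_path),
                         daemon=True).start()


if __name__ == "__main__":
    serve_forever()
```

Running the module starts the decoy on an unused local port; `run_session` carries the whole protocol logic, so the same code that answers a real client can be driven from a list of command lines when checking what a given session would be logged as.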

Conclusion:
In this work, we explored the concept of honeypots in depth and saw how it might be useful to the field of network security. The concept of honeypots is an important addition to the security field. Honeypots offer an offensive approach to intrusion detection and prevention. Most importantly, they serve as a learning tool for system administrators. The work also involved studying issues concerning intrusion detection systems and the challenges that these systems face. The Internet has become indispensable at both the organizational and personal level, and so it will be the case with security systems. The use of honeypots and related technologies is on the rise. As awareness of and interest in honeypots increase, so will their use in organizations as a security tool. There is scope for the development of honeypot tools which facilitate the different aspects of honeypots, such as logging and tracing back to the source. System modules for sophisticated keystroke logging, better filtering tools and utilities to capture encrypted traffic are a few things that could be worked on. One can even consider an out-of-the-box honeypot distribution with a modified kernel to make it easy for system administrators to deploy honeypots.

Reference:
