Academic year: 2023

Membagikan "View of A REVIEW ON NETWORK SECURITY TOOL HONEYPOT"

Copied!
6
0
0

Teks penuh

(1)

A REVIEW ON NETWORK SECURITY TOOL HONEYPOT

Dinesh Kumar Gupta
Research Scholar, Dr. APJ Abdul Kalam University, Dewas Road, Indore, MP 452016, India

Dr. Deepika Pathak
Professor, Dr. APJ Abdul Kalam University, Dewas Road, Indore, MP 452016, India

Abstract- Network security tools are generally used to detect an attacker's activity and analyse the attacker's behaviour; collecting data about attackers is one of the main tasks of network security. Honeypots are used in network security to collect useful data about attackers: a honeypot is a relatively new technology for collecting an attacker's data, for the security of the network, at the time of the attack.

This helps network administrators build more secure systems and stay aware of current attacks. If a honeypot system is made interesting enough for hackers to attack, they will try to gain access by exploiting the security faults on that system.

Honeypots observe the attacks. They are placed in the network in order to learn the activities of attackers, and they alert network administrators to a possible attack.

The attack methods observed can be used to improve the security of the network. The honeypot technique was developed to learn about the attacker's procedure of attack: the honeypot obtains useful information about the attacker by observing the attacker's activity.

Keywords: Honeypot, Honeynet, IDS, Network Security.

1. INTRODUCTION

Network security has become increasingly important to individual users and organizations. With the advent of the Internet, security became a major concern: the structure of the Internet itself allows many security threats to occur. The area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of service (DoS). Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users are assigned an ID and password or other authenticating information that allows them access to the information and programs within their organization.

A honeypot is a computer security mechanism on the Internet that is expressly set up to attract and trap attackers who attempt to penetrate other users' computer systems in the network [1].

Attacks on websites and databases are increasing rapidly day by day, and the attacks that are increasing most affect small and medium-sized organizations. So there must be some system to detect attacks on these databases. When honeypots are used for this purpose, special care must be taken: after the honeypot is deployed, the system must look like a realistic system and it must be able to generate logs for all suspicious entries. On this basis, an architecture has been proposed that detects attacks and logs every entry made in the database, from which any suspicious entry made with a wrong purpose can be found [2].

Hardware-based honeypots are expensive and difficult to install for small and medium-sized organizations; software-based honeypots are more suitable for them.

According to Lance Spitzner, founder of the honeypot technology, "A honeypot is an information system resource whose value lies in unauthorized or illicit use of those resources." A honeypot is a security resource whose value lies in being probed, attacked and compromised [3].

A honeypot detects the behaviour of the attacker, observes and records the attacker's activities, creates a log of malicious entries, and makes it possible to examine the purpose, tools and methods used by the attacker so that further security actions can be taken [2].

2. HONEYPOT

A honeypot is a computer system that is expressly set up to attract and trap hackers who attempt to penetrate our systems in the network. The honeypot contains some fake but interesting data, or sometimes it behaves like a real system that the attacker is meant to attack; it is used as a decoy. The intruder is expected to find the honeypot and try to break into it. The purpose of a honeypot is to record the activities, learn from the attacks, and use that information to improve security. A network administrator thereby obtains information about the current threats on his network. The honeypot can be used to examine vulnerabilities of the network system, and it can be used to observe the activities of an intruder who accesses the honeypot. Honeypots are a unique tool for learning about the strategies of hackers [1].

It is necessary to give high priority to system security, minimize vulnerabilities and secure the computer network against intrusion. Today's standard of security is a specifically configured firewall in combination with an intrusion detection system (IDS).

But an IDS alone is not sufficient: we also need to find out how an attacker actually attacks. So we deliberately provide a security hole in a system and place unimportant data in it. An attacker will attack that system, and we record every activity performed by the attacker. This helps us protect the real data from such attackers; this technology is known as a honeypot [4].

2.1. Honeynet

A honeynet is a network that contains two or more honeypots. It is a network of honeypots that is designed to capture extensive information on threats, and it provides real systems, applications and services for attackers to interact with [4].

2.2. Honey Tokens

Honeytokens are small-scale honeypots. They are digital entities, such as items of data, that are used to detect attacks on that data. They can be fake data sets that cannot exist in the real world, or at least not within a specific organization. They are used to track malicious outsiders and insiders engaging in unauthorized activity. A honeytoken may be a URL, an Excel sheet, or a fake record in the organization's database.

Thus, a number of companies use honeytokens such as fake email addresses, user accounts, database records and sometimes fake executable programs. Fake email accounts are used as an early warning for spammers: the fake address is never used, so it has no valid reason to receive any mail. Receiving unsolicited email at this specific address indicates that someone has accessed the company's internal email list. Another approach is to insert fake data, unlikely to exist in the real world, into a real database [6].

For example, a company can insert the names of celebrities who have no direct connection to the organization. Any unauthorized interaction with these fake names confirms malicious activity involving the information accessed from the organization's database.
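The database-record honeytoken described above, as an added example that is not part of the original paper: decoy customer rows are seeded beside real ones in a SQLite table, and a detector scans a database audit log for any query result that returned a decoy row. The audit log format, the decoy names, the table layout and the sample log lines are all constructed for the example.

```python
"""Honeytoken monitor: decoy customer rows plus a detector over the database audit log.

Added example, not from the paper. Assumes a database audit log with one line
per row returned to a client, in the constructed format
    <timestamp> user=<db user> src=<client ip> table=<table> row_id=<id>
Decoy rows are seeded beside real rows; no legitimate workflow ever reads
them, so any audit line that returns a decoy row is an alert.
"""
import re
import sqlite3
from collections import defaultdict

# Constructed decoy records: well-known names with no connection to the organization.
DECOY_CUSTOMERS = [
    (90001, "Ada Lovelace", "ada.lovelace@example.net"),
    (90002, "Alan Turing", "alan.turing@example.net"),
]

AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"table=(?P<table>\S+) row_id=(?P<row_id>\d+)$"
)


def build_db():
    """In-memory customers table with real rows and decoy rows side by side."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, decoy INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, 0)",
                     [(1, "Real Customer One", "one@example.com"),
                      (2, "Real Customer Two", "two@example.com")])
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, 1)", DECOY_CUSTOMERS)
    return conn


def decoy_ids(conn):
    """The set of row ids that must never appear in a legitimate query result."""
    return {row[0] for row in conn.execute("SELECT id FROM customers WHERE decoy = 1")}


def detect(audit_lines, decoys, table="customers"):
    """Return {(user, src): [decoy ids read]} for every principal that touched a decoy."""
    hits = defaultdict(set)
    for line in audit_lines:
        m = AUDIT_LINE.match(line.strip())
        if m is None or m["table"] != table:
            continue
        row_id = int(m["row_id"])
        if row_id in decoys:
            hits[(m["user"], m["src"])].add(row_id)
    return {principal: sorted(ids) for principal, ids in hits.items()}


# Constructed audit log: a normal application read, a report on another table
# whose row id happens to collide, and a late-night full dump by a user account.
SAMPLE_AUDIT = [
    "2023-05-01T10:00:01Z user=app src=10.0.0.5 table=customers row_id=1",
    "2023-05-01T10:00:02Z user=app src=10.0.0.5 table=customers row_id=2",
    "2023-05-01T10:03:00Z user=report src=10.0.0.7 table=orders row_id=90001",
    "2023-05-01T23:15:42Z user=jdoe src=10.0.3.44 table=customers row_id=1",
    "2023-05-01T23:15:42Z user=jdoe src=10.0.3.44 table=customers row_id=2",
    "2023-05-01T23:15:43Z user=jdoe src=10.0.3.44 table=customers row_id=90001",
    "2023-05-01T23:15:43Z user=jdoe src=10.0.3.44 table=customers row_id=90002",
]


def run_sample():
    """Run the detector over the constructed log; returns the alert dictionary."""
    conn = build_db()
    try:
        return detect(SAMPLE_AUDIT, decoy_ids(conn))
    finally:
        conn.close()


if __name__ == "__main__":
    for (user, src), ids in run_sample().items():
        print(f"ALERT decoy rows {ids} read by {user} from {src}")
```

Two practical points follow from the design. The decoy ids sit outside the range a normal query would touch, so the application account never trips the detector during ordinary use; if the application account does read a decoy row, that is itself a strong sign that someone is pulling the whole table through the application (for example by SQL injection) rather than through a direct database login. And the detector keys on the row actually returned, not on the query text, so it works whatever tooling the attacker used to issue the query.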

3. TYPES OF HONEYPOTS

Honeypots can be categorized using the following factors:

3.1. According to Purpose of Honeypot

(1) Production Honeypot

It is used within an organization and helps to reduce risk. The honeypot records the indications of attacks, and the system can provide statistics of the attacks that happened weekly or monthly. Generally an employee is assigned a network account with several user rights, so attacks performed by employees are even more critical. In many cases, networks are closed to the outside but open on the inside; therefore an internal person with legitimate access to the network can mount an attack that is otherwise unidentifiable.

Activity on a honeypot can be used to prove that a person has malicious intentions. For example, a network folder with faked sensitive documents can be prepared: an employee with no bad intentions would not copy the files, but if the files are retrieved this is treated as an attack. Another benefit is that a honeypot detects attacks that are not caught by other security systems [1].

Production honeypots are simply aimed at protecting the network. They are easy to build and deploy, as they require very little functionality. They protect the system by detecting attacks and alerting administrators. Generally, they are used within an organization to protect the network [2].


(2) Research Honeypot

It is used to increase knowledge about the hacker community. A research honeypot is used to learn about the policies and techniques of attackers; it acts as an observation post to see how an attacker works when compromising a system. In this case, the intruder is allowed to stay and disclose his secrets, and the honeypot operator gains knowledge about hacking tools and schemes. When a system has been compromised, administrators usually find the tools used by the attacker but have no information about how they were used; a honeypot gives a real, live view of how the attack happened. Research honeypots are complex to both deploy and maintain, but they capture a wide range of data.

They can be very time consuming. They are better for learning about attackers, but they contribute very little to the direct security of an organization. Generally, they are used by large organizations such as universities, governments, the military and industries that are interested in learning more about attacks for research [1].

Basically, research honeypots are used for learning about new attack methods and tools. They are used to gather information on the general attacks an organization may face, and so they give the organization better protection against those attacks. Their main goal is to increase information about the way attackers progress and the methods they use. They provide a strong platform for studying cyber-attacks and developing forensic skills [2].

3.2. According to Level of Interaction with the Attacker

(1) Low Interaction Honeypot

It is the easiest to implement in a network. It emulates basic services such as Telnet and FTP; it can be easily installed on a system and configured to emulate any of the services such as Telnet, FTP and messaging. A low interaction honeypot is easy to deploy and maintain. To prevent the host system from being fully compromised by hackers, the administrator needs to carefully monitor the host's alert mechanisms, which notify the administrator about an attack. It has the lowest level of risk. It is only good at capturing known attack patterns and is of little use for discovering unknown attack patterns; its main objective is to detect events such as unauthorized login attempts [1].

Example: Honeyd

These honeypots have a limited range of interaction with the external system. An emulated FTP service is an example of this type of honeypot: there is no real operating system for attackers to interact with, but the honeypot attracts or detects attackers by using software that mimics the features of a particular operating system and its network services on top of a host operating system. Its main advantage is that it is very easy to deploy and maintain and does not involve any difficult architecture. It cannot discover new vulnerabilities or new attack patterns, but it is a safe and easy way to gather information about frequently occurring attacks and their sources [2].

(2) High Interaction Honeypot

Generally, these are used to gather information about the attacker for analysis. These honeypots are time-consuming to design, manage and maintain. The purpose of this honeypot is to give the attacker access to a real operating system where nothing is restricted. They offer a full operating system, so the risk is very high: an intruder could easily use the compromised platform to attack other devices in the network or cause bandwidth losses by generating large amounts of traffic [1].

Examples: Honeynet, Honeywall

This honeypot has a very high level of interaction with the intruding system. It gives a more realistic experience to the attacker and gathers more information about planned attacks, but it carries a very high risk that the whole honeypot is taken over. They are the most complex and time consuming to design and manage. They are most useful where we want to capture the details of vulnerabilities that are not yet known to the outside world [2].

(3) Medium Interaction Honeypot

It is a little more advanced than a low interaction honeypot but a little less advanced than a high interaction honeypot. They do not have a real operating system, but the bogus services provided are technically more sophisticated. They are installed as an application on the host operating system and only the emulated services are exposed to the public. But the emulated services on medium interaction honeypots are more powerful, so the chance of failure is higher, which makes the use of this honeypot more risky.

Examples: Nepenthes, Honeytrap

It gives the attacker a better impression of the operating system so that more complex attacks can be logged and analyzed [2].

3.3. According to Level of Adaptability

(1) Static Honeypots

A static honeypot always maintains the same configuration and shows the same appearance to attackers all the time, regardless of any changes occurring within the network. These honeypots are manually configured by system administrators, and the configuration remains static throughout the deployment period until the administrator provides a new one. A static honeypot's behaviour and IP address are fixed.

It is easier to deploy a static honeypot since its behaviour and configuration do not need to be maintained or updated [6].

(2) Dynamic Honeypots

A dynamic honeypot has the capability to manage and adapt itself: it can change its appearance automatically based on the attack directed at it or on the current network setting around it. The network administrator does not need to monitor or manually reconfigure this honeypot at regular intervals, so little effort is needed to run it. Its most desirable feature is that it actively adapts to its current network environment [6].

4. DESIGNING OF HONEYPOT

The general design of a honeypot architecture is shown in the following figure.

Fig. 1. Design of Honeypots with IDS

The entire network is first protected by a firewall and then by a router, and the data layers are separated from the organization's internal network, from outside customers, and from the operations network. The organization's network is then protected by a honeynet, which is a network of honeypots. For extra security and detection, an IDS is implemented in the system. A monitoring and control system manages the logs created by the honeynet and also monitors all incoming entries into the network [2].

5. WORKING OF HONEYPOT

A honeypot is a system for collecting information about attackers. Generally, honeypots are located behind the firewall. A honeypot mainly simulates a variety of services and holes to induce a variety of attacks. When an intruder tries to enter the system with a fake identity, the administrator is notified, and whenever someone tries to enter the system a log entry is generated. Even if the intruder succeeds in entering the system and capturing data from the database, the honeypot fools him by providing fake data, and the intruder is not aware that the information is fake. In this way the real system is protected and the intruder is deceived, while at the same time logs are created, so that all data about the attacker is recorded, such as the source IP, attack type, attack pattern and available footprints, together with the attack method, for indication and further action [2].

6. ADVANTAGES OF HONEYPOTS

Honeypots have several distinct advantages over the most commonly used security mechanisms [1] [5].

1. Small Data Sets: Honeypots only pay attention to the traffic that comes to them.

They are not concerned with an overload of network traffic or with determining whether packets are valid or not. Therefore they collect only a small amount of information, so there are no huge data logs or thousands of alerts a day. The data set may be small, but the information is of very high value.

2. Minimum Resources: Since they only capture bad activity, they require minimal resources. A retired or low-end system may be used as a honeypot.

3. Simplicity: They are very simple and flexible. There are no complicated algorithms to develop and no state tables to update and maintain.

4. Discovery of New Tools and Procedures: Honeypots capture anything that is thrown at them, which can include tools and procedures not seen previously [7].

5. Reduced False Positives: Honeypots help in reducing false positives. Any activity on the honeypot is considered suspicious, which makes them efficient at detecting attacks.

6. Catching False Negatives: With the help of honeypots, catching false negatives is easy because every connection made to a honeypot is considered unauthorized.

Traditional attack detection tools such as signature-based detection tools fail to detect new attacks: they detect only those attacks whose signatures are already in their database. With the honeypot approach there is no need for a predefined signature database.

7. Encryption: Honeypots can capture malicious activity even if it arrives in encrypted form, because the honeypot is the endpoint of the encrypted session: the activity is decrypted on the honeypot itself, where it can be recorded.

8. Working with IPv6: Honeypots work in any IP environment, including IPv6, the successor to IPv4. At the time the cited work was written, many security technologies such as firewalls and IDS did not fully support IPv6.

9. Flexibility: Honeypots are readily adaptable to a variety of environments.

10. Return on Investment: Some organizations think that deploying a firewall makes them secure, but this is a mistaken view: once a hacker has analysed the organization's firewall, encryption or host-based tools, he will attack with different techniques and tools. Whenever an organization is attacked by unauthorized activity, the honeypots can capture the attack. So investing in honeypots is worthwhile for organizations [7].
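Items 1, 5 and 6 above all rest on one property: a honeypot has no legitimate clients, so any flow to its address is worth an alert. The following added example (not from the paper) turns that property into a triage routine over firewall or flow logs. The honeypot addresses, the allowlisted monitoring host, the log format and the sample lines are all assumptions constructed for the example.

```python
"""Flow-log triage for decoy hosts: any connection to a honeypot address is an alert.

Added example, not from the paper. The honeypot and monitoring addresses are
assumptions, and the log format is a constructed one:
    <timestamp> <src ip>:<src port> -> <dst ip>:<dst port> <proto>
Normal traffic is ignored entirely, which is the "small data set" property.
"""
import ipaddress
import re
from collections import defaultdict

HONEYPOTS = {ipaddress.ip_address("10.0.9.10"), ipaddress.ip_address("10.0.9.11")}  # assumed decoys
MONITOR_HOSTS = {ipaddress.ip_address("10.0.1.2")}  # assumed: the operator's own health checker

FLOW = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def triage(lines, honeypots=HONEYPOTS, allow=MONITOR_HOSTS, scan_threshold=3):
    """Group honeypot contacts by source and label each source 'probe' or 'scan'."""
    touches = defaultdict(set)
    for line in lines:
        m = FLOW.match(line.strip())
        if m is None:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst not in honeypots:
            continue                      # production traffic: not our concern
        if src in allow:
            continue                      # our own monitoring; see the note below
        touches[src].add((str(dst), int(m["dport"])))
    alerts = []
    for src in sorted(touches, key=str):
        targets = touches[src]
        ports = {port for _, port in targets}
        hosts = {host for host, _ in targets}
        # Several ports or several decoys from one source looks like reconnaissance;
        # a single port on a single decoy is a targeted probe (often an insider).
        kind = "scan" if len(ports) >= scan_threshold or len(hosts) > 1 else "probe"
        alerts.append({"src": str(src), "kind": kind, "targets": sorted(targets)})
    return alerts


SAMPLE_FLOWS = [  # constructed sample log
    "2023-05-01T09:00:00Z 10.0.0.5:51000 -> 10.0.2.20:443 tcp",
    "2023-05-01T09:00:01Z 10.0.0.6:51001 -> 10.0.2.20:443 tcp",
    "2023-05-01T09:00:05Z 10.0.1.2:40000 -> 10.0.9.10:22 tcp",
    "2023-05-01T09:10:00Z 198.51.100.7:44001 -> 10.0.9.10:21 tcp",
    "2023-05-01T09:10:00Z 198.51.100.7:44002 -> 10.0.9.10:22 tcp",
    "2023-05-01T09:10:01Z 198.51.100.7:44003 -> 10.0.9.10:23 tcp",
    "2023-05-01T09:10:01Z 198.51.100.7:44004 -> 10.0.9.10:80 tcp",
    "2023-05-01T09:10:01Z 198.51.100.7:44005 -> 10.0.2.20:80 tcp",
    "2023-05-01T22:41:13Z 10.0.3.44:55012 -> 10.0.9.11:3306 tcp",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

The allowlist is the one place this rule needs judgement: the host that health-checks the honeypot must be excluded or it will alert forever, but a compromised monitoring host then goes unnoticed. Keep that list to the single address and port the checker actually uses rather than a whole subnet, and review it whenever the honeypot's monitoring changes.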

7. DISADVANTAGES OF HONEYPOTS

Honeypots have several risks and disadvantages [1] [5].

(1) Limited Vision: The only activity tracked and captured by a honeypot is the attacker's direct interaction with it. Attacks against other parts of the system will not be captured.

(2) Single Data Point: One main drawback of honeypots is that they are useless if no one attacks them. Honeypots can accomplish wonderful things, but if the attacker does not send any packet to the honeypot, it remains unaware of the unauthorized activity.

(3) High Level of Risk: Once a honeypot is compromised, it can introduce risk to the organization's environment. Different kinds of honeypots carry different levels of risk: low interaction honeypots introduce low risk, but high interaction honeypots carry high risk as they provide a real operating system to be attacked.

(4) Proper Administration: Honeypots do not fulfil their promise unless someone has the time to administer them properly. So administration should be done by an administrator with complete knowledge of security devices.

8. CONCLUSION

This paper provides a brief overview of honeypots and their applications. Different types of honeypots, such as production honeypots, research honeypots, and low, medium and high interaction honeypots, are discussed. Honeypots are a relatively new technology and have good scope for future research work.

A honeypot can be used together with other well-established security tools such as an IDS or firewall to make them more effective.

A honeypot is a useful tool for trapping and catching attackers and capturing information. Security is an essential element of any organization's websites, and the honeypot is a good supplement to the security system.

Honeypots contribute to information security because they trap attackers on fake sites in the network, while the actual site where the real information resources are kept remains secure. These honeypots can be extended to a honeynet, where the attacker deals with a bunch of honeypots. The log files collected by these honeypots and honeynets can be analysed and used to improve the Intrusion Detection System (IDS), making it smarter at catching intruders.

REFERENCES

1. Paliwal, S. (2017): Honeypot: A Trap for Attackers. International Journal of Advance Research in Computer and Communication Engineering, 6(3), pp. 842-845.

2. Shukla, M.; Verma, P. (2015): Honeypot: Concept, Types and Working. International Journal of Engineering Development and Research, 3(4), pp. 596-598.

3. Spitzner, L. (2002): Honeypot: Definition and Values, http://www.spitzner.net.

4. Shridhar, K.; Jain, M. (2014): Honeypot: Approach and Implementation. International Journal of Science and Research (IJSR), 3(12), pp. 1038-1043.

5. Kambow, N.; Passi, L. K. (2014): Honeypots: The Need of Network Security. International Journal of Computer Science and Information Technologies (IJCSIT), 5(5), pp. 6098-6101.

6. Zanoramy, W.; Zakaria, A.; Kiah, L. M. (2013): A review of dynamic and intelligent honeypots, Science Asia, 39, pp. 1-5.

7. Ahmad, A.; Ali, M.; Mustafa, J. (2011): Benefits of Honeypots in Education Sector. International Journal of Computer Science and Network Security, 11(10), pp. 24-28.
