Page 1: An Agent Based Intrusion Detection

Shiva Azadegan, Towson University, [email protected]
Vanessa McKenna, Towson University, [email protected]

Abstract

Honeynets have proven to be a valuable research and teaching tool in the area of computer security and information assurance. At Towson University, an undergraduate track in computer security has been available to Computer Science majors since Fall 2002. The main objective of the track is to build upon the core courses in the computer science program and to provide students with hands-on experience with security tools commonly used in industry. This paper explores the educational use of honeynets in several courses required by this track.

Keywords: Computer Security, Security Education, Honeynets, Honeypots

Introduction

At Towson University, an undergraduate security track for Computer Science majors [1] was developed and made available to students in Fall 2002. The main objective of the track is to build upon the core courses of the computer science program and to provide students with hands-on experience with security tools commonly used in industry. Students in this track are required to take the following 7 courses:

1. Computer Ethics (a required course for CS majors)
2. Introduction to Information Security
3. Cryptography
4. Network Security
5. Application Software Security
6. Operating Systems Security
7. Computer Security Case Studies

Current research [2,3] indicates that honeynets can be safely deployed in academic environments and universities and used as a valuable teaching and research tool. Honeynets provide information on the most current security threats and challenges, and on the techniques and tools used by attackers. At the Georgia Institute of Technology [4], honeynets were also used to raise the level of network security across the Georgia Tech campus enterprise network and to assist system administrators in identifying malicious traffic. This paper explores the use of honeynets in several courses required in this track.

Definition of Honeynets

A Honeynet is a set of computers with known and unknown vulnerabilities, deployed with the express purpose of being compromised by an intruder. An intruder can be an unknown entity from the Internet, or an internal threat. As stated in [5], the goal of a honeynet is to create an environment where the tools and behavior of black hats can be captured and analyzed in the wild. Each computer within the Honeynet whose purpose is to be compromised is known as a Honeypot. Within the Honeynet, there can be several more computers that serve specific supporting functions and are hardened against attack as securely as current knowledge permits.

Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05)

One of these computers is an Intrusion Detection System (IDS). The IDS receives every packet sent across the network, including those intended for the Honeypots. These packets are filtered through a rule set and the results are dumped into a binary capture file or a database. Depending on the overall security design, the computer used to analyze the acquired data can be the IDS computer itself, or a separate machine altogether.
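The following is an added illustration of the sensor role just described; it is not code from the paper or from Snort. It passes a handful of constructed packet records through a small rule set shaped like Snort rules (protocol, destination port, payload content) and stores the alerts in SQLite, which stands in for the "binary file or database" the IDS writes. The packet records, rules, SIDs (local range, not real Snort rules) and honeypot addresses are all assumptions for the example. The one honeynet-specific twist is the last step of `inspect`: a packet aimed at a honeypot is recorded even when no signature matches, because by definition nothing legitimate should be talking to it.

```python
"""Minimal honeynet sensor: rule-set filtering plus the "every hit is suspect" policy.

Added illustration, not code from the paper. The packet records, the rule set,
the honeypot address list and the SQLite schema are all constructed here; a real
deployment feeds live packets from libpcap/WinPcap into Snort instead of this loop.
"""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int                # local SID range (>= 1000000); these are not real Snort rules
    msg: str
    proto: str              # "tcp", "udp", or "ip" for any protocol
    dport: int | None       # None matches any destination port
    content: bytes | None   # None means no payload test


# Constructed rule set, shaped like Snort rules (protocol, port, content match).
RULES = [
    Rule(1000001, "FTP SITE EXEC attempt", "tcp", 21, b"SITE EXEC"),
    Rule(1000002, "x86 NOOP sled", "ip", None, b"\x90" * 16),
    Rule(1000003, "Back Orifice probe", "udp", 31337, None),
]

# Honeypot addresses (assumed lab addressing): nothing legitimate ever talks to them.
HONEYPOTS = {"192.168.1.10", "192.168.1.11"}


def match_rule(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every test the rule specifies."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def inspect(pkt: Packet, rules=RULES, honeypots=HONEYPOTS) -> list[tuple[int, str]]:
    """Return the (sid, msg) alerts raised for one packet."""
    alerts = [(r.sid, r.msg) for r in rules if match_rule(r, pkt)]
    # Honeynet policy: a packet aimed at a honeypot is suspect even when no
    # signature fires, so an unknown attack is still recorded (sid 0 = no signature).
    if pkt.dst in honeypots and not alerts:
        alerts.append((0, "unsignatured traffic to honeypot"))
    return alerts


def run_sensor(packets, db_path: str = ":memory:") -> sqlite3.Connection:
    """Filter packets through the rule set and persist alerts to a SQLite database."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS alerts "
        "(ts REAL, sid INTEGER, msg TEXT, src TEXT, dst TEXT, dport INTEGER)"
    )
    for pkt in packets:
        for sid, msg in inspect(pkt):
            conn.execute(
                "INSERT INTO alerts VALUES (?, ?, ?, ?, ?, ?)",
                (pkt.ts, sid, msg, pkt.src, pkt.dst, pkt.dport),
            )
    conn.commit()
    return conn


def alert_summary(conn: sqlite3.Connection) -> dict[str, int]:
    """Alert counts per message, the first thing an analyst queries from the console."""
    return dict(conn.execute("SELECT msg, COUNT(*) FROM alerts GROUP BY msg ORDER BY msg"))


# Constructed traffic: two signatured attacks, one unknown probe of a honeypot,
# one packet to a non-honeypot (the firewall) that is ignored, and a NOP sled.
SAMPLE_PACKETS = [
    Packet(1.0, "tcp", "10.0.0.5", 3421, "192.168.1.10", 21, b"SITE EXEC %p%p%p%p\r\n"),
    Packet(2.0, "udp", "10.0.0.7", 5000, "192.168.1.11", 31337, b"\xce\x63\xd1\xd2\x16\xe7\x13\xcf"),
    Packet(3.0, "tcp", "10.0.0.9", 40000, "192.168.1.10", 80, b"GET /cgi-bin/test HTTP/1.0\r\n\r\n"),
    Packet(4.0, "tcp", "10.0.0.9", 40001, "192.168.1.1", 22, b"SSH-2.0-OpenSSH_3.9p1\r\n"),
    Packet(5.0, "tcp", "10.0.0.5", 3422, "192.168.1.10", 21, b"\x90" * 32 + b"\xeb\x1f\x5e\x89\x76\x08"),
]

if __name__ == "__main__":
    db = run_sensor(SAMPLE_PACKETS)
    for msg, count in alert_summary(db).items():
        print(f"{count:3d}  {msg}")
```

Running the module prints four alerts: the FTP and Back Orifice signatures, the NOP sled, and the unsignatured HTTP probe of a honeypot; the SSH packet to the firewall address produces nothing, which is the "no extraneous data" property the next section discusses.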

Advantages and Disadvantages of a Honeynet

One major advantage of a Honeynet [6,7] is that every hit on the system is suspect, by the very nature of a Honeynet. Honeypots within the Honeynet are not production machines: they produce no real data and serve no function relevant to normal operations within the home network. Therefore, any activity on a Honeypot is suspect and indicates that an attack on the system is occurring or being prepared. Several smaller, but equally important, advantages follow from this. First, the data collected from the Honeynet is of a reasonable size for analysis. No extraneous information, such as broadcast traffic from the router, needs to be kept, and no users are authorized on the system, so all data collected are significant with respect to an attack or to pre-attack patterns.

The next two advantages are strongly related: for the reasons stated above, the Honeynet reduces both false positives and false negatives. False positives drop because there is no legitimate traffic to be misclassified as an attack; false negatives drop because even an attack that matches no signature still shows up as unexpected activity on a machine that should see none. The most important aspect of the Honeynet is this: all activity on a Honeypot is the activity of an intruder, or a potential intruder. These are not production machines, so any and all activity is suspect.

A second major advantage of a Honeynet is that it requires minimal resources, and can generally be built using machines that are “just lying around.” Any computer that is not currently being used can become a Honeypot.

A third major advantage of a Honeynet is that any protocol currently in use can be monitored by the IDS simply by altering the IDS configuration. This means that Honeynets are highly flexible [6], and can be customized to capture specific data, or generalized to capture every kind of attack, known and unknown.

There are two major disadvantages of a Honeynet as well. The first is that the Honeypots can only see the interactions occurring directly with them. Any interaction with production systems is not captured by the Honeynet’s IDS, since (depending on the architecture) these are two separate entities. Honeynets tend to be isolated entities, largely because of the second major disadvantage: the risk of operating a Honeynet. There is always the possibility that the Honeynet could be compromised and used to further the illegal activities of the intruder, for example as a staging point for attacks on third parties. This poses serious legal ramifications for businesses and university settings, and the risk changes with the type of Honeypot used.


Types of Honeypots

One way to categorize honeypots is by their level of interaction. Using this criterion, we can divide honeypots into three major categories [5]: low-interaction, medium-interaction and high-interaction. The interaction level of a honeypot is directly related to the amount of data that can be collected from intrusions. High-interaction honeypots, as the name suggests, can collect a great amount of data, since the intruder has a great deal of interaction with the honeypot (typically a real operating system running real services). However, the more freedom the intruder has, the more risk is involved in keeping that system operational. Low-interaction honeypots, which only emulate services, limit what the intruder is able to do and are therefore less of a risk. However, these honeypots also tend to generate less data, as an intruder who cannot accomplish anything is likely to leave. Medium-interaction honeypots offer more ability to interact than low-interaction honeypots, but less functionality than high-interaction honeypots.

Projects

In the remainder of this paper we briefly describe several honeynet-related projects that can be incorporated into our security track courses. Currently at Towson University, several graduate students are working on these projects, and we are planning to incorporate them into our undergraduate security courses in the near future. All the projects are intended to be conducted as team projects. Due to the nature of these projects we do not need high-performance or sophisticated hardware; rather, the honeynets can easily be configured on the used and surplus machines that are available at most departments and universities. The software used in these projects consists entirely of free or Open Source solutions.

It is imperative, before starting the projects, to establish a close relationship with the University Information Technology Office, to keep them informed about all your activities, and to have their permission.

Project 1: Honeynet Legal and Ethical Issues

Students must be educated about the legal, security and privacy concerns raised by honeynets. We are planning to include modules on these topics in the Computer Ethics course and the Introduction to Information Security course. The goal of this project is to familiarize students with the legal aspects of the use of honeynets and with what is and is not allowed under current law. Since Introduction to Information Security is the prerequisite for all the other courses in the track, it is the best place for coverage of this material.

Project 2: Deployment of a Simple Honeypot

This project provides students with the opportunity to work with a simple low-interaction honeypot. There is a wide spectrum of honeypots available. We chose BackOfficer Friendly [8], or BOF, for this purpose. In this project students configure BOF to emulate the server side of Back Orifice, a well-known remote-administration trojan, so that scans and connection attempts aimed at it are answered and logged. BOF records the activities of attackers against the emulated service, showing how they try to use it. BOF is extremely simple to install and configure and provides an excellent starting place. We are planning to discuss this project in the Introduction to Information Security course.


Project 3: Building a Honeynet

This project provides students with the valuable experience of actually setting up their own honeynet. To make this project practical and safe, we do not place the honeynet “live” on the University network; rather, it is isolated in a lab. After setting up the honeynet, students can either simulate attacks themselves or download data from the Honeynet Project Web site.

This setting prevents new tools and attacks from being discovered. The only attacks generated are known attacks, and the behavior of the IDS is known as well. This limits the ability to maintain an objective view of the attack. However, one major benefit of this approach is that the alerts generated by the IDS are very understandable: any alert generated was caused by the one attack performed at that instant in time. Thus, it prepares students to work with “live” honeynets.

This project is currently being completed by the co-author Vanessa McKenna, a graduate student at Towson University. She allocated four computers, all previously used, for this project. One computer was designated as the firewall, another as the intrusion detection and analysis console, the third as the target or victim computer, and the fourth as the attacker. Each computer’s hard drive was formatted and a version of Red Hat Linux was installed.

She is also working on an implementation of a honeynet on a Windows system, which is much easier than setting up a Linux-based Honeynet. For this project the following four components are necessary to begin collecting and analyzing data: 1) WinPcap 2.3; 2) Ethereal 0.10.9; 3) Snort 2.3; and 4) an analysis and alert console. WinPcap and Ethereal can both be downloaded from the Ethereal website (http://www.ethereal.com/distribution/win32/). Snort can be downloaded from the Snort website (http://www.snort.org/dl/binaries/win32/). The analysis and alert console is a handy tool for real-time monitoring of intrusions. A final optional item is a database such as MySQL. A database is not necessary for running Snort and reviewing the collected data, but can make things easier in the long term.

Installation of the tools mentioned above is quick and easy, and provides students with invaluable experience using these tools. We are planning to incorporate this project into the Network Security course. At present, we offer the security track courses once every year. Students usually take Network Security in the Fall semester and Operating Systems Security in the Spring. The following project will be conducted in the Operating Systems Security course; it can be considered a continuation of this project and deals mainly with the analysis of the captured data.

Project 4: Analysis of Captured Data

The analysis of the captured data is the most challenging and interesting aspect of running a honeynet. Analysis of captured data can provide information on trends in attacker behavior and potential future attacks, show the methodologies of attackers, and, moreover, reveal the vulnerabilities that exist in the system. For example, a case study done by a member of the Honeynet Alliance demonstrates how a Honeynet can be used to analyze attacker behavior. The system in this particular case study was a default server installation of Red Hat 6.0. The attack was discovered through a Snort alert indicating that a ‘NOOP’ (shellcode NOP sled) signature had fired against one of the Honeypots in the Honeynet (a collection of Honeypots). Two minutes after the attack was initiated, the attacker opened a connection and logged in to the box. Twenty seconds later, the intruder had elevated his privileges to superuser and was in complete control of the box.

Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05)

In this project students analyze the log files, tracing the attacker’s footsteps and trying to identify the vulnerabilities that were exploited. For this project we use older versions of the operating systems with known vulnerabilities. In our security lab we use VMware, which allows us to create a virtual machine running any operating system.

Project 5: Developing Signatures for New Attacks

Computer Security Case Studies is the capstone course for the track. The class is conducted in the security lab and consists of 10-12 hands-on projects. We are currently evaluating several medium- to high-interaction honeynet solutions to be deployed and configured for use in this class. Students can then apply the knowledge and experience gained in the previous courses to analyzing the collected data and help to develop signatures for new attacks. For this project we need to work closely with the University Information Technology Office.
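A worked version of the signature-development step, added here as an example and not taken from the paper or any course material: given several captured payloads of the same unknown attack plus benign captures of the same service, find the longest byte string common to every attack capture, trim uninformative filler (NOP bytes, line endings) from its ends, reject it if any benign capture contains it, and render the survivor as a Snort `content` match inside a rule. The captures are constructed (a hypothetical FTP `SITE EXEC` format-string exploit with varying NOP-sled lengths and login names, and two normal FTP sessions); the SID is in the local range and `$HOME_NET` is assumed to be the honeypot addresses. The procedure is general: it works on any set of captured payloads, not only the FTP sample here.

```python
"""Derive a content signature from captured attack payloads and emit a Snort rule.

Added example, not the paper's code. ATTACKS and BENIGN are constructed captures;
the shellcode tail is a placeholder byte string, not a working exploit.
"""
from __future__ import annotations

SHELLCODE_TAIL = b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
FORMAT_STRING = b"SITE EXEC %.f%.f%.f%.f%.f%.f%.f|%p|%p|"

# Three captures of one hypothetical attack: different logins, different sled lengths.
ATTACKS = [
    b"USER ftp\r\nPASS -anon@\r\n" + FORMAT_STRING + b"\x90" * 24 + SHELLCODE_TAIL,
    b"USER anonymous\r\nPASS [email protected]\r\n" + FORMAT_STRING + b"\x90" * 40 + SHELLCODE_TAIL,
    b"USER guest\r\nPASS x\r\n" + FORMAT_STRING + b"\x90" * 12 + SHELLCODE_TAIL,
]
# Two ordinary FTP sessions from a lab client, used to weed out over-broad candidates.
BENIGN = [
    b"USER ftp\r\nPASS [email protected]\r\nCWD /pub\r\nLIST\r\n",
    b"USER alice\r\nPASS s3cret\r\nSITE CHMOD 644 notes.txt\r\nQUIT\r\n",
]

# Bytes with no discriminating value at the edges of a signature: NOP, CR, LF, space, tab.
FILLER = {0x90, 0x0D, 0x0A, 0x20, 0x09}


def common_substrings(samples: list[bytes]):
    """Yield distinct byte strings present in every sample, longest first."""
    base = min(samples, key=len)
    seen: set[bytes] = set()
    for length in range(len(base), 0, -1):
        for i in range(len(base) - length + 1):
            cand = base[i:i + length]
            if cand in seen:
                continue
            seen.add(cand)
            if all(cand in s for s in samples):
                yield cand


def trim_filler(sig: bytes) -> bytes:
    start, end = 0, len(sig)
    while start < end and sig[start] in FILLER:
        start += 1
    while end > start and sig[end - 1] in FILLER:
        end -= 1
    return sig[start:end]


def derive_signature(attacks, benign, min_len: int = 8) -> bytes | None:
    """Longest trimmed common attack substring that no benign capture contains."""
    best = b""
    for cand in common_substrings(attacks):
        sig = trim_filler(cand)
        if len(sig) > len(best) and not any(sig in b for b in benign):
            best = sig
    return best if len(best) >= min_len else None


def validate(sig: bytes, attacks, benign) -> tuple[int, int]:
    """(attack captures matched, benign captures matched) for a candidate signature."""
    return sum(sig in a for a in attacks), sum(sig in b for b in benign)


def snort_content(sig: bytes) -> str:
    """Render bytes in Snort content syntax: printable ASCII literal, the rest as |hex|.
    Quote, semicolon, backslash and pipe are special inside content and go to hex too."""
    out: list[str] = []
    hexrun: list[int] = []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in sig:
        if 0x20 <= b < 0x7F and chr(b) not in '";\\|':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def snort_rule(sig: bytes, sid: int, msg: str, port: int = 21) -> str:
    return (
        f'alert tcp any any -> $HOME_NET {port} (msg:"{msg}"; flow:to_server,established; '
        f'content:"{snort_content(sig)}"; classtype:attempted-admin; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    sig = derive_signature(ATTACKS, BENIGN)
    print("signature:", sig)
    print("matches (attacks, benign):", validate(sig, ATTACKS, BENIGN))
    print(snort_rule(sig, 1000010, "LOCAL FTP SITE EXEC format string"))
```

On the constructed captures the derived content is the `SITE EXEC` format string itself: the NOP sled is trimmed away because its length varies and its bytes are filler, the login names drop out because they differ, and the shellcode tail is not contiguous with the format string in every capture. The benign check matters: without it the common prefix `USER ftp` in two of the captures could pass for a signature and fire on every anonymous login.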

Advanced Research Projects

Honeynets provide fertile ground for a very broad range of research topics that can be either incorporated into graduate security courses or conducted as graduate projects. Some of these topics include: distributed honeynets, design and implementation of wireless honeynets, virtual honeynets, data mining, and distributed agents.

Conclusion

To better prepare and educate our students in the area of information assurance, we are working on several projects using honeynet technology to be incorporated into our computer security track courses. We firmly believe that honeynets provide a valuable teaching tool and expose students to the most up-to-date security challenges and threats. Moreover, our graduates in the computer security field must have the knowledge and skills necessary to work with these tools.

References:

[1] Azadegan, O’Leary, Lavine, Wijesinha, Zimand, “An Undergraduate Track in Computer Security,” Proceedings of ACM ITiCSE 2003, Thessaloniki, Greece, July 2003.
[2] Jones, Romney, “Honeynets: An Educational Resource for IT Security,” Proceedings of ACM SIGITE 2004, Salt Lake City, Utah.
[3] Levine, LaBella, Owen, Contis, Culver, “The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks,” Proceedings of the IEEE Workshop on Information Assurance, West Point, New York, June 2003.


[4] “Know Your Enemy: Honeynets in Universities,” Honeynet Project, www.honeynet.org.
[5] Lance Spitzner, Honeypots: Tracking Hackers, Addison-Wesley, 2003.
[6] Know Your Enemy: Learning about Security Threats (2nd Edition), Honeynet Alliance, 2004.
[7] Know Your Enemy: Honeynets, www.honeynet.org/papers/honeynet/index.html.
[8] Back Orifice, www.cultdeadcow.com/tools/bo_plugins.html.

Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05)

0-7695-2296-3/05 $20.00 © 2005 IEEE