an agent based intrusion detection
Shiva Azadegan, Towson University
Vanessa McKenna, Towson University
Abstract
Honeynets have been proven to be a valuable research and teaching tool in the area of computer security and information assurance. At Towson University, since Fall 2002, an undergraduate track in computer security has been made available to Computer Science majors. The main objective of the track is to build upon the core courses in the computer science program and to provide students with hands-on experience with security tools commonly used in industry. This paper explores the educational use of honeynets in several courses required by this track.
Keywords: Computer Security, Security Education, Honeynets, Honeypots
Introduction
At Towson University, an undergraduate security track for Computer Science majors [1] was developed and made available to students in Fall 2002. The main objective of the track is to build upon the core courses of the computer science program and to provide students with hands-on experience with security tools commonly used in industry. Students in this track are required to take the following 7 courses:
1. Computer Ethics (a required course for CS majors)
2. Intro to Information Security
3. Cryptography
4. Network Security
5. Application Software Security
6. Operating Systems Security
7. Computer Security Case Studies
Current research [2,3] indicates that honeynets can be safely deployed in academic environments and universities and used as a valuable teaching and research tool. Honeynets provide information on the most current security threats and challenges, and on the techniques and tools used by hackers. At the Georgia Institute of Technology [4], honeynets were also used to increase the level of network security across the Georgia Tech campus enterprise network and to assist system administrators in identifying malicious traffic. This paper explores the use of honeynets in several courses required in this track.
Definition of Honeynets
A Honeynet is a series of computers with known and unknown vulnerabilities with the express purpose of being compromised by an intruder. An intruder can be an unknown entity from the Internet, or an internal threat. As stated in [5], the goal of a honeynet is to create an environment where the tools and behavior of black hats can be captured and analyzed in the wild. Each computer within the Honeynet whose purpose is to be compromised is known as a Honeypot. Within the Honeynet, there can be several more computers that also serve specific functions, and are shored up against attacks as securely as current knowledge permits.
Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05)
One of these computers is an Intrusion Detection System (IDS). The IDS receives all packets that are sent throughout the network, including those that are intended for Honeypots. These packets are filtered through a rule set and dumped into a binary file or a database. Depending on the overall security design, the computer used to analyze the acquired data can be the IDS computer itself, or a separate entity altogether.
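The rule-set-and-database pipeline just described, as an added example that is not code from the paper or from Snort or any other tool it names: a minimal sensor runs constructed packets through a small set of Snort-style signatures and stores every hit, raw payload included, in a SQLite table that an analysis console can query. The packet values, honeypot addresses, signature ids (local 1000000+ range) and patterns are constructed for illustration; the only real-world value is the Back Orifice default listening port, 31337/UDP.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One captured packet as the sensor sees it (field set chosen for this example)."""
    ts: float
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """A Snort-style signature: protocol, optional destination port, optional byte pattern."""
    sid: int
    msg: str
    proto: str
    dport: Optional[int] = None       # None matches any destination port
    content: Optional[bytes] = None   # None matches any payload

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


# Constructed rule set; sids are local placeholders, not real Snort rule ids.
RULES = [
    Rule(1000001, "SHELLCODE x86 NOOP sled", "tcp", content=b"\x90" * 16),
    Rule(1000002, "Back Orifice default port probe", "udp", dport=31337),  # 31337/UDP is BO's real default
    Rule(1000003, "HTTP directory traversal attempt", "tcp", dport=80, content=b"../.."),
]

# Constructed traffic toward two honeypots (192.168.1.10 and .11); not a real capture.
SAMPLE_PACKETS = [
    Packet(1.0, "tcp", "10.0.0.5", 43210, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet(2.0, "udp", "10.0.0.5", 4000, "192.168.1.10", 31337, b"\x00\x01\x02"),
    Packet(3.0, "tcp", "10.0.0.7", 5000, "192.168.1.11", 21, b"USER " + b"\x90" * 32 + b"\xcc"),
    Packet(4.0, "tcp", "10.0.0.7", 5001, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet(5.0, "tcp", "10.0.0.9", 5002, "192.168.1.11", 22, b"SSH-2.0-OpenSSH\r\n"),
]


def open_alert_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the alert table; pass a file path instead of ':memory:' to keep alerts across runs."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS alerts ("
        "ts REAL, sid INTEGER, msg TEXT, src TEXT, sport INTEGER, "
        "dst TEXT, dport INTEGER, payload BLOB)"
    )
    return db


def run_sensor(packets: List[Packet], rules: List[Rule], db: sqlite3.Connection) -> int:
    """Filter every packet through the whole rule set; store each hit with its raw payload.

    Returns the number of alerts written. A packet may trigger more than one rule."""
    hits = 0
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                db.execute(
                    "INSERT INTO alerts VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                    (pkt.ts, rule.sid, rule.msg, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.payload),
                )
                hits += 1
    db.commit()
    return hits


def alert_summary(db: sqlite3.Connection) -> List[Tuple[int, str, int]]:
    """Per-signature hit counts: the first view an analysis console would show."""
    return list(db.execute("SELECT sid, msg, COUNT(*) FROM alerts GROUP BY sid, msg ORDER BY sid"))


if __name__ == "__main__":
    conn = open_alert_db()
    print(run_sensor(SAMPLE_PACKETS, RULES, conn), "alerts written")
    for sid, msg, count in alert_summary(conn):
        print(sid, msg, count)
```

The benign-looking `GET /index.html` and the SSH banner produce no alert here because no signature covers them; on a real honeynet they would still be worth keeping, since, as the text notes, nothing legitimate should touch a honeypot at all.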
Advantages and Disadvantages of a Honeynet
One major advantage of a Honeynet [6,7] is the fact that every hit on the system is suspect, by the very nature of a Honeynet. Honeypots within the Honeynet are not production machines, which means that they are not used to produce any kind of real data and do not serve any function that is relevant to normal operations within the home network. Therefore, any activity on the Honeypot is suspect, indicating that an attack is occurring on the system. This results in the emergence of several smaller, but equally important, advantages. First, the data collected from the Honeynet is of a reasonable size for analysis. No extraneous information, such as broadcast calls from the router, is kept, and no users are authorized on the system. All data collected are significant with respect to an attack, or pre-attack patterns.
The next two advantages are strongly related: the Honeynet, for reasons similar to the ones stated above, reduces both false positives and false negatives. The most important aspect of the Honeynet is this: all activity on a Honeypot is the activity of an intruder, or a potential intruder. These are not production machines, so any and all activity is suspect.
A second major advantage of a Honeynet is that it requires minimal resources, and can generally be built using machines that are “just lying around.” Any computer that is not currently being used can become a Honeypot.
A third major advantage of a Honeynet is the fact that any protocol currently in use can be monitored by the IDS, just by altering the configuration of the IDS. This means that Honeynets are highly flexible entities (Know Your Enemy book, 2004), and can be customized to capture specific data, or generalized to capture every kind of attack, known and unknown.
There are two major disadvantages of a Honeynet as well. The first disadvantage is that the Honeypots can only see the interactions occurring directly with them. Any interaction with production systems is not captured by the IDS for the Honeynet, since (depending on architecture) these are two separate entities. Honeynets tend to be isolated entities, largely because of the second major disadvantage: the risk of operating a Honeynet. There is always the possibility that the Honeynet could be compromised and used in perpetuating the illegal behaviors of the intruder. This poses serious legal ramifications for businesses and university settings, and the risk changes with the type of Honeypot used.
Types of Honeypots
One way to categorize honeynets is based on their level of interaction. Using this criterion, we can divide honeynets into three major categories [5]: low-interaction, medium-interaction and high-interaction. The interaction level of a honeypot is directly related to the amount of data that can be collected from intrusions. High-interaction honeypots, as the name suggests, can collect a great amount of data since the intruder has a great deal of interaction with the honeypot. However, the more flexibility the intruder has, the more risk is involved in having that system operational. Low-interaction Honeypots limit what the intruder is able to do, and are therefore less of a risk. However, these Honeypots also tend to generate less data, as an intruder who cannot accomplish anything is likely to leave. Medium-interaction honeypots offer more ability to interact than low-interaction honeypots, but less functionality than high-interaction honeypots.
Projects
In the remainder of this paper we briefly describe several honeynet-related projects that can be incorporated into our security track courses. Currently at Towson University, several graduate students are working on these projects, and we are planning to incorporate them into our undergraduate security courses in the near future. All the projects are intended to be conducted as team projects. Due to the nature of these projects we do not need high-performance, sophisticated hardware; rather, the honeynets can easily be configured on the used and surplus machines that are available at most departments and universities. The software used in these projects is all free or Open Source software.
It is imperative, before starting the projects, to establish a close relationship with the University Information Technology Office, keep them informed about all your activities, and have their permission.
Project 1: Honeynets Legal and Ethical Issues
Students must be educated about the concerns of legality, security and privacy of honeynets. We are planning to include modules on these topics in the computer ethics course and the introduction to information security course. The goal of these projects is to familiarize students with the legal aspects of the use of honeynets and what is and is not allowed under current laws. Since introduction to information security is the prerequisite to all the other courses in the track, it would be the best place for the coverage of these materials.
Project 2: Deployment of a Simple Honeypot
This project provides students with the opportunity to work with a simple low-interaction honeynet. There is a wide spectrum of honeynets available in the market. We chose BackOfficer Friendly [8], or BOF, for this purpose. In this project students configure BOF to emulate the specific vulnerability known as Back Orifice. BOF carefully tracks the activities of the attackers in the honeypot to see how they exploit the vulnerability. BOF is extremely simple to install and configure and provides an excellent starting place. We are planning to discuss this project in the introduction to information security course.
Project 3: Building a Honeynet
This project provides students with the valuable experience of actually setting up their own honeynet. To make this project practical and safe, we do not place the honeynet “live” on the University network; rather, it is isolated in a lab. After setting up the honeynet, students themselves can either simulate attacks or download data from the Honeynet Project Web site.
This setting prevents new tools and attacks from being discovered. The only attacks generated are known attacks, and the behavior of the IDS is known as well. This limits the ability to maintain an objective view of the attack. However, one major benefit of this approach is that the alerts generated by the IDS are very understandable: any alert generated was generated by the one attack performed at that instant in time. Thus, it prepares students to work with “live” honeynets.
This project is currently being completed by the co-author Vanessa McKenna, a graduate student at Towson University. She allocated four computers, all previously used, for this project. One computer was designated as the firewall, another as the intrusion detection and analysis console, the third as the target or victim computer, and the fourth as the attacker. Each computer’s hard drive was formatted and a version of Red Hat Linux was installed.
She is also working on an implementation of a honeynet on a Windows system, which is much easier in comparison to setting up a Linux-based Honeynet. For this project the following four components are necessary to begin collecting and analyzing data: 1) WinPcap 2.3; 2) Ethereal 10.9; 3) Snort 2.3; and 4) an analysis and alert console. WinPcap and Ethereal can both be downloaded from the Ethereal website (http://www.ethereal.com/distribution/win32/). Snort can be downloaded from the Snort website (http://www.snort.org/dl/binaries/win32/). The analysis and alert console is a handy tool for real-time monitoring of intrusions. A final optional item for downloading is a database such as MySQL. A database program is not necessary for running Snort and reviewing the collected data, but can make things easier in the long term.
Installation of the tools mentioned above is quick and easy and provides students with invaluable experience using these tools. We are planning to incorporate this project into the Network Security course. At present, we offer the security track courses once every year. Students usually take the Network Security course in the Fall semester and Operating Systems Security in Spring. The following project will be conducted in the Operating Systems Security course; it can be considered the continuation of this project and basically deals with the analysis of the captured data.
Project 4: Analysis of Captured Data
The analysis of the captured data is the most challenging and interesting aspect of running a honeynet. Captured data analysis can provide information on trends in attacker behavior and potential trends in future attacks, and can show the methodologies of attackers. Moreover, it shows the vulnerabilities that exist in the system. For example, a case study done by a member of the Honeynet Alliance demonstrates how a Honeynet can be used to analyze attacker behavior. The system in this particular case study was a default server installation of Red Hat 6.0. The attack was discovered through an alert generated by Snort indicating that a ‘noop’ attack had occurred on one of the Honeypots available in the Honeynet (a collection of Honeypots). Two minutes after the attack was initiated, the attacker initiated a connection and logged in to the box. Twenty seconds later, the intruder had elevated his privileges to super user and was in complete control of the box.
In this project students analyze the generated log files, tracing the attacker's footsteps and trying to figure out the vulnerabilities. For this project we use older versions of the operating systems with known vulnerabilities. In our security lab we use VMware, which basically allows us to create a box with any operating system.
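The log-file walk Project 4 asks students to do, as an added example that is not code from the paper or from the Honeynet Alliance case study it cites: two constructed Snort fast-format alert lines and a few constructed syslog lines from the victim are merged into one timeline, so that the alert-to-login and login-to-root intervals of the kind the case study reports fall out directly. Every hostname, address, timestamp and log format here is constructed; the sid is a local placeholder, not a real Snort rule id; the year is an assumption, because neither log format records one.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed Snort "fast" alert lines (sid 1000001 is a local placeholder, not a real rule id).
SNORT_ALERTS = """\
03/14-02:15:07.113221  [**] [1:1000001:1] SHELLCODE x86 NOOP sled [**] [Priority: 1] {TCP} 10.0.0.5:43210 -> 192.168.1.10:21
03/14-02:15:09.501877  [**] [1:1000001:1] SHELLCODE x86 NOOP sled [**] [Priority: 1] {TCP} 10.0.0.5:43210 -> 192.168.1.10:21
"""

# Constructed syslog lines from the honeypot itself; message formats are illustrative only.
VICTIM_SYSLOG = """\
Mar 14 02:17:03 victim in.telnetd[812]: connect from 10.0.0.5
Mar 14 02:17:05 victim login[812]: LOGIN ON pts/0 BY operator FROM 10.0.0.5
Mar 14 02:17:25 victim su[830]: (to root) operator on pts/0
Mar 14 02:17:41 victim useradd[845]: new user: name=sys4, uid=0, gid=0
"""

SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

Event = Dict[str, object]


def _stamp(year: int, mon: int, day: int, hms: str) -> datetime:
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(year, mon, day, h, m, s)


def parse_snort(text: str, year: int) -> List[Event]:
    """Turn fast-format alert lines into 'ids' events keyed by source address."""
    events: List[Event] = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert
        events.append({
            "t": _stamp(year, int(m["mon"]), int(m["day"]), m["time"]),
            "kind": "ids",
            "src": m["src"].rsplit(":", 1)[0],
            "detail": f"{m['msg']} {m['src']} -> {m['dst']}",
        })
    return events


def parse_syslog(text: str, year: int) -> List[Event]:
    """Classify victim-side syslog lines: interactive logins, su to root, everything else."""
    events: List[Event] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "su" and "(to root)" in msg:
            kind = "root"
        elif prog == "login":
            kind = "login"
        else:
            kind = "host"
        ip = IP_RE.search(msg)
        events.append({
            "t": _stamp(year, MONTHS[m["mon"]], int(m["day"]), m["time"]),
            "kind": kind,
            "src": ip.group(0) if ip else None,
            "detail": f"{prog}: {msg}",
        })
    return events


def build_timeline(snort_text: str, syslog_text: str, year: int = 2005) -> List[Event]:
    """Merge IDS and host events in time order; delta_s is seconds since the earliest event."""
    events = sorted(parse_snort(snort_text, year) + parse_syslog(syslog_text, year), key=lambda e: e["t"])
    for e in events:
        e["delta_s"] = int((e["t"] - events[0]["t"]).total_seconds())
    return events


def seconds_to(timeline: List[Event], kind: str) -> Optional[int]:
    """Seconds from the first IDS alert to the first event of the given kind, or None if absent."""
    first_ids = next((e for e in timeline if e["kind"] == "ids"), None)
    target = next((e for e in timeline if e["kind"] == kind), None)
    if first_ids is None or target is None:
        return None
    return int((target["t"] - first_ids["t"]).total_seconds())


def attacker_sources(timeline: List[Event]) -> Set[str]:
    """Every source address seen by the IDS or named in a host log line."""
    return {e["src"] for e in timeline if e["src"]}


if __name__ == "__main__":
    for e in build_timeline(SNORT_ALERTS, VICTIM_SYSLOG):
        print(f"+{e['delta_s']:4d}s  {e['kind']:5s}  {e['detail']}")
```

Correlating the IDS alert with the victim's own logs is what turns a single signature hit into a story: here the interval from the first alert to the first interactive login is 118 seconds and to the su-to-root line 138 seconds, and the final line shows why a uid-0 account appearing after the escalation deserves a rule of its own.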
Project 5: Developing Signatures for New Attacks
Computer Security Case Studies is the capstone course for the track. The class is conducted in the security lab and consists of 10-12 hands-on projects. We are currently evaluating several medium- to high-interaction honeynet solutions to be deployed and configured for use in this class. Students can then apply the knowledge and experience gained in the previous courses to analyzing the collected data and help develop signatures for new attacks. For this project we need to work closely with the University Information Technology Office.
Advanced Research Projects
Honeynets provide fertile ground for a very broad range of research topics that can either be incorporated into graduate security courses or be conducted as graduate projects. Some of these topics include: distributed honeynets, design and implementation of wireless honeynets, virtual honeynets, data mining and distributed agents.
Conclusion
To better prepare and educate our students in the area of information assurance, we are working on several projects using honeynet technology to be incorporated into our computer security track courses. We firmly believe that honeynets provide a valuable teaching tool and present students with the most up-to-date security challenges and threats. Moreover, our graduates in the computer security field must have the knowledge and skills necessary to work with these tools.
References:
[1] Azadegan, O’Leary, Lavine, Wijesinha, Zimand, “An Undergraduate Track in Computer Security,” Proceedings of ACM ITiCSE 2003, Thessaloniki, Greece, July 2003.
[2] Jones, Romney, “Honeynets: An Educational Resource for IT Security,” Proceedings of ACM SIGITE 2004, Salt Lake City, Utah.
[3] Levine, LaBella, Owen, Contis, Culver, “The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks,” Proceedings of the IEEE Workshop on Information Assurance, West Point, New York, June 2003.
[4] “Know Your Enemy: Honeynets in Universities,” Honeynet Project, www.honeynet.org.
[5] Lance Spitzner, Honeypots: Tracking Hackers, Addison Wesley, 2003.
[6] Know Your Enemy: Learning about Security Threats (2nd Edition), Honeynet Alliance, 2004.
[7] Know Your Enemy: Honeynets, www.honeynet.org/papers/honeynet/index.html
[8] Back Orifice, www.cultdeadcow.com/tools/bo_plugins.html
0-7695-2296-3/05 $20.00 © 2005 IEEE