honeypot-a supplemented active defense for network security 2


  • 8/8/2019 Honeypot-A Supplemented Active Defense for Network Security 2


Honeypot: a Supplemented Active Defense System for Network Security

Feng Zhang, Shijie Zhou, Zhiguang Qin, Jinde Liu
College of Computer Science and Engineering
University of Electronic Science and Technology of China
Sichuan, Chengdu 610054, P.R. China
E-mail: {libmcenter, sjzhou, qinzg, jdliu}@uestc.edu.cn

Abstract

A honeypot is a supplemented active defense system for network security. It traps attacks, records intrusion information about the tools and activities of the hacking process, and prevents attacks outbound from the compromised system. Integrated with other security solutions, the honeypot can solve many traditional dilemmas. We expatiate the key components of data capture and data control in the honeypot, and give a classification for honeypots according to security goals and application goals. We review the technical progress and security contribution of today's production honeypots and research honeypots. We present typical honeypot solutions and prospect the technical trends of integration, virtualization and distribution for the future honeypot.

Keywords: honeypot, honeynet, attack deception, network security

I. Introduction

Web applications are broadly deployed. More traditional services are extended to the Internet. E-commerce and e-government quicken the process. At the same time, attacks and intrusions against web application systems become more popular. Hackers exploit more tricky and obscure methods [1]. Automated attacking tools and Trojan horses appear at a more rapid rate. Some of them, such as worms, attack scripts and DDoS attacks, are truly powerful and destructive [1, 2, 3, 23]. Traditional security technologies and defense systems for network security are blunt when facing new attacks and intrusions.

Round-the-clock availability is one of the most important properties of a web application, but attacks and intrusions change the situation. An IDS can't give an alert when an intrusion occurs using a new signature. Even worse, we can't take the service system down to check it completely, because there are still many online users making their deals. To prevent, detect and react to intrusions without disturbing the existing system is a severe problem for web application and network security. Traditional security technologies can't solve the problem. A firewall gives a flexible policy according to proper service ports to control outbound and inbound connections regarding the protected network or system. It does nothing against attacks that use proper service ports [4]. IDS work well on detecting and alerting on attacks with known signatures [8]. Most IDS can't detect unknown intrusions [7, 8, 9]. Though some can do anomaly detection by training on a clean data set of normal actions, a clean data set is difficult or costly to get [8]. Information on an unknown intrusion signature can't be attained unless the attacks are analyzed. There is a contradiction between the laggard attaining of unknown signatures and signature-matching based IDS. A honeypot system attempts to solve the problem by setting up a controlled environment similar to the service system, inveigling attackers, and gaining information about new types of intrusion to aid the corresponding security system [13, 14, 15, 16, 18].

Industry and academia show growing interest in honeypots and related technologies. In the industry field, a variety of honeypots with different extents of interaction appear, including BOF [25], Specter [26], CyberCop Sting [27], Honeynet [29], the open-source Honeyd [28], etc. In academia, there are a number of projects in progress, such as the ISIC Honeypot Project [10], the Distributed Honeypot Project [11] and the Honeynet Project [12]. The honeypot is a valuable tool aiding traditional security technologies to improve their performance.

This paper introduces honeypots and honeypot-related technologies from the viewpoint of security management for networks. Basic conceptions, a general model and a taxonomy for honeypots are given in section 2. Key problems and focuses in honeypot research are addressed in section 3. Typical honeypot systems are reviewed in section 4. Finally, trends of honeypots and the features that should be taken into account while designing future honeypots are summarized.

0-7803-7840-7/03/$17.00 ©2003 IEEE.

II. Honeypot Basics

This section refers to the basic conceptions, the general model and the taxonomy of honeypots.

1. Conceptions and Ideas

A. Honeypot

Different researchers may give different definitions according to particular scenarios. We incline to take the following definition: a honeypot is a security resource whose value lies in being probed, attacked or compromised [15]. It catches the nature of the honeypot: if no one attacks the honeypot, it is nothing. Still, a honeypot is a valuable security tool because of its active nature. Other security tools such as firewalls and IDS are completely passive, in that their task is to prevent or detect attacks. A honeypot actively gives way to the attacker in order to gain information about new intrusions. This nature makes the honeypot outstanding in aiding other security tools. The honeypot is also an integrated technology. Later we will demonstrate that a honeypot exploits IDS, firewall and routing control to realize an integrated active defense system. Therefore, we define the honeypot in three folds: as a security resource whose value lies in being scanned, attacked or compromised; as a security tool whose value lies in actively luring attacks to attain intrusion information and improve the performance of other security tools such as IDS; and as one technology whose value lies in being an alternative method for network security.

Honeypots differ according to their different uses. A honeypot could be an emulated application, a fully functional operating system with default configuration, or an actual net including different OS and applications, even an emulated network on a single machine. We will cover different kinds of honeypots in section 4.

One basic assumption for the honeypot is that all connections outward and inward of the honeypot are considered conspicuous [15, 16]. That is rational, because the honeypot itself doesn't provide public production services, and connections inbound and outbound of the honeypot are probably initiated by an attacker to probe or attack the target. There may be some mistyped IPs, but the chance is little.

B. Production Honeypot and Research Honeypot

Traditionally a honeypot is used to protect the network of a corporation; the production honeypot is aimed at doing so. A production honeypot always comes in company with production systems such as mail servers and WWW servers. They protect the target system by deceiving and detecting attacks, giving alerts to the administrator.

A research honeypot is primarily for learning new attacking methods and tools and gaining new information about attacks, though it can be used as a production honeypot. It provides more interactive chances for attackers and takes more risk of being controlled at the same time. A research honeypot takes an effective data control mechanism to prevent it from being a jump to attack other computer systems [16].

C. Honeynet

Honeynet has a particular meaning corresponding to honeypot. Firstly, it is mainly used for research work. Secondly, there are multiple systems in a honeynet. All systems placed within the honeynet are standard production systems. Nothing is emulated, nor is anything done to make the systems less secure. A honeynet is more interactive than a honeypot and strongly resembles an actual net (it is truly a net with router, workstations, popular operating systems and default-configured services installed with default signatures). The Honeynet Project focuses on honeynet-related technologies. This organization gives much useful advice making honeynets easier to deploy and more difficult to detect. Honeynets and honeypots advance together by sharing attack deception, data capture and data control technology.

D. Data Control and Data Capture

Data control and data capture are two essential requirements that lie in all kinds of honeypots. The main task of a honeypot is luring attacks and gaining intrusion information while preventing itself from being used to attack other systems. Data capture fulfills the recording of intrusions and attacks on the honeypot. Data control measures up to prevent the compromised honeypot from being a gangplank and to protect the recorded data. Research work on data control refers to connection control and routing control technologies, and data capture is a layered architecture to record data from the link layer, IP layer and application layer. Related fields cover firewalls, routers and IDS.

2. General Model for Honeypot

In 2.1.4 we interpreted the two essential requirements of a honeypot: data control and data capture. The following model fulfills the two basic requirements and performs effectively. We deploy an IDS component, a firewall component, a router control component and a log component in the general model, with the target OS and applications default-configured. All of them cooperate with one another to form a honeypot system. We will analyze how it works and fulfills the two requirements.

[Figure: general model of the honeypot (caption illegible in the source scan)]

Data control includes connection control and routing control. The firewall component (connection control) controls the outbound and inbound connections. Certainly, we allow all inbound connections to the honeypot, or we can't trap any attacks. Outbound connections should be controlled, because connections initiated from the honeypot are probably being used to attack other computer systems. Alternative measures could be taken: just count outbound connections and set up a threshold, or add intelligence by analyzing the activities of the applications respectively to determine whether an outbound connection should be blocked. The routing control component is the second layer of access control. It blocks any packets with a non-honeypot IP so as to prevent most IP-spoofed attacks against other systems. The routing control component also supplements the firewall component in controlling outbound connections.

Data capture uses a 3-layer hierarchy to capture and store data. The firewall component is the first layer (IP layer), capturing outbound and inbound connection data. All the connections are considered suspicious. These data are critically useful when watching and analyzing the attack process. The second layer of data capture is the IDS component, which captures all the network activities of the honeypot at the link layer. It lies in the same network as the target honeypot system and gathers data in a hidden way. The third layer is the log component, which logs all the activities of the honeypot OS at the application layer. Log data are stored remotely on a strongly access-controlled log server. An experienced attacker would discover the remote log and try to destroy the log server. It needs more advanced skills to succeed in compromising the security-enhanced log server.
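The two data-control layers of the general model, as an added example written for this page (it is not code from the paper or from any honeypot product): a simulated gateway in which the firewall component admits every inbound connection but meters new outbound connections per honeypot host against a threshold, and the routing control component drops any packet leaving with a source address outside the honeypot range. The address range, the threshold, the `Packet` record and the traffic in `run_demo` are constructed for the demo.

```python
"""Simulated honeypot gateway: connection control + routing control.

Constructed example. Models the data-control half of the general model:
  * firewall component: all inbound admitted; new outbound connections
    counted per honeypot host and blocked once a threshold is exceeded;
  * routing control component: packets whose source is not a honeypot
    address are dropped (anti-spoofing), as a second access-control layer.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool  # True for the first packet of a new TCP connection


@dataclass
class HoneypotGateway:
    honeypot_net: str                    # addresses assigned to honeypots (assumed)
    outbound_threshold: int = 5          # new outbound connections allowed per host
    outbound_count: dict = field(default_factory=lambda: defaultdict(int))
    decisions: list = field(default_factory=list)   # (layer, verdict, packet) audit log

    def _is_honeypot(self, addr: str) -> bool:
        return ip_address(addr) in ip_network(self.honeypot_net)

    def routing_control(self, pkt: Packet) -> bool:
        """Second layer: drop anything leaving with a non-honeypot source."""
        if self._is_honeypot(pkt.dst):
            return True                  # inbound traffic is not filtered here
        if not self._is_honeypot(pkt.src):
            self.decisions.append(("router", "DROP-spoofed-src", pkt))
            return False
        return True

    def connection_control(self, pkt: Packet) -> bool:
        """First layer: admit all inbound, meter new outbound connections."""
        if self._is_honeypot(pkt.dst):
            self.decisions.append(("firewall", "ALLOW-inbound", pkt))
            return True
        if not pkt.syn:
            return True                  # only new connections count against the threshold
        self.outbound_count[pkt.src] += 1
        if self.outbound_count[pkt.src] > self.outbound_threshold:
            self.decisions.append(("firewall", "BLOCK-threshold", pkt))
            return False
        self.decisions.append(("firewall", "ALLOW-outbound", pkt))
        return True

    def forward(self, pkt: Packet) -> bool:
        """A packet is forwarded only if both layers accept it."""
        return self.routing_control(pkt) and self.connection_control(pkt)


def run_demo(threshold: int = 3) -> dict:
    """Push constructed traffic through the gateway and summarise verdicts."""
    gw = HoneypotGateway("192.0.2.0/28", outbound_threshold=threshold)
    # Constructed traffic: one probe into the honeypot, then the compromised
    # honeypot opening five new outbound connections, then a spoofed packet.
    traffic = [Packet("198.51.100.7", "192.0.2.5", 80, True)]
    traffic += [Packet("192.0.2.5", "203.0.113.%d" % i, 22, True) for i in range(1, 6)]
    traffic += [Packet("10.9.9.9", "203.0.113.50", 53, True)]
    verdicts = [gw.forward(p) for p in traffic]
    summary = defaultdict(int)
    for layer, verdict, _ in gw.decisions:
        summary["%s:%s" % (layer, verdict)] += 1
    return {"forwarded": sum(verdicts), "total": len(traffic), "summary": dict(summary)}


if __name__ == "__main__":
    print(run_demo())
```

The audit log kept in `decisions` is what makes the threshold policy reviewable afterwards: with a threshold of 3, the probe and the first three outbound connections are forwarded, the fourth and fifth are blocked by the firewall layer, and the spoofed packet never reaches the firewall because the routing layer drops it first.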


Even if the attacker really hacks the log server, we have the firewall and IDS components recording the attacking process. Layered data control and data capture give attackers great flexibility to interact with the honeypot and provide a more secure way of protecting intrusion process data. Data control and data capture can be deployed in a distributed layered network environment for security reasons, or deployed in one single machine for portability.

3. Honeypot Taxonomy

Honeypots can be classified by security goals or application goals. Related research work focuses on different fields accordingly. We break honeypots into four broad categories according to security goals: prevention, detection, reaction and research. The first three focus on different cycles in security, while the last one focuses on the whole attacking process.

A prevention honeypot stops the attacker from compromising the production system indirectly. It applies effective attack deception methods such as IP address deception (using the multi-homed capability of a single LAN interface), network traffic simulation and information deception. The hacker wastes time attacking the honeypot system instead of the production system. In this way, the honeypot deters attacks and protects the production system from being compromised. It's true that new automated attacks and worms can infiltrate the production system; the honeypot is still more likely to capture the auto-rooters and worms because of its known vulnerabilities, providing information in advance.

A detection honeypot gives an alert when an attack occurs. The main difference between a detection honeypot and an IDS lies in that the honeypot detects compromises by virtue of system activities, while the IDS compares the intrusion mode with known signatures. So a detection honeypot is effective in detecting new or unknown attacks. Its other contribution to intrusion detection is that it can reduce both the false positive rate and the false negative rate. False positives are alerts generated when the IDS sensor recognizes signatures as intrusions that are valid in reality. False negatives are the opposite: the IDS fails to detect valid intrusions. Reducing the false positive rate is a big problem IDS are facing. Outbound and inbound honeypot connections can only be attacks on the honeypot or attacks initiated from the compromised system. Thus alerts generated from a honeypot have a lower false positive rate and false negative rate. A detection honeypot can't be deployed alone, because the honeypot itself would be compromised and controlled. A detection honeypot can be a powerful tool supplementing IDS in attack detection.

A reaction honeypot is a companion system for the production system. It provides an environment similar to the production system for taking measures to find the cause and patch vulnerabilities after the production system is attacked and compromised. It is always a great loss to take the production system off-line for a full analysis after an intrusion occurs, but we can't have a complete check on the on-line target system, because there are active users making their deals and perhaps the attacker is just active in the system. The reaction honeypot removes the difficulties.
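The three-layer data capture of the general model and the detection-honeypot rule that every connection is suspicious, as an added example written for this page (not code from the paper or from any honeypot product). It merges constructed firewall (IP layer), IDS (link layer) and remote application-log records into one per-address timeline and derives alerts from the firewall layer alone, so the attack process stays visible even after the attacker stops the honeypot's remote logging. The three line formats, the honeypot address set and the sample records are assumptions constructed for the demo.

```python
"""Three-layer data capture merged into one timeline, plus honeypot alerting.

Constructed log formats (assumed for this example only):
  "<ts> FW <src>:<sport> -> <dst>:<dport> <IN|OUT>"   firewall component (IP layer)
  "<ts> IDS <src> -> <dst> <summary>"                 IDS component (link layer)
  "<ts> APP <host> <process>: <message>"              remote log server (application layer)
"""
import re
from collections import defaultdict

HONEYPOTS = {"192.0.2.5"}   # constructed honeypot address set

FW_RE = re.compile(r"^(\S+) FW (\S+):(\d+) -> (\S+):(\d+) (IN|OUT)$")
IDS_RE = re.compile(r"^(\S+) IDS (\S+) -> (\S+) (.+)$")
APP_RE = re.compile(r"^(\S+) APP (\S+) (\S+): (.+)$")

# Constructed sample records: a probe and login into the honeypot, the honeypot's
# remote log forwarding being stopped, then an outbound connection from it.
SAMPLE = [
    "2003-05-01T10:00:01 FW 198.51.100.7:40001 -> 192.0.2.5:22 IN",
    "2003-05-01T10:00:01 IDS 198.51.100.7 -> 192.0.2.5 ssh client banner observed",
    "2003-05-01T10:00:09 APP honeypot-1 sshd: Accepted password for guest from 198.51.100.7 port 40001",
    "2003-05-01T10:02:30 APP honeypot-1 syslogd: remote log forwarding stopped",
    "2003-05-01T10:03:00 FW 192.0.2.5:51000 -> 203.0.113.9:6667 OUT",
    "2003-05-01T10:03:00 IDS 192.0.2.5 -> 203.0.113.9 irc session observed",
    "not a record at all",
]


def parse_line(line):
    """Return (timestamp, layer, remote_ip, detail), or None if unparsable."""
    m = FW_RE.match(line)
    if m:
        ts, src, sport, dst, dport, direction = m.groups()
        remote = dst if direction == "OUT" else src
        return ts, "firewall", remote, "%s %s:%s->%s:%s" % (direction, src, sport, dst, dport)
    m = IDS_RE.match(line)
    if m:
        ts, src, dst, summary = m.groups()
        remote = dst if src in HONEYPOTS else src
        return ts, "ids", remote, summary
    m = APP_RE.match(line)
    if m:
        ts, host, proc, msg = m.groups()
        ip = re.search(r"from (\d+\.\d+\.\d+\.\d+)", msg)
        return ts, "applog", ip.group(1) if ip else "-", "%s: %s" % (proc, msg)
    return None


def build_timeline(lines):
    """Merge all three layers into per-remote-address timelines sorted by time."""
    timelines = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, layer, remote, detail = rec
            timelines[remote].append((ts, layer, detail))
    for events in timelines.values():
        events.sort()
    return dict(timelines)


def layers_seen(lines, remote):
    """Which capture layers hold evidence about a given remote address."""
    return sorted({layer for _, layer, _ in build_timeline(lines).get(remote, [])})


def alerts(lines):
    """Honeypot alert rule: every inbound connection is suspicious, and any
    outbound connection means the honeypot is probably compromised."""
    result = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec[1] != "firewall":
            continue
        ts, _, remote, detail = rec
        kind = "compromised-outbound" if detail.startswith("OUT ") else "suspicious-inbound"
        result.append((ts, kind, remote))
    return result


if __name__ == "__main__":
    for remote, events in build_timeline(SAMPLE).items():
        print(remote, events)
    print(alerts(SAMPLE))
```

Running it shows the point the paper makes: the application layer records the login from 198.51.100.7, but the later outbound connection to 203.0.113.9 is captured only by the firewall and IDS layers, which the attacker could not silence from inside the honeypot.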

The incident team can take the reaction honeypot off-line and investigate in detail what failed, what damage was done, what entrance the attacker used and what he did. Lessons learned from the reaction honeypot can be used to identify faults and recover the production system.

A research honeypot focuses on threat information, including motives, tools, methods and skills. It is a platform with common vulnerabilities and OS holes to attain information from the opponent. Unlike the above three honeypots, a research honeypot doesn't always accompany a production system, but gives the attacker great flexibility. The goal of the research honeypot is security research. Researchers analyze new attacking tools as well as worms extracted from the recorded information. Remedies or solutions can then be applied to enhance normal system security.

One honeypot may carry several responsibilities of both security goals and research goals. We know that prevention, detection and reaction relate to one another in the security life cycle. A research honeypot can be modified and adapted to a particular security life cycle too.

Honeypots can also be classified according to application goals. This kind of application-oriented honeypot is dedicated to solving a certain application security problem. The following are several application-oriented solutions. A case in point is the anti-spam honeypot, which filters spam without eliminating legitimate mail [20, 21]. DoS and DDoS honeypots detect attacks by signature matching and actively directing attacking packets to the honeypot through a transparent packet forwarder [22]. A worm honeypot traps a robot intruder indefinitely by manipulating the TCP session parameters. Almost no intruder could escape [24].

III. Research Focus

The overall goal of improvement is making honeypots easier to deploy and more difficult to detect. Present research points to the following fields.

1. Detection Method

Tracking attackers' activity instead of merely counting their outbound connections. An activity is asserted to be an attack according to the actual activity in the honeypot. The assertion is made based on common-use command sequences or tools such as ftp and telnet. The data mining method of sequence analysis is introduced to add intelligence to attack detection [9].

2. Reaction Method

We have mentioned that all outbound connections above the threshold would be blocked. In this way we prevent the compromised system from being a gangplank, but we risk implying the existence of connection control (a firewall). Valuable information on the attacker's activity after compromising a system can't be attained. We hope for a way that is effective and far more difficult to detect. Data control can be replaced by a 2-layer gateway, which would modify several bytes of packets considered to be attacks [16]. The attacker still can create connections with other systems and send ordinary requests, but can't receive proper response packets. This is a preferable response way that does not alert the attacker.

3. Data Capture and Data Store Method

How to capture and store data in a tricky way is a permanent problem. The Honeynet Project proposes an artful solution to data capture. Attackers' activity is captured by a kernel module of the honeypot OS, which encapsulates the captured data with a spoofed IP and a common-use protocol such as NetBIOS. The honeypot gateway actively captures, decrypts and reconstructs these data. Capturing data in a kernel module makes it independent of the communication means, such as SSH, SSL or IPSec. Spoofed IP and encapsulation are used to trick attackers [16].

4. Virtual Honeypot

It combines data capture and data control as well as the other components of the honeypot in a single machine. A virtual honeypot even can simulate different kinds and different numbers of honeypots in one device. Related technologies include virtual environments in the host OS, IP stack simulators and application simulators.
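The activity-tracking detection method of section III.1, as an added example written for this page (not code from the paper or from any honeypot product): a honeypot shell session is judged by the ordered sequence of commands typed in it rather than by counting its outbound connections, with an attack asserted when a known tool-use sequence occurs in order. The pattern labels, the network-tool list and the two session transcripts are constructed for the demo.

```python
"""Activity-based attack assertion for honeypot shell sessions.

A pattern is a list of command names that must appear in order (gaps
allowed); an element ending in '*' is a prefix match. Patterns, the
network-tool list and the transcripts below are constructed for this demo.
"""
import os
import shlex

PATTERNS = {
    "fetch-then-execute": ["ftp", "chmod", "./*"],   # transfer a file, make it executable, run it
    "outbound-interactive-login": ["telnet"],        # interactive login towards another host
}
NETWORK_TOOLS = {"ftp", "telnet", "ssh"}             # commands that open an outbound connection


def command_name(line):
    """Normalise a shell line to the name of the command it runs."""
    try:
        tokens = shlex.split(line)
    except ValueError:                 # unbalanced quotes: fall back to a plain split
        tokens = line.split()
    if not tokens:
        return ""
    tok = tokens[0]
    return tok if tok.startswith("./") else os.path.basename(tok)


def _elem_matches(name, elem):
    return name.startswith(elem[:-1]) if elem.endswith("*") else name == elem


def match_pattern(names, pattern):
    """Indices at which `pattern` occurs as an ordered subsequence of `names`,
    or None when it does not occur."""
    hits, i = [], 0
    for idx, name in enumerate(names):
        if i < len(pattern) and _elem_matches(name, pattern[i]):
            hits.append(idx)
            i += 1
    return hits if i == len(pattern) else None


def assess_session(commands):
    """Map each asserted pattern label to the commands that realised it."""
    names = [command_name(c) for c in commands]
    found = {}
    for label, pattern in PATTERNS.items():
        hits = match_pattern(names, pattern)
        if hits is not None:
            found[label] = [commands[h] for h in hits]
    return found


def outbound_connection_count(commands):
    """What a threshold-only data control layer would see for the session."""
    return sum(1 for c in commands if command_name(c) in NETWORK_TOOLS)


# Constructed transcripts of two honeypot sessions.
SESSION_A = ["uname -a", "ftp 203.0.113.9", "chmod +x tool.bin", "./tool.bin", "telnet 203.0.113.20"]
SESSION_B = ["ls -la", "cat /etc/motd", "exit"]

if __name__ == "__main__":
    for session in (SESSION_A, SESSION_B):
        print(outbound_connection_count(session), assess_session(session))
```

Session A opens only two outbound connections, below the threshold of five used in the earlier data-control example, so connection counting alone would let it pass; the command-sequence assertion flags it anyway, while session B matches nothing.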

IV. Honeypot Examples

We select several honeypot systems to show the status of honeypot products. Each is a sample of one kind. We investigate the different honeypot systems concerning security value, interaction and virtualization.

1. BackOfficer Friendly (BOF)

BOF is developed by Marcus Ranum. It is a lightweight honeypot and free to distribute. We choose BOF because it represents an accurate distillation of the ideas and insights of honeypots. BOF emulates several common services such as HTTP, FTP, telnet, mail and Back Orifice. BOF logs, alerts and responds with a fake reply whenever someone connects to such ports. The BOF user can have a clear view of the attacking process [25].

2. Specter

Specter is a commercial production honeypot whose value lies in detection. Specter can simulate 13 different operating systems at the application level, including Windows, Linux, AIX, Solaris, MacOS etc. It is Windows-based software which offers 14 different network services and traps. Its other characteristic is actively gathering the attacker's information, such as Whois and DNS lookups. Specter is a low-interaction honeypot which fakes the reply to the attacker's request. The attacker can't utilize the application to interact with the OS [26].

3. Honeyd

Created by Niels Provos, Honeyd is a powerful production honeypot which can be used for attack detection and reaction. It represents today's level of production honeypots in many fields. First, it can emulate over 400 kinds of OS at the IP stack level. This hides the guest OS from the attacker. Second, it emulates hundreds of computers on a single machine by use of ARP spoofing. Third, Honeyd is an open-source honeypot system. It is free to use and easy to modify for particular requirements. Honeyd still uses a simulated service reply to the attacker's request, but the administrator can customize the reply script to provide the attacker more flexibility [28, 30].

4. Honeynet

Honeynet represents the highest level of research honeypot. We have pointed out that it is a high-interaction honeypot which is primarily used for research. It can also be modified into a production honeypot for attack detection and reaction. New methods of data capture and data control proposed by the Honeynet Project show greater flexibility and higher access control ability, which can be applied to both research and production honeypots [29].

V. Conclusion

A honeypot is not a solution to network security but a good tool supplementing other security technologies to form an alternative active defense system for network security. Working with IDS and firewalls, the honeypot provides a new way of attack prevention, detection and reaction. A honeypot can serve as a good deception tool for the prevention of attacks on production systems because of its ability to trap the attacker in a decoy system. Supplemented with IDS, the honeypot reduces false positives and false negatives. Intelligent routing control provides flexible responses to attacks. Different kinds of honeypots share the common technologies of data control and data capture. Researchers focus on these two to make honeypots easier to deploy and more difficult to detect. From the advances in research and production honeypots today, we predict that the future honeypot has the features of integration, virtualization and distribution. An integrated honeypot encapsulates all the components in a single device. A virtual honeypot creates a large number of honeypot systems in one machine. A distributed honeypot comprises different honeypot systems in an actual network to offer high interaction between attacks and system. All of them make future honeypots cheaper to apply and easier to maintain.

REFERENCES

[1] Gary McGraw, Greg Morrisett. Attacking Malicious Code: A report to the Infosec Research Council. May 2001. http://citeseer.nj.nec.com/498998.html
[2] Felix Lau, Stuart H. Rubin, Michael H. Smith, Ljiljana Trajkovic. Distributed Denial of Service Attacks. IEEE International Conference on Systems, Man, and Cybernetics, pp. 2275-2280, Oct. 2000.
[3] CERT Coordination Center. Results of the distributed systems intruder tools workshop. Nov. 1999. http://www.cert.org/reports/dsit-workshop.pdf
[4] Sotiris Ioannidis, Angelos D. Keromytis, Steven M. Bellovin, Jonathan M. Smith. Implementing a distributed firewall. ACM Conference on Computer and Communications Security, pp. 190-199, 2000.
[5] Dan Schnackenberg, Kelly Djahandari, D. Sterne. Infrastructure for Intrusion Detection and Response. Proceedings of DISCEX, January 2000.

[6] Alan M. Christie. The Incident Detection, Analysis, and Response (IDAR) Project. http://www.cert.org/idar/papers/IDAR_paper.pdf
[7] Gene Spafford, Mark Crosbie, COAST group, Dept. of Computer Science. Active Defense of a Computer System using Autonomous Agents. Technical Report No. 98-005, Dept. of Computer Science, Purdue University.
[8] Eleazar Eskin. Anomaly Detection over Noisy Data using Learned Probability Distributions. Proc. 17th International Conf. on Machine Learning, Morgan Kaufmann, San Francisco, CA, pp. 255-262, 2000.
[9] Terran Lane, Carla E. Brodley. Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information and System Security, Vol. 2, No. 3, pp. 295-331, 1999.
[10] Ireland Security Information Center and Dublin City University. ISIC Honeypot Project. http://www.isiclabs.com/honeypot/
[11] Distributed Honeypot Project. http://www.lucidic.net
[12] Honeynet Project. http://www.honeynet.org/misc/project.html
[13] Reto Baumann, Christian Plattner. Honeypots. Diploma thesis, Feb. 2002. http://security.rbaumann.net/download/diplomathesis.pdf
[14] Reto Baumann, Christian Plattner. White Paper: Honeypots. Feb. 2002. http://security.rbaumann.net/download/whitepaper.pdf
[15] Lance Spitzner. Honeypots: Definitions and Values. May 2002. http://www.spitzner.net
[16] Honeynet Project. Know Your Enemy: Honeynets. http://www.honeynet.org/papers/honeynet/
[17] Honeynet Project. Know Your Enemy: A Forensic Analysis. http://www.honeynet.org/papers/forensics/
[18] Honeynet Project. Know Your Enemy: Motives. http://www.honeynet.org/papers/motives/
[19] Michael Clark. Virtual Honeynets. Nov. 2001. http://online.securityfocus.com/infocus/
[20] Spencer. Fighting Relay Spam the Honeypot Way. http://fightrelayspam.homestead.com/
[21] Jack Cleaver. Jackpot Mailswerver: a SMTP Relay Honeypot. http://jackpot.uk.net/
[22] Nathalie Weiler. Honeypots for Distributed Denial of Service Attacks. Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'02), p. 109, Jun. 2002.
[23] Information Security Inc. 2001 Industry Survey on Computer Attacks. http://www.infosecuritymag.com/articles/october01/images/survey.pdf
[24] Tom Liston. Trapping Worms in a Honeypot: The Tarpit. http://www.threenorth.com/LaBrea/
[25] Marcus Ranum. Backofficer Friendly (BOF). http://www.nfr.net/products/
[26] Specter. http://www.specter.com/default50.htm
[27] CyberCop Sting. CyberCop Sting Getting Started Guide. http://www.um.es/[illegible]/ftp.mcafee.com/[illegible]/ccsting/manual/Cstguide.pdf
[28] Niels Provos. Open Source honeyd. http://www.citi.umich.edu/u/provos/honeyd/
[29] Honeynet Project. Tools for Honeynets. http://www.honeynet.org/papers/honeynet/tools/
[30] User-Mode Linux: an Open-source solution to create a virtual machine. http://user-mode-linux.sf.net/honeypots.html
