
Honeypots: Deployment and Data Forensic Analysis

V. Maheswari, Assistant Professor & HOD, Sathyabama University, Chennai, India – 600 119

Dr. P. E. Sankaranarayanan, Dean (Academic & Research), Sathyabama University, Chennai, India – 600 119

Abstract

Information security is a growing concern today for organizations and individuals alike. This has led to growing interest in more aggressive forms of defense to supplement the existing methods. One of these methods involves the use of honeypots. A honeypot is a security resource whose value lies in being probed, attacked or compromised. In this paper we have deployed various honeypots under different environments and performed a forensic analysis of the data collected. We summarize the various results obtained in the experiments and give the possible measures that can be taken to use a honeypot as a valuable tool.

1. Introduction

The need for honeypots arises from today’s security threats, which keep changing from day to day. More traditional services are being extended to the Internet. At the same time, attacks and intrusions against web application systems are becoming more common. Early and successful detection can prevent or mitigate the compromise of data and resources. Honeypots are a relatively new security technology and are unique for two reasons. First, they work by having the bad guy actually interact with them. Second, honeypots are not a solution; they do not fix a specific problem. Instead, they are a highly flexible tool with multiple applications for security, from preventing attacks, to detecting unauthorized activity, to gathering intelligence on hackers. The rest of the paper is organized as follows. In section 2 we examine the related work and the different types of honeypots. Section 3 describes the experiments conducted, and the results are discussed in section 4. Section 5 concludes the paper.

2. Related work & Background

Research in this area has been undertaken as this is an upcoming technology. The research is oriented towards the deployment techniques used for honeypots, which also take care of deception, data control and data capture. Several papers have explored the use of honeynets as an educational tool for IT students and academic institutions [1], [2]. This research indicates that honeynets can be an effective tool in security education. A significant amount of work is available that details the benefits of honeypots. Other papers go into some detail about the strategic considerations involved when using honeypots. There are also papers that describe specific applications of honeypots as building blocks for a system such as Honeycomb, which is used to create intrusion detection signatures [3]. In this paper we have deployed the different types of honeypot under varied environments, analysed and summarized the results of these honeypots, and explored the different types of attacks.

2.1. Honeypots

Though there are different views and definitions given to honeypots, the general definition covering all the different manifestations of honeypots is “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource” [5]. The general categorization of honeypots is based on their level of interaction. The simplest honeypot is simply a socket-based program that opens up a listening port. Honeypots range from simple port monitors to full product systems, which can be emulated under various OSes. A honeypot is a closely monitored capturing resource that we intend to be probed, attacked or compromised.

International Conference on Computational Intelligence and Multimedia Applications 2007, 0-7695-3050-8/07 $25.00 © 2007 IEEE, DOI 10.1109/ICCIMA.2007.274
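The socket-based listener the paragraph describes, written out as an added example (this is not code from the paper or from any of the honeypot products it names). It opens one otherwise unused TCP port, records the peer address and the first bytes sent, and never answers with a real service. The record layout, the probe labels in classify_probe and the port 2323 are assumptions made for this example.

```python
"""Minimal low-interaction honeypot: listen on an unused port, log every
connection and the first bytes it sends, offer no real service.
Added example; record layout and probe labels are assumptions."""
import json
import socket
import threading
import time

MAX_PEEK = 64   # keep only the first bytes: enough to classify, nothing is executed


def classify_probe(payload: bytes) -> str:
    """Label the opening bytes of a connection. The labels are this example's
    own assumptions, not a standard taxonomy."""
    head = payload[:MAX_PEEK]
    if not head:
        return "connect-only"            # TCP connect with no data: typical port scan
    if head.startswith((b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")):
        return "http-request"
    if head.startswith(b"SSH-"):
        return "ssh-client-banner"
    if head.startswith((b"USER ", b"HELO ", b"EHLO ")):
        return "ftp-or-smtp-login"
    return "unknown"


def make_record(peer, local_port, payload, ts=None):
    """One JSON-serialisable record per connection: when, who, which port, what."""
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(payload),
        "kind": classify_probe(payload),
        "head_hex": payload[:MAX_PEEK].hex(),   # raw evidence kept for later forensics
    }


def handle(conn, peer, local_port, sink, timeout=3.0):
    """Read at most MAX_PEEK bytes, log the record, close. Nothing is sent back."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(MAX_PEEK)
    except OSError:                      # covers socket.timeout and connection resets
        data = b""
    finally:
        conn.close()
    rec = make_record(peer, local_port, data)
    sink(rec)
    return rec


def serve(port, sink, host="0.0.0.0", max_conns=None):
    """Accept loop. Every connection is logged, because no legitimate client has
    a reason to talk to this port. max_conns bounds the loop (None = forever)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    seen = 0
    try:
        while max_conns is None or seen < max_conns:
            conn, peer = srv.accept()
            seen += 1
            threading.Thread(target=handle, args=(conn, peer, port, sink),
                             daemon=True).start()
    finally:
        srv.close()
    return seen


if __name__ == "__main__":
    # Port 2323 is an assumption: pick any port that no real service uses on the host.
    serve(2323, sink=lambda r: print(json.dumps(r)))
```

Because the listener never sends a banner or a reply, a connecting client learns nothing it did not already know, while every record captures the source address, the destination port and the first bytes, which is exactly the per-port probe data the paper tabulates later.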

3. Experiences with Honeypots

The central idea of honeypots is that any traffic directed to the honeypot is considered an attack. In order to get an impression of what attack traffic to a honeypot actually looks like, in our work some honeypots have been set up and the results have been analyzed. To evaluate what existing honeypots are capable of, several freely available honeypot software projects have been tested under lab conditions and in real use. The results show which approaches fit the requirements and which features are missing.

3.1. Deployment of Low interaction Honeypot

Low interaction honeypots are mainly used to detect hackers and deceive them by emulating operating system services and port services on the host operating system. The interaction with other hosts is limited in this type of honeypot, which reduces the propagation of attacks. We have tested three different honeypots under various operating systems. The first low interaction honeypot, Honeyd, is an open source low interaction virtual honeypot created and maintained by Niels Provos [4]. It was intended initially for UNIX and has now been extended to Windows as well. The second low interaction honeypot was KFSensor, a Windows-based honeypot. It was deployed on a physical machine running the Windows XP platform. This honeypot can emulate services such as FTP and HTTP as well as generic TCP and UDP ports. The third honeypot, Specter, cannot monitor unused IP addresses; it can only monitor the IP address assigned to the host machine.

3.2. Deployment of High interaction honeypots

Unlike low interaction honeypots, high interaction honeypots, as the name itself indicates, make hackers interact more by using real operating system services rather than emulated services. But since the chances of exploitation are greater here, care should be taken that production systems are not used as the honeypot environment, so data control must be taken care of by the high interaction honeypot. A Generation II honeynet was deployed by installing it on a LINUX platform. It was not used under a research environment, as there were chances that attackers could compromise the machine easily.

4. Results and Discussion

The log files of the various low interaction honeypots give the details of unauthorized access to various ports and of attacks in the form of worms or viruses which try to enter through unauthorized IP addresses. Honeypots were also deployed by placing them behind the firewall and tested. The data logged was far less than for the honeypot placed before the firewall, because all the unauthorized addresses or services are filtered by the firewall. So these low interaction honeypots can be used to catch insider attacks. The various ports that have been probed under various platforms are listed in Table 1. This table shows the various attacks under both the Windows platform and the UNIX platform. It also shows that ports are probed more on a Windows machine than on a UNIX machine. The honeypots placed before the firewall give statistical data about the frequency, origin and type of attacks, whereas the honeypot behind the firewall can be used as an intrusion detection system, to identify the attackers who have penetrated through the IDS and have control over the internal machines. Hence low interaction honeypots are very useful in catching insider threats. A proper data control mechanism can be used to get more information about the hacker’s activities.

Table 1. Attacks observed in low interaction / high interaction honeypots

Port No./Service     Attacks observed     Attacks observed     Port No./Service     Attacks observed
(Low Interaction)    (Linux platform)     (Windows platform)   (High Interaction)   (High Interaction)
21 (FTP)             8                    7                    21                   35
80 (HTTP)            23                   40                   80                   123
443 (HTTPS)          3                    4                    135                  134
23 (Telnet)          6                    5                    137                  112
SMTP                 2                    2                    23                   56
SSH                  3                    -                    443                  23

Data logging in the high interaction honeypots was done using Sebek. The data is transmitted on the honeypot’s network interface, where it is captured and logged by the Honeywall in the course of logging the rest of the network traffic. There are then scripts to extract the data, insert it into a database, and browse it with a web-based interface during analysis. The data collected and the summary of the attacks and probes made are given in Table 1. This table gives the statistical data on the different types of attacks. Other types of known vulnerabilities are buffer overflow and format string attacks, through which the system was compromised. Data logging combined with an efficient intrusion detection system can help us to profile the attacks. These attack patterns give us detailed information about the black hat community regarding i) the attackers’ type, their involvement and their characteristics, ii) the motivation behind their attacks, iii) the vulnerability in the system that has been used by the attacker, and iv) the tools that have been used including.
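To make the analysis step concrete, here is an added example (not the paper's code or tooling) that rolls honeypot log lines up into the kind of per-port, per-platform count that Table 1 reports, splits hits by firewall placement as section 4 discusses, and lists the sources that reached the sensor behind the firewall. The line format, the sensor names and every sample line are constructed for this example; they are not output of Honeyd, KFSensor, Specter or Sebek.

```python
"""Forensic summary of low-interaction honeypot logs: per-port counts per
sensor, hits before vs. behind the firewall, top sources, insider candidates.
Added example; log format and sample lines are constructed, not product output."""
import re
from collections import Counter, defaultdict

# Service names for the ports that appear in the sample (assumption: only these).
SERVICE = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP", 443: "HTTPS"}

# Constructed line layout: timestamp, sensor, placement, source, port, proto.
LINE = re.compile(
    r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) placement=(?P<placement>before|behind) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst_port=(?P<port>\d+) proto=(?P<proto>tcp|udp)$"
)

SAMPLE_LOG = """\
2007-03-12T10:41:02 sensor=linux-honeyd placement=before src=203.0.113.7 dst_port=80 proto=tcp
2007-03-12T10:41:05 sensor=linux-honeyd placement=before src=203.0.113.7 dst_port=21 proto=tcp
2007-03-12T10:42:11 sensor=windows-kfsensor placement=before src=198.51.100.23 dst_port=80 proto=tcp
2007-03-12T10:42:12 sensor=windows-kfsensor placement=before src=198.51.100.23 dst_port=443 proto=tcp
2007-03-12T10:43:30 sensor=linux-honeyd placement=before src=198.51.100.23 dst_port=80 proto=tcp
2007-03-12T10:44:01 sensor=windows-kfsensor placement=before src=203.0.113.7 dst_port=80 proto=tcp
2007-03-12T10:45:17 sensor=linux-honeyd placement=before src=192.0.2.99 dst_port=23 proto=tcp
2007-03-12T10:46:40 sensor=windows-kfsensor placement=before src=192.0.2.99 dst_port=21 proto=tcp
2007-03-12T10:47:03 sensor=windows-kfsensor placement=before src=203.0.113.7 dst_port=80 proto=tcp
2007-03-12T10:48:55 sensor=linux-honeyd placement=before src=203.0.113.7 dst_port=22 proto=tcp
2007-03-12T11:02:10 sensor=windows-kfsensor placement=before src=192.0.2.99 dst_port=23 proto=tcp
2007-03-12T11:15:44 sensor=linux-honeyd placement=behind src=10.0.0.14 dst_port=80 proto=tcp
2007-03-12T11:20:01 sensor=windows-kfsensor placement=before src=198.51.100.23 dst_port=80 proto=tcp
2007-03-12T11:31:27 sensor=linux-honeyd placement=before src=192.0.2.99 dst_port=80 proto=tcp
"""


def parse(lines):
    """Yield one event dict per log line; reject malformed lines instead of
    silently dropping evidence."""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        yield ev


def per_port_table(events):
    """{sensor: Counter({port: hits})}. Every event counts: nothing legitimate
    should reach a honeypot, so each connection is a probe or an attack."""
    table = defaultdict(Counter)
    for ev in events:
        table[ev["sensor"]][ev["port"]] += 1
    return table


def placement_split(events):
    """Hits on sensors placed before vs. behind the firewall."""
    return dict(Counter(ev["placement"] for ev in events))


def top_sources(events, n=3):
    """Most active source addresses: the 'origin' statistic of section 4."""
    return Counter(ev["src"] for ev in events).most_common(n)


def insider_candidates(events):
    """Sources seen by a sensor behind the firewall. The perimeter already
    filtered external noise, so these are internal hosts worth investigating."""
    return sorted({ev["src"] for ev in events if ev["placement"] == "behind"})


def render(table):
    """Plain-text table in the style of Table 1: ports as rows, sensors as columns."""
    sensors = sorted(table)
    ports = sorted({p for counts in table.values() for p in counts})
    width = 18
    rows = ["Port/Service".ljust(14) + "".join(s.rjust(width) for s in sensors)]
    for p in ports:
        label = f"{p} ({SERVICE.get(p, '?')})"
        cells = "".join(str(table[s][p] or "-").rjust(width) for s in sensors)
        rows.append(label.ljust(14) + cells)
    return "\n".join(rows)


EVENTS = list(parse(SAMPLE_LOG.splitlines()))

if __name__ == "__main__":
    print(render(per_port_table(EVENTS)))
    print("placement:", placement_split(EVENTS))
    print("top sources:", top_sources(EVENTS))
    print("insider candidates:", insider_candidates(EVENTS))
```

The parser raises on a malformed line rather than skipping it, because a dropped line in honeypot data is lost evidence; the placement split reproduces the paper's observation that a sensor behind the firewall logs far less, and whatever it does log comes from inside.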

5. Conclusion and Future Work

Honeypots are very useful for organizations to learn about black hats, both insiders and those from the external environment. They help them to learn about the attack patterns, their type and the frequency of attacks. Our experiments show that a low interaction honeypot can be used as an active defensive tool within an organization to catch the insider threat. High interaction honeypots provide us with real-value data, which is valuable information for the organization if it is effectively profiled. This data can be used to increase the network security measures.

6. References

[1] Jones, J.K. and Romney, G.W. Honeynets: An Educational Resource for IT Security. SIGITE '04, Salt Lake City, Utah, 2004.
[2] Karthik, S., Samudrala, B. and Yang, A.T. Design of Network Security Projects Using Honeypots. Journal of Computing Sciences in Colleges, 20 (4).
[3] Kreibich, C. and Crowcroft, J. Honeycomb – Creating Intrusion Detection Signatures using Honeypots. Proceedings of the Second Workshop on Hot Topics in Networks (HotNets II), Boston, 2003, 51-56.
[4] Provos, N. A Virtual Honeypot Framework. 13th USENIX Security Symposium, August 2004.
[5] Spitzner, L. Definition and Value of Honeypots, in Tracking Hackers, 2003.