International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, Volume 2, Issue 8, August 2012)
498
Intrusion Detection System Using Shadow Honeypot
Navita Sharma (1), Gurpreet Singh (2)
(1) Department of Computer Science & Engineering, MIMIT Malout, Punjab (INDIA), [email protected]
(2) Department of Information Technology, MIMIT Malout, Punjab (INDIA)
Abstract— The immense advancement in attacks against networks gives rise to interest in more contentious forms of defense to supplement the existing security approaches. Honeypots are physical or virtual machines successfully used as intrusion detection tools to detect threats. In this paper we propose a shadow honeypot based intrusion detection system. The shadow honeypot is used to collect intrusions from the network, and it is combined with the intrusion detection system to improve the system's detection performance. The proposed system may improve the overall security of large-scale networks by minimizing the rate of false positives and detecting intrusions better.
Keywords— anomaly detection, intrusion detection system, honeypot, honeynet, shadow honeypot.
I. INTRODUCTION
In recent years, intrusions and other types of attacks on computer network systems have become more and more widespread and sophisticated. Intrusion detection is defined as "the problem of identifying individuals who are using a computer system without authorization and those who have legitimate access to the system but are abusing their privileges (insider threat)".
An intrusion detection system (IDS) is an essential part of a good network security environment. It enables detection of suspicious packets and attacks. With the help of an IDS, all network traffic can be observed. It is easy to detect malicious traffic on a honeynet, as well as to decode and log interesting packets at a centralized point.
Intrusion detection techniques are traditionally categorized into two methodologies: anomaly detection and misuse detection.
Anomaly-based intrusion detection: Anomaly-based intrusion detection systems base their decisions on anomalies, things that do not normally occur. If a user suddenly starts a new program he has never used, or logs in to a machine at 4 o'clock in the morning (which he never did before), the system generates an alert announcing that something isn't running as usual.
We will focus on network-based and signature-based intrusion detection, as they are most important for honeypots. Host-based intrusion detection is more dangerous to use because of the possibility of getting detected on the host (the honeypot itself).
Misuse detection: Misuse detection catches intrusions in terms of the characteristics of known attacks or system vulnerabilities; any action that conforms to the pattern of a known attack or vulnerability is considered intrusive.
There are three main components to the intrusion detection system [7].
Network intrusion detection: Network intrusion detection systems listen to network communications. They recognize intrusions that come through the networking environment. Basically, a network intrusion detection system (NIDS) is a service that listens on a network interface looking for suspicious traffic. Network intrusion detection systems are mostly signature based.
Host-based intrusion detection: Host intrusion detection systems (HIDS) reside on the resource they supervise. This resource is mostly a computer server or workstation. HIDS look at generated log files, changes in the file system, or changes in the process table. Their goal is to detect intrusions into a host.
Signature-based intrusion detection: Signature-based intrusion detection is based on signatures of known attacks. These signatures are stored and compared against events or incoming traffic. If a pattern matches, an alert is generated.
A honeypot is an unreal network system designed to trap crackers and intruders. This system was introduced initially by Clifford Stoll in 1990 [1]. The honeypot is used as bait in the form of a vulnerable system to trap hackers and keep them away from accessing the critical information in the main system.
It observes the adversary's activities and detects new information coming from the intruders. Honeypots alone are not sufficient for solving or preventing network crimes.
A collection of honeypots is called a honeynet. A honeynet contains one or more honeypots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. A honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data.
II. RELATED WORK
Zhang Li-juan [2] describes the research and design of a honeypot-based defense system that combines the advantages of the existing distributed trap network by embedding a low alteration honeynet into a virtual honeynet. It collects all the IP addresses unused in the network to set up the trap; in this trap network, actual network services are used to interact with the hackers, so that the risk of the entire trap network being discovered is reduced. Babak Khosravifar [3] discusses improving the false alarm ratio of an intrusion detection system. In this approach, adversaries are initially detected by the IDS and then routed to a honeypot for further investigation. If the alarm decision made by the IDS is found to be wrong, the connection is guided to the original destination in order to continue the previous interaction. Kostas [4] describes the shadow honeypot, which is a combination of a honeypot and anomaly detection. The shadow is used to detect potential attacks; it is an instance of the protected application that shares all internal state with the normal instances of the application. Traffic that was misclassified by the anomaly detector is validated by the shadow honeypot and handled correctly by the system. Yun Yang [5] presents the combination of a protocol analysis module and a signature detection module in order to improve the detection performance of the IDS. Ozgur Depren [6] describes a hybrid IDS consisting of both an anomaly detection model and a misuse detection model, together with a decision support system combining the results of these two detection models; it uses the J.48 decision tree algorithm to classify various types of attacks.
III. SHADOW HONEYPOT
Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction [4]. The shadow is an instrumented instance of the application that can detect specific types of failure and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system, transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector.
A shadow honeypot can be tightly coupled with both server and client applications.
When tightly coupled with a server, the application is integrated with the honeypot, mirroring functionality and state. The server is protected by diverting suspicious requests to its shadow. When tightly coupled with a client, the context of the attack is considered in order to replay the attack in the shadow. This deals with passive attacks, where the attacker lures the user into downloading data containing the attack.
The misuse detector signals to the protected application whether a request is potentially dangerous. Depending on the prediction of the misuse detector, the system decides whether to invoke the regular instance or the shadow instance. The shadow detects specific types of failure and rolls back to the safe state.
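The shadow-instance flow described above, as an added example that is neither code from this paper nor from the shadow honeypot system it cites: a toy key-value application stands in for the protected server, a placeholder anomaly detector flags long keys, and the shadow checkpoints the shared state, catches a modelled failure, rolls back and records the outcome as a filter for future attack instances. The application, the failure condition (an oversized key) and both length thresholds are assumptions.

```python
import copy

MAX_KEY_LEN = 16  # assumption: the fixed buffer size whose overflow the shadow is instrumented to catch

class KeyValueApp:
    """Protected application: a toy key-value store whose state is a dict."""

    def __init__(self):
        self.state = {}

    def handle(self, request):
        op, key = request["op"], request["key"]
        self.state["_last"] = key                   # state is mutated before the check
        if op == "set":
            if len(key) > MAX_KEY_LEN:              # modelled failure (e.g. a buffer overflow)
                raise MemoryError("key overflows fixed-size buffer")
            self.state[key] = request.get("value")
            return "OK"
        return self.state.get(key, "MISSING")

class ShadowHoneypot:
    """Instrumented instance that shares the app's state and discards changes on failure."""

    def __init__(self, app):
        self.app = app
        self.attack_filter = set()                  # shadow outcomes used to filter future attacks

    def process(self, request):
        snapshot = copy.deepcopy(self.app.state)    # checkpoint the shared state
        try:
            result = self.app.handle(request)       # run the request on the real, shared state
        except Exception as exc:
            self.app.state = snapshot               # attack caught: roll back to the safe state
            self.attack_filter.add(request["key"])
            return ("attack", str(exc))
        return ("validated", result)                # misclassified traffic is served normally

def anomalous(request):
    """Stand-in anomaly detector (assumption): keys longer than 8 characters look unusual."""
    return len(request["key"]) > 8

def route(app, shadow, request):
    """Dispatch: known attack -> dropped; anomalous -> shadow; otherwise the regular instance."""
    if request["key"] in shadow.attack_filter:
        return ("filtered", None)
    if anomalous(request):
        return shadow.process(request)
    return ("regular", app.handle(request))
```

A second copy of the oversized request is dropped by the filter without touching the application, which is the "filter future attack instances" behaviour the section describes.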
IV. PROPOSED SYSTEM ARCHITECTURE
In this work the IDS uses both anomaly and misuse detection together with a honeypot to overcome the deficiencies of the IDS. The components of the proposed system are the detector, the anomaly detection module, the misuse detection module, the honeypot and the alarm module. The system structure is shown in Fig. 1 [3]:
Fig 1: Architecture of Shadow Honeypot based IDS
A. Detector
It is located at the base of the system; it collects the unrefined data from the network based on a set of rules and submits this data to the anomaly detection module for analysis. The main task of the detector is to audit the IP addresses and the network. The detector inspects either or both directions of each network flow, which may contain malicious requests towards vulnerable services or malicious content served by some compromised server towards a vulnerable user.
B. Anomaly Detection Module
It verifies unknown attacks on the basis of a set of rules. It decomposes the packets which the detector submitted and matches them by calling the protocol tree structure. The system then raises the alarm if the routed packets are abnormal; otherwise the anomaly detection module continues to analyse the packets. It analyses attacks against the TCP, UDP and ICMP protocols.
C. Misuse Detection Module
In misuse detection, the system analyses the information it gathers from the anomaly detection module and compares it to a large database of attack signatures, which are stored in the intrude database. Each rule should have the source IP address, target IP address, protocol type, source port, destination port and attack signature.
D. Intrusion Extraction
It extracts the intrusion data identified by the honeypot and stores the data in the intrude database. Genetic algorithms are used for mining invasion features from the honeypot audit records.
E. Shadow Honeypot
It collects the data analysed by the misuse detection module for further investigation. If the data is infected, it is rerouted towards the shadow version of the honeypot; otherwise it is routed to its destination application for continuity of processing. The data misclassified by the anomaly detector is handled and validated by the shadow honeypot. The level of prediction used by the shadow depends on the amount of latency we want to impose on infected traffic.
This is the working of the proposed model. By implementing this model in the network we can protect our applications from attackers and their new techniques, because it detects malicious traffic more accurately than the IDS alone.
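The misuse detection module (Section IV-C) and the intrusion extraction step (Section IV-D) as an added example, not the paper's own implementation: each intrude-database rule carries the six fields the paper lists and is matched against flow records, and a honeypot-confirmed flow is turned into a new rule. Treating "any" as a wildcard, CIDR matching for addresses, and the sample database and flows are all constructed assumptions.

```python
import ipaddress

PROTOCOLS = {"tcp", "udp", "icmp"}          # the protocols the anomaly module analyses

def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)  # 'any' = wildcard

def make_rule(src, dst, proto, sport, dport, signature, name):
    """One intrude-database entry with the six fields listed in Section IV-C."""
    assert proto in PROTOCOLS
    return {"src": _net(src), "dst": _net(dst), "proto": proto,
            "sport": sport, "dport": dport, "sig": signature, "name": name}

def _field_ok(rule_value, flow_value):
    if rule_value is None or rule_value == "any":
        return True
    if isinstance(rule_value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ipaddress.ip_address(flow_value) in rule_value
    return rule_value == flow_value

def match(rule, flow):
    """True when every header field agrees and the signature occurs in the payload."""
    return (_field_ok(rule["src"], flow["src"]) and _field_ok(rule["dst"], flow["dst"])
            and rule["proto"] == flow["proto"]
            and _field_ok(rule["sport"], flow["sport"]) and _field_ok(rule["dport"], flow["dport"])
            and rule["sig"] in flow["payload"])

def misuse_detect(intrude_db, flows):
    """Return (flow index, rule name) for each flow that hits a stored signature."""
    return [(i, r["name"]) for i, f in enumerate(flows) for r in intrude_db if match(r, f)]

def extract_rule(flow, name):
    """Intrusion extraction (Section IV-D): derive a new rule from a honeypot-confirmed flow."""
    return make_rule(flow["src"], "any", flow["proto"], "any", flow["dport"], flow["payload"][:16], name)

# Constructed sample intrude database and flows (not real captures).
INTRUDE_DB = [
    make_rule("any", "10.0.0.0/24", "tcp", "any", 80, b"../../", "dir-traversal"),
    make_rule("192.0.2.0/24", "any", "udp", "any", 161, b"public", "snmp-probe"),
]
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "proto": "tcp", "sport": 40001, "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "proto": "tcp", "sport": 40002, "dport": 80,
     "payload": b"GET /index.html HTTP/1.0"},
    {"src": "192.0.2.9", "dst": "10.0.0.20", "proto": "udp", "sport": 5555, "dport": 161,
     "payload": b"\x30\x26\x02\x01\x00\x04\x06public"},
]
```

Running misuse_detect(INTRUDE_DB, FLOWS) flags the first and third flows; the second only becomes detectable after extract_rule adds a rule learned from it.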
V. CONCLUSION
In this paper we present an intrusion detection system using a shadow honeypot. The shadow honeypot collects packets from the IDS and checks whether each packet is malicious or not. If a packet is suspicious, it is transferred to the shadow version and processed there. The state changes effected by a malicious packet are rolled back to the safe state. As a honeypot alone does not work properly, it works together with other security tools. The proposed system may improve the overall security of the system by reducing the false alarm ratio and detecting intrusions efficiently.
REFERENCES
[1] L. Spitzner, Honeypots: Tracking Hackers. Addison Wesley, 2003.
[2] Zhang Li-juan, "Honeypot based defense system research and design", 2nd IEEE International Conference on Computer Science and Information Technology, 2009.
[3] Babak Khosravifar, Jamal Bentahar, "An experience improving intrusion detection system false alarm ratio by using honeypot", 22nd International Conference on Advanced Information Networking and Applications, 2008.
[4] Kostas G. Anagnostakis, Periklis Akritidis, "Shadow honeypot", International Journal of Computer and Network Security, 2010.
[5] Yun Yang, Jia Mi, "Design and implementation of distributed intrusion detection system based on honeypot", 2nd International Conference on Computer Engineering and Technology, 2010.
[6] Ozgur Depren, Murat Topallar, Emin Anarim, "An intelligent intrusion detection system for anomaly and misuse detection in computer networks", Expert Systems with Applications, November 2005.
[7] Understanding Intrusion Detection Systems, http://www.sans.org/reading_room/whitepapers/detection/understanding-intrusion-detection-systems_337