
International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, Volume 2, Issue 8, August 2012)

Intrusion Detection System Using Shadow Honeypot

Navita Sharma 1, Gurpreet Singh 2

1 Department of Computer Science & Engineering, MIMIT Malout, Punjab (INDIA), [email protected]

2 Department of Information Technology, MIMIT Malout, Punjab (INDIA), [email protected]

Abstract— The immense advancement in attacks against networks gives rise to interest in more contentious forms of defense to supplement the existing security approaches. Honeypots are physical or virtual machines successfully used as an intrusion detection tool to detect threats. In this paper we propose a shadow honeypot based intrusion detection system. The shadow honeypot is used to collect the intrusions from the network. To improve the detection performance of the intrusion detection system, the shadow honeypot is combined with it. This proposed system may improve the overall security of large scale networks by minimizing the rate of false positives and detecting intrusions better.

Keywords— anomaly detection, intrusion detection system, honeypot, honeynet, shadow honeypot.

I. INTRODUCTION

In recent years, intrusions and other types of attacks on computer network systems have become more and more widespread and sophisticated. Intrusion detection is defined as "the problem of identifying individuals who are using a computer system without authorization and those who have legitimate access to the system but are abusing their privileges (insider threat)".

An intrusion detection system (IDS) is an essential part of a good network security environment. It enables the detection of suspicious packets and attacks. With the help of an IDS, all network traffic can be observed. It is easy to detect malicious traffic on a honeynet, as well as to decode and log some interesting packets at a centralized point.

Intrusion detection techniques are traditionally categorized into two methodologies: anomaly detection and misuse detection.

Anomaly based intrusion detection: Anomaly based intrusion detection systems base their decisions on anomalies, things that do not normally occur. If a user suddenly starts a new program he never used, or logs in to a machine at 4 o'clock in the morning (which he never did before), the system generates an alert announcing that something isn't running as usual.

We will focus on network and signature based intrusion detection, as they are most important for honeypots. Host based intrusion detection is more dangerous to use because of the possibility of getting detected on the host (the honeypot itself).

Misuse detection: Misuse detection catches intrusions in terms of the characteristics of known attacks or system vulnerabilities; any action that conforms to the pattern of a known attack or vulnerability is considered intrusive.

There are three main components to the intrusion detection system [7].

Network intrusion detection: Network intrusion detection systems listen to network communications. They recognize intrusions which come through the networking environment. Basically, a network intrusion detection system (NIDS) is a service which listens on a network interface looking for suspicious traffic. Network intrusion detection systems are mostly signature based.

Host based intrusion detection: Host intrusion detection systems (HIDS) reside on the resource which they supervise. This resource is mostly a computer server or workstation. HIDS look at generated log files and changes in the file system, or check for changes in the process table. Their goal is to detect intrusions into a host.

Signature based intrusion detection: Signature based intrusion detection is based on signatures of known attacks. These signatures are stored and compared against events or incoming traffic. If a pattern matches, an alert is generated.

A honeypot is an unreal network system designed to trap crackers and intruders. This system was introduced initially by Clifford Stoll in 1990 [1]. The honeypot is used as bait in the form of a vulnerable system to trap hackers and keep them away from accessing the critical information in the main system.


It observes the adversary's activities and detects new information coming from the intruders. Honeypots alone are not sufficient for solving or preventing network crimes. A collection of honeypots is called a honeynet. A honeynet contains one or more honeypots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. A honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from outside is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data.

II. RELATED WORK

Zhang Li-juan [2] describes the research and design of a honeypot based defense system which combines the advantages of the existing distributed trap network to embed a low alteration honeynet into a virtual honeynet. This honeynet collects all the IP addresses unused in the network to set up a trap; in this trap network actual network services are used to interact with the hackers, so that the risk of the entire trap network being discovered is reduced. Babak Khosravifar [3] discusses improving the false alarm ratio of an intrusion detection system. In this approach adversaries are initially detected by the IDS and then routed to a honeypot for further investigation. If it is found that the alarm decision made by the IDS was wrong, the connection is guided back to the original destination in order to continue the previous interaction. Kostas [4] describes the shadow honeypot, which is a combination of a honeypot and anomaly detection. The shadow is used to detect potential attacks; it is an instance of the protected application that shares all internal state with the normal instances of the application. Traffic that was misclassified by the anomaly detector is validated by the shadow honeypot and handled correctly by the system. Yun Yang [5] presents the combination of a protocol analysis module and a signature detection module in order to improve the detection performance of the IDS. Ozgur Depren [6] describes a hybrid IDS consisting of both an anomaly and a misuse detection model, with a decision support system combining the results of these two detection models; it uses the J.48 decision tree algorithm to classify various types of attacks.

III. SHADOW HONEYPOT

Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction [4]. The shadow is an instrumented instance of the application that can detect specific types of failure and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified is validated by the shadow and handled correctly by the system, transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and can be used to update the anomaly detector.

A shadow honeypot can be tightly coupled with both server and client applications.

When tightly coupled with a server, the applications are integrated with the honeypot, mirroring its functionality and state. The server is protected by diverting suspicious requests to its shadow. When tightly coupled with a client, the context of the attack is considered in order to replay the attack in the shadow. This deals with passive attacks, where the attacker lures the user into downloading data containing the attack.

The misuse detector signals to the protected application whether a request is potentially dangerous. Depending on the prediction of the misuse detector, the system decides whether to invoke the regular instance or the shadow instance. The shadow detects a specific type of failure and rolls back to the safe state.
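The shadow mechanism described above, as an added example that is not code from the paper or from the shadow honeypot authors it cites. A request the detector flagged as anomalous runs in an instrumented shadow instance on a private copy of the application state: if the shadow catches the failure it is instrumented for, the copy is discarded (rollback), and the request's fingerprint is added to a filter so later instances are rejected without reaching the application; if the request was legitimate, the copy is committed and the user sees the normal result, and a false positive is counted as feedback for the detector. The application, the over-long-field failure it watches for, and every name here are constructed for the example; copying state and committing it is a simplification of the real design, where the shadow shares state with the regular instance.

```python
"""Shadow honeypot request handling (added example, constructed application)."""
import copy
import json
from dataclasses import dataclass, field

# Constructed limit: the specific failure the shadow is instrumented to detect
# is a request field longer than the application's fixed-size buffer.
MAX_NAME_LEN = 16


class ShadowFailure(Exception):
    """Raised inside the shadow when the instrumented check trips."""


@dataclass
class AppState:
    """Toy application state used by both the regular and the shadow instance."""
    records: dict = field(default_factory=dict)
    served: int = 0


def handle_request(state: AppState, request: dict, instrumented: bool) -> str:
    """The protected application's handler. The shadow runs the same code with
    instrumentation switched on; the regular instance does not pay for the check."""
    name = request["name"]
    if instrumented and len(name) > MAX_NAME_LEN:
        raise ShadowFailure(f"name of length {len(name)} exceeds buffer of {MAX_NAME_LEN}")
    state.records[name] = request.get("value", "")
    state.served += 1
    return f"stored {name}"


def fingerprint(request: dict) -> str:
    """Canonical form of a request, used to filter repeated attack instances."""
    return json.dumps(request, sort_keys=True)


class ShadowHoneypot:
    """Routes each request to the regular or the shadow instance according to the
    detector's prediction and feeds the shadow's outcome back into the filter."""

    def __init__(self, state: AppState) -> None:
        self.state = state
        self.known_attacks: set = set()  # fingerprints the shadow caught
        self.misclassified = 0           # false positives, feedback for the detector

    def process(self, request: dict, anomalous: bool) -> tuple:
        """Return (disposition, message) for one request."""
        key = fingerprint(request)
        if key in self.known_attacks:
            return ("filtered", "matches an attack instance caught earlier")
        if not anomalous:
            return ("regular", handle_request(self.state, request, instrumented=False))
        # Anomalous: run on a private copy so any state change can be discarded.
        shadow_state = copy.deepcopy(self.state)
        try:
            result = handle_request(shadow_state, request, instrumented=True)
        except ShadowFailure as exc:
            self.known_attacks.add(key)  # future instances are filtered outright
            return ("attack", str(exc))  # shadow_state is dropped: rollback
        # Legitimate request that was misclassified: commit the shadow's state so
        # the end user gets the normal result, and count the false positive.
        self.state = shadow_state
        self.misclassified += 1
        return ("validated", result)


if __name__ == "__main__":
    hp = ShadowHoneypot(AppState())
    print(hp.process({"name": "alice", "value": "1"}, anomalous=False))
    print(hp.process({"name": "bob", "value": "2"}, anomalous=True))
    print(hp.process({"name": "A" * 40, "value": "x"}, anomalous=True))
    print(hp.process({"name": "A" * 40, "value": "x"}, anomalous=False))
    print(hp.state, "misclassified:", hp.misclassified)
```

The disposition strings are what a deployment would log: "validated" events are the anomaly detector's false positives and are the signal for retuning it, while "attack" and "filtered" events show the shadow paying off without the regular instance ever seeing the request.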

IV. PROPOSED SYSTEM ARCHITECTURE

In this work the IDS uses both anomaly and misuse detection together with a honeypot to overcome the deficiencies of the IDS system. The components of the proposed system are the detector, anomaly detection, misuse detection, honeypot and alarm modules. The system structure is shown in fig. 1 [3]:

Fig 1: Architecture of Shadow Honeypot based IDS


A. Detector

It is located at the base of the system; it collects the unrefined data from the network based on a set of rules and submits this data to the anomaly detection module for analysis. The main task of the detector is to audit the IP addresses and the network. The detector inspects either or both directions of each network flow, which may contain malicious requests towards vulnerable services or malicious content served by some compromised server towards a vulnerable user.

B. Anomaly detection module

It verifies unknown attacks on the basis of a set of rules. It decomposes the packets which the detector submitted and matches them by calling the protocol tree structure. The system then raises the alarm if the routed packets are abnormal; otherwise the anomaly detection module continues analysing the packets. It analyses attacks against the TCP, UDP and ICMP protocols.

C. Misuse detection module

In misuse detection, the system analyses the information which it gathers from the anomaly detection module and compares it to large databases of attack signatures, which are stored in the intrude database. Each rule should have the source IP address, target IP address, protocol type, source port, destination port and attack signature.

D. Intrusion extraction

It extracts the intrusion data which is identified by the honeypot and stores the data in the intrude database. Genetic algorithms are used for mining invasion features from the honeypot audit records.

E. Shadow honeypot

It collects the data which has been analysed by the misuse detection module for further investigation. If the data is infected then it is rerouted towards the shadow version of the honeypot; otherwise it is routed to its destination application for continuity of the process. The data which is misclassified by the anomaly detector is handled and validated by the shadow honeypot. The level of prediction used by the shadow depends upon the amount of latency we want to impose on infected traffic.

This is the working of the proposed model. By implementing this model in the network we can protect our applications from attackers and their new techniques, because it detects malicious traffic more accurately than the IDS system.
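The detector, anomaly and misuse modules of Section IV, and the anomaly versus signature distinction drawn in the Introduction, as one added example that is not code from the paper. The detector parses flow records into a structure, the anomaly module applies per-protocol checks for TCP, UDP and ICMP against a baseline of normal services, the misuse module matches rules carrying the six fields the paper lists (source IP, target IP, protocol, source port, destination port, signature), and the routing step sends a flow to the shadow when either module fires, otherwise to its destination application. The record format, the baseline, the rule and the sample records are all constructed for this example.

```python
"""Detector -> anomaly module -> misuse module -> routing (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    payload: str


@dataclass(frozen=True)
class Rule:
    """A misuse rule with the six fields the paper lists; '*' matches anything."""
    name: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: object
    dport: object
    signature: str


# Constructed baseline of normal services per protocol for the anomaly module.
BASELINE_PORTS = {"tcp": {22, 80, 443}, "udp": {53}}
MAX_ICMP_PAYLOAD = 64  # constructed: larger ICMP payloads count as anomalous


def parse_flow(line: str) -> Flow:
    """Detector: parse one constructed record 'proto src_ip:sport dst_ip:dport payload'."""
    parts = line.split(" ", 3)
    proto, src, dst = parts[:3]
    payload = parts[3] if len(parts) == 4 else ""
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(sport), dst_ip, int(dport), payload)


def anomaly_checks(flow: Flow) -> list:
    """Anomaly module: protocol-specific deviations from the baseline."""
    findings = []
    if flow.proto in BASELINE_PORTS:
        if flow.dport not in BASELINE_PORTS[flow.proto]:
            findings.append(f"{flow.proto} to unusual port {flow.dport}")
    elif flow.proto == "icmp":
        if len(flow.payload) > MAX_ICMP_PAYLOAD:
            findings.append(f"icmp payload of {len(flow.payload)} bytes")
    else:
        findings.append(f"unknown protocol {flow.proto}")
    return findings


def _field_ok(pattern, value) -> bool:
    return pattern == "*" or str(pattern) == str(value)


def misuse_match(flow: Flow, rules: list):
    """Misuse module: first rule whose header fields and signature all match, else None."""
    for rule in rules:
        if (_field_ok(rule.proto, flow.proto) and _field_ok(rule.src_ip, flow.src_ip)
                and _field_ok(rule.dst_ip, flow.dst_ip) and _field_ok(rule.sport, flow.sport)
                and _field_ok(rule.dport, flow.dport) and rule.signature in flow.payload):
            return rule
    return None


def route(flow: Flow, rules: list) -> dict:
    """Alarm and routing: suspicious flows go to the shadow, the rest to their destination."""
    anomalies = anomaly_checks(flow)
    hit = misuse_match(flow, rules)
    return {
        "flow": f"{flow.proto} {flow.src_ip}:{flow.sport}->{flow.dst_ip}:{flow.dport}",
        "anomalies": anomalies,
        "signature": hit.name if hit else None,
        "route": "shadow" if (anomalies or hit is not None) else "destination",
    }


def process_records(lines: list, rules: list) -> list:
    return [route(parse_flow(line), rules) for line in lines if line.strip()]


# Constructed rule and sample records; the marker string stands in for a real signature.
RULES = [Rule("constructed-web-marker", "*", "10.0.0.9", "tcp", "*", 80,
              "X-CONSTRUCTED-EXPLOIT-MARKER")]
SAMPLE_RECORDS = [
    "tcp 10.0.0.5:43211 10.0.0.9:80 GET /index.html HTTP/1.1",
    "tcp 10.0.0.5:43212 10.0.0.9:80 GET /index.html?X-CONSTRUCTED-EXPLOIT-MARKER HTTP/1.1",
    "udp 10.0.0.7:5555 10.0.0.9:4444 hello",
    "icmp 10.0.0.8:0 10.0.0.9:0 " + "A" * 100,
]

if __name__ == "__main__":
    for decision in process_records(SAMPLE_RECORDS, RULES):
        print(decision)
```

Of the four constructed records only the first reaches its destination directly; the second is a signature hit with no anomaly, and the last two are anomalies with no signature, which is exactly the traffic the paper hands to the shadow for validation rather than alarming on outright.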

V. CONCLUSION

In this paper we present an intrusion detection system using a shadow honeypot. The shadow honeypot collects packets from the IDS and checks whether each packet is malicious or not. If a packet is suspicious then it is transferred to the shadow version and processed there. The state changes effected by a malicious packet are rolled back to the safe state. As a honeypot alone does not work properly, it works together with other security tools. This proposed system may improve the overall security of the system by reducing the false alarm ratio and detecting intrusions efficiently.

REFERENCES

[1] L. Spitzner, Honeypots: Tracking Hackers. Addison Wesley, 2003.

[2] Zhang Li-juan, "Honeypot based defense system research and design", 2nd IEEE International Conference on Computer Science and Information Technology, 2009.

[3] Babak Khosravifar, Jamal Bentahar, "An experience improving intrusion detection system false alarm ratio by using honeypot", 22nd International Conference on Advanced Information Networking and Applications, 2008.

[4] Kostas G. Anagnostakis, Periklis Akritidis, "Shadow honeypot", International Journal of Computer and Network Security, 2010.

[5] Yun Yang, Jia Mi, "Design and implementation of distributed intrusion detection system based on honeypot", 2nd International Conference on Computer Engineering and Technology, 2010.

[6] Ozgur Depren, Murat Topallar, Emin Anarim, "An intelligent intrusion detection system for anomaly and misuse detection in computer networks", Expert Systems with Applications, November 2005.

[7] Understanding Intrusion Detection Systems, http://www.sans.org/reading_room/whitepapers/detection/understanding-intrusion-detection-systems_337