A Honeynet Framework to Promote Enterprise Network Security

June 10, 2016 | Author: IAEME Publication | Category: Types, Research



International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 1, January-February 2013, pp. 404-413. © IAEME: www.iaeme.com/ijcet.asp. Journal Impact Factor (2012): 3.9580 (calculated by GISI), www.jifactor.com

A HONEYNET FRAMEWORK TO PROMOTE ENTERPRISE NETWORK SECURITY

Mumtaz M.A. AL-Mukhtar (1), Badour W. Kasim (2)

(1) Information Engineering College, AL-Nahrain University, Iraq
(2) Information Engineering College, AL-Nahrain University, Iraq

ABSTRACT

This research introduces a mechanism of intrusion detection based on high-interaction honeypots to assist efficiently in gathering information about intruders attacking an enterprise network via the Internet. The high-interaction honeypots are implemented as a honeynet consisting of two servers with controlled services. Data control is performed by capturing the traffic and restricting what enters and leaves the network. The proposed system consists of five constituent modules: Honeypots, Sniffing, Tracing, Alert and Control. The honeypots provide real operating system files and services. The decoy is based on honeyfiles and on service configuration, which reduces the cost of maintaining the honeypots and improves the accuracy of threat detection. Data transfer between the honeypot modules is accomplished using Windows Communication Foundation (WCF) services, which convey the data in a secure way. The main aim of this work is to identify the traffic features or parameters that best identify intruders and profile attacks and attackers.

Keywords: Attack Monitoring, High-Interaction Honeypot, Honeynet, Intrusion Detection System, Network Security.

1. INTRODUCTION

The challenges of securing enterprise networks against intruders armed with tools of compromise have become overwhelming and are still growing. With security administrators supporting an ever-growing number of users, constant manual interaction with security mechanisms has become impractical. Today's enterprise therefore requires a security solution that not only stops advanced intruders but does so with minimal configuration and supervision [1].


There have been several attempts to identify the originators of attack packets on a network. A common technique is the honeypot, defined as "a security resource whose value lies in being probed, attacked or compromised" [2]. According to their level of interaction, honeypots are classified as low-interaction, medium-interaction and high-interaction [3]. Low-interaction honeypots work exclusively by emulating operating systems and services; the attacker's activities are limited by the honeypot's level and quality of emulation [4]. Medium-interaction honeypots are slightly more sophisticated and give the attacker a better illusion of an operating system, since there is more to interact with, so more complex attacks can be logged and analyzed [5]. High-interaction honeypots are the most complex solution because they use real operating systems and real applications on real hardware, without emulation software, running normally and often tied to services such as databases and shared folders [6]. A honeynet is simply a network that contains one or more honeypots [7]. More precisely, it is a high-interaction honeypot designed to be attacked, with the intention of providing extensive information on threats; it offers real systems, applications and services for attackers to interact with, and detects new malicious attempts [8].

The remaining part of this paper is organized as follows: Section 2 reviews related literature. Section 3 gives the overall system layout. Section 4 explains the system design and the implementation of its constituent modules. Finally, Section 5 presents the concluding remarks.

2. RELATED LITERATURE

Previous research on high-interaction honeypots includes detecting threats and improving network security [9, 10], designing a honeypot capable of learning from attackers and dynamically changing its behavior using a variant of reinforcement learning [11], using a high-interaction honeypot for SQL injection analysis [12], and improving the detection speed and attack collection scheme of high-interaction client honeypots [13, 14]. Different aspects of honeynet architectures are brought out in the literature. Honeynets have been used to assess network security and as a proactive security system [15, 16]. Uses of honeynets in education are tackled in [17, 18]. Deployment of honeynets for forensic analysis of attacks from the Internet is discussed in [19, 20]. Detecting and removing Internet worms and their related packets is proposed in [21, 22]. Detecting and defending against botnets is highlighted in [23]. Managing a honeynet as a distributed architecture is described in [24]. Using virtualization to construct honeynets is covered in [25, 26].

In contrast with the recent generation of high-interaction honeypots, our work goes one step further. We improve administration and security enforcement to obtain an automated protection system that serves as an early-warning and advanced security surveillance tool, minimizing the risks from attacks on enterprise networks and ensuring that the honeypots retain their usefulness as profiling tools.

3. SYSTEM OVERVIEW

The system layout is depicted in Figure 1. The devised network comprises a pair of nodes configured as a honeynet, connected through a switch to a third node configured as the monitoring station. Each node in the honeynet acts as a high-interaction honeypot, using real operating systems and services with decoy files. A firewall at the monitoring station accepts connections only from the honeypot devices, which protects the monitoring station itself.


The honeypots provide real services to attract attackers. Once an attacker attempts to access a honeypot server, the traffic is captured and stored in a database. The stored packets are then transferred to the monitoring station over a secured web service. The monitoring station reads the acquired information, prepares a report as an Extensible Markup Language (XML) file and sends it by e-mail to the network administrator as an alert. It also provides a Graphical User Interface (GUI) to monitor the extracted information.

Fig.1- System Layout

4. SYSTEM DESIGN The designed Honeynet contains two Honeypots, which are servers connected to the Internet and expressly set up to attract intruders. The designed system comprises several cooperating modules organized within the honeypots and the monitoring station. The function of these modules is illustrated in figure 2.

Fig.2- System Modules


4.1 Sniffing Module

The sniffing module runs on a network-attached device and passively receives all data-link-layer frames that pass through the device's network adapter. The packet sniffer captures the data addressed to the honeypot machine and saves it for later analysis. From the captured data, malicious packets can be identified and a record of the traffic directed at the honeypot is maintained. The sniffer is designed with four components:

A. Hardware: the Network Interface Card (NIC), configured in promiscuous mode.
B. Capture driver: captures the network traffic from the wire and filters it for the traffic of interest.
C. Buffer: once frames are captured from the network, they are stored in a buffer.
D. Decoder: displays the contents of the network traffic with descriptive text.

The operation steps of this module are shown in Figure 3.

Fig.3- Sniffer Operation

The capture process takes place at kernel level while packet processing is performed at user level. When the kernel receives a packet from the network interface, it copies it from kernel space to user space. The filtering step is used when the system is interested only in a specific type of packet: the kernel is instructed to deliver copies of only those packets that match a filter expression. The packet processing step extracts the packet information and stores it in the database. Thereafter all required packets are sent to the monitoring station to be analyzed. The steps are illustrated in Figure 4.
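The filter and decode steps of the packet processing flow, as an added example written for this page rather than taken from the authors' sniffer. It decodes Ethernet/IPv4 frames, keeps only those addressed to the honeypot (the equivalent of a "dst host" filter expression) and turns each into a record ready for the database. The honeypot address 192.0.2.10, the MAC addresses and the three sample frames are constructed for the example; a real deployment obtains frames from the promiscuous-mode NIC through a capture library such as libpcap and pushes the filter into the kernel rather than applying it in Python.

```python
"""Filter and decode step of a sniffing module (added example, not the paper's code)."""
import struct
import ipaddress

ETH_P_IP = 0x0800                      # EtherType for IPv4
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
HONEYPOT_IP = "192.0.2.10"             # assumed honeypot address (documentation range)


def decode_frame(frame):
    """Decode an Ethernet/IPv4 frame into a dict; return None for anything else."""
    if len(frame) < 14 + 20:           # Ethernet header + minimal IPv4 header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:                # version nibble must be 4
        return None
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    rec = {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "sport": None, "dport": None, "payload": b"",
    }
    l4 = ip[ihl:total_len]
    min_len = 20 if proto == 6 else 8  # full TCP header / UDP header
    if proto in (6, 17) and len(l4) >= min_len:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8   # TCP data offset, UDP fixed
        rec["payload"] = l4[hdr_len:]
    return rec


def process_frames(frames, honeypot_ip=HONEYPOT_IP):
    """Filter ('dst host honeypot_ip') then decode; returns records for storage."""
    records = []
    for frame in frames:
        rec = decode_frame(frame)
        if rec is not None and rec["dst"] == honeypot_ip:
            records.append(rec)
    return records


def build_frame(src, dst, proto, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4 frame carrying a TCP data segment or a UDP datagram."""
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, offset=5, flags=PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:            # 8-byte UDP header: ports, length, checksum (left zero)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth_hdr + ip_hdr + l4


# Constructed sample traffic: an SSH banner to the honeypot, a web request to another
# host (dropped by the filter) and a UDP probe to the honeypot's DNS port.
SAMPLE_FRAMES = [
    build_frame("198.51.100.7", HONEYPOT_IP, 6, 40000, 22, b"SSH-2.0-attacker\r\n"),
    build_frame("198.51.100.7", "192.0.2.99", 6, 40001, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("203.0.113.5", HONEYPOT_IP, 17, 5353, 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for rec in process_frames(SAMPLE_FRAMES):
        print(rec["proto"], rec["src"], rec["sport"], "->", rec["dst"], rec["dport"], rec["payload"][:16])
```

Only the frames whose destination is the honeypot survive the filter, so the second sample (addressed to 192.0.2.99) never reaches the database; the decoded record keeps the raw payload so the monitoring station can inspect it later.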

Fig.4- Packet Processing at Sniffing Module


4.2 Honeypot Servers

These servers are designed to lure intruders by providing a web interface reachable from the Internet. One server runs Windows Server 2012 and the other runs Ubuntu Linux; between them they provide several network services (HTTP, FTP, SMTP, SSH and Telnet). Each honeypot runs two modules: the web interface module, which interacts with intruders, and the sniffing module, which captures network traffic. Services can be configured either as fake servers or as real services used as decoys; this system is a honeynet built on real services. The decoy method is based on honeyfiles. A honeyfile is a bait file that an intruder is intended to open; when the file is accessed, data is captured and an alarm is triggered.

4.3 Application Server

The application server provides the interface to clients on outside networks. It is built to advertise web services, and every request it receives is logged in the database. Figure 5 shows a block diagram of the application server's operation. When attackers access the application server, their browsers send a number of headers to the honeypot server. These headers are part of the negotiation that lets the browser and the honeypot server determine the best way to deliver the requested information. The request parser analyzes these headers to identify information about the client accessing the server. This information is extracted from the properties of the HTTP request, which contain tokens giving details about the client that issued it: IP address, date, operating system version, hosting service and the duration of the interaction. Header-derived values such as the operating system version are supplied by the client and can be forged, so they are recorded as evidence rather than trusted. Figure 6 shows the steps of the information extraction process carried out by the application server.
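The request-parsing and honeyfile steps of Sections 4.2 and 4.3, as an added example that is not the authors' code (their server is .NET). It parses a raw HTTP request into the fields the paper logs and flags access to a bait path. The honeyfile paths, the User-Agent hint table, the sample request and the peer address 198.51.100.7 are assumptions constructed for the example.

```python
"""Request parser and honeyfile check for a honeypot application server (added example)."""
from datetime import datetime, timezone

# Assumed bait paths; in the paper's terms these are the honeyfiles.
HONEYFILES = {"/backup/passwords.xlsx", "/admin/db_dump.sql"}

# Ordered User-Agent hints, most specific first: Android UAs also contain "Linux"
# and iPhone UAs also contain "Mac OS X".
OS_HINTS = [
    ("Windows NT 10.0", "Windows 10"), ("Windows NT 6.3", "Windows 8.1"),
    ("Windows NT 6.2", "Windows 8"), ("Windows NT 6.1", "Windows 7"),
    ("Android", "Android"), ("iPhone", "iOS"), ("Mac OS X", "macOS"), ("Linux", "Linux"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, target, version, headers, body


def guess_os(user_agent):
    """Best-effort OS family from the User-Agent string (client-controlled, so only a hint)."""
    for needle, name in OS_HINTS:
        if needle in user_agent:
            return name
    return "unknown"


def log_request(raw, peer_ip, now=None):
    """Build the record the application server stores for one request.

    peer_ip is the TCP peer address taken from the socket, not from any header.
    claimed_ip, os, user_agent and host come from client-supplied headers and are
    kept as untrusted evidence; honeyfile is True when the request touches a bait path.
    """
    method, target, version, headers, body = parse_request(raw)
    path = target.split("?", 1)[0]
    ua = headers.get("user-agent", "")
    return {
        "ip": peer_ip,
        "claimed_ip": headers.get("x-forwarded-for"),
        "entry": (now or datetime.now(timezone.utc)).isoformat(),
        "method": method,
        "target": path,
        "host": headers.get("host"),
        "os": guess_os(ua),
        "user_agent": ua,
        "honeyfile": path in HONEYFILES,
    }


# Constructed request, as a browser would send it after following a bait link.
SAMPLE_REQUEST = (
    b"GET /backup/passwords.xlsx?ref=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    record = log_request(SAMPLE_REQUEST, "198.51.100.7")
    print("ALERT honeyfile accessed" if record["honeyfile"] else "request logged", record)
```

The record keeps the socket peer address and the X-Forwarded-For value apart on purpose: an intruder can write anything into the header, so the two fields must never be merged before the tracing module looks the address up.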

Fig.5- Application Server Operation



Fig.6- Information Extracting by the Application Server

4.4 Information Transfer

To provide a secure way of analyzing the data and gathering more information about malicious traffic, all data stored in the honeypots' database servers is transferred to the monitoring machine. Windows Communication Foundation (WCF) is used to transfer the information from the honeypot servers to the monitoring station. In the current design WCF sends data as asynchronous messages from one service endpoint to another. The designed WCF service consists of two components:


A. Endpoint: endpoints give clients access to the functionality offered by a WCF service. Each endpoint has three properties:
• an address that indicates where the endpoint is found;
• a binding that specifies how the monitoring machine communicates with the service endpoint;
• a contract that identifies the operations the service makes available.
B. Service Host: the ServiceHost object hosts the WCF service inside the application server on each honeypot and registers its endpoints.

Figure 7 shows the architecture of the designed WCF service.

Fig.7- The Architecture of the Designed WCF

4.5 Control Module

This is the central module, located at the monitoring station. It provides a GUI to control and monitor system data and functions. Two modules are integrated inside it: the Tracing Module and the Alert Module.

4.6 Tracing Module

The tracing module collects the information extracted by the honeypot servers about each intruder and logs it in the system database. Its main function is to analyze this information in separate background functions, each of which processes part of the received information in its own thread, so the user interface stays responsive even during long-running operations. Three background functions download and collect the information received from the honeypot devices, each dealing with part of the honeypot database tables:

A. UsersBackup downloads and updates user information received from the TheUsers table on the honeypots. It contains an IpInfo() function that obtains location information from the Whois and IP2Location databases. The information collected is the IP, country, city, region, latitude, longitude and ISP of the intruder's machine. This is done by opening two connections to the remote databases: IP2Location is queried with an HTTP request to its server, while the whois database is queried over a TCP connection.
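The whois side of the IpInfo() lookup, as an added example written for this page and not taken from the authors' implementation. Whois (RFC 3912) is a plain TCP exchange on port 43: the client sends the query followed by CRLF and reads until the server closes the connection. whois_lookup() performs that exchange live, while parse_whois() reduces the free-form reply to the fields the paper stores (country, ISP, network) and runs offline on a constructed reply. The default whois server, the field-name table and the sample reply are assumptions; the IP2Location query format is not described on the page, so that half is not shown.

```python
"""Whois half of the IpInfo() lookup in the tracing module (added example, not the paper's code)."""
import socket

# Field names differ between regional registries (ARIN, RIPE, APNIC, LACNIC, ...);
# each logical field lists the spellings tried, in order of preference.
FIELD_ALIASES = {
    "country": ("country",),
    "isp": ("orgname", "org-name", "descr", "netname", "owner"),
    "network": ("netrange", "inetnum", "cidr"),
}


def build_query(ip):
    """RFC 3912: the query is the bare text followed by CRLF."""
    return ip.encode("ascii") + b"\r\n"


def parse_whois(text):
    """Reduce a free-form whois reply to the fields the tracing module stores."""
    kv = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("%", "#")):   # registry comment lines
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            kv.setdefault(key.strip().lower(), value.strip())  # first occurrence wins
    return {field: next((kv[name] for name in names if name in kv), None)
            for field, names in FIELD_ALIASES.items()}


def whois_lookup(ip, server="whois.iana.org", timeout=10):
    """Live lookup over TCP port 43; read until the server closes the connection.

    The default server is an assumption: IANA answers an IP query with a referral
    ("refer:") to the registry responsible for the block, which a complete client
    then queries in turn. Network access is required, so this is not run offline.
    """
    chunks = []
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(build_query(ip))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_whois(b"".join(chunks).decode("utf-8", "replace"))


# Constructed reply in RIPE style for offline use; addresses are from documentation ranges.
SAMPLE_REPLY = """% This is a constructed whois reply, not real registry data.
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
descr:          Example Hosting Ltd
country:        NL
admin-c:        EX123-RIPE
status:         ASSIGNED PA
"""

if __name__ == "__main__":
    print(parse_whois(SAMPLE_REPLY))
```

Whois describes the registrant of the address block, not the attacker's physical location, which is why the paper pairs it with a geolocation database; the "descr" and "orgname" preference in FIELD_ALIASES is what yields a readable ISP name rather than the terse netname.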


B. SessionsBackup downloads and updates session information received from the TheSession table on the honeypots. The information collected is the IP, HostingService, OS (operating system), EntryDateTime, ConnectionDuration and OpenPorts. Open ports are determined by a port scan invoked through an Asynchronous JavaScript and XML (AJAX) service: a service method annotated with WebGetAttribute drives requests to a range of ports on the intruder's machine and is configured to use the JavaScript Object Notation (JSON) data format for responses.

C. PacketsBackup downloads and updates packet information received from the ThePacket table on the honeypots. The information collected is the IP, protocol and data. All packets of each session belonging to a single user are saved for later analysis by the system administrator.

4.7 Alerting Module

Two methods are implemented in this module: logging and alert. The logging method collects and processes data from the other modules and makes it available as an XML file. The collected information is used to generate reports and is consumed by the alert method. The alert method sends alerts to the administrator's e-mail at pre-defined time intervals; the frequency of the e-mails, their sender and their recipient are configurable.

5. CONCLUSIONS

In this work we exploited the concept of high-interaction honeypots in depth to capture and analyze intruders' data, observe intruders' behavior and provide versatile information about security threats. The system can also be customized to capture specific data. As the honeypots capture malicious traffic, they also capture the new tools used by blackhats. Moreover, the geographical location of intruders is explored using the Whois and IP2Location databases. IP geolocation is based on a semantic approach (registry and database records rather than measurement), so its accuracy depends on the quality of those records.
The system uses JavaScript code, delivered to the intruder's browser, to scan ports on the intruder's machine even when a firewall is running; the system therefore spans two hosting environments (.NET and JavaScript). System testing shows that the developed honeynet can remedy deficiencies of existing monitoring systems and improve the performance of defense systems.

REFERENCES

[1] Kuwatly Iyad, Sraj Malek, Al Masri Zaid, and Artail Hassan, "A Dynamic Honeypot Design for Intrusion Detection", Proceedings of the IEEE/ACS International Conference on Pervasive Services (ICPS'04), pp. 1-10, 2004.
[2] Spitzner, L., Honeypots: Tracking Hackers, Addison Wesley, 2003.



[3] Iyatiti Mokube and Michele Adams, "Honeypots: Concepts, Approaches, and Challenges", Proceedings of the 45th Annual Southeast Regional Conference (ACMSE'07), pp. 321-326, 2007.
[4] Abhishek Mairh, Debabrat Barik, and Kanchan Verma, "Honeypot in Network Security: A Survey", Proceedings of the 2011 International Conference on Communication, Computing & Security (ICCCS '11), pp. 600-605, 2011.
[5] Pei-Sheng Huang, Chung-Huang Yang, and Tae-Nam Ahn, "Design and Implementation of a Distributed Early Warning System Combined with Intrusion Detection System and Honeypot", International Conference on Convergence and Hybrid Information Technology (ICHIT '09), pp. 232-238, 2009.
[6] Briffaut Jeremy, Lalande Jean-Francois, and Toinard Christian, "Security and Results of a Large-Scale High-Interaction Honeypot", Journal of Computers, Vol. 4, No. 5, pp. 395-404, 2009.
[7] Yang Y., Yang H., and Mi J., "Design of Distributed Honeypot System Based on Intrusion Tracking", IEEE 3rd International Conference on Communication Software and Networks (ICCSN), pp. 196-198, 2011.
[8] Ritu Tiwari and Abhishek Jain, "Improving Network Security and Design using Honeypots", Proceedings of the CUBE International Information Technology Conference (CUBE '12), pp. 847-852, 2012.
[9] Briffaut J., Rouzaud-Cornabas J., Toinard C., and Zemali Y., "A New Approach to Enforce the Security Properties of a Clustered High-Interaction Honeypot", International Conference on High Performance Computing & Simulation (HPCS '09), pp. 184-192, 2009.
[10] Bhumika and Vivek Sharma, "Use of Honeypots to Increase Awareness Regarding Network Security", International Journal of Recent Technology and Engineering (IJRTE), Vol. 1, Issue 2, pp. 171-175, 2012.
[11] Gerard Wagener, Radu State, Thomas Engel, and Alexandre Dulaunoy, "Adaptive and Self-Configurable Honeypots", 12th IFIP/IEEE International Symposium on Integrated Network Management, pp. 345-352, 2011.
[12] Jiao Ma, Kun Chai, Yao Xiao, Tian Lan, and Wei Huang, "High-Interaction Honeypot System for SQL Injection Analysis", International Conference on Information Technology, Computer Engineering and Management Sciences (ICM), pp. 274-277, 2011.
[13] Hong-Geun Kim, Dong-Jin Kim, and Seong-Je Cho, "An Efficient Visitation Algorithm to Improve the Detection Speed of High-Interaction Client Honeypots", Proceedings of the ACM Symposium on Research in Applied Computation (RACS '11), pp. 266-271, 2011.
[14] Yagi Takeshi, Tanimoto Naoto, Hariu Takeo, and Itoh Mitsutaka, "Enhanced Attack Collection Scheme on High-Interaction Web Honeypots", IEEE Symposium on Computers and Communications (ISCC), pp. 81-86, 2010.
[15] Olivier Thonnard and Marc Dacier, "A Framework for Attack Patterns' Discovery in Honeynet Data", Digital Investigation, Volume 5, Supplement, pp. S128-S139, September 2008.
[16] Dongwoo Kwon, Hong J.W., and Hongtaek Ju, "DDoS Attack Forecasting System Architecture Using Honeynet", 14th Asia-Pacific Network Operations and Management Symposium (APNOMS), pp. 1-4, 2012.
[17] Ateeq Ahmad, Muhammad Ali, and Jamshed Mustafa, "Benefits of Honeypots in Education Sector", International Journal of Computer Science and Network Security, Vol. 11, No. 10, pp. 24-28, 2011.



[18] O'Leary M., Azadegan S., and Lakhani J., "Development of a Honeynet Laboratory: a Case Study", Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD'06), pp. 401-406, 2006.
[19] Stephan Riebach, Erwin P. Rathgeb, and Birger Toedtmann, "Efficient Deployment of Honeynets for Statistical and Forensic Analysis of Attacks from the Internet", Proceedings of the 4th IFIP-TC6 International Conference on Networking Technologies, Services, and Protocols, pp. 756-767, 2005.
[20] Bhatia J.S., Sehgal R., Bhushan B., and Kaur H., "A Case Study on Host Based Data Analysis & Cyber Criminal Profiling in Honeynets", First International Conference on Communication Systems and Networks (COMSNETS 2009), pp. 1-2, 2009.
[21] Pragya Jain and Anjali Sardana, "Defending against Internet Worms using Honeyfarm", Proceedings of the CUBE International Information Technology Conference (CUBE '12), pp. 795-800, 2012.
[22] Kumar Upendra, Kumar Mishra Bimal, and Sahoo G., "Defending Polymorphic Worms in Computer Network using Honeynet", International Journal of Engineering Science and Technology (IJEST), Vol. 4, No. 04, pp. 1908-1411, 2012.
[23] J.S. Bhatia, R.K. Sehgal, and Sanjeev Kumar, "Botnet Command Detection using Virtual Honeynet", International Journal of Network Security & Its Applications, Vol. 3, Issue 5, pp. 177-189, 2011.
[24] Leita C., Pham V.H., Thonnard O., Ramirez E.S., Pouget F., Kirda E., and Dacier M., "The Leurre.com Project: Collecting Internet Threats Information Using a Worldwide Distributed Honeynet", Workshop on Information Security Threats Data Collection and Sharing (WISTDCS '08), pp. 40-57, 2008.
[25] Sun Bing, Wang Hai-feng, and Cheng Ling, "Study of Network Security Situation in Honeynet", Proceedings of the International Conference on Modelling, Identification & Control (ICMIC), pp. 519-523, 2012.
[26] Liu Tian-Hua, Yi Xiu-Shuang, and Ma Shi-Wei, "Core Functions Analysis and Example Deployment of Virtual Honeynet", First International Conference on Robot, Vision and Signal Processing (RVSP), pp. 212-215, 2011.
[27] Dillip Kumar Mahapatra, Tanmaya Kumar Das, and Gopakrishna Pradhan, "Guidelines for Managing Distributed Software Project under Deployment", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 34-45, ISSN Print: 0976-6367, ISSN Online: 0976-6375, Published by IAEME.
[28] Syeda Gauhar Fatima, Dr. Syed Abdul Sattar, and Dr. K. Anita Sheela, "Energy Efficient Intrusion Detection System for WSN", International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246-250, ISSN Print: 0976-6464, ISSN Online: 0976-6472, Published by IAEME.
