sign in sign up
<<
Home , Internet bot

DESIGN OF A BASED NETWORK DEFENSE SYSTEM TO COUNTERATTACK AND A FRAMEWORK DESIGN 1Suhel Ahamed 1Assistant Professor Department of Information Technology, Institute of Technology Guru Ghasidas Vishwavidyalya (Central University)Bilaspur, India Email:[email protected]

Abstract— Today the world requires secure David Chess, coined the term in the wild to and trust based computing, wherein describe that was encountered Malwares (Virus, Worms, Trojans, etc.) and on public network and production systems [4]). intrusions are continues threat to trust based writing also evolved through new computing. Nowadays script kiddies with technologies from simple file infectors or less knowledge are more malicious then the cloner to polymorphic, metamorphic, and retro expert malware writer. They cause the virus. Several malwares Use packing, outbreak of several digital disasters without obfuscation to avoid detection; whereas control. Also the botnet plays important role , function hooking is used to gain to propagate malwares and support control of the machine and to convert it to Bots. anonymous intrusion. The proposed solution Where polymorphic virus use mutation engine targets these script kiddies by using social to generate a new variant or mutant of the virus engineering on a honey pot based system. to avoid detection; retro type virus and The proposed system counterattacks the malwares use the techniques to destruct the remote machines on botnet by a benevolent computer / network defense system and looking bait to gain control and to break the antivirus programs. propagation chain up to a certain extent. In The malware writers and intruders also use this paper a framework design is presented Social Engineering to gain access and for the proposed solution. propagate through networks. Social engineering is not a technical attack; it does not exploit Keywords— Honeypot; Social Engineering; vulnerability in a program. Instead, it is a Network Defense System; Script kiddies; psychological attack which exploits Botnet; ; Trojans; Virus; Worms. vulnerabilities of the user. Intruders build up trust of the user, pretending to be a person or I. INTRODUCTION organization the user knows. They then exploit From first large-scale computer virus this trust by obtaining access to the computer outbreak in history to recent threats like heart- and/or passwords of user. These attacks are bleed, Malwares and intrusions proves to be a launched using the same tools the end user uses serious threat to trust based computing. In the every day, such as email, phone, and web [2], past few decades there where several new types e.g. the malwares such as Simpsons.Trojan [8], of malwares found in the wild (IBM researcher and W32.Fujacks [7] uses this technique that

ISSN (ONLINE): 2395-6151, VOLUME-1, ISSUE-4, 2015 1 INTERNATIONAL JOURNAL OF ADVANCES IN ELECTRICAL POWER SYSTEM AND INFORMATION TECHNOLOGY (IJAEPSIT) exploits the sentiments of end user to create a II. HONEYPOT profit chain. , networks of malware-infected A. Definition machines that are controlled by an adversary, A honeypot is a deception trap, designed to are the root cause of a large number of security entice an attacker into attempting to problems on the . Bot is a type of compromise the information systems in an malware that is written with the intent of taking organisation. If deployed correctly, a honeypot over a large number of hosts on the Internet. can serve as an early-warning and advanced Once infected with a bot, the victim host will security surveillance tool, minimising the risks join a botnet, which is a network of from attacks on IT systems and networks. Honeypots can also analyse the ways in which compromised machines that are under the attackers try to compromise an information control of a malicious entity, typically referred system, providing valuable insight into potential to as the Bot-master. Botnets are the primary system loopholes[3]. means for cyber-criminals to carry out their nefarious tasks, such as sending spam mails, Fred Cohen introduced the first publically launching denial-of-service attacks, or stealing available honeypot solution, the deception personal data such as mail accounts or bank toolkit in 1997[4]. Honey pots can be a credentials. This reflects the shift from an computer or a network of computer, or a service environment in which malware was developed or can be a simple file with some valuable looking data that attracts the attacker to for fun, to the current situation, where malware compromise it. Honeypots are generally is spread for financial profit [1]. classified in to two types, low interaction In the past few years, virus writers have honeypot and high interaction honeypot. A low become more cautious, and craftier. These interaction honeypot generally emulates any days, many elite Malware writers do not spread network service or a simple file; whereas a High their works at all. Instead, they ''publish'' them, interaction honeypot presents itself as a by posting their code on Web sites, often with vulnerable real computer with an operating detailed descriptions of how the program system or a network of computer that may works. Essentially, they leave their virus lying include some real computer and some virtual around for anyone to use. The people who machines. release the virus are often anonymous mischief- makers, or ''script kiddies.'' That's a derived B. Previous Work term for aspiring young hackers, usually Some important honeypots are mentioned teenagers or curious college students, who don't here for the purpose of this paper. yet have the skill to program computers but like Honeyd [9] by Niels Provos it is a small to pretend they do. They download the virus, daemon that creates virtual hosts on a network. claim to have written them themselves and then The hosts can be configured to run arbitrary set them free in an attempt to assume the role of services, and their personality can be adapted so a fearsome digital menace. Script kiddies often that they appear to be running certain operating have only a dim idea of how the code works systems. Honeyd enables a single host to claim and little concern for how a digital plague can multiple addresses. rage out of control [6]. HIHAT [10] The High Interaction Honeypot In this paper a solution is proposed to deal Analysis Toolkit (HIHAT) allows to transform with these problems. A framework design is arbitrary PHP applications into web-based high- presented here for a honeypot based network interaction Honeypots. Furthermore a graphical defense system that uses social engineering user interface is provided which supports the against these script kiddies and tries to gain process of monitoring the Honeypot and control over the botnet machines to break their analyzing the acquired data. chain of propagation up to a certain extent thus preventing the digital disaster at the network LaBrea [11] also called sticky honeypot level and reducing the effect of overall damage.. developed by Tom Liston can capture ARP request on your network, very effectively slowing down worms on a network. LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The

ISSN (ONLINE): 2395-6151, VOLUME-1, ISSUE-4, 2015 2 INTERNATIONAL JOURNAL OF ADVANCES IN ELECTRICAL POWER SYSTEM AND INFORMATION TECHNOLOGY (IJAEPSIT) program answers connection attempts in such a System. As illustrated in the block diagram way that the machine at the other end gets Fig.1 the honeypot based network defense "stuck", sometimes for a very long time. System has three main components:

C. Why Honeypot for this project? A. A new type of Honeypot Honeypots have the capability of attracting Traditional honeypots does not fulfill the the intruders by using Social Engineering requirement of this project as it is only used to against them. For the purpose of this project a record the compromising behavior of the new type of honeypot is required which is intruder or malware, so a new type of Honeypot highly interactive with the remote machines or needs to be conceptualized. bots and which is also capable of enticing the  This honeypot is capable of attracting the intruder to self-inject several programs in to the intruders and malwares by the use of veins of Botnet to prevent the propagation social engineering. chain up to a large extent, thus increasing the  It should create valuable looking security in trust based computing. resources on real or virtual computers III. FRAMEWORK DESIGN sufficient enough to lure the intruder and The Framework design is presented here for malware to compromise it. the proposed Honeypot based Network Defense

Fig. 1. Honeypot Based Network Defense System Counterattacking Botnet chain of Propagation.  It should also contain some benevolent B. Integrated pattern analyzer and Signature looking files with Trojan like program extractor (TroLiP) hidden inside it. So when the intruder tries to steal it using a botnet and The honeypot collects necessary copies the file to the nearest bot, it information, traces, Behavioral Patterns and actually takes a home and samples of malwares through attached sensors unknowingly activates it. The Trojan like and monitors; they are then analyzed by the program inside it then opens up some integrated pattern analyzer and Signature unused ports and downloads other extractor. It is based on the concept discussed supporting programs. by Suhel Ahamed et al. [5].As illustrated in  It will also use rootkits and function Fig.2. Static signature S(sig) obtained by static hooking methods to gain administrative analysis of suspicious malware samples and control over that bot. after that it will start Dynamic signature D(sig) obtained by dynamic cleaning the bot for its entire malcontents. analysis of patterns, traces and behavioral data of intruder or malware an integrated stronger  The Trojan like program will repeat the signature I(sig) can be formulated as: process to all those bots who has copied it, to transfer the valuable looking file to Integrated Signature I(sig) = ∫ ( S(sig) + the master node. D(sig) ) In this way it will be successful in Where ∫() is the integration function to counterattacking the intruder or malware up to create two layer framed and concise signature a large extent depending upon the design of its I(sig) which can be stored in a Signature (DB) distribution channel.

ISSN (ONLINE): 2395-6151, VOLUME-1, ISSUE-4, 2015 3 INTERNATIONAL JOURNAL OF ADVANCES IN ELECTRICAL POWER SYSTEM AND INFORMATION TECHNOLOGY (IJAEPSIT) Database for scanning and identification Knowledge received from integrated pattern purpose in this process. analyzer and signature extractor. Filter also continuously monitors the inbound and C. Network Defense System Filter outbound traffic and collects the suspicious files The third component of Network Defense for analysis and signature extraction. System is a special filter which is a Bastion Host used to protect the private network from 2) Counterattack: On the other direction the outside attacks by intruders and malwares. honeypot based system entice the intruder or malware to steal some valuable looking files and copy to the nearest bot chaining up to the master. Where the Trojan like program (TroLiP) hidden inside it gets activated and starts the cleaning process of bot and breaks the propagation chain of malware and botnet, thus reducing traffic load increased by attacking and slowing down the malware or intruder. IV. SCOPE AND LIMITATION A. Scope Security for Trust based Computing is very important. As discussed in this paper most of the virus and intrusion attempts are done by the Script Kiddies (defined earlier in this paper) Fig. 2. Analysis for malwares and signature who have less knowledge and concern about the extraction. [5] malware and its use and are less worried about the aftermath of the Cyber Crime they have done. Also they are less careful for their operation and very reluctant about the resources they use; such as they do not care about the bots they have used to propagate anonymously through internet, and they also don’t expect the similar counterattack from the target to the Bot. this vulnerability of the attacker can be used against him. This motivates the design of a new type of Honeypot which can use Trojan like Programs (TroLiP) to exploit the vulnerability of the intruder or malware. B. Limitation This design has some limitation with the expert malware writers and smart intruders. 1) The smart intruders may sense the presence of a TroLiP and can stop or delete it. Furthermore he can analyze the TroLiP and can create a vaccination for it. 2) The malware writers can also analyze the TroLiP and can equip their malwares to stop or delete the TroLiP. Fig. 3. Framework Process Flow V. DEVELOPMENT AND EXPERIMENTATION The network Defense System has a two way The author of this paper is very much action plan: interested in Development of the proposed 1) Protecting Private Network: The internal Honeypot based Network Defense System, and Private Network should always be protected so to perform experimentation to prove the it uses cleaning and filtering Techniques for effectiveness of the Solution. A real computer inbound traffic by using the Signatures and network scenario and real computers with

ISSN (ONLINE): 2395-6151, VOLUME-1, ISSUE-4, 2015 4. INTERNATIONAL JOURNAL OF ADVANCES IN ELECTRICAL POWER SYSTEM AND INFORMATION TECHNOLOGY (IJAEPSIT) capability of virtualization are required for the commerce and m-commerce. This paper experimentation work. The Development and presents idea and design of a honeypot based Experimentation should fulfill certain network system to counterattack the malwares requirements: and intruder and breaks their chain of 1) The solution should be platform propagation up to a certain extent. This also independent and required to be developed on requires the development of a new type of such environment and programming languages. honeypot to fulfill the purpose of this project.

2) Core machine level architecture should REFERENCES be considered for time and space complexity. [1] Brett Stone-Gross et.al., “Your Botnet is 3) The network communication parameters My Botnet: Analysis of a Botnet Takeover”, should be considered and therefore the CCS’09 November 9–13, 2009, ACM. components such as TroLiP and other [2] “Cyber Security Newsletter”, The SANS supporting files should be light weight. Institute, 2012, University of Alabama, 4) The TroLiP should use the stealth Birmingham, www.uab.edu/it/security, techniques to hide itself from detection. retrived on 20th april 2014 [3] “Honeypot Security”, february 2008. The 5) The design should have multiple points Government of the Hong Kong Special of operation i.e. the components should be separated on multiple points on real machines. Administrative Region, retrived on June 2013 6) The Experimentation should be done on [4] Peter Szor, “ The Art of computer Virus a secure and emulated environment. Also the Research and Defense”, Symantec Press, monitors should save the output data on a Addison Wesley Professional, 2005. separate machine for securing the [5] Suhel Ahamed, Dr. J.L. Rana, R.K. experimentation results. Pateriya, “Integrated Approach for 7) The experimental network should not be Signature Extraction and Profile Generation connected to internet. It should use an of Malwares with Monitoring and experimental internet in a box facility created Detection”, Proceedings of ICCNS 08 , 27- for the sole purpose of this project. 28 September 2008, pp.30-34 8) The malware collected and used for the [6] Clive Thompson, “The Virus purpose of experimentation should be in tight Underground”, The New York Times, captivity and should not be let loose in outer 2004, www. nytimes.com, retrived on June world. 2013 [7] Robert X Wang, “The Panda 9) All the experiments and developments should follow the national and international Outlaw:W32.Fujacks”, White Paper, legal policies. Symantec Security Response, 2007, www.symantec.com, retrived January 2008 VI. FUTURE WORK AND CONCLUSION [8] “Symantec Newsletter july 2000”, Symantec Antivirus Research Center, In consideration for the limitations discused http://www.symantec.com/avcenter/referen in this paper The future work of the project ce/newsletter/Jul00inews.html retrived June would consider the development of smart 2013. (TroLiP) and related programs that can use [9] Honeyd project, http://www.honeyd.org/ : stealth techniques to hide itself and subvert Downloaded April 2014 detection in the remote bot machine. [10] HiHat, http://hihat.sourceforge.net/: The development of new security methods Downloaded April 2014 and technologies is very important for the trust [11] LaBrea, http://labrea.sourceforge.net/: based computing, and to boost up the trust of Downloaded April 2014 end user to use internet facilities like e-

ISSN (ONLINE): 2395-6151, VOLUME-1, ISSUE-4, 2015 5