Design of a Honeypot Based Network Defense System To

Design of a Honeypot Based Network Defense System To

DESIGN OF A HONEYPOT BASED NETWORK DEFENSE SYSTEM TO COUNTERATTACK MALWARES AND BOTNET A FRAMEWORK DESIGN 1Suhel Ahamed 1Assistant Professor Department of Information Technology, Institute of Technology Guru Ghasidas Vishwavidyalya (Central University)Bilaspur, India Email:[email protected] Abstract— Today the world requires secure David Chess, coined the term in the wild to and trust based computing, wherein describe computer virus that was encountered Malwares (Virus, Worms, Trojans, etc.) and on public network and production systems [4]). intrusions are continues threat to trust based Malware writing also evolved through new computing. Nowadays script kiddies with technologies from simple file infectors or less knowledge are more malicious then the cloner to polymorphic, metamorphic, and retro expert malware writer. They cause the virus. Several malwares Use packing, outbreak of several digital disasters without obfuscation to avoid detection; whereas control. Also the botnet plays important role rootkits, function hooking is used to gain to propagate malwares and support control of the machine and to convert it to Bots. anonymous intrusion. The proposed solution Where polymorphic virus use mutation engine targets these script kiddies by using social to generate a new variant or mutant of the virus engineering on a honey pot based system. to avoid detection; retro type virus and The proposed system counterattacks the malwares use the techniques to destruct the remote machines on botnet by a benevolent computer / network defense system and looking bait to gain control and to break the antivirus programs. propagation chain up to a certain extent. In The malware writers and intruders also use this paper a framework design is presented Social Engineering to gain access and for the proposed solution. propagate through networks. Social engineering is not a technical attack; it does not exploit Keywords— Honeypot; Social Engineering; vulnerability in a program. Instead, it is a Network Defense System; Script kiddies; psychological attack which exploits Botnet; Rootkit; Trojans; Virus; Worms. vulnerabilities of the user. Intruders build up trust of the user, pretending to be a person or I. INTRODUCTION organization the user knows. They then exploit From first large-scale computer virus this trust by obtaining access to the computer outbreak in history to recent threats like heart- and/or passwords of user. These attacks are bleed, Malwares and intrusions proves to be a launched using the same tools the end user uses serious threat to trust based computing. In the every day, such as email, phone, and web [2], past few decades there where several new types e.g. the malwares such as Simpsons.Trojan [8], of malwares found in the wild (IBM researcher and W32.Fujacks [7] uses this technique that ISSN (ONLINE): 2395-6151, VOLUME-1, ISSUE-4, 2015 1 INTERNATIONAL JOURNAL OF ADVANCES IN ELECTRICAL POWER SYSTEM AND INFORMATION TECHNOLOGY (IJAEPSIT) exploits the sentiments of end user to create a II. HONEYPOT profit chain. Botnets, networks of malware-infected A. Definition machines that are controlled by an adversary, A honeypot is a deception trap, designed to are the root cause of a large number of security entice an attacker into attempting to problems on the Internet. Bot is a type of compromise the information systems in an malware that is written with the intent of taking organisation. If deployed correctly, a honeypot over a large number of hosts on the Internet. can serve as an early-warning and advanced Once infected with a bot, the victim host will security surveillance tool, minimising the risks join a botnet, which is a network of from attacks on IT systems and networks. Honeypots can also analyse the ways in which compromised machines that are under the attackers try to compromise an information control of a malicious entity, typically referred system, providing valuable insight into potential to as the Bot-master. Botnets are the primary system loopholes[3]. means for cyber-criminals to carry out their nefarious tasks, such as sending spam mails, Fred Cohen introduced the first publically launching denial-of-service attacks, or stealing available honeypot solution, the deception personal data such as mail accounts or bank toolkit in 1997[4]. Honey pots can be a credentials. This reflects the shift from an computer or a network of computer, or a service environment in which malware was developed or can be a simple file with some valuable looking data that attracts the attacker to for fun, to the current situation, where malware compromise it. Honeypots are generally is spread for financial profit [1]. classified in to two types, low interaction In the past few years, virus writers have honeypot and high interaction honeypot. A low become more cautious, and craftier. These interaction honeypot generally emulates any days, many elite Malware writers do not spread network service or a simple file; whereas a High their works at all. Instead, they ''publish'' them, interaction honeypot presents itself as a by posting their code on Web sites, often with vulnerable real computer with an operating detailed descriptions of how the program system or a network of computer that may works. Essentially, they leave their virus lying include some real computer and some virtual around for anyone to use. The people who machines. release the virus are often anonymous mischief- makers, or ''script kiddies.'' That's a derived B. Previous Work term for aspiring young hackers, usually Some important honeypots are mentioned teenagers or curious college students, who don't here for the purpose of this paper. yet have the skill to program computers but like Honeyd [9] by Niels Provos it is a small to pretend they do. They download the virus, daemon that creates virtual hosts on a network. claim to have written them themselves and then The hosts can be configured to run arbitrary set them free in an attempt to assume the role of services, and their personality can be adapted so a fearsome digital menace. Script kiddies often that they appear to be running certain operating have only a dim idea of how the code works systems. Honeyd enables a single host to claim and little concern for how a digital plague can multiple addresses. rage out of control [6]. HIHAT [10] The High Interaction Honeypot In this paper a solution is proposed to deal Analysis Toolkit (HIHAT) allows to transform with these problems. A framework design is arbitrary PHP applications into web-based high- presented here for a honeypot based network interaction Honeypots. Furthermore a graphical defense system that uses social engineering user interface is provided which supports the against these script kiddies and tries to gain process of monitoring the Honeypot and control over the botnet machines to break their analyzing the acquired data. chain of propagation up to a certain extent thus preventing the digital disaster at the network LaBrea [11] also called sticky honeypot level and reducing the effect of overall damage.. developed by Tom Liston can capture ARP request on your network, very effectively slowing down worms on a network. LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The ISSN (ONLINE): 2395-6151, VOLUME-1, ISSUE-4, 2015 2 INTERNATIONAL JOURNAL OF ADVANCES IN ELECTRICAL POWER SYSTEM AND INFORMATION TECHNOLOGY (IJAEPSIT) program answers connection attempts in such a System. As illustrated in the block diagram way that the machine at the other end gets Fig.1 the honeypot based network defense "stuck", sometimes for a very long time. System has three main components: C. Why Honeypot for this project? A. A new type of Honeypot Honeypots have the capability of attracting Traditional honeypots does not fulfill the the intruders by using Social Engineering requirement of this project as it is only used to against them. For the purpose of this project a record the compromising behavior of the new type of honeypot is required which is intruder or malware, so a new type of Honeypot highly interactive with the remote machines or needs to be conceptualized. bots and which is also capable of enticing the This honeypot is capable of attracting the intruder to self-inject several programs in to the intruders and malwares by the use of veins of Botnet to prevent the propagation social engineering. chain up to a large extent, thus increasing the It should create valuable looking security in trust based computing. resources on real or virtual computers III. FRAMEWORK DESIGN sufficient enough to lure the intruder and The Framework design is presented here for malware to compromise it. the proposed Honeypot based Network Defense Fig. 1. Honeypot Based Network Defense System Counterattacking Botnet chain of Propagation. It should also contain some benevolent B. Integrated pattern analyzer and Signature looking files with Trojan like program extractor (TroLiP) hidden inside it. So when the intruder tries to steal it using a botnet and The honeypot collects necessary copies the file to the nearest bot, it information, traces, Behavioral Patterns and actually takes a Trojan horse home and samples of malwares through attached sensors unknowingly activates it. The Trojan like and monitors; they are then analyzed by the program inside it then opens up some integrated pattern analyzer and Signature unused ports and downloads other extractor. It is based on the concept discussed supporting programs. by Suhel Ahamed et al. [5].As illustrated in It will also use rootkits and function Fig.2. Static signature S(sig) obtained by static hooking methods to gain administrative analysis of suspicious malware samples and control over that bot. after that it will start Dynamic signature D(sig) obtained by dynamic cleaning the bot for its entire malcontents. analysis of patterns, traces and behavioral data of intruder or malware an integrated stronger The Trojan like program will repeat the signature I(sig) can be formulated as: process to all those bots who has copied it, to transfer the valuable looking file to Integrated Signature I(sig) = ∫ ( S(sig) + the master node.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    5 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us