HONEYPOTS: AN INCREDIBLE SECURITY RESOURCE

MRIGA GUPTA 1*, KRISHAN KUMAR 2*
1 Computer Science and Engineering, SBSCET, Ferozepur, Punjab, India.
2 Computer Science and Engineering, SBSCET, Ferozepur, Punjab, India.
* Corresponding author: k.saluja@rediffmail.com

Received : 12-01-2012     Accepted : 15-02-2012     Published : 24-03-2012
Volume : 3     Issue : 1       Pages : 102 - 104
J Inform Syst Comm 3.1 (2012):102-104

Cite - MLA : MRIGA GUPTA and KRISHAN KUMAR "HONEYPOTS: AN INCREDIBLE SECURITY RESOURCE." Journal of Information Systems and Communication 3.1 (2012):102-104.

Copyright : © 2012, MRIGA GUPTA and KRISHAN KUMAR, Published by Bioinfo Publications. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution and reproduction in any medium, provided the original author and source are credited.

Abstract

In today's society people have become more and more dependent on computer systems. At the same time the Internet shows an increasing amount of malicious activity, such as intrusion attempts, denial-of-service attacks, phishing, spamming and worms, much of which makes use of compromised web servers. To minimize this threat, a security system is needed that can detect new attacks and react to them. The use of honeypots provides an effective way to increase the security and reliability of a network. Honeypots, systems that lure and study attackers, have been the subject of intensive research for some time. They do not 'fix' anything. Instead, honeypots are a tool, and how you use that tool is up to you and depends on what you are attempting to achieve. It is hoped that this paper helps give a clear understanding of honeypots.

Keywords

Honeypots, security, interaction.

Introduction

There are mainly two reasons why information security continues to receive an increasing amount of attention. Firstly, new services that provide critical functions demand an increased level of security. Secondly, there is an ever-growing number of reported incidents and attempted attacks on computer systems [1]. As in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for [2]. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. Gathering as much information as possible is one of the main goals of a honeypot [2]. A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about the attacker, his methods and tools [3].

Honeypot

A honeypot is a trap for people who tamper with computers maliciously through the Internet, just as a pot of honey traps flies. A honeypot is generally a computer that is rigged to look more vulnerable than it really is and to keep records of everything that happens to it. Honeypots serve several purposes: to catch individual crackers, to determine whether they can get into a network, and to observe how they carry out their attacks.
A definition of a honeypot provided by Lance Spitzner, President of the Honeynet Project, is "An information system resource whose value lies in unauthorized or illicit use of that resource" [4]. The concept of a honeypot is simple. It is a resource that has no productive value. There is absolutely no reason for anyone to interact with a honeypot. Thus, any attempt to communicate with the system is most likely a probe, scan or attack. Conversely, if the honeypot initiates any outbound connections, the system has probably been compromised [5].

Categories Of Honeypots

Honeypots are categorized on the basis of their level of interaction. The level of interaction defines how much functionality or activity an attacker can have with a honeypot. The more interaction available to the attacker, the more you can learn about the attacker [6]. However, the greater the interaction, the more work is needed to deploy and maintain the honeypot and, in general, the greater the risk to your systems.
There are three types of honeypots: low-interaction honeypots, medium-interaction honeypots and high-interaction honeypots.
• Low-interaction Honeypots: A low-interaction honeypot limits the level of interaction between the attacker and the honeypot by emulating services. These honeypots are typically the easiest honeypots to configure, deploy and maintain [7]. Since low-interaction honeypots are simple, they carry the lowest level of risk [8]. An obvious advantage of this type of honeypot is its lack of complexity and ease of deployment. Conversely, the simplicity of a low-interaction honeypot is one of its weaknesses: its limited interaction makes it easier for an attacker to determine that he or she is engaged with a honeypot [4]. An example of a low-interaction honeypot is Honeyd.
• Medium-interaction Honeypots: Medium-interaction honeypots offer attackers more ability to interact than low-interaction honeypots do, but less functionality than high-interaction solutions. They expect certain activity and are designed to give certain responses beyond what a low-interaction honeypot would give. There are several problems with this approach. First, it is very complex; a great deal can go wrong or be misconfigured [7]. Second, it is very difficult to give the virtual environment the full functionality and interaction of a true operating system [4].
• High-interaction Honeypots (real services): These are the most elaborate honeypots. In contrast to the emulating types, high-interaction honeypots do not emulate services; instead they provide real applications for attackers to interact with. A high-interaction honeypot requires additional resources for deployment and maintenance. An example of a high-interaction honeypot is a honeynet [6].
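As an added illustration of the low-interaction category (example code written for this page, not part of the paper or of any tool it names), the following emulates just enough of an FTP login dialogue to record credential attempts while keeping the attacker inside a canned, bounded script. The banner text, the sample client input and the command cap are all constructed assumptions; the canned 502 for anything outside the script is exactly the limited interaction the paragraph describes.

```python
# Constructed session transcript: what a client sent to the decoy's FTP port.
SAMPLE_CLIENT_INPUT = [
    "USER admin",
    "PASS admin123",
    "USER root",
    "PASS toor",
    "SYST",
    "QUIT",
]

# Constructed banner presented to every client (an assumption, not a real build).
BANNER = "220 (vsFTPd 2.0.5)"


def emulated_ftp_session(client_lines, max_commands=20):
    """Emulate just enough of FTP to record login attempts.

    Low interaction by design: logins are always rejected, there is no file
    system behind the service, and unknown commands get a canned 502.
    Returns (responses sent to the client, events for the honeypot log).
    """
    responses = [BANNER]
    events = []
    pending_user = None
    for n, line in enumerate(client_lines):
        if n >= max_commands:            # cap interaction to bound risk
            responses.append("421 Too many commands, closing connection.")
            events.append(("cutoff", None))
            break
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending_user = arg
            responses.append("331 Please specify the password.")
        elif verb == "PASS":
            events.append(("login_attempt", (pending_user, arg)))
            responses.append("530 Login incorrect.")   # never succeeds
            pending_user = None
        elif verb == "QUIT":
            responses.append("221 Goodbye.")
            events.append(("quit", None))
            break
        else:
            events.append(("unknown_command", verb))
            responses.append("502 Command not implemented.")
    return responses, events
```

The `events` list is what the decoy contributes to detection: every credential pair tried and every command outside the script, with no real service ever exposed.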

When To Use Honeypots

Honeypots are employed primarily for either research or production purposes, as defined by Snort creator Martin Roesch.
Production Honeypots: In the production category, honeypots are applied to preventing, detecting and responding to attacks. A production honeypot reveals how an attacker gained access to the network. The primary value of production honeypots is detection. Because production honeypots greatly reduce the problem of both false negatives and false positives, they are an extremely efficient technology for detecting unauthorized activity [9]. For prevention purposes, production honeypots are of minimal value [9].
Research Honeypots: In research mode, a honeypot collects information on new and emerging threats, attack trends, and the motivations, behaviour, intentions and identity of attackers, which essentially characterizes the attacker community. This information is then used to better understand and protect against these threats. When deploying honeypots, it is critical that organizations have a clearly defined security policy stating what activity is and is not authorized, including the use of honeypots to detect and monitor [9].
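The detection rule stated in the Honeypot section (any contact with the decoy is a probe, scan or attack; any connection the decoy opens means it is probably compromised) is what gives production honeypots their low false-positive rate. The following is an added example, written for this page rather than taken from the paper or any tool it cites, that applies that rule to a constructed flow log; the decoy address, the log format and the scan threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): the decoy's address and a
# small flow log in the form "timestamp src dst dport proto".
HONEYPOT_IPS = {"10.0.0.50"}
SAMPLE_LOG = """\
2012-03-24T10:01:02 198.51.100.7 10.0.0.50 22 tcp
2012-03-24T10:01:03 198.51.100.7 10.0.0.50 80 tcp
2012-03-24T10:01:03 198.51.100.7 10.0.0.50 445 tcp
2012-03-24T10:05:10 10.0.0.12 10.0.0.50 3389 tcp
2012-03-24T10:09:44 10.0.0.50 203.0.113.9 6667 tcp
2012-03-24T10:10:00 10.0.0.12 10.0.0.20 443 tcp
"""


def parse_flows(text):
    """Turn the log text into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, _proto = line.split()
            flows.append((ts, src, dst, int(dport)))
    return flows


def classify(flows, honeypots=HONEYPOT_IPS, scan_ports=3):
    """Apply the honeypot rule: the decoy has no production role, so every
    inbound contact is a probe or scan and every connection the decoy itself
    opens suggests compromise. Flows that never touch the decoy are ignored,
    which is why the rule produces few false positives. A source that hits
    at least `scan_ports` distinct decoy ports is reported as a port scan."""
    touched = defaultdict(set)   # inbound source -> decoy ports it contacted
    alerts = []
    for ts, src, dst, dport in flows:
        if src in honeypots:
            alerts.append({"severity": "HIGH", "src": src, "dst": dst,
                           "ports": [dport], "time": ts,
                           "reason": "outbound from honeypot, likely compromised"})
        elif dst in honeypots:
            touched[src].add(dport)
    for src, ports in touched.items():
        reason = "port scan" if len(ports) >= scan_ports else "probe"
        alerts.append({"severity": "MEDIUM", "src": src, "dst": "honeypot",
                       "ports": sorted(ports), "time": None, "reason": reason})
    return alerts
```

Note that the internal host 10.0.0.12 is flagged for touching the decoy exactly like the external scanner, while its ordinary flow to 10.0.0.20 produces nothing.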

When Not To Use Honeypots

Deploying a honeypot requires careful consideration of the legal issues involved in monitoring, gathering information on, and prosecuting an individual based on the use of a honeypot [3]. Some of the legal concerns are as follows [4]:
Liability: You can potentially be held liable if your honeypot is used to attack or harm other systems or organizations. This risk is greatest with high-interaction honeypots.
Privacy: Honeypots can capture extensive amounts of information about attackers, such as IRC chats or emails. This could violate the privacy of the attacker or, more likely, of the people he is communicating with. Once again, this risk arises primarily with high-interaction honeypots.
Entrapment: For some reason, many people are concerned with the issue of entrapment. Entrapment is a legal defence raised to avoid a conviction; one cannot be charged with entrapment. Most legal experts believe that entrapment is not an issue for honeypots.

Cost Of Deployment

The cost of deployment can be next to nothing, as many low-interaction honeypots are available free of charge on the Internet. High-interaction honeypots require real operating systems to work with, unlike low-interaction honeypots; as a result the cost of deploying high-interaction honeypots is much higher. The cost of maintenance is no more than that of any other desktop or server in the enterprise, and monitoring should be automated, making the increased monitoring cost marginal as well.

Examples Of Honeypots Systems

Examples of freeware honeypots include:
Deception Toolkit [10]: DTK was the first open-source honeypot, released in 1997. It is a collection of Perl scripts and C source code that emulates a variety of listening services. Its primary purpose is to deceive human attackers.
LaBrea [11]: This is designed to slow down or stop attacks by acting as a sticky honeypot to detect and trap worms and other malicious code. It can run on Windows or UNIX.
Honeywall CDROM [12]: The Honeywall CDROM is a bootable CD with a collection of open-source software. It makes honeynet deployments simple and effective by automating the process of deploying a honeynet gateway, known as a Honeywall. It can capture, control and analyze all inbound and outbound honeynet activity.
Honeyd [13]: This is a powerful, low-interaction open-source honeypot that can be run on both UNIX-like and Windows platforms. It can monitor unused IPs, simulate operating systems at the TCP/IP stack level, simulate thousands of virtual hosts at the same time, and monitor all UDP and TCP ports.
Honeytrap [14]: This is a low-interaction honeypot developed to observe attacks against network services. It helps administrators collect information regarding known or unknown network-based attacks.
HoneyC [15]: This is an example of a client honeypot: it initiates connections to servers, aiming to find malicious servers on a network. It identifies malicious web servers by using emulated clients that are able to solicit the type of response from a server that is necessary for analysis of malicious content.
HoneyMole [16]: This is a tool for deploying honeypot farms, or distributed honeypots, and for transporting network traffic to a central honeypot point where data collection and analysis can be undertaken.
In the corporate environment, the following commercial products are available:
Symantec Decoy Server [17]: This is a "honeypot" intrusion detection system (IDS) that detects, contains and monitors unauthorized access and system misuse in real time.
Specter [18]: This is a smart honeypot-based intrusion detection system. It can emulate 14 different operating systems, monitor up to 14 different network services and traps, and has a variety of configuration and notification features.

Conclusion

Honeypots are positioned to become a key tool in defending the corporate enterprise from hacker attacks: a way to spy on your enemy, and perhaps even a form of camouflage. Hackers could be fooled into thinking they've accessed a corporate network, when actually they're just banging around in a honeypot, while the real network remains safe and sound.
Honeypots have gained a significant place in the overall intrusion protection strategy of the enterprise. Security experts do not recommend that these systems replace existing intrusion detection security technologies; they see honeypots as complementary technology to network- and host-based intrusion protection.
The advantages that honeypots bring to intrusion protection strategies are hard to ignore. In time, as security managers understand the benefits, honeypots will become an essential ingredient in an enterprise-level security operation.
We do believe that although honeypots raise legal issues now, they provide beneficial information regarding the security of a network. It is important that new legal policies be formulated to foster and support research in this area. This will help to solve the current challenges and make it possible to use honeypots for the benefit of the broader Internet community.

References

[1] Gordon L.A., Loeb M.P., Lucyshyn W. and Richardson R. (2004) The ninth annual CSI/FBI computer crime and security survey. Computer Security Institute.
[2] The Honeynet Project. Problems and challenges of honeypots.
[3] John J.P., Yu F., Xie Y., Krishnamurthy A. and Abadi M. (2011) Heat-seeking honeypots: design and experience.
[4] Cole E., Krutz R. and Conley J.W. (2005) Network Security Bible.
[5] Spitzner L. (2002) Honeypots: definitions and value of honeypots.
[6] Singh R.K. and Ramanuajm T. (2009) International Journal of Computer Science and Information Security, 2(1).
[7] Spitzner L. (2002) Honeypots: Tracking Hackers.
[8] Stoll C. (1988) Communications of the ACM, 484-497.
[9] Know Your Enemy: Honeynets (2005) http://www.honeynet.org.
[10] http://www.all.net.
[11] http://labrea.sourceforge.net.
[12] http://www.honeynet.org.
[13] http://www.honeyd.org.
[14] http://honeytrap.mwcollect.org.
[15] https://www.client-honeynet.org.
[16] http://www.honeynet.org.
[17] http://www.symantec.com.
[18] http://www.specter.com.