
Essay: Dissertation: Attackers Detection Using Honeypots

Essay details:

  • Subject area(s): Computer science essays
  • Published: 17 September 2015
  • Words: 14,849 (approx)

Problem Description
The aim of this study and dissertation is the identification, detection and isolation of unknown worms and of attacks by various attackers on an existing working network, at particular or various locations.
This thesis describes a project that utilizes honeypots to detect worms, attacks and attackers. A detailed description of existing techniques for detecting worms, attacks and attackers using honeypots is given, as well as a study of existing worm propagation models. Simulations using some of these worm propagation models are also conducted. Although the results of the simulations coincide with the data collected from the actual outbreak of a network worm, they also show that it is difficult to produce realistic results prior to a worm outbreak.
A worm detection mechanism called Honeycomb is incorporated in the honeypot setup installed at my home, and experiments are conducted to evaluate its effectiveness and reliability. The mechanism generated a large number of false positives in these experiments, possibly due to an error discovered in the implementation of the detection algorithm.
An architecture using honeypots for detection of unknown worms is proposed. This architecture is based on a combination of two recently published systems, with an extension referred to as a Known-Attack filter. By using this filter, it is believed that the amount of traffic that needs to be processed by the honeypot sensors will be considerably reduced.
In past years, many attacks have been carried out on computer networks. Several worm attacks on the Internet caused major problems worldwide. A list of recent attacks that took place in October 2013 is given below:
[Figure: List of worldwide cyber-attacks in October 2013]
Cyber Attack in 2013
The world's biggest attack, in March 2013, is known as the 'Spamhaus DDoS attack'. This cyber-attack, which happened in March 2013, caused worldwide disruption of functionality. A DDoS attack takes place when an attacker passes infected programs on to the servers; the server then takes time to schedule these programs according to its own security rules, and until then all other jobs are stuck in queues, causing a server shutdown in the process. Earlier DDoS attacks sent data to the server at 50 GB per second, but in this attack there is a record of the server receiving 300 GB per second.
There is a need for mechanisms that detect and stop unexpected attacks on the systems they protect. The honeypot is a tool that can handle these outbreaks and prove itself as a means of defence against cyber-attacks.
Project Statement:
01- Documentation of attack detection with methods involving the use of honeypots.
02- An attack detection system in the honeypot setup installed at home; conduct experiments with the system and evaluate its effectiveness and stability in detection.
Initially, the objective was to implement several attack detection mechanisms utilizing honeypots in the home setup, in order to perform a comparative analysis.
A theoretical survey on the subject of attack detection is conducted. This survey also includes a comparative analysis of some attack models. Alongside this research, the experimental tools are installed and tested in order to become familiar with them and to give the research on attacks and honeypots the most effective weight.
The attack detection system is based upon the experimental study and the knowledge gained during the theoretical research.
B. TYPES OF HONEYPOTS (Level of honeypots, Values of honeypots)
A honeypot is a security tool whose value lies in detecting attacks. The honeypot concept was first documented in 1990-91 by Clifford Stoll. The first revised version, 0.1, was released in 1997 by Fred Cohen. In 1998 the concept was turned into public and commercial products compatible with virtual and multi-system deployments; within 1998 it went through many changes under various projects, and Marty Roesch and GTE Internetworking developed NetFacade as a honeypot solution. In 1999 the Honeynet Project was formed to help increase awareness and validate honeypot technologies. After 1999, honeypot technology moved into the new areas of detecting attacks and finding new threats. Honeypots are a highly flexible technology that can be applied to a variety of situations. They have specific advantages: honeypots collect small amounts of data, and the honeypot is a unique security management tool in that it is intended to be probed, attacked and compromised, directly and indirectly. This helps to protect the system against attackers.
A honeypot acts as an intermediary between the user and attackers: it uses the computer's main IP address to present what looks like a real user's IP address from the attacker's point of view. Under that illusion, when an attacker attacks the system, Honeyd with Honeycomb captures the attacker's activities using the LCS algorithm at the second layer of the TCP/IP protocol.
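The Honeycomb signature step just described, together with the false positives noted in the problem description, as an added example: this is my illustration, not code from the essay or from the Honeycomb project, and it relies on the fact that Honeycomb's LCS is the longest common substring of captured payloads. The probe payloads, the benign request and the min_len threshold are constructed for the example.

```python
"""Honeycomb-style signature generation by longest common substring.

Added example, not code from the essay or from the Honeycomb project.  It
assumes only what the text says: connections reaching the honeypot are
suspect, so the longest common substring (LCS) of their payloads is taken
as a candidate signature.  The payloads and the benign request below are
constructed sample data, and min_len is a threshold chosen here to
illustrate the false-positive problem the essay reports.
"""
from typing import Optional


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte string common to a and b (O(len(a)*len(b)) DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def candidate_signature(payloads: list, min_len: int) -> Optional[bytes]:
    """Compare every payload with the earlier ones and return the longest
    shared substring of at least min_len bytes, or None if there is none."""
    best = None
    for i in range(1, len(payloads)):
        for j in range(i):
            lcs = longest_common_substring(payloads[i], payloads[j])
            if len(lcs) >= min_len and (best is None or len(lcs) > len(best)):
                best = lcs
    return best


def matches(signature: bytes, payload: bytes) -> bool:
    """Would this signature fire on the payload?"""
    return signature in payload


# Constructed payloads of two different probes seen on the honeypot's port 80.
PROBE_A = b"GET /default.ida?" + b"X" * 20 + b"%u9090 HTTP/1.0\r\n"
PROBE_B = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
# Constructed request a legitimate client would send to a production server.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"


def false_positive_demo(min_len: int) -> bool:
    """True when the generated signature also fires on the benign request.
    With a low min_len the LCS of the two probes is protocol boilerplate
    (' HTTP/1.0\\r\\n'), which every HTTP client sends; a higher threshold
    yields no signature at all rather than a bad one."""
    sig = candidate_signature([PROBE_A, PROBE_B], min_len)
    return sig is not None and matches(sig, BENIGN)
```

With min_len=8 the signature is the HTTP request-line tail and fires on the benign request; with min_len=16 no signature is produced, which is the trade-off behind the false-positive rate reported above.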
Main objective of honeypots:
The main objective of the honeypot is to keep attacks away from the user's systems by drawing them to non-production computers.
There are two main types of honeypots: client honeypots and server honeypots.
Client honeypots: these honeypots actively interact with other systems, such as web servers.
Server honeypots: these honeypots wait until someone requests a service.
Types of honeypots:
The classification of honeypots depends upon their level of interaction. The level of interaction defines how many services and activities an attacker can have with the honeypot. Honeypots are categorized by the level of interaction they offer an attacker to carry out an attack.
01- Low interaction honeypot
02- High interaction honeypot
Low interaction honeypot: it emulates certain services and operating systems. For example, an FTP service is only acting on its respective port, e.g. via an FTP login; this level offers a small number of services rather than a real software platform. It offers basic functionality for monitoring all ports, is easy to deploy and maintain, but captures only limited information. It convinces the attacker that a real service is currently running.
High interaction honeypot: these are more complex because they involve a real operating system and applications, for example a real FTP server used to collect information about attacks on that particular FTP service. They work in the same way as low interaction honeypots and provide the same functionality to the attacker. Due to the high interaction factor, it is much tougher with this honeypot to trace out the chances of attacks and the particular attackers, and whether a launched attack is of higher or lower intensity.
Honeypot security:
Security of the system is not linked directly to the user's GUI in the production system; instead, all incoming information from the network is directed to the honeypot system only.
KFSensor:
This sensor serves as a honeypot and intrusion detection system. It is Windows based and available on several platforms with a GUI. It is a low interaction honeypot that keeps track of all communication between the server and the activities of outside users. It records all TCP and UDP ports. Its GUI presents the currently running services.
Value of honeypots:
From the start, honeypots were used to capture data, with the ability to divert attackers away from the online system. The basic and most needed property of the honeypot is its simplicity. It normally allows traffic to pass in and out from one connection to another, and every connection is linked through the honeypot.
Because of this, honeypots collect every bit of data, and the data is of high value. When huge amounts of data come from other devices and other sources of information, it becomes hard to pick out the high-priority data. Honeypots always provide true and well-formatted information to the users. It is very tough to detect network intrusions and network activity, dropped packets and potential attacks, but honeypots are far from this problem: they have every piece of information, every activity and every dropped-packet record with its particular references.
One of the pros of honeypots is the activity factor. If an attacker sends anything to the honeynet, then it becomes active; otherwise it always remains in rest mode. It is not true to say that honeypots carry no risk. Honeypots do not change any security mechanism; they only work by adding value to the security systems.
A recent blog post on the annual Honeypots report by David, Jamie, Steve and Arthur describes the deployments of honeypot and honeynet technologies. These technologies are categorised by long-term and short-term data.
Legal issues:
Entrapment: the honeypot merely traps attackers, but it could be used in an alternative way. In most scenarios it is used only within law enforcement to convict attackers and protect the system. It is not prosecuted by law firms and can be used to defend your system. It performs its own action when an attacker tries to break into the honeypot system: it does not react immediately but holds and eludes the attacker by offering many fake paths, in order to identify the source of the attacks and the attackers.
Honeypots are strong from the monitoring point of view. It is not easy to say that any system could monitor all the activities in the network. It would be very interesting to know what attackers want to do and what procedure they use to break the system, how the honeypot monitors all of them and how it develops strategies to stop them from breaking the system. Honeypots use packet and keystroke tracking within the security system and allow the user to view all the activities on the GUI: to what extent attackers are coming from, and what type of network traffic flows over the honeypot. You can examine nearly everything that attackers are doing and want to do on your system.
Sebek is a kernel module installed on high interaction honeypots for data collection from the honeypot about worms that have been signatured by the security system. It helps to collect data and the attackers' keystroke activity on the honeypot system for the user.
A honeypot is a server system and a protection for users, set up to observe hacker attacks. It is a system built around the user's machine in order to elude and trace attackers throughout the attacking process.
Recording in honeypots rests on the third layer (Network) and fourth layer (Data) of the TCP/IP protocol, covering protocols, IP addresses and ports. There are three types of recording in honeypots.
01- Network recording: it sits on the 3rd and 4th layers of the TCP/IP protocol, with the source and destination IP addresses, protocols and ports. All of this data is captured by the honeynet's firewalls as well as the IDS. It also includes the connections, including internal connections between the honeypots. It enhances log recording compared to the production system, as it affords all logs within the packet transactions.
02- Traffic and host recording: it includes recording of the attacker's activities, such as keystrokes and the attacker's attempts on the user's system. Because the traffic recording and the host recording occur at the same time, it is said to be a combined recording over a particular time period.
Basic working of honeypots:
Now it is very important for us to know the basics, fundamentals and values of honeypots.
Honeypots are security resources that have no production value; no person or resource should be communicating with them. As such, any activity sent their way is suspect by nature. Any traffic sent to the honeypot is most likely a probe, scan, or attack.
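The rule just stated, that any traffic reaching a honeypot is suspect, applied to the layer-3/4 fields that network recording keeps (source and destination IP, protocol, port), as an added example; this is my code, not the essay's or any honeypot product's, and the one-flow-per-line record format, the honeypot addresses and the scan threshold are assumptions of the example.

```python
"""Triage of layer-3/4 honeypot records: any flow to a honeypot is suspect.

Added example; it is not code from the essay or from any honeypot product.
It assumes a constructed record format, one flow per line:
    <src_ip> <dst_ip> <proto> <dst_port>
which carries the fields the text says network recording keeps (source and
destination IP address, protocol, port).  Honeypot addresses and sample
records below are constructed from the documentation address ranges.
"""
from collections import defaultdict

# Constructed: addresses of the honeypots (hosts with no production value).
HONEYPOTS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample records as a firewall/IDS sensor might log them.
SAMPLE_RECORDS = """\
198.51.100.7 192.0.2.10 tcp 22
198.51.100.7 192.0.2.10 tcp 80
198.51.100.7 192.0.2.10 tcp 445
198.51.100.7 192.0.2.11 tcp 21
203.0.113.5 192.0.2.11 tcp 80
203.0.113.9 192.0.2.99 tcp 80
203.0.113.9 192.0.2.10 udp 161
"""


def parse_records(text):
    """Parse the record text into (src, dst, proto, port) tuples, skipping
    blank lines; a malformed line raises ValueError rather than being guessed."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        records.append((src, dst, proto.lower(), int(port)))
    return records


def suspect_records(records):
    """Keep only flows whose destination is a honeypot.  Nobody should talk
    to those hosts, so every such flow is by nature a probe, scan or attack."""
    return [r for r in records if r[1] in HONEYPOTS]


def classify_sources(records, scan_threshold=3):
    """Label each source by how many distinct honeypot (host, proto, port)
    targets it touched: 'scan' at or above scan_threshold, otherwise 'probe'."""
    targets = defaultdict(set)
    for src, dst, proto, port in suspect_records(records):
        targets[src].add((dst, proto, port))
    return {src: ("scan" if len(t) >= scan_threshold else "probe")
            for src, t in targets.items()}


def port_summary(records):
    """Number of distinct sources hitting each (proto, port) on the honeypots;
    a port suddenly hit by many sources is the signal of an automated worm."""
    sources = defaultdict(set)
    for src, dst, proto, port in suspect_records(records):
        sources[(proto, port)].add(src)
    return {key: len(srcs) for key, srcs in sources.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(classify_sources(recs))
    print(port_summary(recs))
```

The flow to 192.0.2.99 is not a honeypot address and is left to the production IDS; everything else is suspect without any signature being needed.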
According to The Cuckoo's Egg, when anyone attempts to compromise your system, collect the raw data, throw away what is expected, and what remains is for you.
Role of honeypots in the overall security system
Prevention does not mean that the honeypot stops attackers from entering the system or from submitting extra information into the network, such as disabling insecure services. Other security mechanisms prefer to keep bad behaviour far from the network, but honeypots do the reverse: they attract the attacker to put himself, with his own data, inside the network. The basic idea behind this technology is to pin the attacker down within the system by letting him spend more time there, so that he can be detected systematically.
Perhaps this depiction fails against more than one attack. Moreover, these days the attacks found are automated. These attacks fetch, attack and expose everything they possibly can. These threats attack the honeypots, not the organization; they only carry out a quick attack.
It is very hard to detect attacks by attackers. A heavily loaded gigabit server has high data transmission rates from node to node, and it is tough to say that a virtual attack within a specific part of such a server has happened. To get rid of these kinds of hurdles, intrusion detection systems have been designed to detect attacks. They sometimes produce a mix of true and false signals about attacks; firewalls cannot stop data packets online, and sensors are hardly able to detect a rated attack on the path of valid traffic passed by the firewalls, but honeynets easily capture the attacks that come their way. However, to simply understand the concept of detection in the honeypot is also just like a
When network media have been compromised, activity has occurred and the data has become polluted. Meanwhile the user and the system cannot determine the internal activity. Gathering the polluted data from a compromised system makes it far more difficult to estimate the systematic environment.
There are two kinds of honeypots, called production and research honeypots. Security is the main framework for data and for the community, but information is lacking about threats, attacks, spies and hackers, who are always seeking a small delay in security for their attacks. Several agencies such as the FBI and RAW, among others, spend millions of dollars to protect information and data. Research honeypots provide a platform for getting to know the bad guys and researching them more deeply: recording them step by step, watching what they do with the system, what methods they use for the attacks and what strategies they use to proceed. The honeypots capture the automated attacks.
The first honeynet module was developed by the Honeynet Project in 1999. Until 2005 it improved continuously by amending various aspects of its internals. A honeynet is purely a high interaction design which uses several Boolean expressions and other services. Each of these honeynets and sensors is basically connected to the Honeywall, which always sits at layer two of TCP/IP to control the flow of data, refine the data and capture it instantly.
A honeynet is specially designed to invite attackers to attack the system so that the user is able to research and study the behaviour, methods and procedures of the attackers. The honeynet is framed around the entire network and acts as a bodyguard for the network, protecting it from intruders. The honeynet has its own real services and applications, so it looks like a normal network rather than a framed one; it acts as a trap for attackers who want to get at other users' data. According to Lance Spitzner, one of the future goals of the Honeynet Project is to develop a centralized data collection system that can correlate information from several distributed honeynets. The system should also be able to correlate and analyse the incoming data in real time, providing early warning and protection systems with reports of zero-day attacks.
Risks of honeypots
Honeypots are always used to increase compatibility and network security, but even so honeypots may carry several risk factors that they face directly and indirectly.
Honeypots: there are many types of honeypots (low and high interaction) that achieve many different things, such as trapping, detection and information capture.
Risk-01, Compromise: most honeypots are detection-based systems. Here a user may set up the honeypot to behave according to the user's expectations (if the user wishes to detect, it will), but while detecting it may reveal itself to an attacker, who may then learn to avoid the honeypot system and stay well away from it.
Risk-02, Identifying an object: the biggest task for honeypots is to identify, detect and capture the attacker's activity. Sometimes honeypots may capture an activity by an admin. It is just like catching a fish from fast-flowing water: anything you catch will be treated as a fish at that time, although it might be a snake or anything else.
There is also a chance that research honeypots are fed with poisoned data, leading to compromised experiments. The latter argument is also one of the reasons why the risk of any of the honeypots being used as a launching pad for new attacks is considered to be very low. In addition, all the honeypots used in the experiments are low interaction, only running a set of emulated services on a minimal operating system, and they are all patched with the latest security updates. Against the possibility that the honeypots are fingerprinted or used to attack other systems, several precautions are taken to minimize the risks during the experiments in this thesis. A firewall configured with a default drop policy is used to protect the machine hosting the low-interaction honeypots. The alerts, system logs and password files are inspected daily to check for irregularities. In case of any such irregularities, the honeypot system should be locked down, the project supervisor and the network administrators should be informed, and the system design should be carefully re-evaluated before redeployment.
The term honeytoken was first coined by Augusto Paes de Barros in 2003. A honeytoken is not a system or computer; it is some kind of entity. A honeytoken could be a digital concept. All Microsoft products are data based. Honeytokens come in many types and shapes; however, all share the same definition of a piece of digital information and of its authorized use. This is only for privacy of information and data protection. Honeytokens are an exciting new dimension for honeypots, especially for the insider threat. They are cost effective, simple to deploy, and highly effective. Honeytokens represent an entirely new field for honeypot concepts, and much more development is expected in this area. Next we cover a deployment concept for honeypots: the honeypot farm. Instead of deploying honeypots all over your networks, you install all your honeypots in one place, then let the attackers come to you.
A. About worms (History, Functions (Infection, Payloads, Propagations) )
B. Honeypots against worms
C. Worms behaviour
D. Honeypots versus worms in different ways
E. Conclusion
Introduction to worms
The term 'worm' was first used in this sense in John Brunner's novel of 1975. In this novel, Nicholas Haflinger designs and sets off a data-gathering worm as an attack against those who circulate electronic data across the information-system web.
Robert Tappan Morris was a graduate student who released the first Internet-based virus on 2 November 1988; it became known as the Morris virus or worm. A worm is a program that copies itself over the network. After the Morris worm and a series of malicious worms over the following years, the term computer worm has come to be associated with a malicious piece of software, much like a computer virus.
What is a computer worm?
A computer worm is a set of programs that copies itself in order to harm computers on a network. It relies on security failures and poor planning of network replication. Many worms have been designed, and the Morris worm is one of them: it is payload free, but it causes network traffic.
What are the key characteristics and distinguishing features of worms and viruses?
A virus is a program that does things without the user's knowledge. Some viruses are even used to remove other viral infections from computers on the network.
A worm is a virus that can copy itself. A worm, like the Sasser worm, can infect on its own without the user making a mistake: a vulnerability is found and exploited, the worm is installed and spreads to other PCs, and you did not have to do anything. Most worms rely on email, though: you open the wrong email or attachment, you get infected, and your computer spams out the worm to others, making it self-propagating.
How to identify a worm in the user's computer system?
Sometimes a user installs an antivirus to detect viruses inside the system, but there is no 100% certainty that the antivirus works properly to detect viruses such as Trojans and worms. Many Trojans and worms do not reveal themselves in the system, while some Trojans and worms do announce their presence. Trojans are a kind of worm that installs itself secretly without giving the system any notice. An increase in outgoing web traffic is the general indication of an infection; this applies to both individual computers and corporate networks. If no users are working on the Internet in a specific time period (e.g. at night) but the web traffic continues, this could mean that somebody else is active on the system, and most probably that is malicious activity. If a firewall is configured on the system, attempts by unknown applications to establish Internet connections may be indicative of an infection. Numerous advertisement windows popping up while visiting websites may signal that adware is present in the system. If a computer freezes or crashes frequently, this may also be related to malware activity, although such malfunctions are more often accounted for by hardware or software faults than by virus activity. However, if similar symptoms occur simultaneously on multiple or numerous computers on the network, accompanied by a dramatic increase in internal traffic, this is very likely caused by a network worm or a backdoor Trojan spreading across the network. An infection may also be indirectly evidenced by non-computer symptoms, such as bills for telephone calls that nobody made or SMS messages that nobody sent. Such facts may indicate that a phone Trojan is active in the computer or the cell phone.
If unauthorized access has been gained to your personal bank account or your credit card has been used without your authorization, this may signal that spyware has intruded into your system.
Detecting a virus or Trojan in your computer may in some cases be a complex problem requiring technical qualification; in other cases it may be a pretty straightforward task: it all depends on the degree of the malware's complexity and the methods used to hide the malicious code embedded in the system. In difficult cases, when special methods (e.g. rootkit technologies) are employed to disguise and conceal the malicious code in the system, a non-professional may be unable to track down the infected file. This problem may require special utilities or actions, like connecting the hard disk to another computer or booting the system from a CD. However, if a regular worm or simple Trojan is around, you may be able to track it down using fairly simple methods.
The vast majority of worms and Trojans need to take control when the system starts. There are two basic ways of doing that:
01- A link to the infected file is written to the auto-run keys of the Windows registry;
02- The infected file is copied to an auto-run folder in Windows.
The most common auto-run folders in Windows 2000 and XP are as follows:
%Documents and Settings%\%user name%\Start Menu\Programs\Startup
%Documents and Settings%\All Users\Start Menu\Programs\Startup
History of worms:
Worms are the most infectious files, which always succeed in installing themselves into the system without any protection stopping them. No single theme has been settled for worms.
Worms start their own function from the host channel in various ways. They might come via attachments or via plugging devices in and out, and execute automatically at boot-up. Basically a worm affects the primary host to work from the inside, and then the network. These are self-replicating files, a very unique kind of code in the history of computers. Worms are more dangerous than viruses: once they affect a host, they try to reach another host via the network or another data medium anonymously and try to gain access by sending a copy of themselves into the other system, where they perform the same action as the original.
In conclusion: 'A worm is a set of computer programs which copies itself, executes when the system boots up, and propagates over the network with or without any human interaction'.
Worm             | Detected on | Symptom                                                                                                                      | Damage
Morris           | 02.11.1988  | Copies its own code to other systems via the network and remote systems                                                      | Over 6 to 11 million $ (USD)
MyDoom (W32)     | 26.01.2004  | Sends heavy junk email carrying the text message 'andy; I'm just doing my job, nothing personal, sorry,'; slows down the Internet | Microsoft Windows / $38 billion
Sobig.F          | 09.2003     | Destroys Internet gateways and email servers, and global Internet access                                                     | $37 billion
ILOVEYOU (a.k.a.) | 04.05.2000  | Text message 'I LOVE YOU', 10 million Windows hosts, hidden .exe file                                                         | $15 billion, government and non-government
Code Red         | 06.2001     | Microsoft Windows servers; web message online 'Welcome to http://www.worm.com! Hacked by Chinese!'                           | $2 billion
Table: Worm History Summary
Morris: The Morris Worm, named after its author Robert Tappan Morris, emerged on the Internet in November 1988. It benefited from the fact that the hosts that constituted the Internet in 1988 were largely homogenous and tightly connected with respect to trust relationships. The limited number of hosts (approximately 60.000) that formed the Internet at the time made scanning for new victims by probing random IP addresses ineffective. Instead, the worm searched for new hosts to infect on the already infected hosts. It exploited multiple vulnerabilities in order to propagate. In that sense, it was not only the first worm to be observed on the Internet, but also the first multi-vectored worm.
Upon infection, the source code of the worm was transferred to and compiled on the newly infected host. This made it possible to attack different architectures. The worm's sole purpose was to further propagate itself to new hosts, and even though it had no malicious payload, the propagation process consumed vast processing resources.
The outbreak of the Morris Worm resulted in the formation of the Computer Emergency Response Team (CERT), the purpose being to study and distribute information about security vulnerabilities and incidents [CER].
Mydoom
Mydoom, also known as Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first detected on 26 January 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm. Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers. The worm contains the text message 'andy; I'm just doing my job, nothing personal, sorry,' leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown. Mydoom slowed down global Internet access by ten percent, and caused some website access to be reduced by 50 percent. Upon infection, it looked for email addresses in contact lists and sent itself to any addresses it found. It was said that during the first few days, one out of ten email messages sent contained the virus. It was only stopped from spreading after about a month.
Sobig.F
This worm was detected in 2003 and was written by an unknown author under the name Sobig.F. It completely crashed Internet gateways and other email servers, with the result that it choked global Internet access and brought servers down. By September 2003 the program was set to deactivate itself.
ILOVEYOU
It is a computer worm that successfully attacked tens of millions of Windows computers in 2000, when it was sent as an attachment to an email message with the text 'ILOVEYOU' in the subject line. The worm arrived in email inboxes on and after May 4, 2000 with the simple subject 'ILOVEYOU' and an attachment 'LOVE-LETTER-FOR-YOU.TXT.vbs'. The final 'vbs' extension was hidden by default, leading unsuspecting users to think it was a mere text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book, with the user's sender address. It also made a number of malicious changes to the user's system. The virus was written by a Filipino programmer who was still a college student at the time. He said the release of the virus was only 'accidental'. This virus spread throughout the world in just a day, infecting computers of large corporations and governments, including the Pentagon in the United States. It caused $15 billion in damages. The actual 'damage' occurred during the removal of the infection from computers, as email servers and computer networks had to be shut down before the virus could be removed.
Code Red
After many attacks, the world of computers was shaken again when Code Red attacked systems. This time it attacked data sources such as Microsoft Windows, Microsoft servers and software, while on the Internet the affected website displayed the message 'Welcome to http://www.worm.com! Hacked by Chinese!'.
Worm propagation model
As given theoretical and practical proof by Zesheng Chen and Chaunyi Ji. Research interest focus on the network security and spreading of Malware, Worm, Trojan and to detection system and the effective defence system. This article describes that worm spreading dynamics using different methods.
For a simple epidemic model, each host has only two states: susceptible and infected. A susceptible host can be infected by other infectious hosts, while an infected host can be recovered and become susceptible. Combining infection and recovery provides one of the simplest models, the susceptible->infected->susceptible (SIS) model.
Traditionally, epidemic models describe the SIS model using a nonlinear differential equation to measure the infected-population dynamics:
where n(t) is the fraction of infected hosts among all vulnerable hosts, β is the birth rate (the rate at which an infected host infects other susceptible hosts), and d is the death rate (the rate at which an infected host becomes susceptible again). The solution to the above equation is expressed in terms of ρ = d/β and n0 = n(t=0). When random-scanning worm propagation is concerned, the birth rate β becomes sN/2^32, where N is the total number of vulnerable hosts and s is the scanning rate (the number of scans that an infected host sends per unit time).
Another model, a discrete-time, continuous-state deterministic approximation called the Analytical Active Worm Propagation (AAWP) model, has been proposed by Chen et al. to model the spread of active worms that employ random scanning. A nonlinear difference equation is used to model the worm propagation dynamics.
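To make the two models concrete, here is an added Python example (not code from the dissertation or from Chen and Ji) that evaluates the SIS model and iterates the AAWP recurrence. It assumes the standard SIS form dn/dt = βn(1-n) - dn, writes the AAWP step from Chen et al.'s published recurrence as recalled here rather than from this page, and uses constructed values for N, s and n0.

```python
"""Worm propagation models described in the text, as an added example (not code
from the dissertation or from Chen and Ji).  Assumptions: the SIS equation the
text refers to is taken to be the standard form dn/dt = beta*n*(1-n) - d*n,
and the AAWP recurrence is written from the published Chen et al. paper as
recalled here, not from this page.  All parameter values are constructed."""
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random-scanning worm picks from


def birth_rate(scan_rate: float, vulnerable_hosts: int) -> float:
    """beta = s*N/2^32, the random-scanning birth rate stated in the text."""
    return scan_rate * vulnerable_hosts / ADDRESS_SPACE


def sis_closed_form(t: float, beta: float, d: float, n0: float) -> float:
    """Closed-form solution of dn/dt = beta*n*(1-n) - d*n.

    With rho = d/beta the equation is logistic with growth rate (beta - d)
    and carrying capacity (1 - rho):
        n(t) = (1-rho) / (1 + ((1-rho)/n0 - 1) * exp(-(beta-d)*t))
    """
    rho = d / beta
    cap = 1.0 - rho
    return cap / (1.0 + (cap / n0 - 1.0) * math.exp(-(beta - d) * t))


def sis_euler(beta: float, d: float, n0: float, t_end: float,
              dt: float = 0.01) -> float:
    """Integrate the same SIS equation with forward Euler, so the closed form
    above can be checked against a plain step-by-step simulation."""
    n = n0
    for _ in range(int(round(t_end / dt))):
        n += dt * (beta * n * (1.0 - n) - d * n)
    return n


def aawp_step(infected: float, vulnerable_hosts: int, scan_rate: float,
              d: float = 0.0) -> float:
    """One AAWP time step (discrete time, continuous state).

    Each of the s*n_i scans in a step hits a fixed address with probability
    1/2^32, so a susceptible host escapes every scan with probability
    (1 - 1/2^32)^(s*n_i).  Hosts that do not escape become infected, and a
    fraction d of the infected hosts recovers (the death rate)."""
    p_escape = math.exp(scan_rate * infected * math.log1p(-1.0 / ADDRESS_SPACE))
    newly_infected = (vulnerable_hosts - infected) * (1.0 - p_escape)
    return (1.0 - d) * infected + newly_infected


def aawp_curve(vulnerable_hosts: int, scan_rate: float, n0: int,
               steps: int, d: float = 0.0) -> list:
    """Iterate aawp_step and return the infected-host count after each step."""
    curve = [float(n0)]
    for _ in range(steps):
        curve.append(aawp_step(curve[-1], vulnerable_hosts, scan_rate, d))
    return curve


if __name__ == "__main__":
    # Constructed Code Red-like parameters: 360,000 vulnerable hosts, 358
    # scans per minute per infected host, one initial infection, no recovery.
    N, s = 360_000, 358.0
    beta = birth_rate(s, N)
    print(f"beta = {beta:.4f} per minute")
    for minute in (0, 200, 400, 600):
        sis = round(sis_closed_form(minute, beta, 0.0, 1 / N) * N)
        aawp = round(aawp_curve(N, s, 1, minute)[-1])
        print(f"t={minute:4d}  SIS={sis:7d}  AAWP={aawp:7d}")
```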
Worms behaviour
01- Infection – For example, consider infection by a recent worm such as Slapper in a honeypot system. The honeypots can be deployed in any configuration, but to detect new worms the honeypot systems are kept up to date with patches so that their previously known vulnerabilities are closed. Each honeypot's manager process is responsible for communicating with other hosts over the internet, with the sensors and over internal connections, and for generating a signature when an infection occurs. By configuring the sensor like a masquerading firewall for the honeypot, the sensor can proxy all connections from the honeypots and allow them to communicate with the infectors. Infection attempts are routed to the other honeypots so that the infection spreads within the 'Petri culture'. Once the infection has spread among the honeypots, each member of the group is considered compromised. As a result the honeypot system observes a great deal of output and detail about the infection, including traffic, packets, worm signatures and virtualisation state.
02- Payloads – Honeypots are used to catch worms and analyse them. To catch a worm, the system has to let it infect a host. A honeypot can simply be a normal host without the latest updates applied. In either case the honeypot must not be able to bounce the infection on to other hosts over the internet; it works only within a limited area. It acts as a defence-level machine that is left to 'pickle' the worm: it always waits for infection, and only then is it possible to see through the infection. Worms are made up of only a small amount of code and a few lines of instructions, which makes them easy to chase and break into modules. If the worm is slightly larger, it is split across packets at the network level, and analysis then becomes much tougher.
03- Propagation – When a worm calls itself, it targets IP addresses at random. Among the targets in the list, some IP addresses are still to be allotted to the worm that is found with the packets. These worms receive automated invitations over the network which match the internal proxy IPs through virtualisation, and they try to jump from their original location to the invited location.
04- Worm Measures
A worm measure is defined as an action taken to slow the propagation rate of a worm by detection and protection.
Worm detection is a technology that reflects a manual process: it explains how it is possible for a system to automatically extract suspicious content from a client's network. Worms such as Nimda and Code Red are used by attackers to gain access to machines. The exploit is typically a buffer overflow attack, which is caused by sending a packet (or packets) containing a field that has more data than the buffer allocated by the receiver for that field can hold. If the receiver implementation is careless, the extra data beyond the allocated buffer size can overwrite key machine parameters, such as the return address on the stack. A buffer overflow allows the attacking machine to run code on the client machine. That code then fetches many IP addresses and sends similar packets to the new target machines.
Christian Kreibich and Jon Crowcroft describe a system for the automated generation of attack signatures for network intrusion detection systems. Their work focuses on signature generation only. The system that produces these signatures is called Honeycomb. It uses different pattern-matching techniques and packet inspection on the traffic captured at the honeypots. The honeypots work on both TCP/IP and UDP. The name Honeycomb comes from combing hair to get rid of unwanted elements: in the same way, Honeycomb combs the honeynet traffic, filters the data packets out of the network traffic and removes them. The main benefit of Honeycomb is that it remembers previous attacks and creates new IDS (intrusion detection system) signatures as they occur. Honeycomb's detection is algorithm based, because a propagating worm produces an extensive number of packets carrying the same content. To track them, two patterns have been designed for worm detection, covering two aspects: one is called Horizontal Detection and the second is called Vertical Detection.
Horizontal Detection:
In this pattern the detection system compares all messages at the same depth and the same instant. Each packet of network traffic passed through Honeycomb is flagged with its own LCS (longest common substring). In this method Honeycomb remembers the previous attacks on the network; if packets match each other, the match is flagged and claimed as an internet attack on the system.
Honeycomb is combined with Honeyd honeypots in two ways, as a plugin and through event hooks. Honeycomb is used to analyse packets; Honeyd generates the network traffic, so Honeycomb reads the traffic through Honeyd.
A. About Honeyd
B. Inside Honeyd
C. Configuration Honeyd
D. Script Honeyd
A Virtual Honeypot.
Honeyd is a framework for setting up virtual honeypots. With Honeyd it is possible to set up honeypots with different personalities and services on a single machine. Honeyd is able to fool attackers by using fake fingerprints. Honeyd relies on the Nmap fingerprinting technology, which is used to identify different kinds of operating systems and their respective network stacks.
Configuration: the installation of Honeyd is straightforward. Honeyd is a low-interaction, open-source package. Low interaction means that only services are emulated, which does not allow the attackers to get in touch with the real operating system of the honeypot. KF Sensor likewise listens at the TCP layer to decoy the attackers and track their activity. Honeyd is a system that provides harmless replies to connections sent to unused addresses. It detects unauthorised traffic by monitoring a LAN for ARP requests that go unanswered: unused addresses can be assigned to Honeyd, which simulates honeypots at those unused IP addresses. In this way Honeyd counters attacks and scanning worms on the internet.
It was originally designed for UNIX systems but has since been ported to other platforms such as Windows and Android. KF Sensor is designed for Windows only. Honeyd is designed as a production-style, low-level honeypot that gives the attacker a false green light, the illusion of a real system, whereas KF Sensor uses the computer's IP address as the main KF Sensor server: the host uses the IP while the attacker takes it for the main IP of a real running server. Honeyd monitors a large number of hosts and their network traffic. Honeyd only works on TCP ports, whereas KF Sensor models both TCP and UDP ports.
When Honeyd receives data packets (possibly worms) destined for the virtual honeypots, they are processed by a central packet dispatcher. It first checks the length of the IP packets. Three protocols are emulated: ICMP, TCP and UDP.
ICMP – only echo requests are supported: the packet dispatcher assigns the ICMP_ECHO value to the packet and passes it on for further processing.
TCP and UDP – the packet dispatcher starts an external service program, which receives data on standard input (<STDIN>; such programs can be written in C, C++ or C#) and sends its output to standard output (<STDOUT>).
TCP – this contains a state machine with several working sides.
UDP – when a packet is delivered to a closed port, it is answered properly with an ICMP port-unreachable message.
Before the packets are returned to the network, they are processed by the personality engine, which adjusts the packet contents to match the configured IP stack.
How does honeyd works-
When a connection is made to the low-interaction honeypot at the TCP/IP layer, the service starts capturing. Honeyd is given a fresh IP address that is not used by any other system on the network. The following steps make Honeyd more feasible to use.
Configuration file – the configuration file is the location where the operating system definition is stored.
Honeyd is assigned an IP address that is not in use; it must be one that no system on the network uses. Therefore attackers accessing this system, which does not really exist, are most likely scanning or attacking. It has been designed as a dynamically reconfigurable, runtime-adaptive, multi-grained system. A VHDL description gives a hardware implementation at RTL (Register Transfer Level) which covers all the hardware application requests. The ALU counts the integrated operations, and the LUT counts the sizes and available functionality. It is encapsulated in an array structure; all data transport within the array is fully synchronised with a handshake protocol to keep the data consistent. The complete array is made up of three different cell types: data-path cells for data calculation; memory cells, which offer memory space inside the array so that memory can be locally increased and optimised; and input/output interface cells, which have been improved by implementing a configuration sequence.
Instead, the Honeycomb array consists of identical blocks, each having a routing unit (RU) and a functional unit (FU), which gives the user the flexibility to meet their own requirements. Honeycomb's detection is based entirely on the fact that a propagating worm produces an extensive number of specific packets and multiple hosts under identical payloads. Every packet on each connection must be compared with the data packets present on the destination side. Detection of worms is done in two ways: one is horizontal detection and the second is vertical detection. Honeycomb automatically generates Snort and Bro signatures for whole traffic scenarios. Old signatures are continuously updated as long as network traffic is active. Sometimes, or rather most of the time, the attacks are not verified in any way.
Horizontal Detection:
Honeycomb applies the LCS algorithm within its own detection system. The LCS (longest common substring) identifies the pattern in the flow of messages at the same depth.
Fig 01- Horizontal pattern detection between network traffic.
LCS (Longest Common Substring) Algorithm:
LCS is a popular and fast algorithm for detecting a common pattern in multiple strings and is used for automatic digital signatures. The LCS is computed between two packets with similar incoming and outgoing direction.
Let X = {x1, x2, ..., xn} and Y = {y1, y2, ..., yn} be two sequences, and let Xi and Yj denote their prefixes {x1, ..., xi} and {y1, ..., yj}.
LCS(Xi, Yj) is the longest common sequence of the prefixes Xi and Yj. Here the xi are the older signatures, which are continually updated while traffic runs through Honeycomb, and the yj are the message flow against which the data packets are compared. If xi and yj match each other, the sequence is built from LCS(Xi-1, Yj-1); if the elements do not match, the alternative sequence LCS(Xi, Yj-1) is used instead.
Vertical Detection:
Vertical detection is carried out by linking all (or a number of) the messages from one packet stream into one long string and comparing that data with its corresponding string from the other network traffic flow. It also handles TCP/IP dynamics: it splits the message into slices and concatenates them so that the match can be proved valid.
Fig 02- Vertical detection pattern in between traffic flow
The actual worm detection is based on this mechanism running on top of the low-interaction honeypot. It makes detection possible while reducing the number of unaddressed data packets.
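The horizontal and vertical comparisons just described, as an added Python example (not Honeycomb's own code): a longest-common-substring routine is applied first to the k-th messages of two connections and then to the concatenated streams. The two connections and PAYLOAD are constructed sample traffic, and MIN_SIGNATURE_LEN is an assumed threshold.

```python
"""Honeycomb-style horizontal and vertical detection, as an added example and
not Honeycomb's own code.  CONN_A, CONN_B and PAYLOAD are constructed sample
traffic (not captured packets); MIN_SIGNATURE_LEN is an assumed threshold."""
from typing import List, Optional


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming LCS (longest common substring).

    cur[j] holds the length of the common suffix of a[:i] and b[:j]; the
    largest value seen marks where the longest common substring ends in a."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


MIN_SIGNATURE_LEN = 8   # assumed: shorter matches are treated as noise


def horizontal_detect(conn_a: List[bytes], conn_b: List[bytes]) -> List[bytes]:
    """Horizontal detection: compare the k-th message of one connection with
    the k-th message of the other (same depth) and keep every LCS that is
    long enough to be a signature candidate."""
    candidates = []
    for msg_a, msg_b in zip(conn_a, conn_b):
        lcs = longest_common_substring(msg_a, msg_b)
        if len(lcs) >= MIN_SIGNATURE_LEN:
            candidates.append(lcs)
    return candidates


def vertical_detect(conn_a: List[bytes], conn_b: List[bytes]) -> Optional[bytes]:
    """Vertical detection: concatenate each connection's messages into one
    string first, so content that sits at different depths in the two
    streams, or straddles a message boundary, is still found."""
    lcs = longest_common_substring(b"".join(conn_a), b"".join(conn_b))
    return lcs if len(lcs) >= MIN_SIGNATURE_LEN else None


# Constructed sample: two SMTP-like connections carrying the same payload at
# different offsets.  The greeting is partly shared as well, which is the
# kind of benign protocol text that produces false positives.
PAYLOAD = b"CONSTRUCTED-WORM-PAYLOAD"
CONN_A = [b"HELO mail.example.test\r\n", b"XX" + PAYLOAD + b"AA"]
CONN_B = [b"HELO mx.example.test\r\n", b"YYYYYY" + PAYLOAD + b"C"]

if __name__ == "__main__":
    print("horizontal:", horizontal_detect(CONN_A, CONN_B))
    print("vertical:  ", vertical_detect(CONN_A, CONN_B))
```

The horizontal pass also flags the shared greeting fragment b".example.test\r\n"; shared protocol text of this kind is the source of the false positives mentioned earlier in the thesis.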
Signature Generation
Signature generation is done at the second layer of the TCP/IP model in two stages. In the first stage, streaming is applied to the packets: the stream is the process in which the data packets are saved automatically and directed to their respective destination. In the second stage, the same auto-saved packets are compared using a bidirectional protocol, which specifies the direction of the second pair relative to the first data packets already saved in the stream unit, and the two-dimensional LCS algorithm. If the LCS finds another unaddressed packet, it is tagged with a special signature and passed to another unit, where it is treated as a worm on the internet.
Signature refining: Honeycomb has a memory unit for holding all those unauthorised packets that have been given a signature. Replacing a signature with a newly generated one does not mean that the old one has to be destroyed.
Why signatures are required?
Signature processes only detect unknown worms with this process. There are some difficulties in the signatures that are assigned to the honeypots to detect worms:
01- Signatures must be flexible enough to defend against polymorphic worms.
02- The system must be kept safe, and the time taken to generate signatures and compare them with the internal network traffic must be kept short.
03- The signature must make the worm easy to detect.
04- The system must be free from noise and tolerant of it.
05- The signature must be produced such that worms are detected with low false positive and false negative rates.
Polygraph: polymorphic worms exist on the internet, and the polymorphic nature of such a worm is identified by opposing it with a Polygraph system. There are three kinds of signature used to identify polymorphic worms. They are built from tokens, which are substrings of byte sequences of at least a minimum length. These tokens are clustered hierarchically. Signatures have been categorised into two common types.
01- Exploit-specific – these are based on the worm's implementation and content. They are the flaw files. When an attacker hits the network, the signatures assemble at once and are imposed to detect it sequence by sequence. Exploit-based signatures run hard.
02- Vulnerability-specific – these signatures capture the nature of the worm. They are based on the flaw itself, since the exploit inherits the characteristics of the vulnerability flaw. Signatures on this basis run efficiently.
These signatures are classified as host based and network based, although the host based signatures are more accurate and can have better coverage.
Newsome et al. discuss polymorphism: a polymorphic worm generates multiple substrings that are present in every payload of the worm. Most of the substrings observed are protocol framing bytes. Polygraph divides a signature into tokens. The system extracts the tokens automatically and represents the worm or suspicious flow of data packets by the tokens it includes.
Three signatures-
01- Conjunction signature – a set of unordered tokens. If an incoming flow contains all of the existing tokens, the signature and the flow are considered equal. Otherwise the conjunction simply generates the signature by extracting tokens.
02- Bayes signature – a designated unit of scored values for packets, which are collected and grouped, then finally rationalised and matched against the flow of network traffic. If the sum is greater than the threshold, the flow is assumed to be a worm.
03- Token-subsequence signature – a set of ordered tokens; a flow is assumed to match if all its tokens are the same as the desired set of tokens in the signature, in that order.
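The three signature classes above, as an added Python example (not Polygraph's own code): tokens are extracted as the maximal substrings common to a set of constructed polymorphic flows, then matched as a conjunction, as a token subsequence and as a weighted Bayes score. WORM_FLOWS, BENIGN_FLOW, ADDR, MARKER, WEIGHTS and THRESHOLD are all constructed values.

```python
"""Polygraph-style signature classes (Newsome et al.), as an added example and
not Polygraph's own code.  Token extraction here is a plain maximal-common-
substring search; the worm flows, the benign flow and the weights are
constructed for illustration."""
import re
from typing import Dict, List


def extract_tokens(flows: List[bytes], min_len: int = 4) -> List[bytes]:
    """Tokens = maximal substrings of at least min_len bytes that occur in
    every suspicious flow, ordered by their position in the first flow."""
    common = None
    for flow in flows:
        subs = {flow[i:j] for i in range(len(flow))
                for j in range(i + min_len, len(flow) + 1)}
        common = subs if common is None else common & subs
    common = common or set()
    # keep only substrings not contained in a longer common substring
    maximal = [s for s in common
               if not any(s != t and s in t for t in common)]
    return sorted(maximal, key=lambda s: flows[0].find(s))


def conjunction_match(tokens: List[bytes], flow: bytes) -> bool:
    """Conjunction signature: every token present, in any order."""
    return all(tok in flow for tok in tokens)


def token_subsequence_match(tokens: List[bytes], flow: bytes) -> bool:
    """Token-subsequence signature: tokens present in the given order,
    expressed as the regular expression tok1.*tok2.*...tokN."""
    pattern = b".*".join(re.escape(tok) for tok in tokens)
    return re.search(pattern, flow, re.DOTALL) is not None


def bayes_score(weights: Dict[bytes, float], flow: bytes) -> float:
    """Bayes signature: add up the score of each token found in the flow."""
    return sum(w for tok, w in weights.items() if tok in flow)


def bayes_match(weights: Dict[bytes, float], threshold: float,
                flow: bytes) -> bool:
    return bayes_score(weights, flow) >= threshold


# Constructed polymorphic samples: the request path and the filler differ in
# every copy, while two byte strings (a fake overwritten address and a fake
# marker) are invariant because the exploit needs them.
ADDR, MARKER = b"\x7f\x00\x00\x00", b"\xde\xad\xbe\xef"
WORM_FLOWS = [
    b"GET /" + b"a" * 6 + b"\r\n" + ADDR + b"q" * 3 + MARKER,
    b"GET /" + b"b" * 9 + b"\r\n" + ADDR + b"w" * 5 + MARKER,
    b"GET /" + b"c" * 4 + b"\r\n" + ADDR + b"e" * 2 + MARKER,
]
BENIGN_FLOW = b"GET /index.html\r\nHost: h\r\n"
# Assumed per-token weights: protocol framing scores low, exploit bytes high.
WEIGHTS = {b"GET /": 0.1, b"\r\n" + ADDR: 2.0, MARKER: 2.0}
THRESHOLD = 3.0

if __name__ == "__main__":
    tokens = extract_tokens(WORM_FLOWS)
    print("tokens:", tokens)
    for flow in WORM_FLOWS + [BENIGN_FLOW]:
        print(conjunction_match(tokens, flow),
              token_subsequence_match(tokens, flow),
              bayes_match(WEIGHTS, THRESHOLD, flow))
```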
A. About Honey-stat
B. Worm Protection
C. Defences
HoneyStat is a local worm detection system; it modifies the honeypots to give them scan-detection ability with a high detection rate and a low false positive rate. HoneyStat nodes are script driven and automated and give large coverage of the IP space.
HoneyStat raises three alerts, which are the best symptoms of infection:
01- Memory alert: based on buffer overflow detection and process management
02- Disk write alert: based on registry keys and typical files written for the packets, and on authentication
03- Network alert: an alert on the network which watches the flow of the data
If any of these alerts is issued, the associated data is collected automatically. This helps to improve detection, decrease the errors caused by noise and monitoring effort, and gather more data. Honeyd offers a way to detect and disable worms. All these services can catch zero-day attacks. HoneyStat is believed to capture the relevant data whenever any of the above alerts is triggered. Trace files and a secure login system are the best identification of this system.
Methods for worm detection:
01- Singh et al. proposed a system for detecting new worms and creating signatures, known as EarlyBird. The aim of the system is to detect worms and traffic characterised by highly repetitive content and an increasing number of destinations being targeted.
Worm Protection:
There are many ways in which a system can be protected against worm attacks and other kinds of traffic stuck within the network. A system should always have its patches applied and kept active at all times.
Defence system:
Network Based Defence:
Network firewalls are devices that enforce local network security by blocking unwanted traffic flow. There are several kinds of firewalls.
Packet filtering – the router decides whether to allow data packets in and out based on their IP source.
Application level – application filters are traffic-based filters which examine the traffic on the live network.
Circuit gateway – these are very strict about trust between internal and external network connections and do not allow end-to-end TCP/IP connections. Once the connection is set up, the circuit gateway relays the traffic without inspecting its content.
Firewalls can provide worm protection at a certain level. A network intrusion detection system monitors incoming and outgoing network traffic, looking for unusual activity that could be part of an attack.
Host Based Defences:
A host-based intrusion detection system monitors the user activity and the system’s state. This type of intrusion detection system is able to detect and respond to irregular behaviour by the user, as well as processes that try to execute commands they are not supposed to.
A host-based firewall can serve as the best complement to the network firewall, providing control of the services and traffic allowed for the host. Worms are detected by using signatures to search for malicious files on the system; the firewall then quarantines the worm and is able to remove it.
A. Aim of detection
B. System
C. Architecture
Aim of detection:
A worm detection architecture aimed at detecting known and unknown worms is proposed. The system is based on SweetBait and HoneyStat.
Sensor Positioning
The sensors are the main part of the architecture; they are where the activities are observed. They are the backbone for monitoring all the activities and traffic distributed on the network. Their advantages are given below.
The delay between a worm outbreak and its detection in such a system is minimal, as every packet from one network to another has to go through these network elements.
The detection mechanism is transparent to any local network, providing scalability and ease of deployment. When the detection sensors are placed in the local networks, the traffic load experienced is minimal compared to the backbone approach. Thus, payload examination and worm detection in local networks is feasible and is used in the architecture proposed in this chapter. The detection sensors used in such a system can be either network elements, honeypots or host-based sensors. In a local network, an inter-domain signature distribution mechanism is needed as part of the detection system. By globally distributing newly generated worm signatures through, e.g., a global signature repository, networks in other domains can be warned about global worm outbreaks and thereby be able to block a worm even before it has reached the domain. To accomplish immunisation against rapidly spreading worms, this signature distribution mechanism has to be a fully automated process. To avoid false alarms in such a scheme, several precautions must be taken. First, every sensor has to be authenticated before uploading new signatures to the global repository, and the communication channels must be secure. Second, a signature should be received by a certain number of distinct sensors before it can be considered a valid signature.
Types of sensors:
Network sensor: to screen the network traffic, a set of sensors has to be installed on the local network. These are located at the network gateway to monitor the traffic and network transactions.
Host sensor: these are network-protection sensors which act as an IP stack guard. They protect the network directly and authentically, and are used directly to protect the production network. A host sensor makes it quite possible to detect worms that work from a hit list.
Honeypots: this is the main sensor, which receives the data over the network as packets that have been given signatures by the IDS. Honeypots can only detect the traffic and the time of detection of the worm.
A- Architecture:
Architecture of detection of unknown worm
Local area network
The detection takes place in the high-interaction system, so as to be able to detect as many worm attempts as possible.
Gateway: the gateway is the main source from which data traffic arrives and where the process begins.
Sensor: the sensors are the main component and backbone of the honeypots. Sensors such as network sensors, host-based sensors and Honeyd collect the data and monitor all network activities and internet-based transactions on the live network.
NIPS: Network Intrusion Protection System. It is a protection system combining hardware and software that protects the computer network from wrongful access. It continuously monitors the traffic on the network, creates patterns and alerts, and stops the intrusion wherever possible. The NIPS is placed in the system to protect the production network. It can filter unwanted traffic based on certain ports as specified by the network administrator, as well as traffic that has been declared malicious as a result of signature updates from the LCU. Similar to the KA filter, it is also possible for the NIPS to report back to the LCU on the activity level of the received signatures.
Honeypots: a honeypot is a trap to detect and avoid unauthorised access on the network. The honeypot analyses and monitors the data, which contains the information and value of the attack and the attackers. Production honeypots are easy to use, capture only limited information and are used primarily by companies or corporations; they are placed inside the production network with other production servers by an organisation to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers.
Production network: the record of an event contains the type of event, along with all relevant captured data such as the stack state for memory events, the outgoing packet payload for network events and information about file changes for disk events. The operating system used on the honeypot, as well as its patch level, and a trace file of network activity prior to the event are recorded too.
The main focus of the system is to detect the worm and produce a signature for it. It records everything. Among the interesting events, an outgoing packet from the infected host (a network event) indicates that the honeypot is either downloading the actual worm payload or trying to infect new hosts. At this point it is therefore assumed that enough data has been recorded to enable successful signature generation, and the virtual honeypot is immediately scheduled for a reset.
LCU: Local Control Unit. The entire set of recorded events is handed over to the Local Control Unit for processing and signature generation. To make doubly sure that no attacker can use this channel to stage a new attack, message digests and digital encryption are required.
The remaining parts described in this section are used in the local network.
AU: Analysis Unit – the main objective is to maintain and hold, in exact shape, the data gathered from the honeypot and the signature of the target worm. The incoming events are stored in the log database and correlated with older events. If a similar chain of events has been received a certain number of times before, it is assumed that the events are caused by a worm. If not, the events are simply stored and the AU returns to the idle state. The network packets causing the same chain of events are compared. Before the newly generated signature is stored in the database, it is compared with the already existing ones. It can then either be stored directly in the database as a new entry or help to improve one of the older ones.
CU: Communication Unit – the Communication Unit's (CU) main purpose is to exchange signatures with the GCU as well as to issue signature updates to the KA filter and the NIPS. Updates are pushed from the CU to the local KA filter and NIPS every time a new signature is generated or improved. The KA filter and NIPS will in turn report the activity level of each signature on a regular basis.
GCU: Global Control Unit – the GCU serves as a central signature storage and distribution unit. It receives signature updates from the distributed LCUs and is able to correlate data received from different locations to compose improved signatures. Based on the received data, it issues periodic updates to the LCUs. As the GCU is a potential single point of failure, and the effects can be catastrophic if it is compromised, the security requirements are strict. All communication between the GCU and the LCUs should be authenticated and encrypted in order to avoid forged signature updates.
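The two trust gates described in this section, as an added Python example (not the dissertation's own implementation): the AU's repeat threshold before a chain of events is attributed to a worm, and the GCU's requirement that uploads come from authenticated sensors (an HMAC-SHA256 message digest over the sensor id and signature is assumed here) and be reported by several distinct sensors before they count. Keys, sensor ids, the event chain and the thresholds are constructed.

```python
"""Trust gates of the proposed architecture, as an added example (not the
dissertation's own implementation).  The AU refuses to attribute a chain of
honeypot events to a worm until it has repeated, and the GCU accepts a
signature only from sensors that authenticate (HMAC-SHA256 message digest,
an assumption) and only once enough distinct sensors have reported it.
Keys, sensor ids and thresholds are constructed."""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Set, Tuple


class AnalysisUnit:
    """AU: correlate incoming HoneyStat-style event chains with older ones."""

    def __init__(self, repeat_threshold: int = 3):
        self.repeat_threshold = repeat_threshold
        self.seen: Dict[Tuple[str, ...], int] = defaultdict(int)

    def observe(self, chain: Tuple[str, ...]) -> bool:
        """Store the chain; return True once it has been seen often enough
        to be attributed to a worm (which triggers signature generation)."""
        self.seen[chain] += 1
        return self.seen[chain] >= self.repeat_threshold


class GlobalControlUnit:
    """GCU: central signature store fed by authenticated LCUs."""

    def __init__(self, min_distinct_sensors: int = 2):
        self.min_distinct = min_distinct_sensors
        self.sensor_keys: Dict[str, bytes] = {}      # sensor id -> shared key
        self.reports: Dict[bytes, Set[str]] = defaultdict(set)

    def register_sensor(self, sensor_id: str, key: bytes) -> None:
        self.sensor_keys[sensor_id] = key

    @staticmethod
    def tag(key: bytes, sensor_id: str, signature: bytes) -> str:
        """Message digest an LCU attaches to an upload; the sensor id is
        bound into it so one sensor's tag cannot be replayed as another's."""
        msg = sensor_id.encode() + b"\x00" + signature
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def receive(self, sensor_id: str, signature: bytes, tag: str) -> bool:
        """Accept an upload only from a registered sensor with a valid tag."""
        key = self.sensor_keys.get(sensor_id)
        if key is None:
            return False
        if not hmac.compare_digest(self.tag(key, sensor_id, signature), tag):
            return False
        self.reports[signature].add(sensor_id)
        return True

    def is_valid(self, signature: bytes) -> bool:
        """A signature counts only after enough distinct sensors reported it;
        repeated uploads from the same sensor do not add weight."""
        return len(self.reports.get(signature, set())) >= self.min_distinct


if __name__ == "__main__":
    au = AnalysisUnit(repeat_threshold=2)
    chain = ("memory", "disk", "network")   # the HoneyStat alert sequence
    print([au.observe(chain) for _ in range(3)])   # [False, True, True]

    gcu = GlobalControlUnit(min_distinct_sensors=2)
    gcu.register_sensor("lcu-a", b"constructed-key-a")
    gcu.register_sensor("lcu-b", b"constructed-key-b")
    sig = b"CONSTRUCTED-SIGNATURE"
    gcu.receive("lcu-a", sig, GlobalControlUnit.tag(b"constructed-key-a", "lcu-a", sig))
    print(gcu.is_valid(sig))   # False: only one sensor so far
    gcu.receive("lcu-b", sig, GlobalControlUnit.tag(b"constructed-key-b", "lcu-b", sig))
    print(gcu.is_valid(sig))   # True: two distinct authenticated sensors
```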
To make live experiments on worm detection over the network, here I am going to demonstrate software that acts like a honeypot to attract hackers and detect them and the worms. Such a system is called ‘KF SENSOR’.
It acts as a decoy server. It presents itself as a machine that is hardly detectable as a decoy by any lean software or smart system, and provides a higher level of information than can be obtained using firewalls.
This system is specially designed for Windows-based environments and contains various unique features such as remote administration, Snort signatures and network protocol emulation. The GUI is the main feature, which helps the user to view and estimate the overall activity on the network.
Because it is Windows based, it controls all activities through the GUI. There is no need to edit configuration files; instead, a number of pre-configured files are provided. It works at the application layer of the TCP/IP protocol suite. This allows full use of Windows mechanisms such as the network libraries, and customisation of the IP stack.
Professionally, KF Sensor is used to refine firewall rules and to produce new signatures for the network intrusion detection system.
Product Overview:
New threats are constantly emerging to the security of organisations’ information systems infrastructure. Firewalls and VPNs cannot prevent all intrusions and do little to prevent attacks from within the organisation itself. The increasing quantity and diversity of legitimate network traffic has resulted in ever increasing hardware costs and the large number of false positive alerts generated can be too much to analyse effectively.
What Technology it inherits.
A honeypot is a system put on the network with the intention that it be probed and attacked, in order to gain information on the attacker. By allowing the attacker into the system, the user would be able to capture the attacker's activities and the system could gather specific information about the source of the attack. KF Sensor has been developed from the ground up as a production honeypot system, dedicated to the task of intrusion detection. Used as part of a comprehensive security strategy, KF Sensor adds an additional layer of protection to detect security breaches that may not be picked up by other means.
Procedure of KF Sensor over the network.
It is easy to install and takes only a few minutes. No special specification is required; its design cooperates with the platform present on the Windows machine, which gives direct benefits. KF Sensor works with the system and its services simultaneously, at the highest level of the OSI model, the application layer. This system always collaborates with the security mechanisms, network libraries, risk of detection and customisation of the IP stack.
Special features of KF Sensor that help the user's environment understand the detection concept adequately:
Monitoring ports – it monitors all network activity and traffic flow; in particular it monitors TCP and UDP ports and detects ICMP (ping-type) messages.
Multi-tasking – it handles multiple ports and IP addresses, and is able to resist script-driven formatting, buffer overflow and denial-of-service attacks.
Flexibility – thanks to the flexibility of its structure it responds to connections in different ways: simple listening, complex emulation, and web server simulation that replies to valid and invalid requests.
Remote assessment – it enables distributed, self-managed honeypot installations, even when different sensors across the network are concatenated in real time.
Signature production – it has a very fast and unique signature detection system, which has an impact on system performance.
Service of KF Sensor over the network and at GUI level-
Whatever the merits of its features, KF Sensor provides most of its services at the GUI level and the system level.
Configuration: it provides different services on multiple ports with different host IP addresses.
Port messaging: it has a trap scenario; it holds the open port, reads the content and sends a message back.
Banner: while transmitting data and messages it takes care of the display of the service prompt and error messages within its limited capabilities.
Command: it also emulates the Windows command shell in order to bind those worms that circulate as DOS and CMD .exe file patterns.
HTTP and SMTP: a fully web-based implementation that correctly emulates and handles long chains of requests from the client side. The Simple Mail Transfer Protocol emulation is capable of acting as an open relay server.
MS SQL Server: it supports both TCP and UDP server ports, and while in use it can capture the passwords used by intruders attempting to access the user's system.
Alerts within the KF Sensor-
A single system has the special facility of alerting the user for the final formulation and informing the user promptly about the presence of activity on the network. KF Sensor has a variety of alerts according to the nature of the activity on the system.
Audio alert: sounds when any activity occurs within the system, for example an incoming message.
Email alert: it sends alerts by email in two formats, a short message and a long alert message. A short alert provides minimal information, and a long alert informs about the serious facts of what has been done in the system.
System log alert: a system log entry, as when a user logs in to a UNIX system.
External Alerts: It provides the ability to invoke an external application to handle an alert event.
System Requirements-
As stated before, it is a Windows-based system that can run on different Windows operating systems.
– Windows XP, Windows Server 2003, 64-bit
– Processor 1.5 GHz or faster
– 2 GB hard disk
– 2 GB RAM
– LAN card
Within these criteria, the concept of worm detection using a honeypot is examined in different modules. The results I obtained from this experiment are given below.
The experiments in this project should be conducted with an improved version of Honey Comb. The results from this experiment are presented in this thesis. It is even possible to replay the traffic dumps captured during the experiments of this project.
Further studies on the proposed worm detection architecture could be carried out. A follow-up project could create a proof of concept, followed by experiments and a possible implementation of the entire architecture.
By user 'SM852' on Windows 8.1
User Level Procedure for implementing KF Sensor in Windows 8.1-
I am using Windows 8.1 Professional on this system to detect worms, as a proof of the experimental work for this project 'Detection of Worm using Honeypot'.
01- The first step is to download KF Sensor at user level, to determine the actual scenario of this software: how to download it and to what extent it works. It is trial software which expires after 30 days or less.
02- However, as I discussed before, the trial basis does not give the user full authorization to use all of the features, due to company policies and the profitability of the company and this product.
03- Start downloading; it is about 2.6 MB, so it occupies very little space.
04- On double clicking the downloaded setup of KFSensor version 4.9.2, Windows 8.1 shows one of the best alerts of this sensor, called the system, login and message alert: it states that the setup is not compatible with your system, because it is a temporary trial version, and asks whether you would like to continue. Windows 8.1 is best suited to key based products, but it adapts to the user environment and runs every product as per the user's recommendation.
05- The user agreement contains all the terms and conditions of use, which must be accepted.
06- By default every setup is directed to the C:/ drive automatically; the user can change this by clicking Browse, provided the user understands the pros and cons of the setup. It requires 6.91 MB of hard disk space, which is no problem on Windows 8.1 because my system has 350 GB.
07- It is the first time in my life that a setup has asked me in which group of my system the downloaded setup should be placed. It was quite confusing for me to select, so I will leave it to the system, because the system can deal with it more accurately by examining all the factors which may be good or bad for it. A wrong decision might be risky for my system, its internal information and other documentation which is important to me and to all my scenarios.
08- By default the system has selected the designated folder in which the setup is to be grouped. Now the setup is ready to go.
09- The system starts the setup. It took hardly 5 seconds to install on this system.
10- After installation the system needs to reboot so that the setup is refreshed and the honeypot runs properly in my system environment. I will not reboot it yet because several files might be at risk and could be destroyed by restarting, as some of them cannot be saved.
11- Setup has finished and is ready to run on my system.
12- It gave me the option of running this tool as Administrator or as a User. However, on the trial basis it would not allow me to use that mode of the tool.
After interacting with KF Sensor I realized the actual activities that take place on the network, and how the system captures even minor internal and external activity in network transactions.
There are three main activities that can be found via this system:
– Activity on Ports
– Activity on Visitors
– Activity on Events
Port activities of KF Sensor
The red speaker button at the top is called the Port system in KF Sensor. This system beeps an alert when I try to open a URL of the IIS web server while the system is active on this machine. In the above screenshot it is clear that it captured the network transaction of a URL exchange on port 80.
When I click on the recent activity for port 80 (IIS), the GUI updates me, by alerting me, about which activity has taken place on the system. It shows the user the activities by assigning each an ID together with the current date.
On right click it gives the details of the three events.
How it works, and how to use KF Sensor to examine the actual activities currently taking place within the honeypot.
Overall overview of KF Sensor:
In short, the KF system is a kind of module which shows the real image of the network and of network transactions.
These are the panel buttons of KF Sensor with which a user can STOP / PAUSE / RESTART the server, as the user's requirements and conditions demand.
This button on KF Sensor is the sign of the ports.
When all of these are Green during KF Sensor operation, it means that no activity has taken place yet.
When all of these are Yellow during operation, it lets the user know that activity has recently been captured on the port or ports.
When all of these are Red during operation, the user can examine the exact time period of the activity over the network.
When these are Gray during operation, the user can see that the port is inactive and cannot generate any events.
When these are Blue during operation, the user can see that activities are already taking place on the ports.
SERVER: There are three views on KF Sensor. The first, in Green, starts the server; the middle one, in Red, stops the server; and the third, in Yellow, restarts the server.
This section contains the main functions that help us to configure how the system interacts with attackers on the user's network, covering both basic and advanced scenarios.
The DOS attack settings (Denial of Service): these are very quick to indicate visits by known and unknown visitors to the user's network. A user can customize them according to his own requirements to identify attacks and the type of attack. They help to prevent a hacker from generating unauthorized access and events.
Let us focus on the DOS commands:
Maximum clients: KF Sensor allows the user to increase or decrease the number of users. The byte range over the network can also be adjusted, on the basis that a hacker must load data bytes onto the network to keep the user's services busy; KF Sensor can log how many data bytes are sent, so that it records the activity of attackers and network transactions.
Concurrent Connections: This is the number of connections a single visitor may open. Once a visitor has been allowed this number of connections, the user can either lock the attacker out or close the connection. Lock out: the user can lock the attacker out temporarily or permanently.
Close: Here the connection is closed immediately, but the visitor is still able to make further connections.
Max connections per IP: As discussed above, the user can allow many connections, up to an unlimited number, per IP, according to the user's sensitivity.
Lock Out and Ignore: With KF Sensor the user can block a visitor for a specific time period (lock out), or ignore the visitor altogether.
Visitor and Attack on TCP and UDP:
Max Connections per IP: A visitor sends a number of data bytes over the network, but the user has the right to allow or restrict the visitor by locking it out or ignoring it for a specific time period.
Global DOS Attacks:
Here the user can set up the global visitor wizard to handle visitors, allowing an opening number of connections and then locking them out for the configured lock-out hours once that number is exceeded.
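To make the lock-out behaviour of these settings concrete, here is an added example (not KF Sensor's own code; the policy thresholds, class names and the sample connection log are constructed for the example) that replays connection attempts through a per-IP concurrent-connection limit with lock-out and ignore handling, and then summarises the decisions per visitor:

```python
"""Connection-limit and lock-out policy modelled on the DOS attack settings
above: maximum clients, concurrent connections per visitor, lock-out hours
and ignored visitors. Added illustration; thresholds and addresses are
constructed (private LAN addresses, as in the experiment), not KF Sensor's."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class DosPolicy:
    max_clients: int = 3          # distinct visitors served at once (assumed value)
    max_conn_per_ip: int = 2      # concurrent connections one visitor may hold
    lockout_hours: float = 1.0    # how long an offending visitor stays locked out
    ignored: set = field(default_factory=set)  # visitors never answered or logged


class ConnectionGuard:
    """Decides, for each connection attempt, ACCEPT / CLOSE / LOCKOUT / LOCKED / IGNORE."""

    def __init__(self, policy):
        self.policy = policy
        self.open = {}            # ip -> number of currently open connections
        self.locked_until = {}    # ip -> time at which the lock-out expires
        self.log = []             # (when, ip, port, decision) for every handled attempt

    def connect(self, when, ip, port):
        p = self.policy
        if ip in p.ignored:
            return "IGNORE"       # the Ignore option: not recorded at all
        if ip in self.locked_until and when >= self.locked_until[ip]:
            del self.locked_until[ip]          # lock-out period has elapsed
        if ip in self.locked_until:
            decision = "LOCKED"
        elif self.open.get(ip, 0) >= p.max_conn_per_ip:
            # visitor exceeded its concurrent-connection allowance: lock it out
            self.locked_until[ip] = when + timedelta(hours=p.lockout_hours)
            self.open.pop(ip, None)
            decision = "LOCKOUT"
        elif ip not in self.open and len(self.open) >= p.max_clients:
            decision = "CLOSE"    # the Close option: refused now, may retry later
        else:
            self.open[ip] = self.open.get(ip, 0) + 1
            decision = "ACCEPT"
        self.log.append((when, ip, port, decision))
        return decision

    def disconnect(self, ip):
        if self.open.get(ip, 0) > 1:
            self.open[ip] -= 1
        else:
            self.open.pop(ip, None)


def visitor_summary(guard):
    """Per-visitor count of each decision, like the Visitors view of the tool."""
    summary = {}
    for _, ip, _, decision in guard.log:
        per_ip = summary.setdefault(ip, {})
        per_ip[decision] = per_ip.get(decision, 0) + 1
    return summary


def run_sample():
    """Replay a constructed connection log and return the guard and its decisions."""
    t0 = datetime(2014, 1, 22, 10, 0)        # within the experiment's date range
    m = lambda k: t0 + timedelta(minutes=k)
    guard = ConnectionGuard(DosPolicy(ignored={"192.168.1.99"}))
    events = [
        (m(0), "192.168.1.20", 67), (m(1), "192.168.1.20", 67),   # two allowed
        (m(2), "192.168.1.20", 67),                               # third: lock-out
        (m(3), "192.168.1.20", 67),                               # still locked
        (m(3), "192.168.1.30", 138), (m(3), "192.168.1.40", 80),
        (m(4), "192.168.1.50", 80),                               # fills max_clients
        (m(5), "192.168.1.60", 80),                               # server full: close
        (m(5), "192.168.1.99", 80),                               # ignored visitor
    ]
    decisions = [guard.connect(*e) for e in events]
    guard.disconnect("192.168.1.50")          # one visitor leaves, freeing a slot
    decisions.append(guard.connect(m(70), "192.168.1.20", 67))   # lock-out expired
    return guard, decisions


if __name__ == "__main__":
    g, d = run_sample()
    print(d)
    print(visitor_summary(g))
```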
KF Sensor Alert:
One of the most useful active commands, which makes the user aware of recent activity on the network and the network credentials involved, is the Email Alert, set up through a mail wizard in KF Sensor.
For this alert the user must set up the wizard to control it. I set up the wizard for the email alert, which enables me to know who visits and attacks my network, where it comes from, what type of attack it is and what procedure the attacker applies to the system.
Event Colours:
It is hard to identify what is happening in KF Sensor and to what extent I have to examine the visitor activity. To identify and extract the recent activities in this system I can use the event colours, which distinguish the transactions by colour. This makes it easy for me to find out at a glance what has happened.
To distinguish the various activities on the network at different levels, I set up colours for TCP, UDP and ICMP messages.
The above content was a review of the software tool that I used to demonstrate the honeypot concept.
Now let me introduce how it works.
This is the main section about the ports on which an attacker will make one or more connections, according to the user's customization. Some of the ports are lined and blue in colour and show errors, because they are only authorized for the admin panel of the enterprise business edition. If it were run as Admin this would be clear, but I could not use that, because I would have to purchase it.
These are the visitors on my network. DGroupsLtd is the machine running KF Sensor, and DGroupsltd.Home is the server installed on this machine with Windows 8.1, which is used for various purposes of my own. The rest, Unknown / Cheema PC and Jo-AnndeLeon PC, are the visitors on this network.
This is the summarized data collected by KF Sensor on the DGroups.Ltd system from 20/01/2014 to date.
This software works at the UDP level and assigns the highest priority to activities that are identified in RED.
I installed KF Sensor on my Server edition, not on Windows 8.1, so the three visitors Unknown, Cheema and Jo-AnnDeLeon continuously visit the Server edition.
There are two visitors on my system that have been detected by KF Sensor; when they visit, the system alerts me and I can identify them by segregating them by type. These visitors repeatedly attack or make requests to my system from 202/2014 to date, and KF Sensor has signed each of them with an assigned ID.
This is my system, built with Windows 8.1.
This is my server, additionally.
Through most of my research I configured KF Sensor to allow them to visit the system but not to access my server and Windows machine to grab data directly or indirectly.
They always use the same ports to access my data, port 138 and port 67 respectively; perhaps they know that these are easier to access compared to the other ports.
My system is being targeted by the unknown visitor through port 138, but Cheema always tries to access my server by connecting to port 67. To date it is clear that Cheema is very serious and continuously tries to access my system, so I have to block it.
To find out the details of Cheema and where it comes from, let us extract IDs 46 to 52, because it knows that I am trying to protect something it considers suspicious.
ID No. 46
Summarising the data from ID 46, it is clear that:
It has been tagged by the signature process with ID 46, and it runs from 22/01/2014 to 28/01/2014 continuously.
To find out about this I checked it using online services.
It is a private LAN IP which does not reveal its properties.
It details, for the IP, how many data bytes were sent to and received from the user, which sensor captured it, and on what protocol.
It shows that it is enclosed within my workgroup, which is fake in nature.
All the visitors are trying to access my workgroup but they cannot, because I close them rather than block them. I allow them to connect a lot so that I can learn which port seems to be very weak and to what extent, and I have to create rules for them to keep them away from this system.
KF Web Server 3.2.0:
Although KF Sensor protects the system and has been used to remove attackers from the network, in order to keep spies away from the user's database, it also enables the user to view an accurate picture of the network, of network transactions and of system matters. For this I need to know what is happening on my network range and what kind of activities are taking place there. I therefore need a good tool for graphing a picture of the network, and KF provides such a tool to capture the real image of the network.
To obtain the actual picture and overall performance I ran it continuously from 24/01/2014 to 28/01/2014. This server has been running for 4 days, 9 hours and 6 minutes continuously, without any shutdown.
The KF Web Server is accessed through a web URL.
I can run it in two modes, Home based and Server based.
Home Based Server: It works systematically, but not like the Server based mode.
Server Based Server:
The Admin Server runs as a web based system to capture the exact picture of network performance on port 9727, as Admin.
Summary: This system allows an unlimited number of websites to be bound and defined in its own cache unit, recording the existing activities by binding IP addresses and ports, with regard to the client's view of the website.
In the general settings the client range can be increased and decreased as per the user's specifications.
In this section we can create a server path to get more information about the network activities.
Log Level: The user can change the log level by selecting Emergency / Alert / Critical / Error / Notice / Information / Debug.
The W3C log format is the best format for the KF Web Server; it provides the information below about the network activities.
MIME stands for Multipurpose Internet Mail Extension. It standardises the classification of files over the internet, so that web servers and web browsers are able to transfer the same file in the same way. A MIME type has a TYPE and a SUB TYPE; for example, a type would be a category of software and a subtype its tools and functions.
Server Statistics of KF Web Server
Real network Image:
The overall real picture of the network shows that the system is fully secure from any threat and attack by attackers and other crashers of the network.
The goal of this project is the study of worm detection using detection models. The latest version of the honeypot was installed on the local machine, extending the pattern of the worm detection criteria; the existing system and detection topologies intercept at the TCP and UDP level. The overall output of this experiment is an evaluation of the effectiveness and reliability of worm detection.
The LCS algorithm applied to the payload has affected the adaptive ability to generate correct signatures, as is simulated and described during the data analysis.
The system prospects and the proof from the experiments with the network detection system, covering signature creation, allowing, ignoring, the user manual, etc., show a large number of the same false positive signatures being generated, as per the study over the experiment in this project. The proposed architecture is based only on a worm detection architecture and a honeypot. The main purpose of this Known-Attack filter is to remove known attacks from the traffic directed towards the honeypots, in order to reduce the amount of traffic that needs to be processed by the honeypot sensors.
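As an added illustration of the two mechanisms in this conclusion, LCS signature generation and its false positives, and the Known-Attack filter placed in front of the honeypot sensors (this is not Honeycomb's or the project's own code: the payloads use the placeholder token WORMTOKEN, and the length threshold, benign corpus and function names are constructed for the example):

```python
"""Honeycomb-style LCS signature generation and the Known-Attack filter.
Added illustration, not Honeycomb's or the thesis's code: all payloads are
constructed, with WORMTOKEN standing in for a worm's fixed probe string."""


def longest_common_substring(a, b):
    """Dynamic-programming longest common substring, the LCS flavour that
    Honeycomb applies to the payloads of connections hitting the honeypot."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def generate_signatures(captured, min_len):
    """Compare every captured payload with every other one, as Honeycomb does
    against its stored connections, keeping each LCS of at least min_len bytes."""
    sigs = set()
    for i in range(len(captured)):
        for j in range(i + 1, len(captured)):
            s = longest_common_substring(captured[i], captured[j])
            if len(s) >= min_len:
                sigs.add(s)
    return sigs


def matching_signatures(payload, sigs):
    """Return the signatures that fire on one payload (empty set = no alert)."""
    return {s for s in sigs if s in payload}


def prune_against_benign(sigs, benign_corpus):
    """Drop any candidate that also matches known-good traffic. A length
    threshold alone does not stop protocol boilerplate (here the HTTP request
    tail) from becoming a signature; that is where false positives come from."""
    return {s for s in sigs if not any(s in b for b in benign_corpus)}


class KnownAttackFilter:
    """Sits in front of the honeypot sensors: traffic matching an already
    known signature is counted and dropped, everything else is forwarded."""

    def __init__(self, known_sigs):
        self.known = set(known_sigs)
        self.dropped = 0

    def forward(self, traffic):
        passed = []
        for payload in traffic:
            if matching_signatures(payload, self.known):
                self.dropped += 1
            else:
                passed.append(payload)
        return passed


# Constructed sample traffic (not captured data).
ATTACKS = [
    b"GET /scripts/WORMTOKEN-aaaa HTTP/1.0\r\nHost: a\r\n",
    b"GET /scripts/WORMTOKEN-bbbb HTTP/1.0\r\nHost: b\r\n",
]
STRAY_BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www\r\n"   # a crawler that hit the honeypot
BENIGN_CORPUS = [b"GET /robots.txt HTTP/1.0\r\nHost: www\r\n"]  # known-good reference traffic
NEW_TRAFFIC = [
    b"GET /scripts/WORMTOKEN-cccc HTTP/1.0\r\nHost: c\r\n",    # known worm, new instance
    b"GET /about.html HTTP/1.0\r\nHost: www\r\n",              # ordinary request
    b"GET /cgi/NEWTOKEN HTTP/1.0\r\nHost: d\r\n",              # not yet known: keep for sensors
]


def demo():
    """Run the pipeline and return the intermediate results for inspection."""
    raw = generate_signatures(ATTACKS + [STRAY_BENIGN], min_len=10)
    pruned = prune_against_benign(raw, BENIGN_CORPUS)
    false_pos = matching_signatures(NEW_TRAFFIC[1], raw)   # fires before pruning
    filt = KnownAttackFilter(pruned)
    forwarded = filt.forward(NEW_TRAFFIC)
    return raw, pruned, false_pos, forwarded, filt.dropped


if __name__ == "__main__":
    for item in demo():
        print(item)
```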