Modern Attack Detection using Intelligent Honeypot


International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056 | p-ISSN: 2395-0072
Volume: 04 Issue: 07 | July-2017
www.irjet.net

Modern Attack Detection Using Intelligent Honeypot

Rahul Koul1, J. W. Bakal2, Sahil Dhar3

1Department of Computer Engineering, PCE College, New Panvel, Maharashtra, India
2S.S. Jondhale College of Engineering, Thane, Maharashtra, India
3Security Analyst, Security Innovation Pvt. Ltd., Pune, Maharashtra, India

Abstract - In today's networked world, it is very important for any organization to protect its assets from attackers. To pursue the dream of total security, one needs to be one step ahead of the attackers; in other words, one needs to determine a possible attack before it takes place. One such tool for monitoring the behaviour of attackers is the honeypot. A honeypot is a network system for detecting unauthorized use of an information system by analyzing the behaviour of an attacker in an isolated and monitored environment. Many honeypot implementations exist to date; however, one thing missing from each of them is continuous learning of trending attack scenarios and human decision-making capabilities. In this paper, we propose a solution for detecting modern attacks by introducing a semi-automatic approach to attack detection via a honeypot coupled with human decision-making capabilities. We introduce a separate team that analyzes uncommon web/network attack patterns and updates the honeypot's attack detection database, thus improving the overall attack detection efficiency of the honeypot.

Key Words: Honeypot, Attack, Detection, Behaviour Analysis, Attack Pattern, Manual Analysis.

1. INTRODUCTION

In the past few years many security tools have been developed to protect organizations from cyber threats. Despite these security tools and security layers, such as traditional firewalls, IDS, IPS etc., being in place, attackers were still able to carry out high-level targeted attacks. A failure in operational security depends on a number of variables; however, the majority of them come down to differentiating between an attacker and a legitimate user. To overcome the failure to distinguish a legitimate request from a malicious one, tools such as honeypots were introduced. A honeypot is an information system whose value lies in monitoring, detecting and deflecting possible attacks by posing as a vulnerable system. The purpose of a honeypot system is to log every possible malicious activity of an attacker, depending on the type of honeypot system implemented within the infrastructure. Honeypot systems can be used to identify different types of malicious activity such as web application attacks, known vulnerability exploitation, exploitation of outdated software/systems and automated attacks by malicious bots. Apart from the detection of different types of attacks, a well-implemented honeypot system can also be used to detect lateral movement attacks, i.e. privilege escalation attacks, and their possible causes. The logic for identifying different privilege escalation attacks revolves around implementing an infrastructure with vulnerable systems and weak configurations. When an attacker exploits any of these weak configurations or credentials on the intentionally vulnerable systems, the honeypot can detect that the attacker has compromised one of them and is in the process of lateral movement. A modern honeypot can combine the techniques mentioned with others, such as identifying network scans, performance monitoring, log analysis etc., to effectively analyze the behaviour of the attacker and make definite decisions to either log or block the attacker's activity.
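As an added illustration of the semi-automatic approach the paper proposes (example code written for this page, not the paper's own implementation): a honeypot front end that gives an automatic log/block verdict for requests matching its attack-pattern database, queues anything uncommon for the manual analysis team, and lets the team extend the database at run time. The pattern names, regular expressions and request lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed starting attack-pattern database (verdict -> regex over the
# request line); the patterns and sample requests are made up for this example.
PATTERN_DB = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s*'?\d+'?\s*=\s*'?\d+)"),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}

@dataclass
class SemiAutoHoneypot:
    db: dict = field(default_factory=lambda: dict(PATTERN_DB))
    review_queue: list = field(default_factory=list)  # requests no pattern explains

    def classify(self, request):
        for verdict, rx in self.db.items():
            if rx.search(request):
                return verdict
        return "unknown"

    def handle(self, request):
        """Known patterns get a verdict (log/block); uncommon requests go to the team's queue."""
        verdict = self.classify(request)
        if verdict == "unknown":
            self.review_queue.append(request)
        return verdict

    def analyst_update(self, verdict, regex):
        """The team adds a pattern learnt from the queue; queued requests it
        explains are removed from the queue and returned."""
        rx = self.db[verdict] = re.compile(regex)
        resolved = [r for r in self.review_queue if rx.search(r)]
        self.review_queue = [r for r in self.review_queue if not rx.search(r)]
        return resolved

SAMPLE_REQUESTS = [  # constructed honeypot request lines
    "GET /item.php?id=1' OR '1'='1 HTTP/1.1",
    "GET /download?file=../../../etc/passwd HTTP/1.1",
    "GET /search?q={{7*7}} HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

def run_demo():
    hp = SemiAutoHoneypot()
    before = [hp.handle(r) for r in SAMPLE_REQUESTS]
    # Analyst recognises the template-injection probe in the queue and adds a pattern.
    hp.analyst_update("ssti", r"\{\{.*\}\}")
    after = [hp.classify(r) for r in SAMPLE_REQUESTS]
    return before, after, hp.review_queue
```

The plain page request stays in the queue after the update, which is the intended behaviour: on a honeypot nothing should be talking to it, so the team, not a rule, decides whether it is noise or a new pattern.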

2. LITERATURE SURVEY

Liberios Vokorokos et al., 2013 [1], proposed the urbane hybrid honeypot system. This system propagates and maintains the interaction with attackers, records all activities and performs data analysis, thus allowing the security of computer systems to be improved. Furthermore, in order to strengthen security, the authors also managed to incorporate a passive fingerprinting technique. It also promotes the implementation of multiple decoys (two decoy servers) in order to reduce the probability of missing malicious activity on the server by changing the level of interaction.

Albert Sagala, 2015 [2], came up with the idea of a collaborative honeypot and intrusion detection system, wherein the log files from the honeypot server are passed on to Snort in order to generate rules for Snort, which then acts similarly to a firewall. The rules for Snort are generated by the IDS using the logs provided by the honeypot tracked by the system. The rules generated take the form of alerts for illegal activity.

Pavol Sokol, Martin Husak and Frantisek Liptak, 2015 [3], sketched the issues related to privacy from the technical aspects pertaining to honeypots and honeynets, covering concepts such as privacy, network monitoring, storage management, inaccurate results, discovery and fingerprinting, and the risk of takeover. It also covers the role and concepts of privacy and honeypots as mentioned in EU law: network monitoring, data retention, collected data and the legal collection of data.

Marius Alin Lihet and Vasile Dadarlat, 2015 [4], successfully implemented a honeypot using the Kippo honeypot suite, an Ubuntu VPS application, on the cloud. The authors manipulated a series of configuration settings, especially changing the SSH port to 22 instead of 2222 to deceive attackers. Results

© 2017, IRJET | Impact Factor value: 5.181 | ISO 9001:2008 Certified Journal | Page 2866

