SlideShare ist ein Scribd-Unternehmen logo

Icmis

Sandeep Saxena
Sandeep Saxena

published in ICMIS in iiit allahabad

1 von 4
Downloaden Sie, um offline zu lesen
Enhancing the efficiency of IDS system with Honey pot placement in Network Architecture Vijay K. Chaurasiya1, Ashish Srivastava2 Shuchi Chandra3Shashank Srivastava4, Sandeep Saxena5, Manish Rai6, IIIT-Allahabad, India The Intrusion Detection System specially involves two types of techniques: Anomaly Detection involving the Abstract -- Increasing technology space has pressurized the detection based on behavior/heuristic rules and Misuse orgainsational enviroment to safegraurd its network from Detection involving the detection based on patterns and outside as well as inside attack. Any malicious intrusion can signatures. Anomaly detection lags behind as it requires dragdown a highly reputed organisation to the floors of too much time to detect the behavior and Misuse defamation and even insolvency. Henceforth network Detection lags behind for detection of new attack security is one of the biggest challenge for organisation. Although traditional concepts of firewall and intrusion signature. So Honeypot is used as a tool to support the detction system is prevailing yet there is a need to secure the technique of Misuse Detection so that new attacks can be enviroment from the so called zero day attacks. Attackers detected before they can harm internal network and the every now and then generate exploits to penetrate the secure signature can be framed in the IDS to defend the network network enviroment and the existing known signatures are from internal and external threat of such attack in future. not able to detect such an attack. This paper brings forth the concept of deployment of honeypot so as to make the IDS Honeypots are Bait Servers which are not the part of any system more effective and efficient for the zero day attack production server in the organization and are just placed leading to least penetration to the network enviroment. This isolated so as to attract the attackers to plug and play with paper lays down a new network architecture so that the IDS it and at its end it logs all the actions of the attacker so system can be updated with the latest attack scenarios. The that it can be analyzed further to generate signatures for aforesaid objective is achived with the help of establishment of honeypot. Later tcpdump is used for he further analysis of IDS. Attackers before making an attack performs a ping payload so as to generate alert signautre in IDS(Snort v2.0). sweep and if the honeypot is pinged. As the request reaches the honeypot server it records all the activities, even the keystrokes typed by the attackers so every command entered by the attacker becomes a part of log to I. INTRODUCTION the honeypot server. It also stores all tools used by the intruders in records as a forensic machine. The high use of internet in today’s IT world has purged in The given paper describes how the data returned from the the concept of security deployment in the organization so honeypot server is used to write custom IDS rules. Thus as to make it almost immune to various upcoming attack new network architecture is designed to collect the scenarios. One of the critical areas is the protection of response to write custom IDS rules by seeing the data internal network from new attacks. Although the most payload and writing the rules matching the payload. desirable is the deployment of intrusion and prevention system in the network architecture but this system is still II. RELATED WORK vulnerable to zero day attacks. The IDS generally includes signatures for known attacks and generates the alerts for the same but if any new attack penetrates the One of the drawback stumble upon with network intrusion system then it lacks behind. To deal with this problem the detection systems is that the logging of failed connection concept of honeypot can be used along with any packet attempts just occurs when services are not listening on a analyzing tool so as to generate signatures for zero-day scanned port. When a RST signal terminates a TCP attacks in IDS. connection attempt, the system never logs the data packet that the remote machine was trying to send into the network. A honeypot as a one of the greatest security tool
suggests a mechanism by completing the connection attempt and providing an attacker a false illusion of accessing the critical servers and then recording the interactions between the honeypot and the remote machine. Honeypot placement is one of the greatest issues to be taken care of to optimize the efficiency of the implemented Intrusion Detection System. Various network architectures are presented till now to achieve the aforesaid motive but the basic idea behind this as we suppose is detection of hackers scripts and actions to penetrate into the system and henceforth the proposed architecture is presented which will help the organizational security to build up patches for the existing loophole and make their system robust and stringent to attack scenarios. III. PROPOSED DESIGN AND IMPLEMENTATION Fig 1.1 Deployment of IDS & honeypot in the LAN Architecture In this configuration, main network is a “TCP/IP based In this section we outline the requirements of the network” which contains clients and servers. Snort 2.0 is proposed infrastructure which is considered as a solution used as IDS and is capable to be configured with server. to decrease the malicious inflow of packets in the Honeyd is a honeypot system that is configured as a organizational environment and enhance the efficiency of separate server and is connected to the main server. We IDS system deployed. assume a”switched network” in our approach, with a configurable switch which is connected to the main server The real honeypot server is used to safeguard the main and the respective clients. As the LAN architecture is server from if the hacker is able to compromise the developed in within a primary network henceforth the honeypot server. Although it is hard to implement the real server is supported with two Ethernet cards eth0 and eth1. honeypot but it is desirable for large organizations as such Eth0 directs the internet connection to the main sever and servers do not hamper the production process in the eth1 manages the intranet traffic within the private LAN organization and only IT staff is able to access the 192.168.0.1. required logs. Neither the attacker nor the organizational The attacker first performs a ping sweep attack to detect staff knows where honeypot is placed. the available servers in the network and the honeypot server entices him to perform attacks to penetrate the The given network architecture is used to develop an network. Once the requests are directed to the honeypot understanding as to why and how honeypots are used to server the incoming connection is established with the enhance the work of IDS system. attacking system. As the attacker gets a feel of entering into the server it performs all his efforts to penetrate into different servers. Honeypot gives him the illusion of different servers and constantly interacts with him to record his activities and send the specific response to the syslog server for future analysis and investigation.
IV. EXPERIMENTAL SETUP %01/..%01/..%01/..%01/..%01/..%01/..%0 1/..%01/..%01/..%01/. To implement honeypot an additional tool Arpd is .%01/..%01/..%01/..%01/..%01/..%01/..% embedded in it. Honeypot cannot do everything alone and 01/..%01/..%01/..%01/ ..%01/..%01/..%01/..%01/..%01/..%01/.. requires the help of Arpd. Arpd is used for ARP spoofing; %01/..%01/..%01/..%01 this is what actually monitors the unused IP space and /..%01/..%01/..%01/..%01/..%01/..%01/. directs the attacks to the honeypot. Honeyd is only able to .%01/..%01/..%01/..%0 interact with attackers. For example if the aim is to 1/..%01/..%01/..%01/..%01/..%01//etc/s monitor all the unused IPs in the 192.168.1.0/24 network, hadow HTTP/1.1 the required commands to start both Arpd and Honeyd are Host: 202.174.22.145:10000 as follows: It is visible that the attacking port is 10000 thus port 10000 is of interest. The various ip addresses from where arpd 192.168.0.1/24 such request came can be filtered using tcpdump analysis. honeyd -p nmap.prints -f honeyd.conf 192.168.0.1/24 Based on the commands, the Arpd process monitors the B. Results and Discussion unused IPs, directs all corresponding attacks to the honeyd and spoofs the victim’s IP address with the MAC Once the analysis is done now it is the time to write the address of the honeypot. For the honeyd command –p snort rule. By the analysis of the payload it is visible that nmap.prints refers to the nmap fingerprint database and -f the string started with “GET/unauthenticated/” honeyd.conf is the honeyd configuration file. thus following snort rule can be set: Once the installation is honeypot server is completed the alert tcp $EXTERNAL_NET any -> traffic directed to honeypot server is dumped o other $192.168.0.1 10000 (content:"GET /unauthenticated/"; system using packet analyzing tool tcpdump with the help msg:"Get unauthenticated";) of following command: tcpdump -nn -x -s 1500 host 192.168.0.145 -w store.cap Now any attack coming from the specified port will The tcpdump command will dump all the malicious generate the alert to the administrator of penetration for packets directed to the honeypot and hence will help in unauthorized access in the network environment by the writing the snort rule set by analyzing the payload. attacker. If the set rule has to be further customized then the A. Writing of Snort Rules: following payload can be added: alert tcp any any -> any 10000 Penetrating in the network to gain access by getting the (content:"GET /unauthenticated/..%01/..%01/"; msg:"Get etc/passwd file in the Linux environment or the password unauthenticated";) shadow file i.e. etc/shadow which contains the username The point of concern here is that adding too much of and password of all users. No such rule is defined in the payload may result in false negatives which will overall latest snort rule set. Suppose you get the following log lower down the implementation of snort in organizational generated in honeypot: network. # cat 44F75D6380122.shell :::::::::::::: V. CONCLUSION GET/unauthenticated/..%01/..%01/..%01/ ..%01/..%01/..%01/..% The Intrusion detection system can only give the optimum 01/..%01/..%01/..%01/..%01/..%01/..%01 /..%01/..%01/..%01/.. benefit if it is also able to detect those attacks for which
signatures are not defined in its database. The area of work will be to give attention to this Snort limitation and thus increasing the scalability and responsiveness of the system towards the various types of attacks so as to achieve the motto of building a smart agile and secure system to face the new challenges of technological arena. Though honeypot deployment is a cost-effective solution for the security of large organization but in future refinement is required to elimination false alarm generations. REFERENCES 1. Vidar Ajaxon Grønland: Building IDS signatures by means of a honeypot Norwegian Information system Laboratory. 2. Chi-Hung Chi , Ming Li Dongxi Liu : A method to obtain Signatures From Honeypots Data, School of Computing National University of Singapore 3. Babak Khosravifar, Jamal Bentahar: An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot. Department of Electrical and Computer Engineering, Concordia University 4. Greg M. Bednarski and Jake Branson: Understanding Network Threats through Honeypot Deployment, Carnegie Mellon University March 2004. 5. Richard Hammer : Enhancing IDS using, Tiny Honeypot SANS Institute InfoSec Reading Room 6. Solution Base: What you need to know about honeypots http://articles.techrepublic.com.com/5100- 22_11-5758218.html

Empfohlen

An Approach to for Improving the Efficiency of IDS System Using Honeypot
An Approach to for Improving the Efficiency of IDS System Using HoneypotAn Approach to for Improving the Efficiency of IDS System Using Honeypot
An Approach to for Improving the Efficiency of IDS System Using HoneypotEditor Jacotech
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Disha Bedi
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionCloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionWei-Yu Chen
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesYOU SHENG CHEN
 
Future Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloudFuture Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloudSedthakit Prasanphanich
 
Double guard
Double guardDouble guard
Double guardDivya Gowda
 
International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)CSCJournals
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 

Empfohlen

An Approach to for Improving the Efficiency of IDS System Using Honeypot
An Approach to for Improving the Efficiency of IDS System Using HoneypotAn Approach to for Improving the Efficiency of IDS System Using Honeypot
An Approach to for Improving the Efficiency of IDS System Using HoneypotEditor Jacotech
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Disha Bedi
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionCloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionWei-Yu Chen
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesYOU SHENG CHEN
 
Future Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloudFuture Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloudSedthakit Prasanphanich
 
Double guard
Double guardDouble guard
Double guardDivya Gowda
 
International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)CSCJournals
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATAREAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATAijp2p
 
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Disha Bedi
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningeSAT Publishing House
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Review on Honeypot Security
Review on Honeypot SecurityReview on Honeypot Security
Review on Honeypot SecurityIRJET Journal
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemDevil's Cafe
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Day4
Day4Day4
Day4Jai4uk
 
35 38
35 3835 38
35 38Ijarcsee Journal
 
Using Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion DetectionUsing Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion DetectionSagar Uday Kumar
 
Day3
Day3Day3
Day3Jai4uk
 
Network security
Network securityNetwork security
Network securitySidiq Dwi Laksana
 
Day3 Backup
Day3 BackupDay3 Backup
Day3 BackupJai4uk
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention SystemVishwanath Badiger
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Disha Bedi
 
System and web security
System and web securitySystem and web security
System and web securitychirag patil
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 
Cube2012 Submission 359
Cube2012 Submission 359Cube2012 Submission 359
Cube2012 Submission 359Sandeep Saxena
 
Rp059 Icect2012 E694
Rp059 Icect2012 E694Rp059 Icect2012 E694
Rp059 Icect2012 E694Sandeep Saxena
 
MEDIA ICMI 09
MEDIA ICMI 09MEDIA ICMI 09
MEDIA ICMI 09ICMI Pusat
 

Weitere ähnliche Inhalte

Was ist angesagt?

REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATAREAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATAijp2p
 
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Disha Bedi
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningeSAT Publishing House
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Review on Honeypot Security
Review on Honeypot SecurityReview on Honeypot Security
Review on Honeypot SecurityIRJET Journal
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemDevil's Cafe
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Using Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion DetectionUsing Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion DetectionSagar Uday Kumar
 
Day3 Backup
Day3 BackupDay3 Backup
Day3 BackupJai4uk
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Disha Bedi
 
System and web security
System and web securitySystem and web security
System and web securitychirag patil
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 

Was ist angesagt? (19)

REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATAREAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
 
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learning
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Review on Honeypot Security
Review on Honeypot SecurityReview on Honeypot Security
Review on Honeypot Security
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Day4
Day4Day4
Day4
 
35 38
35 3835 38
35 38
 
Using Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion DetectionUsing Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion Detection
 
Day3
Day3Day3
Day3
 
Network security
Network securityNetwork security
Network security
 
Day3 Backup
Day3 BackupDay3 Backup
Day3 Backup
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
 
System and web security
System and web securitySystem and web security
System and web security
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysis
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 

Andere mochten auch

Cube2012 Submission 359
Cube2012 Submission 359Cube2012 Submission 359
Cube2012 Submission 359Sandeep Saxena
 
Cloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsCloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsSandeep Saxena
 
MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11 MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11 ICMI Pusat
 
Synopsis on wireless power transfer
Synopsis on wireless power transferSynopsis on wireless power transfer
Synopsis on wireless power transferMohammad Atif
 
Wireless Power Transfer Project
Wireless Power Transfer ProjectWireless Power Transfer Project
Wireless Power Transfer Projectsagnikchoudhury
 
Wireless power / Wireless Electricity
Wireless power / Wireless ElectricityWireless power / Wireless Electricity
Wireless power / Wireless ElectricityMuhammad Umair Iqbal
 
Wireless power transmission ppt
Wireless power transmission pptWireless power transmission ppt
Wireless power transmission pptAishwary Verma
 
Wireless power transmission
Wireless power transmissionWireless power transmission
Wireless power transmissionrakeshkk
 
What's Next in Growth? 2016
What's Next in Growth? 2016What's Next in Growth? 2016
What's Next in Growth? 2016Andrew Chen
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome EconomyHelge Tennø
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your BusinessBarry Feldman
 

Andere mochten auch (14)

Cube2012 Submission 359
Cube2012 Submission 359Cube2012 Submission 359
Cube2012 Submission 359
 
Rp059 Icect2012 E694
Rp059 Icect2012 E694Rp059 Icect2012 E694
Rp059 Icect2012 E694
 
MEDIA ICMI 09
MEDIA ICMI 09MEDIA ICMI 09
MEDIA ICMI 09
 
Cloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsCloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security Metrics
 
MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11 MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11
 
Synopsis on wireless power transfer
Synopsis on wireless power transferSynopsis on wireless power transfer
Synopsis on wireless power transfer
 
Wireless Power Transfer Project
Wireless Power Transfer ProjectWireless Power Transfer Project
Wireless Power Transfer Project
 
Ppt seminar
Ppt seminarPpt seminar
Ppt seminar
 
Wireless power / Wireless Electricity
Wireless power / Wireless ElectricityWireless power / Wireless Electricity
Wireless power / Wireless Electricity
 
Wireless power transmission ppt
Wireless power transmission pptWireless power transmission ppt
Wireless power transmission ppt
 
Wireless power transmission
Wireless power transmissionWireless power transmission
Wireless power transmission
 
What's Next in Growth? 2016
What's Next in Growth? 2016What's Next in Growth? 2016
What's Next in Growth? 2016
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome Economy
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
 

Ähnlich wie Icmis

Detect Network Threat Using SNORT Intrusion Detection System
Detect Network Threat Using SNORT Intrusion Detection SystemDetect Network Threat Using SNORT Intrusion Detection System
Detect Network Threat Using SNORT Intrusion Detection SystemIRJET Journal
 
A virtual honeypot framework
A virtual honeypot frameworkA virtual honeypot framework
A virtual honeypot frameworkUltraUploader
 
Optimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning AlgorithmOptimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning Algorithmijtsrd
 
Efficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion DetectionEfficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion Detectioneditor1knowledgecuddle
 
IRJET - IDS for Wifi Security
IRJET - IDS for Wifi SecurityIRJET - IDS for Wifi Security
IRJET - IDS for Wifi SecurityIRJET Journal
 
A secure intrusion detection system against ddos attack in wireless mobile ad...
A secure intrusion detection system against ddos attack in wireless mobile ad...A secure intrusion detection system against ddos attack in wireless mobile ad...
A secure intrusion detection system against ddos attack in wireless mobile ad...vishnuRajan20
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control AddressAngie Lee
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentSaikat Chaudhuri
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
Intrusion Detection in WLANs
Intrusion Detection in WLANsIntrusion Detection in WLANs
Intrusion Detection in WLANsronrulzzz
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1whitehat 'People'
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Networkijtsrd
 
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMNETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMIJORCS
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityIAEME Publication
 

Ähnlich wie Icmis (20)

1376841709 17879811
1376841709 178798111376841709 17879811
1376841709 17879811
 
1376841709 17879811
1376841709 178798111376841709 17879811
1376841709 17879811
 
Detect Network Threat Using SNORT Intrusion Detection System
Detect Network Threat Using SNORT Intrusion Detection SystemDetect Network Threat Using SNORT Intrusion Detection System
Detect Network Threat Using SNORT Intrusion Detection System
 
A virtual honeypot framework
A virtual honeypot frameworkA virtual honeypot framework
A virtual honeypot framework
 
Optimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning AlgorithmOptimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning Algorithm
 
Efficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion DetectionEfficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion Detection
 
Describe firewalls
Describe firewallsDescribe firewalls
Describe firewalls
 
IRJET - IDS for Wifi Security
IRJET - IDS for Wifi SecurityIRJET - IDS for Wifi Security
IRJET - IDS for Wifi Security
 
M0704071074
M0704071074M0704071074
M0704071074
 
A secure intrusion detection system against ddos attack in wireless mobile ad...
A secure intrusion detection system against ddos attack in wireless mobile ad...A secure intrusion detection system against ddos attack in wireless mobile ad...
A secure intrusion detection system against ddos attack in wireless mobile ad...
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control Address
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN Environment
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
20320140501016
2032014050101620320140501016
20320140501016
 
Intrusion Detection in WLANs
Intrusion Detection in WLANsIntrusion Detection in WLANs
Intrusion Detection in WLANs
 
Network security
Network securityNetwork security
Network security
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
 
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMNETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
 

Icmis

  • 1. Enhancing the efficiency of IDS system with Honey pot placement in Network Architecture Vijay K. Chaurasiya1, Ashish Srivastava2 Shuchi Chandra3Shashank Srivastava4, Sandeep Saxena5, Manish Rai6, IIIT-Allahabad, India The Intrusion Detection System specially involves two types of techniques: Anomaly Detection involving the Abstract -- Increasing technology space has pressurized the detection based on behavior/heuristic rules and Misuse orgainsational enviroment to safegraurd its network from Detection involving the detection based on patterns and outside as well as inside attack. Any malicious intrusion can signatures. Anomaly detection lags behind as it requires dragdown a highly reputed organisation to the floors of too much time to detect the behavior and Misuse defamation and even insolvency. Henceforth network Detection lags behind for detection of new attack security is one of the biggest challenge for organisation. Although traditional concepts of firewall and intrusion signature. So Honeypot is used as a tool to support the detction system is prevailing yet there is a need to secure the technique of Misuse Detection so that new attacks can be enviroment from the so called zero day attacks. Attackers detected before they can harm internal network and the every now and then generate exploits to penetrate the secure signature can be framed in the IDS to defend the network network enviroment and the existing known signatures are from internal and external threat of such attack in future. not able to detect such an attack. This paper brings forth the concept of deployment of honeypot so as to make the IDS Honeypots are Bait Servers which are not the part of any system more effective and efficient for the zero day attack production server in the organization and are just placed leading to least penetration to the network enviroment. This isolated so as to attract the attackers to plug and play with paper lays down a new network architecture so that the IDS it and at its end it logs all the actions of the attacker so system can be updated with the latest attack scenarios. The that it can be analyzed further to generate signatures for aforesaid objective is achived with the help of establishment of honeypot. Later tcpdump is used for he further analysis of IDS. Attackers before making an attack performs a ping payload so as to generate alert signautre in IDS(Snort v2.0). sweep and if the honeypot is pinged. As the request reaches the honeypot server it records all the activities, even the keystrokes typed by the attackers so every command entered by the attacker becomes a part of log to I. INTRODUCTION the honeypot server. It also stores all tools used by the intruders in records as a forensic machine. The high use of internet in today’s IT world has purged in The given paper describes how the data returned from the the concept of security deployment in the organization so honeypot server is used to write custom IDS rules. Thus as to make it almost immune to various upcoming attack new network architecture is designed to collect the scenarios. One of the critical areas is the protection of response to write custom IDS rules by seeing the data internal network from new attacks. Although the most payload and writing the rules matching the payload. desirable is the deployment of intrusion and prevention system in the network architecture but this system is still II. RELATED WORK vulnerable to zero day attacks. The IDS generally includes signatures for known attacks and generates the alerts for the same but if any new attack penetrates the One of the drawback stumble upon with network intrusion system then it lacks behind. To deal with this problem the detection systems is that the logging of failed connection concept of honeypot can be used along with any packet attempts just occurs when services are not listening on a analyzing tool so as to generate signatures for zero-day scanned port. When a RST signal terminates a TCP attacks in IDS. connection attempt, the system never logs the data packet that the remote machine was trying to send into the network. A honeypot as a one of the greatest security tool
  • 2. suggests a mechanism by completing the connection attempt and providing an attacker a false illusion of accessing the critical servers and then recording the interactions between the honeypot and the remote machine. Honeypot placement is one of the greatest issues to be taken care of to optimize the efficiency of the implemented Intrusion Detection System. Various network architectures are presented till now to achieve the aforesaid motive but the basic idea behind this as we suppose is detection of hackers scripts and actions to penetrate into the system and henceforth the proposed architecture is presented which will help the organizational security to build up patches for the existing loophole and make their system robust and stringent to attack scenarios. III. PROPOSED DESIGN AND IMPLEMENTATION Fig 1.1 Deployment of IDS & honeypot in the LAN Architecture In this configuration, main network is a “TCP/IP based In this section we outline the requirements of the network” which contains clients and servers. Snort 2.0 is proposed infrastructure which is considered as a solution used as IDS and is capable to be configured with server. to decrease the malicious inflow of packets in the Honeyd is a honeypot system that is configured as a organizational environment and enhance the efficiency of separate server and is connected to the main server. We IDS system deployed. assume a”switched network” in our approach, with a configurable switch which is connected to the main server The real honeypot server is used to safeguard the main and the respective clients. As the LAN architecture is server from if the hacker is able to compromise the developed in within a primary network henceforth the honeypot server. Although it is hard to implement the real server is supported with two Ethernet cards eth0 and eth1. honeypot but it is desirable for large organizations as such Eth0 directs the internet connection to the main sever and servers do not hamper the production process in the eth1 manages the intranet traffic within the private LAN organization and only IT staff is able to access the 192.168.0.1. required logs. Neither the attacker nor the organizational The attacker first performs a ping sweep attack to detect staff knows where honeypot is placed. the available servers in the network and the honeypot server entices him to perform attacks to penetrate the The given network architecture is used to develop an network. Once the requests are directed to the honeypot understanding as to why and how honeypots are used to server the incoming connection is established with the enhance the work of IDS system. attacking system. As the attacker gets a feel of entering into the server it performs all his efforts to penetrate into different servers. Honeypot gives him the illusion of different servers and constantly interacts with him to record his activities and send the specific response to the syslog server for future analysis and investigation.
  • 3. IV. EXPERIMENTAL SETUP %01/..%01/..%01/..%01/..%01/..%01/..%0 1/..%01/..%01/..%01/. To implement honeypot an additional tool Arpd is .%01/..%01/..%01/..%01/..%01/..%01/..% embedded in it. Honeypot cannot do everything alone and 01/..%01/..%01/..%01/ ..%01/..%01/..%01/..%01/..%01/..%01/.. requires the help of Arpd. Arpd is used for ARP spoofing; %01/..%01/..%01/..%01 this is what actually monitors the unused IP space and /..%01/..%01/..%01/..%01/..%01/..%01/. directs the attacks to the honeypot. Honeyd is only able to .%01/..%01/..%01/..%0 interact with attackers. For example if the aim is to 1/..%01/..%01/..%01/..%01/..%01//etc/s monitor all the unused IPs in the 192.168.1.0/24 network, hadow HTTP/1.1 the required commands to start both Arpd and Honeyd are Host: 202.174.22.145:10000 as follows: It is visible that the attacking port is 10000 thus port 10000 is of interest. The various ip addresses from where arpd 192.168.0.1/24 such request came can be filtered using tcpdump analysis. honeyd -p nmap.prints -f honeyd.conf 192.168.0.1/24 Based on the commands, the Arpd process monitors the B. Results and Discussion unused IPs, directs all corresponding attacks to the honeyd and spoofs the victim’s IP address with the MAC Once the analysis is done now it is the time to write the address of the honeypot. For the honeyd command –p snort rule. By the analysis of the payload it is visible that nmap.prints refers to the nmap fingerprint database and -f the string started with “GET/unauthenticated/” honeyd.conf is the honeyd configuration file. thus following snort rule can be set: Once the installation is honeypot server is completed the alert tcp $EXTERNAL_NET any -> traffic directed to honeypot server is dumped o other $192.168.0.1 10000 (content:"GET /unauthenticated/"; system using packet analyzing tool tcpdump with the help msg:"Get unauthenticated";) of following command: tcpdump -nn -x -s 1500 host 192.168.0.145 -w store.cap Now any attack coming from the specified port will The tcpdump command will dump all the malicious generate the alert to the administrator of penetration for packets directed to the honeypot and hence will help in unauthorized access in the network environment by the writing the snort rule set by analyzing the payload. attacker. If the set rule has to be further customized then the A. Writing of Snort Rules: following payload can be added: alert tcp any any -> any 10000 Penetrating in the network to gain access by getting the (content:"GET /unauthenticated/..%01/..%01/"; msg:"Get etc/passwd file in the Linux environment or the password unauthenticated";) shadow file i.e. etc/shadow which contains the username The point of concern here is that adding too much of and password of all users. No such rule is defined in the payload may result in false negatives which will overall latest snort rule set. Suppose you get the following log lower down the implementation of snort in organizational generated in honeypot: network. # cat 44F75D6380122.shell :::::::::::::: V. CONCLUSION GET/unauthenticated/..%01/..%01/..%01/ ..%01/..%01/..%01/..% The Intrusion detection system can only give the optimum 01/..%01/..%01/..%01/..%01/..%01/..%01 /..%01/..%01/..%01/.. benefit if it is also able to detect those attacks for which
  • 4. signatures are not defined in its database. The area of work will be to give attention to this Snort limitation and thus increasing the scalability and responsiveness of the system towards the various types of attacks so as to achieve the motto of building a smart agile and secure system to face the new challenges of technological arena. Though honeypot deployment is a cost-effective solution for the security of large organization but in future refinement is required to elimination false alarm generations. REFERENCES 1. Vidar Ajaxon Grønland: Building IDS signatures by means of a honeypot Norwegian Information system Laboratory. 2. Chi-Hung Chi , Ming Li Dongxi Liu : A method to obtain Signatures From Honeypots Data, School of Computing National University of Singapore 3. Babak Khosravifar, Jamal Bentahar: An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot. Department of Electrical and Computer Engineering, Concordia University 4. Greg M. Bednarski and Jake Branson: Understanding Network Threats through Honeypot Deployment, Carnegie Mellon University March 2004. 5. Richard Hammer : Enhancing IDS using, Tiny Honeypot SANS Institute InfoSec Reading Room 6. Solution Base: What you need to know about honeypots http://articles.techrepublic.com.com/5100- 22_11-5758218.html