The introduction of the Internet has had positive impacts, such as the faster spread of information and new developments in the form of e-business; on the negative side, it has also attracted many intruders and attackers. The term intrusion means attempting to gain unauthorized access to a system. The four main steps of an intrusion are port scanning, intruding into and residing in the system, planting Trojans, and clearing trails. The port scan is the initial step of the whole intrusion, so detecting it is a difficult problem to cope with. Nowadays a variety of scanning techniques are available, such as stealth scans, fragmentation scans, changes of scan order, slow scans, randomized inter-probe timing, scans with forged source addresses and distributed scans, all of which make the detection process more difficult and sophisticated. If we can detect these activities as early and accurately as possible, we can deal with hacker attacks more easily.
The main focus of computer security is on passive defense strategies using tools and technologies like firewalls and intrusion detection systems (IDS). An IDS works by passively monitoring network traffic for suspicious or unauthorized activity. A rules-based IDS relies on a series of patterns or signatures. An anomaly-based IDS has to define normal network behavior, which is extremely difficult to establish as new applications and technologies keep appearing. Also, most IDS are not designed to detect unknown attacks. Apart from these two commonly used technologies, the honeypot has received much attention in recent years. A honeypot can be thought of as a decoy computer system that uses deception to lure intruders so that we can learn their behavior. The honeypot is usually a system that is deliberately made vulnerable, with fake services, to make it look and act like a real system. Intruders who discover the honeypot may choose to compromise it, since doing so is relatively easy. As a result, system administrators can investigate the traces left by intruders to learn about their tools and techniques in detail. The only purpose of a honeypot is to get exploited. It is a trap made for computer hackers without making them realise they are trapped. An attack registered by a honeypot can provide valuable information about both the attack and the attacker's profile through proper investigation of the attack pattern. A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource, i.e. it is a system designed with deliberate vulnerabilities and exposed to a public network. By making use of such a honeypot system, intruders can firstly be kept away from the real system, and secondly, security professionals can closely track the activities of the intruder to study the vulnerabilities of the system.
A honeypot machine emulates the operation of a real system in such a way that an attacker would falsely believe that he or she is accessing a production system. If the honeypot machine is designed properly, without any back door, an attacker would not be able to distinguish between the real system and the honeypot system. By monitoring the intrusions logged on the honeypot system, an administrator can use the information gathered to update the security of the real system. The administrator can learn about the weaknesses of the honeypot machine and correlate them with the problems of the actual system. Thus, weaknesses and vulnerabilities in the real system can easily be detected and then fixed.
Types of Honeypots
Classified by design criteria, honeypots fall into three categories: pure, high interaction, and low interaction. A pure honeypot is a full-fledged production system. The attacker's activities are monitored using a casual tap installed on the honeypot's link to the network; no other software needs to be installed. Even though a pure honeypot is useful, the stealthiness of the defense mechanisms can be better ensured by a more controlled mechanism. Honeypots with monitoring agents fall into two general categories: high interaction and low interaction.
High Interaction Honeypots
High interaction honeypots imitate the activities of real systems that host a variety of services and therefore offer an attacker many services on which to waste his time. According to recent research in high interaction honeypot technology, by employing virtual machines, multiple honeypots can be hosted on a single physical machine; therefore, even if a honeypot is compromised, there is a chance of quicker recovery. In general, high interaction honeypots provide more security by being difficult to detect, but on the negative side, they are highly expensive to maintain. If virtual machines are not available, a separate physical computer has to be maintained for each honeypot, which can be exorbitantly expensive. Example: Honeynet.
Low Interaction Honeypots
The design of a low interaction honeypot is based on the services that attackers normally request; this class of honeypot simulates those services. Because attackers require only a few services, there are many positives: it is easy to host multiple virtual honeypots on one physical system, since they consume relatively few resources; the response time of the virtual systems is relatively quick; and the smaller amount of code reduces the complexity of securing the virtual systems. Example: Honeyd.
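As an added example (not code from the original post, and not Honeyd's own code), here is a minimal low interaction decoy in the Honeyd style: each emulated port answers with a canned banner, every touch is logged, and the log is then mined for sources that probed several decoy ports, which is the port scan the post describes as the first step of an intrusion. The banners, ports and addresses are constructed sample values.

```python
import socket
import time
from collections import defaultdict, namedtuple

# Canned banners of the emulated services (constructed sample values, not real hosts).
FAKE_BANNERS = {
    21: b"220 FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    80: b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n",
}
# One logged touch: epoch time, source IP, emulated port, first bytes the client sent.
Event = namedtuple("Event", "ts src port payload")
EVENTS = []  # the decoy's log; a real deployment ships this off-host as it is written

def handle(src, port, payload, ts=None):
    """Record the interaction (payload is stored, never interpreted) and return the banner."""
    EVENTS.append(Event(time.time() if ts is None else ts, src, port, payload[:256]))
    return FAKE_BANNERS.get(port, b"")

def find_scanners(events, min_ports=3, window=600.0):
    """Sources that touched at least min_ports distinct decoy ports within window seconds.
    Nobody legitimate talks to the decoy, so a long window exposes slow scans as well."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            ports = {e.port for e in evs[i:] if e.ts - first.ts <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

def serve(port, bind="0.0.0.0"):
    # One emulated service: accept, read a little, answer the canned banner, log it.
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen()
    while True:
        conn, (src, _) = srv.accept()
        with conn:
            conn.settimeout(2.0)  # many scanners connect and never send a byte
            try:
                data = conn.recv(256)
            except socket.timeout:
                data = b""
            conn.sendall(handle(src, port, data))
```

Run serve(port) in one thread per entry of FAKE_BANNERS on the decoy host (ports below 1024 need privileges) and periodically call find_scanners(EVENTS) over the collected log.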