1 HONEYPOTS
Presentation team: Ankur Sharma, Ashish Agrawal, Elly Bornstein, Santak Bhadra, Srinivas Natarajan

2 Topics to be covered
Network IDS: brief intro
What is a honeypot?
Honeypot in a network environment
A three-layered approach
Types of honeypot
Honeypot and IDS: traditional detection problems
Honeypot as a detection solution
Honeypot implementation and an example attack
Virtual honeypot
Advantages and disadvantages
Demo
References

3 Network IDS: Brief Intro
A network IDS detects malicious activity such as denial-of-service attacks, port scans or attempts to break into computers by monitoring network traffic.
It inspects incoming traffic and examines the packets.
It also reads valuable information about an ongoing intrusion from outgoing or local traffic.
It can cooperate with other systems, for example by updating a firewall's IP blacklist with the addresses of (suspected) attackers.

4 What is a Honeypot?
A trap set to detect, deflect and counteract attempts at unauthorized use of information systems.
A security resource whose value lies in being probed, attacked or compromised.
A valuable system that can be used as a surveillance and early-warning tool.

5 Honeypot in a Network Environment
In general it is a computer or network segment that appears to be part of the production network but is actually isolated from it, left deliberately unprotected, and closely monitored.
It can also take other forms, such as decoy files or data records, or even unused IP address space.

6 Honeypot in a Network Environment (diagram)

7 A Three-Layered Approach
A honeypot's role can be described in three layers:
Prevention
Detection
Response

8 A Three-Layered Approach
Prevention: honeypots can slow down or stop automated attacks (for example by absorbing a worm's connection attempts), and can use deception and deterrence to confuse or discourage human attackers.
Detection: honeypots detect unauthorized activity and capture previously unknown attacks. They generate very few alerts, but when they do, something malicious has almost certainly happened, because nobody has a legitimate reason to talk to them.
Response: production honeypots support incident response. Because no legitimate user depends on the honeypot, it can be taken offline and analyzed in full, and the information gathered from it can be used to respond to the break-in.

9 Types of Honeypot
Classified along two axes:
Deployment
1. Production
2. Research
Level of interaction
1. Low interaction
2. High interaction

10 Deployment Types
Production honeypots: easy to use, capture only limited information, and used primarily by companies. They are placed inside the production network alongside real systems and help mitigate risk to the organization.
Research honeypots: run by volunteers, non-profit research organizations or educational institutions to gather information about the motives and tactics of the blackhat community targeting different networks.

11 Levels of Interaction
Low interaction (Honeyd): emulates services rather than running them. It can simulate a large network on a single host; one instance of the daemon can impersonate many hosts, each with a different operating-system personality and a different set of services.
High interaction (Honeynet): a network of real systems running real services. A stealthy inline network bridge closely monitors and controls all traffic to and from the honeypots in the network.

12 Honeypot and IDS: Traditional Detection Problems
Data overload: an IDS on a busy network produces huge volumes of logs and alerts that nobody has time to read.
False positives: the IDS flags legitimate traffic as an attack, and analysts start ignoring alerts.
False negatives: signature-based detection misses new or unknown attacks.
Resources: the IDS must keep up with full line rate on expensive hardware.
Encryption: the IDS cannot inspect the contents of encrypted sessions.
IPv6: many detection tools of the time could not parse IPv6 traffic at all.

13 Honeypot as a Detection Solution
Small data sets: the honeypot only logs what touches it, which on most networks is a handful of events per day.
Reduced false positives: no production activity reaches the honeypot, so almost any interaction with it is suspect.
Catching false negatives: the honeypot needs no signature; a new attack against it is captured just like a known one.
Minimal resources: a single old machine is enough, because it only handles traffic aimed at itself.
Encryption: the honeypot is the endpoint of the session, so it sees the attacker's activity after decryption.
IPv6: detection is based on interaction, not protocol decoding, so it works in any IP environment.

14 Honeyd
Designed for Unix-based operating systems such as OpenBSD or Linux; at the time of this presentation a Windows port was expected.
Since it is open source, it is not only free but comes with full access to the source code, which is under the BSD license.

15 Honeyd
The primary purpose of Honeyd is detection, specifically detecting unauthorized activity inside your organization.
It does this by claiming all the unused IP addresses in your network.
Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity, because no legitimate service lives there.

16 Example (figure)

17 Configuring Honeyd
To deploy Honeyd we need to compile and run two tools: Arpd and Honeyd.
Arpd performs ARP spoofing: it answers ARP requests for the unused IP addresses with the MAC address of the Honeyd host.
Packets sent to the unused IP space therefore arrive at the Honeyd host, where Honeyd answers them according to its configuration file.
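As an added example (not code from Honeyd, Arpd or the presentation), the following Python script ties slides 15 and 17 together: it computes the unused addresses of a subnet and renders a Honeyd configuration fragment that binds a decoy template to each of them, then applies the "anything that touches an unused address is suspect" rule to Honeyd-style packet log lines. The log layout (timestamp, protocol, S/E/- state flag, source, source port, destination, destination port, optional trailer) follows Honeyd's packet log; the sample lines, addresses, template name `decoy` and scan threshold are constructed for illustration.

```python
"""Unused-address detection in the Honeyd style.

Added example for this transcript; it is not code from Honeyd or arpd.
Two parts:
  1. plan_honeyd_config(): turn "every unused address in the subnet is a
     decoy" into a honeyd.conf fragment. arpd answers ARP requests for those
     addresses with the Honeyd host's MAC, so the packets arrive at honeyd.
  2. detect(): read honeyd-style packet log lines and alert on anything
     that touched a decoy address. Nothing legitimate lives there, so every
     hit is suspect, and a source touching several decoys is a scanner.
Assumptions: the log layout (timestamp, proto(number), S/E/-, src, sport,
dst, dport, optional trailer) follows honeyd's packet log; the sample lines,
addresses and thresholds are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_ALLOCATED = ["192.168.1.1", "192.168.1.10"]   # gateway and one real host
SAMPLE_LOG = [
    # one source walks three decoy addresses on 445: a scan or worm
    "2004-03-03-01:21:33.9000 tcp(6) S 203.0.113.7 3432 192.168.1.201 445 [Windows XP SP1]",
    "2004-03-03-01:21:34.1100 tcp(6) S 203.0.113.7 3433 192.168.1.202 445",
    "2004-03-03-01:21:34.3000 tcp(6) S 203.0.113.7 3434 192.168.1.203 445",
    # broadcast NetBIOS chatter from a real host: not a decoy address, ignored
    "2004-03-03-01:21:40.0000 udp(17) - 192.168.1.10 137 192.168.1.255 137",
    # SSH to the real host: the honeypot never sees it, so no alert
    "2004-03-03-01:22:01.5000 tcp(6) S 198.51.100.9 51000 192.168.1.10 22",
    # end-of-connection record for the first probe, with byte counts
    "2004-03-03-01:22:02.0000 tcp(6) E 203.0.113.7 3432 192.168.1.201 445: 120 0",
    "garbage line that should be skipped",
]

def unused_addresses(subnet, allocated):
    """Every host address in `subnet` that is not in `allocated`."""
    net = ipaddress.ip_network(subnet)
    used = {ipaddress.ip_address(a) for a in allocated}
    return [str(ip) for ip in net.hosts() if ip not in used]

def plan_honeyd_config(subnet, allocated,
                       personality="Microsoft Windows XP Professional SP1"):
    """Render a honeyd.conf fragment binding one template to each unused address."""
    lines = [
        "create decoy",
        f'set decoy personality "{personality}"',
        "set decoy default tcp action reset",   # closed ports answer like a real box
        "set decoy default udp action reset",
        "add decoy tcp port 80 open",           # cheap listeners: enough to log a connect
        "add decoy tcp port 445 open",
    ]
    lines += [f"bind {ip} decoy" for ip in unused_addresses(subnet, allocated)]
    return "\n".join(lines) + "\n"

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[a-z]+)\(\d+\)\s+(?P<state>[SE-])\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

def parse_line(line):
    """Return the fields of one honeyd packet-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def detect(log_lines, subnet, allocated, scan_threshold=3):
    """Alert on every record aimed at a decoy; flag sources that hit >= threshold decoys."""
    decoys = set(unused_addresses(subnet, allocated))
    alerts = []
    targets = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in decoys:
            continue
        alerts.append(rec)
        targets[rec["src"]].add(rec["dst"])
    scanners = {src: len(hit) for src, hit in targets.items() if len(hit) >= scan_threshold}
    return alerts, scanners

if __name__ == "__main__":
    print(plan_honeyd_config("192.168.1.0/24", SAMPLE_ALLOCATED)[:300])
    alerts, scanners = detect(SAMPLE_LOG, "192.168.1.0/24", SAMPLE_ALLOCATED)
    for a in alerts:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} {a['proto']} {a['state']}")
    print("scanners:", scanners)
```

Note that the broadcast address is excluded from the decoy set on purpose: broadcast chatter from real hosts is normal and would otherwise be the main source of false alerts. The remaining hits are all from one outside address walking port 445 across consecutive decoys, which is the pattern an analyst wants surfaced.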

18 Building a Honeypot with UML
User-Mode Linux (UML) runs multiple instances of Linux on the same system at the same time, each as a user process of the host.
The UML kernel receives the system calls from its applications and forwards them to the host kernel.
Among its capabilities:
It can log all keystrokes even if the attacker uses encryption, because the guest kernel sees the terminal input after the session has been decrypted.
It reduces the chance of revealing itself as a honeypot, because monitoring happens inside the guest kernel rather than through tools visible on the guest.
It can protect the UML kernel's data from tampering by the guest's own processes.

19 Honeynet
A network of honeypots.
Supplemented by firewalls and an intrusion detection system.
Advantages:
More realistic environment.
Better opportunities to collect data.

20 How a Honeynet Works
A highly controlled network in which every packet entering or leaving is monitored, captured and analyzed. Attackers are allowed in, but what a compromised honeypot can send out is restricted so it cannot be used to attack others.
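The "controls the data flow to and from the honeypots" part of slides 11 and 20 is the piece practitioners most often get wrong, so here is an added example (not Honeynet Project or Honeywall code) of the outbound-connection cap an inline honeynet bridge applies: inbound flows are always allowed, flows initiated by a honeypot are counted per protocol in a sliding window and dropped once a cap is reached. The honeypot addresses, the caps per protocol, the window length and the simulated break-in are all constructed for illustration.

```python
"""Data control for a honeynet's inline bridge.

Added example for this transcript; it is not Honeywall or Honeynet Project
code. The bridge sees every packet. Inbound traffic to a honeypot is always
allowed (being attacked is the point); connections that a honeypot initiates
outbound are counted per protocol in a sliding window and dropped once a cap
is reached, so a compromised honeypot cannot be turned into a scanner or a
launch point against third parties. The caps, window and the simulated attack
below are assumptions constructed for illustration.
"""
from collections import defaultdict, deque

HONEYPOTS = {"192.168.1.201", "192.168.1.202"}
DEFAULT_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}   # new outbound flows per window
WINDOW_SECONDS = 3600.0

class DataControl:
    def __init__(self, honeypots=HONEYPOTS, limits=DEFAULT_LIMITS, window=WINDOW_SECONDS):
        self.honeypots = set(honeypots)
        self.limits = dict(limits)
        self.window = window
        self.allowed = defaultdict(deque)   # (honeypot, proto) -> timestamps of allowed flows
        self.log = []                       # every decision, for the analyst

    def decide(self, ts, proto, src, dst):
        """Verdict for the first packet of a new flow seen by the bridge."""
        if src not in self.honeypots:
            verdict = "allow"               # inbound or transit: never interfere
        else:
            q = self.allowed[(src, proto)]
            while q and ts - q[0] >= self.window:
                q.popleft()                 # forget flows older than the window
            if len(q) >= self.limits.get(proto, 0):
                verdict = "drop"            # cap reached: contain, but keep logging
            else:
                q.append(ts)
                verdict = "allow"
        self.log.append((ts, verdict, proto, src, dst))
        return verdict

def simulate_compromise(dc, honeypot="192.168.1.201", start=1000.0, probes=20):
    """Attacker breaks in, then tries to sweep 198.51.100.0/24 from the honeypot."""
    inbound = dc.decide(start, "tcp", "203.0.113.7", honeypot)          # the break-in
    verdicts = [dc.decide(start + 1 + i, "tcp", honeypot, f"198.51.100.{i + 1}")
                for i in range(probes)]
    later = dc.decide(start + 1 + dc.window, "tcp", honeypot, "198.51.100.250")
    return {
        "inbound": inbound,
        "allowed": verdicts.count("allow"),
        "dropped": verdicts.count("drop"),
        "after_window": later,
    }

if __name__ == "__main__":
    dc = DataControl()
    print(simulate_compromise(dc))
    for entry in dc.log[-6:]:
        print(entry)
```

The cap is deliberately not zero: an attacker who cannot reach anything from the box will leave or conclude it is a honeypot, while a small allowance lets the first few outbound fetches (toolkits, IRC, scans) be captured before the bridge starts dropping. Every drop is still logged, so the analyst sees what the attacker tried to do.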

21 Virtual Honeypot
Virtual machines allow different operating systems to run at the same time on the same machine.
The honeypots are guests running on top of another (host) operating system.
A guest OS can be backed by the host in two ways:
Raw disk: an actual disk partition.
Virtual disk: a file on the host file system.

22 Most Exploited Vulnerabilities (chart): the top 5 most frequently exploited vulnerabilities with a rating of "severe".

23 The Five Most Attacked Ports (chart)
X-axis: port number.
Y-axis: number of attackers rated "severe" per honeypot in the last week.

24 Advantages
Protects the production environment by drawing attackers away from the real targets.
The guest operating system can be inspected from the host at any time.
Reinstalling a contaminated guest is easy: restore the disk image and start again.

25 Disadvantages
Sub-optimal use of computational resources.
Reinstalling a compromised system is laborious.
Monitoring such a system safely is difficult.
Detecting that the system is a honeypot is easy for an attacker.

26 References
http://www.securityfocus.com
Honeypots: Simple, Cost-Effective Detection
Open Source Honeypots: Learning with Honeyd
Specter: A Commercial Honeypot Solution for Windows
http://www.honeypots.net/
http://en.wikipedia.org/wiki/Honeypot_(computing)
http://www.tracking-hackers.com/

27 Thank You! We are happy to answer any questions.

