HONEYPOTS PRESENTATION. TEAM: Ankur Sharma, Ashish Agrawal, Elly Bornstein, Santak Bhadra, Srinivas Natarajan.


Topics to be covered
- Network IDS - Brief Intro
- What is a Honeypot?
- Honeypot in a Network Environment
- A Three Layered Approach
- Types of Honeypot
- Honeypot and IDS - Traditional detection problems
- Honeypot as detection solution
- Honeypot implementation and an example attack
- Virtual Honeypot
- Advantages and Disadvantages
- Demo
- References

Network IDS - Brief Intro
- An IDS that detects malicious activity such as denial of service attacks, port scans or even attempts to break into computers by monitoring network traffic.
- Inspects incoming network traffic and studies the packets.
- Reads valuable information about an ongoing intrusion from outgoing or local traffic as well.
- It can co-exist with other systems. For example, it can update a firewall's blacklist IP database with the addresses of computers used by (suspected) hackers.

What is a Honeypot?
- A trap set to detect, deflect and counteract attempts at unauthorized use of information systems.
- A security resource whose value lies in being probed, attacked, or compromised.
- A valuable system that can be used as a surveillance and early-warning tool.

Honeypot in a Network Environment
- In general, it consists of a computer or a network site that appears to be part of the network but which is actually isolated, unprotected and monitored.
- It can also take other forms, such as files or data records, or even unused IP address space.

Honeypot in a Network Environment (diagram slide)

A Three Layered Approach
A honeypot can be defined in a three layered approach:
- Prevention
- Detection
- Response

A Three Layered Approach
- Prevention: Honeypots can be used to slow down or stop automated attacks. They can utilize psychological weapons such as deception or deterrence to confuse or stop attacks.
- Detection: Honeypots are used to detect unauthorized activity and capture unknown attacks. They generate very few alerts, but when they do, you can almost be sure that something malicious has happened.
- Response: Production honeypots can be used to respond to an attack. Information gathered from the attacked system can be used to respond to the break-in.

Types of Honeypot
Classified based on two categories:
- Deployment
  1. Production
  2. Research
- Levels of interaction
  1. Low Interaction
  2. High Interaction

Deployment Types
- Production Honeypots: Easy to use, capture only limited information, and primarily used by companies or corporations. They are placed alongside the production network and help to mitigate risk in an organization.
- Research Honeypots: Run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks.

Levels of Involvement
- Low Interaction (Honeyd): Able to simulate big network structures on a single host. With one single instance of the daemon, many different hosts running different services can be simulated.
- High Interaction (HoneyNet): A network of real systems. A stealth inline network bridge closely monitors and controls the network data flow to and from the honeypots in the network.

Honeypot and IDS - Traditional detection problems
- Data overload
- False positives
- False negatives
- Resources
- Encryption
- IPv6

Honeypot as detection solution
- Small data sets
- Reduced false positives
- Catching false negatives
- Minimal resources
- Encryption
- IPv6

Honeyd
- It is designed to be used on Unix-based operating systems, such as OpenBSD or Linux; however, it may soon be ported to Windows.
- Since this solution is open source, not only is it free, but we also have full access to the source code, which is under the BSD license.

Honeyd
- The primary purpose of Honeyd is detection, specifically to detect unauthorized activity within your organization.
- It does this by monitoring all the unused IPs in your network.
- Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity.

Example (diagram slide)

Configuring Honeyd
- To implement Honeyd we need to compile and use two tools: Arpd and Honeyd.
- Arpd is used for ARP spoofing: it answers ARP requests for the unused IP space and directs attacks to the Honeyd honeypot.
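The detection rule from the two Honeyd slides above (any connection to an unused address on the monitored network is suspicious) is small enough to show as code. The following is an added example written for this page; it is not Honeyd's own code. The log format is constructed for the example and only loosely modelled on a Honeyd connection log (timestamp, protocol, S for connection start / E for end, source, source port, destination, destination port); the addresses, the allocated-address list and the "dark" ranges are all placeholders. It also shows why the list of legitimately used addresses must include the broadcast address: otherwise ordinary broadcast traffic turns into false positives.

```python
"""Dark-IP detection in the style of Honeyd (added example, not Honeyd's code).

Honeyd answers for addresses nobody legitimately uses, so any connection
attempt to such an address is treated as unauthorized. The log below is
CONSTRUCTED for this example; addresses are private-range placeholders.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log: timestamp proto(num) state src sport dst dport
SAMPLE_LOG = """\
2004-03-12-10:00:01.0001 tcp(6) S 10.0.0.77 40211 192.168.1.201 80
2004-03-12-10:00:01.0420 tcp(6) S 10.0.0.77 40212 192.168.1.202 80
2004-03-12-10:00:01.0911 tcp(6) S 10.0.0.77 40213 192.168.1.203 22
2004-03-12-10:00:02.1200 tcp(6) S 192.168.1.10 51000 192.168.1.5 445
2004-03-12-10:00:02.5000 tcp(6) S 10.0.0.77 40214 192.168.1.204 445
2004-03-12-10:00:03.0000 udp(17) S 192.168.1.11 5353 192.168.1.255 5353
2004-03-12-10:00:04.0000 tcp(6) E 10.0.0.77 40211 192.168.1.201 80
"""

# Constructed: addresses actually in use on the monitored /24. The broadcast
# address is listed on purpose; traffic to it is normal, not an attack.
ALLOCATED = {"192.168.1.1", "192.168.1.5", "192.168.1.10",
             "192.168.1.11", "192.168.1.255"}
MONITORED_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_line(line):
    """Split one log line into a dict; trailing fields (if any) are ignored."""
    ts, proto, state, src, sport, dst, dport = line.split()[:7]
    return {"ts": ts, "proto": proto.split("(")[0], "state": state,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def find_dark_ip_hits(log_text, allocated, net):
    """Return connection starts (state 'S') whose destination lies inside the
    monitored network but is not allocated: the traffic Honeyd would answer."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["state"] != "S":
            continue  # connection ends carry no new information here
        if ipaddress.ip_address(rec["dst"]) in net and rec["dst"] not in allocated:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-source count of distinct dark addresses touched (several in a row
    looks like a sweep) and a ranking of the targeted ports."""
    per_src = defaultdict(set)
    ports = Counter()
    for h in hits:
        per_src[h["src"]].add(h["dst"])
        ports[(h["proto"], h["dport"])] += 1
    return {src: len(d) for src, d in per_src.items()}, ports.most_common()


if __name__ == "__main__":
    hits = find_dark_ip_hits(SAMPLE_LOG, ALLOCATED, MONITORED_NET)
    per_src, ports = summarize(hits)
    for src, n in per_src.items():
        print(f"{src} touched {n} unused address(es)")
    for (proto, port), n in ports:
        print(f"{proto}/{port}: {n} attempt(s)")
```

Run on the constructed log, the detector reports only 10.0.0.77, which touched four unused addresses; the legitimate host-to-host connection and the UDP broadcast are ignored, which is the "small data sets, reduced false positives" property from the detection slide.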

Building a honeypot with UML
- UML (User-Mode Linux) allows multiple instances of Linux to run on the same system at the same time.
- The UML kernel receives the system calls from its applications and forwards them to the host kernel.
- UML has many capabilities, among them:
  - It can log all keystrokes even if the attacker uses encryption.
  - It reduces the chances of revealing its identity as a honeypot.
  - It keeps UML kernel data secure from tampering by its processes.

Honey Net
- A network of honeypots.
- Supplemented by firewalls and an intrusion detection system.
Advantages:
- More realistic environment
- Improved possibility to collect data

How a Honey Net works
- A highly controlled network where every packet entering or leaving is monitored, captured and analyzed.
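The "controls the network data flow to and from the honeypots" part of the high-interaction slide and the "every packet entering or leaving is monitored" point above are usually implemented as a data-control policy on the inline bridge: inbound connections are let through (the honeypots are meant to be attacked), while the number of outbound connections a honeypot may open in a time window is capped, so a compromised honeypot cannot be turned into a launch point against others. The block below is an added example written for this page and is not Honeynet Project code; the cap of 5 outbound connections per hour, the honeypot addresses and the flow records are all constructed assumptions.

```python
"""Honeynet data control: outbound connection cap (added example, not the
Honeynet Project's code). Policy values and flow records are CONSTRUCTED."""
from collections import defaultdict, deque

HONEYPOTS = {"192.168.1.201", "192.168.1.202"}   # constructed honeypot addresses
OUTBOUND_CAP = 5        # allowed outbound connection starts per window (assumed)
WINDOW_SECONDS = 3600   # sliding window length (assumed)


class DataControl:
    """Decides, for each new connection start seen on the bridge, whether it
    is forwarded. Inbound traffic always passes; outbound is rate-capped."""

    def __init__(self, honeypots, cap=OUTBOUND_CAP, window=WINDOW_SECONDS):
        self.honeypots = honeypots
        self.cap = cap
        self.window = window
        self._starts = defaultdict(deque)  # honeypot -> times of allowed outbound

    def decide(self, ts, src, dst, dport):
        """Return ('allow' | 'drop', reason) for a connection start at time ts."""
        if src not in self.honeypots:
            # Attacker coming in: let it through, it is what we want to observe.
            return "allow", "inbound"
        q = self._starts[src]
        while q and ts - q[0] >= self.window:
            q.popleft()  # forget starts that fell out of the window
        if len(q) >= self.cap:
            return "drop", (f"outbound cap {self.cap}/{self.window}s exceeded "
                            f"for {src} -> {dst}:{dport}")
        q.append(ts)
        return "allow", f"outbound within cap ({len(q)}/{self.cap})"


def run(records, honeypots=HONEYPOTS):
    """Apply the policy to a list of (ts, src, dst, dport) connection starts."""
    dc = DataControl(honeypots)
    return [dc.decide(*r) for r in records]


# Constructed flow records: (seconds, src, dst, dport). After the attacker
# gets in, the honeypot tries to open seven IRC connections in a minute,
# then one more after the window has slid past the earlier ones.
SAMPLE_FLOWS = (
    [(0, "10.0.0.77", "192.168.1.201", 22)]
    + [(10 + i, "192.168.1.201", "203.0.113.9", 6667) for i in range(7)]
    + [(4000, "192.168.1.201", "203.0.113.9", 6667)]
)

if __name__ == "__main__":
    for rec, (verdict, reason) in zip(SAMPLE_FLOWS, run(SAMPLE_FLOWS)):
        print(f"t={rec[0]:>5} {rec[1]} -> {rec[2]}:{rec[3]}  {verdict}: {reason}")
```

On the constructed flows the inbound SSH attempt and the first five outbound connections are forwarded, the sixth and seventh are dropped with an alertable reason, and the one at t=4000 is allowed again because the earlier starts have aged out of the window. Every drop is exactly the kind of event the monitoring side wants to capture, since it marks the moment a honeypot started behaving like a compromised host.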

Virtual Honeypot
- Virtual machines allow different operating systems to run at the same time on the same machine.
- Honeypots are guests on top of another OS.
- We can implement the guest OS on the host OS in two ways:
  - Raw disk: an actual disk partition
  - Virtual disk: a file on the host file system

Most Exploited Vulnerabilities (chart slide): the top 5 most frequently exploited vulnerabilities with a rating of "severe".

The Five Most Attacked Ports (chart slide). X-axis: port number. Y-axis: number of attackers with the rating of "severe" per honeypot in the last week.

Advantages
- Production environment: a distraction from the real target.
- Can peek into the guest operating system at any time.
- Reinstallation of a contaminated guest is also easy.

Disadvantages
- Sub-optimal utilization of computational resources.
- Reinstallation of a polluted system is very difficult.
- Difficulty in monitoring such a system in a safe way.
- Detecting the honeypot is easy.

References
- Honeypots: Simple, Cost-Effective Detection
- Open Source Honeypots: Learning with Honeyd
- Specter: A Commercial Honeypot Solution for Windows

Thank You! We are happy to answer any questions……