
1.1 Background of the Study

This research is on the development of an advanced honeypot architecture for network threats. Today's world increasingly relies on computer networks. The use of network resources is growing and network infrastructures are gaining in size and complexity. This increase is followed by a rising volume of security problems. New threats and vulnerabilities are found every day, and computers are far from being secure. In the first half of 2008, 3,534 vulnerabilities were disclosed by vendors, researchers and independents, C. Leita and M. Dacier (2009). Between 8 and 16% of these vulnerabilities were exploited by malicious programs on the day they were released. The consequences affect users and companies at critical levels, from privacy issues to financial losses.

To address this concern, network operators and security researchers have developed and deployed a variety of solutions. The goal of these solutions is two-fold: first to monitor, and second to protect network assets. Monitoring allows researchers to understand the different threats. Data are being collected to better characterize and quantify malicious activity. The goal of this dissertation is to introduce an innovative framework to better measure malicious threats in the organization network. The framework is based on a flexible hybrid honeypot architecture that we integrate with the organization network using network flows. 

1.2 Statement of the Problem

Network malicious activity can be quantified and characterized through two distinct approaches: the first is to monitor production networks, where live hosts and devices are actually used by people; the second is to monitor an unused address space. The advantage of the second approach over the first is that there is no user traffic to filter out. Indeed, the traffic received by unused addresses falls into three categories: malicious activity, misconfiguration, and backscatter from spoofed addresses. On the other hand, the disadvantage of the second approach is that it relies on the assumption that malicious activity destined to unused addresses is similar to that targeting production machines.

Tools used in these two different approaches can be divided into two groups: passive and active tools. When monitoring production networks, passive security tools include intrusion detection systems (IDSs) such as Snort, and network traffic sniffers such as Tcpdump or Netflow. Active tools include firewalls such as Netfilter, intrusion prevention systems (IPSs) such as Snort Inline, and vulnerability scanners such as Nessus. When monitoring an unused address space, passive tools are similar, but active tools are specific sensors developed with the only goal of better investigating the malicious activity received. Historically, unused address spaces were only passively monitored. Then researchers had the idea of actively replying to the traffic received to discover the exact threat behind each connection attempt. To understand the research challenges introduced with this new idea, we will now describe the different existing types of active sensors.

1.3 Aim and Objectives of the Study

This study is targeted at surveying the present trends in advanced honeypot architecture for network threats.

  1. The aim of this study is to highlight efficient solutions to overcome current honeypot limitations, and to address the issue of the size and the location of honeynets by correlating network flows with darknet data.
  2. To proffer a solution to the problem of scalability of high interaction honeypots by implementing an advanced hybrid honeypot architecture called Honeybrid.
  3. To adequately offer a solution to the problem of configuring honeynets in a large organization network by using a server and scanner discovery program based on network flows.

1.4 Problem Statement

When deploying honeypots, researchers have to precisely define three elements: a location, an architecture, and a configuration. Data collected by honeypots is critically affected by these three keys. Therefore, they need to be carefully selected. We will now detail the different problems related to each of these elements.

The location is the set of IP addresses used by honeypots to receive and collect network traffic. The current addressing protocol deployed on the Internet is IPv4, which is made of 4.3 billion unique addresses. The volume and the nature of attacks can greatly change from one IP address to another. Some threats such as the Slammer worm are globally distributed, while others such as denial of service attacks target precise locations, so the location of honeypots can greatly affect the data they receive. Recent studies started to compare attack data from different locations and defined network characteristics, such as reachability or proximity to production networks, that could partially explain the differences observed. Moreover, not only the location but also the size of the network of honeypots matters for collecting significant attack results.

The honeypot architecture refers to the type of honeypot. We saw in the previous section that the different types of honeypots are governed by three attributes: fidelity, scalability and security. There is currently no solution available that offers both scalability and a high level of interaction. As a result, researchers and network operators who want to deploy honeypots cannot collect and analyze datasets that have both detailed attack processes and large network space coverage.

The configuration defines the set of services offered to attackers and thus the behavior of the honeypot. By set of services we mean the set of open ports and the software listening for network connections on the honeypot. These services can be emulated or real. They can be host-specific resources or vulnerabilities chosen to study specific categories of attack. The problem when deploying honeypots in a large organization network is that there is a very large number of possible configurations to choose from. There is currently no solution to determine whether the configuration of a network of honeypots is optimal for collecting malicious threats, or to make sure that the fingerprint of the network of honeypots is small enough to prevent attackers from detecting it.

The last major issue of current honeypots is that even if they actively reply to attackers with more or less interaction, they do not allow researchers to select the type of attack they want to study. Because honeypots collect attacks randomly, the information collected is often not the information researchers were really looking to analyze. From this point of view, existing honeypots collect attack traffic passively. We believe that if honeypots adopt a more active approach when receiving illegitimate connections, they could

  1. Provide better results on the exact threat expected to be studied, and
  2. Reduce the resources spent to analyze and filter data collected.

1.5 Scope of the Study

The scope of this study is limited to external TCP traffic, where external means traffic coming from network addresses that do not belong to the organization's network, because we will correlate darknet traffic with Netflow information collected at the edge of the organization's network. The study is limited to TCP traffic because we will use the protocol flag information to more precisely filter the different types of traffic. We will also report the volumes of UDP and ICMP traffic collected to show that TCP traffic accounts for a significant share of the overall traffic received.

We define an attacker, or source, as a tuple {day; source address; destination port; protocol}. This means that a single source IP address sending TCP packets on two different days to two different ports each day will be seen as four distinct sources. The decision to include the destination port in our definition of a source was made to better identify attacks that are linked to a specific network service.
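As an added illustration (not code from the study), the following Python applies the scope described above and the source definition to a handful of constructed flow records: it keeps only external TCP flows, uses a simple TCP flag rule (assumed here, since the study's exact filtering rule is not given) to separate connection attempts from backscatter, and counts distinct sources as {day; source address; destination port; protocol} tuples. The organization prefix, the record layout and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not data from the study), shaped like an edge
# Netflow export. tcp_flags uses Netflow letters: S=SYN, A=ACK, R=RST, F=FIN.
FIELDS = ("day", "src", "proto", "dport", "tcp_flags")
SAMPLE_FLOWS = [
    ("2024-01-01", "203.0.113.5", "TCP", 22, "S"),    # day 1, port 22
    ("2024-01-01", "203.0.113.5", "TCP", 22, "S"),    # same tuple: still one source
    ("2024-01-01", "203.0.113.5", "TCP", 445, "S"),   # other port: second source
    ("2024-01-02", "203.0.113.5", "TCP", 22, "S"),    # other day: third source
    ("2024-01-02", "203.0.113.5", "TCP", 445, "S"),   # other day and port: fourth
    ("2024-01-01", "10.0.0.20", "TCP", 22, "S"),      # internal origin: out of scope
    ("2024-01-01", "198.51.100.9", "UDP", 53, ""),    # UDP: out of scope
    ("2024-01-01", "198.51.100.9", "TCP", 80, "SA"),  # unsolicited SYN-ACK: backscatter
]

def is_external(src, org_net):
    """External means the source address lies outside the organization's prefix."""
    return ipaddress.ip_address(src) not in ipaddress.ip_network(org_net)

def classify(tcp_flags):
    """Assumed flag rule: a bare SYN is a connection attempt; a SYN-ACK or RST
    reaching an unused address unsolicited is backscatter from a spoofed source;
    anything else (mid-stream ACK, FIN) is left as 'other'."""
    if "S" in tcp_flags and "A" not in tcp_flags:
        return "attempt"
    if ("S" in tcp_flags and "A" in tcp_flags) or "R" in tcp_flags:
        return "backscatter"
    return "other"

def source_key(flow):
    """A source is the tuple {day; source address; destination port; protocol}."""
    return (flow["day"], flow["src"], flow["dport"], flow["proto"])

def count_sources(flows, org_net):
    """Apply the scope (external, TCP only), then count distinct sources per category."""
    sources = defaultdict(set)
    for rec in flows:
        flow = dict(zip(FIELDS, rec))
        if flow["proto"] != "TCP" or not is_external(flow["src"], org_net):
            continue
        sources[classify(flow["tcp_flags"])].add(source_key(flow))
    return {cat: len(keys) for cat, keys in sources.items()}

print(count_sources(SAMPLE_FLOWS, "10.0.0.0/8"))  # {'attempt': 4, 'backscatter': 1}
```

The five flows from 203.0.113.5 collapse to four sources exactly as the text describes, while the internal and UDP records fall outside the scope.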

1.6 Limitations and Future Work of the Study

This study contributes to the field of honeypot technologies by detailing the complete design of a hybrid architecture. The result is a robust and flexible implementation that offers a simple and scalable framework for honeypot researchers. As a result, the main advantages of Honeybrid over other honeypot implementations are:

  - Versatility: Honeybrid can be used as a front-end to handle traffic toward any low and high interaction honeypots;
  - Flexibility: modules can be added to the Decision Engine of Honeybrid and combined to write highly customized filtering policies;
  - Scalability: Honeybrid was built to process several hundred connections per second with a low resource consumption;
  - Simplicity: Honeybrid is based on two robust engines, each supporting a single functionality. Modules can be easily added to the architecture to handle more advanced functionalities.

The current limitations of Honeybrid compared to other advanced honeypot architectures are:

  - Multi-stage attacks: Honeybrid works with a network session granularity, where network sessions are identified by protocol, IP addresses, and ports. Consequently, an attack made of multiple network sessions might be incorrectly spread out to different low or high interaction honeypots.
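To make this limitation concrete, here is an added sketch (not Honeybrid's code) with constructed sessions of one multi-stage attack: keyed by the full session tuple, the stages can be spread over several backends under an assumed spread policy, whereas keying on the source address keeps all of them on one backend. The backend names, the toy hash and the sample sessions are assumptions.

```python
# Constructed sessions of one multi-stage attack (not data from the study):
# a probe of port 445, a second connection to 445, then a connection to 80,
# all from the same source. Fields: protocol, src, sport, dst, dport.
ATTACK_SESSIONS = [
    ("TCP", "203.0.113.5", 40001, "10.0.0.7", 445),
    ("TCP", "203.0.113.5", 40002, "10.0.0.7", 445),
    ("TCP", "203.0.113.5", 40003, "10.0.0.7", 80),
]
BACKENDS = ["high-int-1", "high-int-2", "high-int-3"]  # hypothetical backends

def session_key(sess):
    """Session granularity: protocol, both addresses and both ports."""
    return tuple(sess)

def source_key(sess):
    """Coarser key: protocol and source address only, shared by all stages."""
    return (sess[0], sess[1])

def pick_backend(key, backends):
    """Assumed spread policy: a toy string hash so the result is reproducible;
    a real front-end would balance by load or a proper hash, with the same effect."""
    return backends[sum(map(ord, repr(key))) % len(backends)]

def route(sessions, backends, keyfunc):
    """Backend chosen for each session under the given key function."""
    return [pick_backend(keyfunc(s), backends) for s in sessions]

# Per-session keys scatter the attack; the per-source key keeps it together.
print(route(ATTACK_SESSIONS, BACKENDS, session_key))
print(route(ATTACK_SESSIONS, BACKENDS, source_key))
```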

1.7 Definition of Terms

Network sensor is an unused IP address instrumented to collect information about suspicious traffic. We separate sensors into two categories: passive sensors, which simply collect data without any interaction with the source of traffic; and active sensors, which can interact with the source of traffic to collect additional information.

Honeypot is a network device that provides a mechanism for completing network connections not normally provided on a system and logging those connection attempts [19]. We note that honeypot and active network sensor are synonyms.

Data – Refers to the facts needed by the computer system in order to process and output necessary information.

Computer – An electronic device used for performing high-speed arithmetic and logical operations.

Darknet is a network of passive sensors.

System – A complete installation including peripherals, such as disk drive, monitor and printer which all the components are designed to work with each other.

Online – It is activated and ready for operation, capable of communicating with or being controlled by a computer.

Internet – It is an interconnected system of networks that connects computers around the world via the TCP/IP protocol.

Honeynet is a network of honeypots.

Honeypot architecture is a specific combination of software solutions to administrate a honeynet.

Honeypot framework is the combination of a honeypot architecture and a data processing solution to analyze malicious network activity.
